Re: [squid-users] enabling X-Authenticated-user

From: Brett Lymn <brett.lymn_at_baesystems.com>
Date: Fri, 2 Mar 2012 13:59:27 +1030

On Fri, Mar 02, 2012 at 03:29:22PM +1300, Amos Jeffries wrote:
>
> You really need that functionality from 3.2 then.
> * login=NEGOTIATE to have one key representing your Squid and all
> users going through it. Or at least one key per cache_peer line ;)

Unfortunately I really need to stick with a stable version of squid; I
want to make this setup production soon-ish.

> Or
> * login=PASSTHRU to act as a transparent proxy (HTTP meaning) with
> regards to proxy-auth. NTLM passthru fails if squid is authenticating
> due to NTLM multi-stage handshake. But Kerberos works fine with both
> layers validating and rejecting invalid keys (assuming they are both
> checking it against the same AD control servers).
>

Hmmm - I just tried login=PASSTHRU and I had an authorisation required
back from the upstream proxy for both basic & kerberos auth.

At the moment I am looking at setting up an LDAP proxy for the upstream
to query and then use login=*:password in squid. This should allow me
to make the upstream proxy believe it is authenticating so that it has
the username it wants.

> Despite any claims they might make, X-Authenticate-User would not work
> for a properly authenticating upstream either. Since the data in it
> lacks the password/token it cannot be re-authenticated, and is easily
> forged. At worst they are claiming authentication but not actually doing
> any when X-Authenticate-Info is received (scary thought).
>

Yes, I think that all they are doing is picking out the username and
doing an LDAP lookup on AD for the DN and making some decisions based on
that. In my case this is not so bad, I can firewall off access to the
upstream proxy so only the squid proxies can access it (ultimately, the
upstream may just be a Xen guest on the squid proxy machine, which
simplifies things further in terms of access).

-- 
Brett Lymn
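As an added illustration (not from this thread, nor the Squid project's own configuration), the three cache_peer login= modes discussed above side by side in squid.conf, with the message's "firewall the upstream" point reflected in the comments. Hostnames, the Kerberos realm, the helper path and the shared password are placeholders.

```conf
# Local Squid authenticates clients itself (Kerberos). Helper path and
# service principal are assumptions; adjust for your build and realm.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/squid.example.com@EXAMPLE.COM
auth_param negotiate children 20
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all

# Option A (Squid 3.2+): one Kerberos key represents this Squid and every
# user behind it to the upstream parent.
# cache_peer upstream.example.com parent 8080 0 no-query login=NEGOTIATE

# Option B: hand the client's own Proxy-Authorization through untouched.
# Works for Kerberos when both hops validate against the same AD; NTLM's
# multi-stage handshake breaks if this Squid is also authenticating.
# cache_peer upstream.example.com parent 8080 0 no-query login=PASSTHRU

# Option C (the plan in this message): forward the already-authenticated
# username as Basic credentials with one fixed password the upstream checks
# against its LDAP proxy. Every user shares that password, so anyone who can
# reach the upstream directly could present it; restrict reach to this host.
cache_peer upstream.example.com parent 8080 0 no-query login=*:sharedsecret
never_direct allow all

# X-Authenticated-User carries no password or token the upstream could
# re-verify, so a copy supplied by a client must never be passed along.
request_header_access X-Authenticated-User deny all
```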
Received on Fri Mar 02 2012 - 03:29:37 MST

This archive was generated by hypermail 2.2.0 : Wed Mar 07 2012 - 12:00:02 MST