Re: [squid-users] FW: Acclerator mode and Authentication

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Mon, 31 Oct 2005 07:28:24 +0100 (CET)

On Sat, 29 Oct 2005, Brian Phillips wrote:

> I have squid set up as an httpd accelerator for some websites I have on a
> private network behind the cache. I direct requests from outside the
> network to squid running on port 80 on the gateway machine and then squid
> sorts them out and hands them to the private webservers. I assume I have to
> use the httpd_accelerator options (as this is what has got it to work in the
> past).

Yes.

> proxy/filter for clients that are on the private web wishing to surf the
> net. I have firewall level rules to direct all web traffic from the
> internal network to my squid machine (the same port) and then squid has acls
> to find out if the traffic is coming from within the network, and if it is,
> forwards it on (as long as squidGuard says it's okay ;) )

Don't mix reverse and forward proxying in the same Squid. You should run
one Squid for people wanting to get in to your web sites, and another
Squid for your internal people to get out to the Internet.

> Finally, my questions. I would like to use the username authentication
> feature NTSA in squid.

For whom in the above picture?

> I have it all set up, but as in that mailing list
> article I've linked to, squid doesn't request authentication unless the
> proxy settings are placed in the browser. This is not really the most
> desirable option because of the A) "simpleness" of the users behind the
> cache and B) the fact that the proxy information can be removed, causing the
> whole thing to be bypassed. Right now I have set it up so it can't be
> bypassed, but would eventually like to start allowing passwords (to bypass
> certain aspects of my squidGuard filter)

Right, for the people on the inside using the Squid as a transparently
intercepting proxy.

> I read in other posts by Henrik Nordstrom, that squid3.0 was going to have
> clearer differences in the way it handles accelerated requests and
> transparent proxy requests.

Yes. Making it possible to use authentication in the accelerator setup
without causing conflicts with the transparent intercepting setup where
authentication is not possible.

> I guess it's lack of understanding of the
> finite details of each type of setup by my part, but I was wondering if my
> current setup ( and wishes ) will be possible with these new changes in 3.0

From what I can understand of what you want to do, no.

With Squid-3.0 you will be able to impose authentication on the reverse
proxy part of the setup where you use Squid to allow external users access
to your servers on the private network.

For the transparent interception part using HTTP authentication is not
possible, not due to Squid but due to the transparent interception without
the browsers knowing. Transparent interception is a significant bending of
the rules of TCP/IP and as such you do run into some problems due to being
"outside the law of TCP/IP".

> Or maybe they're possible with the current version of squid ( 2.5 ) ?
> Someone shed some light for me please.

Squid-2.5 is as capable as Squid-3.0 with respect to authentication of
transparently intercepted requests. This has to be implemented using an
out-of-band mechanism such as forms based authentication on a web server
on the same machine as Squid authorizing the IP address of the client to
access the Internet via the proxy. external_acl and deny_info can be used
to connect the two together.

Regards
Henrik
Received on Sun Oct 30 2005 - 23:28:28 MST

This archive was generated by hypermail pre-2.1.9 : Tue Nov 01 2005 - 12:00:05 MST
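The out-of-band scheme Henrik sketches in his last paragraph (a forms-based login on the Squid box records which client IPs are authorized; an external_acl helper answers Squid's lookups from that record; deny_info bounces everyone else to the login page) can be wired up as below. This is an added example, not code from Henrik's mail or from the Squid project: the helper script, the authorization file format and path, the ACL names and the login hostname are all this example's own assumptions; the external_acl_type and deny_info directive syntax follows Squid 2.5/3.0, but check your version's squid.conf.default before copying the fragment. The login form itself (which writes the authorization file after a successful password check) is not shown.

```python
#!/usr/bin/env python3
"""External ACL helper: is the requesting client IP currently logged in?

Assumed squid.conf wiring (names are this example's own):

    external_acl_type ip_login ttl=60 negative_ttl=5 %SRC /usr/local/bin/ip_login_helper.py
    acl localnet  src 10.0.0.0/8
    acl loginsite dstdomain login.example.internal
    acl logged_in external ip_login
    http_access allow localnet loginsite
    http_access deny  localnet !logged_in
    deny_info http://login.example.internal/login logged_in
    http_access allow localnet

Squid starts the helper once, writes one lookup per line (here just the
%SRC address) and waits for one reply line: "OK" (optionally with
user=NAME) or "ERR". The authorization file is assumed to be written by
the login form as lines of "<ip> <user> <expiry-epoch-seconds>".
"""
import sys
import time

AUTH_FILE = "/var/run/squid_ip_auth.txt"  # hypothetical path written by the login form

# Constructed sample of the authorization file, used for testing only.
SAMPLE_TABLE = """\
10.0.0.5 alice 4102444800
10.0.0.6 bob 946684800
this line is malformed and must be ignored
"""


def parse_table(text):
    """Parse authorization lines into {ip: (user, expiry_epoch)}.

    Malformed lines are skipped rather than treated as a login, so a
    corrupted file fails closed.
    """
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ip, user, expiry = parts
        try:
            table[ip] = (user, int(expiry))
        except ValueError:
            continue
    return table


def load_table(path):
    """Read the authorization file; a missing file means nobody is logged in."""
    try:
        with open(path) as f:
            return parse_table(f.read())
    except FileNotFoundError:
        return {}


def lookup(table, src_ip, now):
    """Return Squid's reply line for one client address."""
    entry = table.get(src_ip)
    if entry is None:
        return "ERR"
    user, expiry = entry
    if now >= expiry:
        return "ERR"  # session expired: client is sent back to the login form
    return "OK user=%s" % user  # user= lets Squid log the name in access.log


def handle_request_line(line, table, now):
    """Handle one lookup line from Squid; the first field is %SRC."""
    fields = line.split()
    if not fields:
        return "ERR"
    return lookup(table, fields[0], now)


def main():
    for line in sys.stdin:
        # Re-read per lookup so logins and logouts take effect immediately;
        # Squid's ttl= caches positive answers, so this stays cheap.
        table = load_table(AUTH_FILE)
        sys.stdout.write(handle_request_line(line, table, time.time()) + "\n")
        sys.stdout.flush()  # Squid blocks until the reply line arrives


if __name__ == "__main__":
    main()
```

The ordering of the http_access lines matters: the login site must be reachable before the logged_in check, or nobody can ever log in, and deny_info is only consulted when the named ACL (logged_in, negated here) is the one that caused the denial. Note the inherent weakness of the scheme, which is exactly why Henrik calls it out-of-band: authorization is tied to a source IP, not to a browser session, so anything that shares or can assume that address (NAT, a second user on the same machine, a spoofed source) inherits the login for as long as the entry lives. Keep the expiry short and re-check on logout.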