Dear All
First of all, Thanks you for everyone who posted and help me. I have
appropriate solution for my system. Let's me share my idea.
- I have 2 Box of squid proxy : proxy1=10.1.1.11 , proxy2=10.1.1.12
- I want client to authenticate with AD account , windows 2003
server. I use squid_ldap_auth to access AD account.
- I use cache_peer to load balance
- I use monit for my fail over. I have problem to solve with HA
because I use each server as different function i.e. proxy1 -->
proxy,DHCP, proxy2 --> proxy, DNS.
- DNS Alias can help me to improve fail over : "mainproxy" =
10.1.1.11, 10.1.1.12
- In client's browser, I set "manual proxy configuration" as mainproxy:8080
- In proxy1 has configuration like this
: squid.conf --> squid_ldap_auth, http_port 8080 , cache_peer to proxy2
- In proxy2
: squid.conf --> squid , http_port 3128, cache_peer to proxy1
: monit --> keep watching on proxy2's port 8080. If proxy1
down proxy1 will replicate with squid.conf like this -->
squid_ldap_auth , http_port 8080. If proxy2 up again proxy1 will
roll-backup old config.
I think I accept delay and replicate time when fail over operate.
It's ok for my requirement.
Thank
Chowalit
On 4/23/07, chowalit.lab Chowalit Lab Linux <chowalit.lab@gmail.com> wrote:
> Dear all,
> Thanks Henrik, It can help me to clear this wccp concept. I just try
> to implement my proxy farm with this solution
> - Add domain "proxytest.mycom" to point both of my proxy's ip (such
> as 10.1.1.1, 10.1.1.2) our DNS
> proxytest.mycom. IN A 10.1.1.1
> IN A 10.1.1.2
> - Setting up both of proxy with ldap authentication to access the
> same Windows 2003 Server.
> - Set proxy domain in client's browser as "proxytest.mycom:8080"
>
> It look fine. I can fix the twice authentication pop-up windows.
> Because client will choose proxy by itself (with round robbin DNS).
> However, I still have some problem. I want to restrict only 1 IP per 1
> User authentication. The problem occur when different client access
> different proxy. How to fix this problem.
>
> Thanks
>
>
> On 4/21/07, Henrik Nordstrom <henrik@henriknordstrom.net> wrote:
> > ons 2007-04-18 klockan 17:14 +0700 skrev chowalit.lab Chowalit Lab
> > Linux:
> >
> > > As I know (Sorry if I have some miss-understanding), It's the same
> > > result if I implement either wccp or WPAD. There are difference in
> > > client setting up. Client don't need to set anything on browser but
> > > WPAD need.
> >
> > No,
> >
> > WCCP is transparent interception, violating RFCs etc. Here
> > authentication won't work.
> >
> > WPAD is automatic discovery of the proxy (or to be exact automatic
> > discovery of the PAC file telling the browser how it should use
> > proxies). As the browser knows it's using a proxy and no RFCs violated
> > there is no problem with proxy authentication.
> >
> > > Sorry I'm not clear. However, as Chris claimed that HA is not fix this problem.
> > > Please explain clearly.
> >
> > A load balanced proxy address solves a problem with basic proxy
> > authentication. Basic proxy authentication is performed per proxy host
> > name, and as a result PAC based solutions may result in multiple
> > authentication prompts during the browsing session, one per proxy used.
> > The load balancer solution where the browser always goes to the same
> > load balanced proxy address avoid this.
> >
> > Regards
> > Henrik
> >
> >
>
Received on Thu Apr 26 2007 - 09:16:12 MDT
This archive was generated by hypermail pre-2.1.9 : Tue May 01 2007 - 12:00:01 MDT