Re: Inter-squid authorization problems

From: Adrian Bassett <[email protected]>
Date: Fri, 14 Nov 1997 10:52:24 +0000 ()

Thanks for this. However, what you do not say is that you also seem to
need to compile in your contributed ACL proxy authentication patches
(http://www.IAEhv.nl/users/devet/squid/proxy_auth/) otherwise squid logs
"Invalid ACL type 'proxy_auth'" in cache.log.

Your patches do not seem to be available for squid versions more recent
than 1.1.14. Do you intend to release for the current version (1.1.18) or
will those for 1.1.14 work cleanly with 1.1.18?

Also, is it know if this functionality will be incoporated into the main
development stream of future squid versions?

Thanks,

Adrian Bassett

On Thu, 13 Nov 1997, Arjan de Vet wrote:

> Date: Thu, 13 Nov 1997 19:32:15 +0100 (CET)
> From: Arjan de Vet <Arjan.deVet@adv.IAEhv.nl>
> To: A.J.Bassett@reading.ac.uk
> Cc: squid-users@nlanr.net
> Subject: Re: Inter-squid authorization problems
>
> In article <Pine.WNT.3.95.971113162752.-436679D-100000@supc281.rdg.ac.uk> you write:
>
> >The problems start when I configure each to use the other as a neighbour
> >and to treat the servers as a cluster. When an object could be supplied
> >by the 'other' server the transaction nonetheless fails with the message
> >'Proxy authorization failed. Retry?' displayed by the client browser. It
> >would seem that the second server is requiring authorization as though the
> >request were coming direct from the end user rather than a querying
> >server. It makes no difference whether the two servers are siblings or
> >whether one is defined as a parent of the other. There are no examples of
> >the ignore-domain argument to the proxy_auth option in squid.conf but I
> >assume that this is not intended to prevent the behaviour I am
> >experiencing (which I assume is unintentional and unforeseen).
>
> You should make sure that the proxy servers themselves can use each other
> without authentication. Try something like this:
>
> acl myneighbor src 1.2.3.4
> acl customers src some-range
> acl password proxy_auth "password file"
>
> # neighbor cache gets access without password
> http_access allow myneighbor
> # all others should be from a customer IP address and present a valid
> # password
> http_access allow customers password
> # deny the rest
> http_access deny all
>
> # similar for ICP
> icp_access allow myneighbor
> icp_acesss deny all
>
> >Can anybody comment or offer any further insight into the problem, please?
>
> Arjan
>

---Adrian Bassett---
Computer Services Centre, | Tel: +44 (0)1189-316630
Whiteknights, Reading, | Fax: +44 (0)1189-753094
RG6 2AF. England.

Internet: A.J.Bassett@reading.ac.uk
X400: I=AJ;S=Bassett;O=reading;P=UK.AC;A= ;C=GB
WWW: http://www.rdg.ac.uk/~suqbaset
Received on Fri Nov 14 1997 - 02:54:30 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:37:32 MST