RE: [squid-users] Logging username at parent cache using ntlm_aut h

From: Wilshire, Andrew <[email protected]>
Date: Wed, 24 Sep 2003 14:29:46 +1200

Thanks Henrik!

Ok I have done what you suggested and now I see the usernames in access.log
on the 2nd tier proxy... however I am consistently denied access (my IE
session brings up a login/password box)..

The 1st Tier Proxy's squid.conf

        auth_param ntlm program /lib/squid/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
        auth_param ntlm children 5
        auth_param ntlm max_challenge_reuses 0
        auth_param ntlm max_challenge_lifetime 2 minutes
        cache_peer proxytier2.fqdn.co.nz parent 3128 3130 login=*
        external_acl_type grouphelper %LOGIN /lib/squid/wbinfo_group.pl
        acl nzproxyusers external grouphelper DOMAIN\LocalGroup
        http_access deny !nzproxyusers

The 2nd Tier Proxy's squid.conf

        auth_param basic program /libexec/fakeauth_auth
        auth_param basic children 5
        auth_param basic realm Squid Proxy Tier-2
        auth_param basic credentialsttl 1 minute
        acl nzproxyauth proxy_auth REQUIRED
        http_access allow nzproxyauth
        http_access allow proxytier1.fqdn.co.nz

Any ideas on what I have gotten wrong?

Many thanks :)
Andrew.

-----Original Message-----
From: Henrik Nordstrom [mailto:hno@squid-cache.org]
Sent: Wednesday, 24 September 2003 12:47
To: Wilshire, Andrew
Cc: 'squid-users@squid-cache.org'
Subject: Re: [squid-users] Logging username at parent cache using
ntlm_auth

On Wed, 24 Sep 2003, Wilshire, Andrew wrote:

> When I look inside access.log on the PARENT (2nd tier) cache of the
> first-tier cache I see
>
> 1064290276.165 4844 eee.fff.ggg.hhh TCP_MISS/200 10100 GET
> http://www.nzherald.co.nz/pics/ACFNAA.Taimy.JPG -
> FIRST_UP_PARENT/3rdtiercache.fqdn.co.nz image/jpeg
>
> What I need to accomplish is to get the domain/username passed through to
> the PARENT cache so that I may use a filtering product on our 2nd tier
> proxy.

Then you need to set up a system where "faked" logins are used to the 2nd
tier proxy. You can set up the first proxy to log in with the same
username but a static password. See the login= cache_peer option.

This also requires reconfiguring the parent proxy to require basic
authentication and know about the static password assigned to the first
proxy.

> Do I need to recompile Squid on the 2nd tier cache with ntlm_auth support?

Won't help. You can't proxy ntlm_auth due to the nature of NTLM.

Regards
Henrik

____________________________________________________________________
CAUTION - This message may contain privileged and confidential
information intended only for the use of the addressee named above.
If you are not the intended recipient of this message you are hereby
notified that any use, dissemination, distribution or reproduction
of this message is prohibited. If you have received this message in
error please notify Air New Zealand immediately. Any views expressed
in this message are those of the individual sender and may not
necessarily reflect the views of Air New Zealand.
_____________________________________________________________________
For more information on the Air New Zealand Group, visit us online
at http://www.airnewzealand.com
_____________________________________________________________________
Received on Tue Sep 23 2003 - 20:29:59 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:20:01 MST