[squid-users] Excluding some clients from authentication REQUIRED acl

From: Geoff Varney <[email protected]>
Date: Wed, 12 Jul 2006 11:46:17 -0700

Hi,
I am trying to make Squid 2.6 work in the following setup:

Main Site:
I have one master caching/authentication Squid 2.6 server

I have one DansGuardian (2.9.7.1) server with the above master Squid as its
parent

Remote Sites:
I have 3 remote Squid servers that each authenticate their local clients and
point to the above DG server as parent

I am passing on user and password from the remote Squids (no-query
login=*:password default). This worked great when the main site had an
authentication Squid in front of DG (2.8) and the remote Squids used DG as
the parent, and the main site authentication Squid did the same. In this
setup all sites were really the same.

Now with DG 2.9.7.1 I have tried to eliminate the main site authentication
Squid as DG will now pass through to Squid to authenticate. This works
great at the main site. However, when I set a remote Squid to use DG as its
parent there is now an attempt to authenticate AGAIN to the main site Squid
which is the parent to DG.

Philip Allison (DG developer) suggested using ACLs to exclude these remote
requests from being authenticated by the main Squid. I have been working on
this but can't seem to get it to work. I can get things to work if I allow
the remote subnet's IPs to have http_access, but that effectively skips DG
filtering. I had hoped that something like:

acl no_auth src <remote subnet range>
proxy_auth REQUIRED !no_auth

or something like that would skip auth on the main Squid. But that doesn't
work, maybe the syntax is invalid for proxy_auth REQUIRED.

I know I don't have a complete understanding of acls (and much more!) and
know they are very powerful if you get them right and put them in the right
order, etc.

I'm stuck in getting the remote Squid requests to go to the main Squid and
then go back to DG to filter, then out through Squid without trying to
authenticate again. How do I make Squid ignore authenticating some requests
(by IP acl or something?) but still filter with DG? Can it be done? If
not, I'll just go back to Squid Auth->DG->Squid Cache like before.

Thanks,
Geoff
Received on Wed Jul 12 2006 - 12:48:01 MDT
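
Added example, not part of the original post and not taken from the Squid or DansGuardian projects: the two lines quoted in the message, next to the form Squid accepts for exempting a source range from proxy authentication. The address range is a constructed placeholder, the ACL name "authenticated" is hypothetical, and auth_param is assumed to be configured already.

```conf
# squid.conf on the main-site Squid (added example, not the poster's config).

# As posted, this is not valid: proxy_auth is an ACL *type*, not a directive,
# so it cannot stand on its own line or take "!no_auth" as an argument.
#   proxy_auth REQUIRED !no_auth

# Sources that should not be challenged for credentials.
# 192.0.2.0/24 is a constructed placeholder for <remote subnet range>.
acl no_auth src 192.0.2.0/24

# Matches any request carrying valid proxy credentials.
# "authenticated" is a hypothetical ACL name.
acl authenticated proxy_auth REQUIRED

# http_access lines are checked top to bottom and the first matching line wins.
# A request from the exempt range matches the first line, so the proxy_auth
# ACL is never evaluated for it and no 407 challenge is sent.
http_access allow no_auth

# Everyone else must present valid credentials.
http_access allow authenticated

# Nothing else is allowed through.
http_access deny all
```

A src ACL matches the address of the host that opened the connection to this Squid, so a request relayed by DansGuardian arrives with DansGuardian's address rather than the remote subnet's. Any host able to connect from the exempt range is served without credentials, so keep that range as narrow as possible.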
