Re: [squid-users] Excluding some clients from authentication REQUIRED acl

From: Chris Robertson <[email protected]>
Date: Mon, 17 Jul 2006 11:57:18 -0800

Geoff Varney wrote:
> Hi,
> I am trying to make Squid 2.6 work in the following setup:
>
I haven't had the time yet to upgrade to 2.6, so my advice may be...
Unreliable. You have been warned.
> Main Site:
> I have one master caching/authentication Squid 2.6 server
>
> I have one DansGuardian (2.9.7.1) server with the above master Squid as its
> parent
>
> Remote Sites:
> I have 3 remote Squid servers that each authenticate their local clients and
> point to the above DG server as parent
>
>
> I am passing on user and password from the remote Squids (no-query
> login=*:password default). This worked great when the main site had an
> authentication Squid in front of DG (2.8) and the remote Squids used DG as
> the parent, and the main site authentication Squid did the same. In this
> setup all sites were really the same.
>
> Now with DG 2.9.7.1 I have tried to eliminate the main site authentication
> Squid as DG will now pass through to Squid to authenticate. This works
> great at the main site. However, when I set a remote Squid to use DG as its
> parent there is now an attempt to authenticate AGAIN to the main site Squid
> which is the parent to DG.
>
> Philip Allison (DG developer) suggested using ACLs to exclude these remote
> requests from being authenticated by the main Squid.
Hmmm... By the time the requests reach the "main" Squid, they have all
passed through DG, and all appear to be from the same IP. Unless, of
course, the follow-XFF patch was integrated in to Squid2.6... If that
is the case (and you compiled with enable, you should be able to insert
an http_access rule allowing the subnet(s) access before denying access
to non-authenticated hosts. Something like...

# The following lines require XFF
acl DansGuardian src <IP of DG server>
follow_x_forwarded_for allow DansGuardian
acl_uses_indirect_client on
# End XFF requirement
acl no_auth src <remote subnet range>
acl passwords_required proxy_auth REQUIRED
http_access allow no_auth
http_access allow passwords_required
http_access deny all
> I have been working on
> this but can't seem to get it to work. I can get things to work if I allow
> the remote subnet's IPs to have http_access, but that effectively skips DG
> filtering. I had hoped that something like:
>
> acl no_auth src <remote subnet range>
> proxy_auth REQUIRED !no_auth
>
This would be trying to use an ACL within another ACL. Perhaps that's
possible in 2.6...
> or something like that would skip auth on the main Squid. But that doesn't
> work, maybe the syntax is invalid for proxy_auth REQUIRED.
>
> I know I don't have a complete understanding of acls (and much more!) and
> know they are very powerful if you get them right and put them in the right
> order, etc.
>
Check out the Wiki section on ACLs
(http://wiki.squid-cache.org/SquidFaq/SquidAcl). There's a lot of good
information there.
> I'm stuck in getting the remote Squid requests to go to the main Squid and
> then go back to DG to filter, then out through Squid without trying to
> authenticate again. How I do make Squid ignore authenticating some requests
> (by IP acl or something?) but still filter with DG? Can it be done? If
> not, I'll just go back to Squid Auth->DG->Squid Cache like before.
>
> Thanks,
> Geoff
>
An other option would be to create a login/password combination on the
"main" Squid server, and have the "remote" Squid servers use that (e.g.
the remote Squid servers would define their parent cache using
"login=user:password"). *shrug*

Chris
Received on Mon Jul 17 2006 - 13:57:32 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Aug 01 2006 - 12:00:01 MDT