Re: [squid-users] dual internet connections traffic routing

From: Adam Parsons <[email protected]>
Date: Thu, 1 Mar 2007 15:11:25 +1030 (CST)

I am pretty confident that it's working as intended (internal traffic one way, external traffic other link), it's just that the site is getting an authentication pop-up even when going to the internal sites.

If I put in:

acl edsites dstdomain .xx.edu.au
acl govsites dstdomain .xx.gov.au
acl authorised_users proxy_auth REQUIRED

http_access allow all edsites
http_access allow all govsites

http_access allow all authorised_users

Shouldn't that allow these sites to be retrieved to the client without authentication? I don't have direct access to the conf file, so I have had to direct someone onsite to make the change, but it is still popping up with the authentication window.

Any help is appreciated.

Thanks,
Adam

-----Original Message-----
From: Adrian Chadd <adrian@creative.net.au>
Sent: Wed, February 21, 2007 7:25 pm
To: Adam Parsons <adamp@officexpress.com.au>
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] dual internet connections traffic routing

Ok, let's have a stab at this.

On Wed, Feb 21, 2007, Adam Parsons wrote:

> The organisation I work for has many sites, all connecting to our core servers via frame-relay or other links. They need to use our organisation's proxy address to go anywhere, which requires authentication for internet access. Now we have some sites that have two network links, the standard frame-relay and an additional ADSL connection. The intention is to have all organisational traffic (i.e. xxx.gov.au and xxx.edu.au) go through the frame-relay link and all other internet traffic (i.e. cisco.com, squid-cache.org, etc) go through the ADSL connection. I have rebuilt one of these sites with two links, and copied their configuration which I don't think is working as intended.

Ok. Makes sense.

> Now I can't use a proxy.pac file, as I need to put a default username and password in for all traffic going out the frame-relay, otherwise they will be prompted and I don't want that as the traffic is free and doesn't need to be metered. On the other hand, traffic out the ADSL link we use authentication on the squidbox (smb) and that works fine.
>
> My question is (finally you say), if I use the cache_peer_domain directive. i.e.
>
> cache_peer proxy.xxx.xx.edu.au parent 8080 0 no-query login=username:password
> cache_peer_domain proxy.xxx.xx.edu.au .xx.edu.au .xx.gov.au
>
> Will this only go out the frame-relay link (when the router sees proxy.xxx.xx.edu.au it forwards out the organisation link) and check if the URL has been cached, and if not, come back to the local squid and retrieve the URL from the ADSL connection? Can anyone see a better way of doing this?

That does say "please only allow those domains through to that particular peer". I haven't tried
it so I'm not sure of the exact behaviour if the parent isn't up (ie, does squid fall back to
sending those URLs off to another parent or direct, or does it fail to forward entirely?
You should set it up and test it out.)

The "no-query" means "don't query via ICP", so if you've got a proxy on the end of the frame relay link
it'll only be used to forward requests through. It won't be "asked" if it has a copy of the
page.

If the parent says "I don't have the object and no, you can't fetch it through me" then with
that above configuration I believe your Squid will send that right back to the client.
It won't notice the failure and try via another path.

(ICBW, so I'd suggest testing it out on the workbench.)

Adrian
Received on Wed Feb 28 2007 - 21:41:33 MST
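
Added example (not part of the original thread and not Squid's own code): a simplified Python model of how Squid walks http_access lines top to bottom, taking the first line whose ACLs all match, with the ACLs on a line checked left to right. It shows that the rules posted above, on their own, let the .xx.edu.au and .xx.gov.au sites through without credentials; the AUTH_FIRST list is an assumption illustrating how an earlier line that names a proxy_auth ACL would trigger the challenge before those rules are reached.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Request:
    host: str
    user: Optional[str] = None  # None = client sent no proxy credentials

class NeedsAuth(Exception):
    """Raised when a proxy_auth ACL is checked and no credentials are present."""

def dstdomain(suffix):
    # A leading dot matches the domain itself and any subdomain.
    bare = suffix.lstrip(".")
    return lambda req: req.host == bare or req.host.endswith("." + bare)

def proxy_auth_required(req):
    if req.user is None:
        raise NeedsAuth()
    return True

# ACL names and domains are the ones from the posted configuration.
ACLS = {
    "all": lambda req: True,
    "edsites": dstdomain(".xx.edu.au"),
    "govsites": dstdomain(".xx.gov.au"),
    "authorised_users": proxy_auth_required,
}

# The three http_access lines as posted.
POSTED = [("allow", "all", "edsites"),
          ("allow", "all", "govsites"),
          ("allow", "all", "authorised_users")]

# Assumption for illustration: an auth rule already sits above the new lines.
AUTH_FIRST = [("allow", "authorised_users")] + POSTED

def evaluate(rules, req):
    """Return 'allow', 'deny' or 'challenge' (a 407 sent back to the client)."""
    for action, *names in rules:
        try:
            # all() stops at the first ACL that does not match (left to right).
            if all(ACLS[name](req) for name in names):
                return action
        except NeedsAuth:
            return "challenge"
    # No line matched: the default is the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("auth first", AUTH_FIRST)):
        for host in ("www.xx.edu.au", "www.cisco.com"):
            print(label, host, evaluate(rules, Request(host)))
```
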

This archive was generated by hypermail pre-2.1.9 : Thu Mar 01 2007 - 12:00:01 MST