On Sun, 6 Feb 2005, Kinkie wrote:
The login=*:password cache_peer option comes in handy for implementing this kind of scheme.
Sure, but it requires a custom authenticator, or at least some kind of wrapper, which is certainly doable but not easy (might it be interesting to add something of the sort to the default package, maybe?). Also, it probably requires extra care when two simultaneous auth-schemes are involved.
The login=... cache_peer option only specified basic authentication.
Implementing the custom authenticator wrapper is easy. Here is a shell example acting as a wrapper around any other basic authenticator to allow the Squid to be used both by normal clients and other caches.
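#!/bin/sh
# Wrapper around another basic authenticator: answers OK itself when the
# password is the shared secret, passes every other request to the helper.
if [ $# -lt 2 ]; then
    echo "Usage: $0 secretpassword helper ..." >&2
    exit 1
fi

secret="$1"
shift

# Keep the original stdout (towards Squid) on fd 4 for direct replies.
exec 4>&1

while read -r user password; do
    if [ "$password" = "$secret" ]; then
        echo OK >&4
    else
        echo "$user $password"
    fi
done | "$@"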
Designed to be used as
auth_param basic program /path/to/script topsecretpassword normal_helper_with_arguments
Numerous other variants are possible.
Note: If the selected secret shared password for squid->squid communication contains odd characters, these must be URL-encoded in the helper specification.
Regards
Henrik
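Added example, not part of the original message: the wrapper logic above run against a stand-in helper, showing which requests are answered by the wrapper, which are delegated, and why a shared secret containing a space has to be given URL-encoded. The names stub_helper, wrapper and reply_for and all credentials are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original mail). stub_helper, wrapper, reply_for
# and every credential below are constructed for illustration.

# Stand-in for the real basic authenticator: knows only "alice wonder".
stub_helper() {
    while read -r user password; do
        if [ "$user $password" = "alice wonder" ]; then
            echo OK
        else
            echo ERR
        fi
    done
}

# The wrapper logic from the mail as a function; $1 is the shared secret.
wrapper() {
    secret="$1"
    exec 4>&1                       # fd 4 = reply channel back to the caller
    while read -r user password; do
        if [ "$password" = "$secret" ]; then
            echo OK >&4             # answered here, helper never sees it
        else
            echo "$user $password"  # delegated to the helper
        fi
    done | stub_helper
}

# Reply for a single helper input line: reply_for SECRET 'user password'
reply_for() {
    printf '%s\n' "$2" | wrapper "$1"
}

# Ordinary clients are still judged by the helper.
echo "alice/wonder       -> $(reply_for s3cret 'alice wonder')"
echo "alice/wrong        -> $(reply_for s3cret 'alice wrong')"
# A peer forwarding any user name with the shared secret is accepted.
echo "bob/s3cret         -> $(reply_for s3cret 'bob s3cret')"
# The password field arrives URL-encoded, so a secret containing a space only
# matches when the helper argument is given in encoded form.
echo "plain 'top secret' -> $(reply_for 'top secret' 'bob top%20secret')"
echo "encoded secret     -> $(reply_for 'top%20secret' 'bob top%20secret')"
```

Because the wrapper accepts any user name that arrives with the shared secret, that secret is effectively a credential for every account and should be long, random and known only to the peer caches.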