Re: FW: Acclerator mode and Authentication

On Sat, 29 Oct 2005, Brian Phillips wrote:

I have squid set up as an httpd accelerator for some websites I have on a
private network behind the cache.  I direct requests from outside the
network to squid running on port 80 on the gateway machine and then squid
sorts them out and hands them to the private webservers.  I assume I have to
use the httpd_accelerator options (as this is what has got it to work in the
past).

Yes.

proxy/filter for clients that are on the private web wishing to surf the
net.  I have firewall level rules to direct all web traffic from the
internal network to my squid machine (the same port) and then squid has acls
to find out if the traffic is coming from within the network, and if it is,
forwards it on (as long as squidGuard says it's okay ;) )

Don't mix reverse and forward proxying in the same Squid. You should run one Squid for people wanting to get in to your web sites, and another Squid for your internal people to get out to the Internet.

Finally, my questions.  I would like to use the username authentication
feature NTSA in squid.

For whom in the above picture?

I have it all set up, but as in that mailing list
article I've linked to, squid doesn't request authentication unless the
proxy settings are placed in the browser.  This is not really the most
desirable option because of the A) "simpleness" of the users behind the
cache and B) the fact that the proxy information can be removed, causing the
whole thing to be bypassed.  Right now I have set it up so it can't be
bypassed, but would eventually like to start allowing passwords (to bypass
certain aspects of my squidGuard filter)

Right, for the people on the inside using the Squid as a transparently intercepting proxy.

I read in other posts by Henrik Nordstrom, that squid3.0 was going to have
clearer differences in the way it handles accelerated requests and
transparent proxy requests.

Yes. Making it possible to use authentication in the accelerator setup without causing conflicts with the transparent intercepting setup where authentication is not possible.

I guess it's lack of understanding of the
finite details of each type of setup by my part, but I was wondering if my
current setup ( and wishes ) will be possible with these new changes in 3.0

From what I can understand of what you want to do, no.

With Squid-3.0 you will be able to impose authentication on the reverse proxy part of the setup where you use Squid to allow external users access to your servers on the private network.

For the transparent interception part using HTTP authentication is not possible, not due to Squid but due to the transparent interception without the browsers knowing. Transparent interception is a significant bending of the rules of TCP/IP and as such you do run into some problems due to being "outside the law of TCP/IP".

Or maybe they're possible with the current version of squid ( 2.5 ) ?
Someone shed some light for me please.

Squid-2.5 is as capable as Squid-3.0 with respect to authentication of transparently intercepted requests. This has to be implemented using an out-of-band mechanism such as forms based authentication on a web server on the same machine as Squid authorizing the IP address of the client to access the Internet via the proxy. external_acl and deny_info can be used to connect the two together.

Regards
Henrik
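
The out-of-band mechanism described in the reply above, as an added example (not code from the original message or from the Squid project): an external ACL helper that answers OK or ERR for each client IP Squid sends it, based on a session file that a login form would write. The helper path, ACL names, login URL, session file location and its "ip expiry_epoch" line format are all assumptions made for illustration.

```python
#!/usr/bin/env python3
# Added example: external ACL helper for Squid. Assumed squid.conf wiring
# (helper path, ACL names and login URL are hypothetical):
#   external_acl_type ip_session ttl=60 negative_ttl=5 %SRC /usr/local/bin/ip_session.py
#   acl logged_in external ip_session
#   deny_info http://proxy.example.internal/login logged_in
#   http_access deny !logged_in
import ipaddress
import sys
import time

SESSION_FILE = "/var/run/squid/ip_sessions"  # hypothetical; written by the login form


def load_sessions(text):
    """Parse 'ip expiry_epoch' lines into {ip: expiry}; skip malformed lines."""
    sessions = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
            sessions[ip] = float(parts[1])
        except ValueError:
            continue
    return sessions


def answer(request_line, sessions, now):
    """Return the helper reply for one %SRC request line from Squid."""
    fields = request_line.split()
    if len(fields) != 1:
        return "ERR"
    try:
        ip = str(ipaddress.ip_address(fields[0]))
    except ValueError:
        return "ERR"
    # Unknown or expired sessions are denied; deny_info then sends the login page.
    return "OK" if sessions.get(ip, 0) > now else "ERR"


if __name__ == "__main__":
    for line in sys.stdin:
        try:
            with open(SESSION_FILE) as fh:
                sessions = load_sessions(fh.read())
        except OSError:
            sessions = {}  # fail closed: no session store means nobody is authorized
        print(answer(line, sessions, time.time()), flush=True)
```

Because the authorization is keyed on the source IP address, every client that reaches Squid from the same address (for example from behind another NAT device) shares one session.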
