Hi, I posted this question on the DG list but haven't had any responses yet, so I am hoping someone out there can help me with this problem. I have upgraded some of my Squids to 2.6 and have installed DG 2.9.7.1 to use its new NTLM capability. I have in the past been successful using Squid to authenticate users with NTLM then to DG, then Squid for cache. Since DG 2.9 provides better support for authentication I have eliminated the authentication Squid server and send clients directly to DG with a parent Squid that authenticates users. This has worked well in testing. HOWEVER I have 3 remote sites that use the same DG filter as the above mentioned Squid. The problem is that when I connect to one of the remote Squids it goes through the DG server and tries to authenticate AGAIN to the Squid server (parent to DG) which I don't want. I'm already authenticating at the remote site as it provides a Squid cache for the site avoiding bandwidth use on already locally cached pages. Also, I don't want to allow direct access to the main parent Squid (the one downstream of DG) so I limit access to localhost (DG) and the IP of the remote Squid servers. When I do this I get an access denied message when using a remote proxy since it's apparently going *through* DG to the parent Squid and trying to authenticate there as well, but is denied by IP restriction. I can get this to work by opening up access to the parent Squid to ALL IPs in the remote Squid server's IP range. I don't want to do this. Also, in the DG access.log (when I have it opened up so it all "works" I am not getting usernames logged (just -) but am getting the IP (or host name in my case) of the requester, or the remote Squid server. The DG parent Squid does show the actual computer (not Squid) that made the request, via follow_x_forwarded_for. DG is also using this successfully ONLY when the request comes directly to DG from a client, not from another Squid server. Is there any way to make this all work nice as follows: Single DG server for entire school district Single authenticating/caching Squid 2.6 server (for the DG subnet clients) as parent to DG Remote Squid 2.6 caching/authenticating servers authenticating local users with DG as parent (which then of course goes through DG's parent Squid) I would like to have authentication and logging at each of the remote sites, and ALSO DG logging with username for all requests to DG, and authentication and logging for the DG subnet via the DG parent Squid server. I have messed around with Squid acls trying to figure a way for this to work, can't get it. Is there perhaps something I can add to the cache_peer line to help with this?? Right now it's using " parent 8080 7 no-query login=*:password default". I have now been able to get this to "work" by not allowing follow_x_forwarded_for (on DG parent Squid) for anything outside the DG subnet, but then I get the DG IP (localhost) logged in the Squid access.log and still no user for DG log. Is there a way to make the DG parent Squid not attempt to authenticate any requests outside of its local subnet or some other way to handle this? Or will I end up needing to go back to the Squid->DG->Squid setup that I have used successfully with DG 2.8 and Squid 2.5? I hope this is reasonably clear. I can provide more info if it would help. Using Squid 2.6STABLE1 and DG 2.9.7.1. Thanks Geoff
