Geoff Varney wrote:
Hi,
I am trying to make Squid 2.6 work in the following setup:
I haven't had the time yet to upgrade to 2.6, so my advice may be...
Unreliable. You have been warned.
Main Site:
I have one master caching/authentication Squid 2.6 server
I have one DansGuardian (2.9.7.1) server with the above master Squid as its
parent
Remote Sites:
I have 3 remote Squid servers that each authenticate their local clients and
point to the above DG server as parent
I am passing on user and password from the remote Squids (no-query
login=*:password default). This worked great when the main site had an
authentication Squid in front of DG (2.8) and the remote Squids used DG as
the parent, and the main site authentication Squid did the same. In this
setup all sites were really the same.
Now with DG 2.9.7.1 I have tried to eliminate the main site authentication
Squid as DG will now pass through to Squid to authenticate. This works
great at the main site. However, when I set a remote Squid to use DG as its
parent there is now an attempt to authenticate AGAIN to the main site Squid
which is the parent to DG.
Philip Allison (DG developer) suggested using ACLs to exclude these remote
requests from being authenticated by the main Squid.
Hmmm... By the time the requests reach the "main" Squid, they have all
passed through DG, and all appear to be from the same IP. Unless, of
course, the follow-XFF patch was integrated into Squid 2.6... If that
is the case (and you compiled with enable), you should be able to insert
an http_access rule allowing the subnet(s) access before denying access
to non-authenticated hosts. Something like...
# The following lines require XFF
acl DansGuardian src <IP of DG server>
follow_x_forwarded_for allow DansGuardian
acl_uses_indirect_client on
# End XFF requirement
acl no_auth src <remote subnet range>
acl passwords_required proxy_auth REQUIRED
http_access allow no_auth
http_access allow passwords_required
http_access deny all
I have been working on
this but can't seem to get it to work. I can get things to work if I allow
the remote subnet's IPs to have http_access, but that effectively skips DG
filtering. I had hoped that something like:
acl no_auth src <remote subnet range>
proxy_auth REQUIRED !no_auth
This would be trying to use an ACL within another ACL. Perhaps that's
possible in 2.6...
or something like that would skip auth on the main Squid. But that doesn't
work, maybe the syntax is invalid for proxy_auth REQUIRED.
I know I don't have a complete understanding of acls (and much more!) and
know they are very powerful if you get them right and put them in the right
order, etc.
Check out the Wiki section on ACLs
(http://wiki.squid-cache.org/SquidFaq/SquidAcl). There's a lot of good
information there.
I'm stuck in getting the remote Squid requests to go to the main Squid and
then go back to DG to filter, then out through Squid without trying to
authenticate again. How do I make Squid ignore authenticating some requests
(by IP acl or something?) but still filter with DG? Can it be done? If
not, I'll just go back to Squid Auth->DG->Squid Cache like before.
Thanks,
Geoff
Another option would be to create a login/password combination on the
"main" Squid server, and have the "remote" Squid servers use that (e.g.
the remote Squid servers would define their parent cache using
"login=user:password"). *shrug*
Chris
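To illustrate Chris's point about why a src-based exemption on the "main" Squid only works once follow_x_forwarded_for / acl_uses_indirect_client is in play, here is an added Python model (not from the thread or from Squid) that evaluates the http_access lines quoted above first-match style, with and without the indirect client address; the IP addresses and request dicts are constructed placeholders.

```python
import ipaddress

# Constructed placeholder addresses; the thread does not give real ones.
DG_IP = "10.0.0.5"              # the DansGuardian box whose parent is the main Squid
REMOTE_SUBNET = "10.20.0.0/16"  # where the remote Squids live

# ACLs in the shape of the squid.conf fragment from the thread.
ACLS = {
    "DansGuardian": ("src", [DG_IP + "/32"]),
    "no_auth": ("src", [REMOTE_SUBNET]),
    "passwords_required": ("proxy_auth", None),
    "all": ("src", ["0.0.0.0/0"]),
}
# http_access lines in order; Squid stops at the first matching line.
HTTP_ACCESS = [("allow", "no_auth"), ("allow", "passwords_required"), ("deny", "all")]
XFF_TRUSTED = ["DansGuardian"]  # follow_x_forwarded_for allow DansGuardian


def _src_match(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in networks)


def effective_client(req, acl_uses_indirect_client):
    """Address that src ACLs are compared against.

    With acl_uses_indirect_client on, and the TCP peer matching an ACL that
    follow_x_forwarded_for trusts, the last X-Forwarded-For hop is used
    (single trusted hop assumed); otherwise the TCP peer address is used."""
    direct, xff = req["src"], req.get("xff")
    if acl_uses_indirect_client and xff:
        if any(_src_match(direct, ACLS[a][1]) for a in XFF_TRUSTED):
            return xff.split(",")[-1].strip()
    return direct


def acl_matches(name, req, indirect):
    kind, arg = ACLS[name]
    if kind == "src":
        return _src_match(effective_client(req, indirect), arg)
    if kind == "proxy_auth":
        # REQUIRED matches only when valid credentials were presented;
        # a "deny" further down stands for the 407 challenge Squid would send.
        return bool(req.get("credentials_ok"))
    raise ValueError(kind)


def http_access(req, indirect):
    """First matching http_access line decides, as in Squid."""
    for action, name in HTTP_ACCESS:
        if acl_matches(name, req, indirect):
            return action
    return "deny"
```

Without the indirect client every request reaches the main Squid from DG's address, so the remote subnet can never match no_auth and is challenged again; with it, only the remote subnet is exempted while main-site clients still authenticate.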