Chris, Thanks for the suggestions. Comments inline...

> -----Original Message-----
> From: Chris Robertson [mailto:crobertson@xxxxxxx]
> Sent: Monday, July 17, 2006 12:57 PM
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: Excluding some clients from authentication REQUIRED acl
>
> Geoff Varney wrote:
> > Hi,
> > I am trying to make Squid 2.6 work in the following setup:
>
> I haven't had the time yet to upgrade to 2.6, so my advice may be...
> Unreliable. You have been warned.
>
> > Main Site:
> > I have one master caching/authentication Squid 2.6 server
> > I have one DansGuardian (2.9.7.1) server with the above master Squid as its parent
> >
> > Remote Sites:
> > I have 3 remote Squid servers that each authenticate their local clients and point to the above DG server as parent
> >
> > I am passing on user and password from the remote Squids (no-query login=*:password default). This worked great when the main site had an authentication Squid in front of DG (2.8) and the remote Squids used DG as the parent, and the main site authentication Squid did the same. In this setup all sites were really the same.
> >
> > Now with DG 2.9.7.1 I have tried to eliminate the main site authentication Squid as DG will now pass through to Squid to authenticate. This works great at the main site. However, when I set a remote Squid to use DG as its parent there is now an attempt to authenticate AGAIN to the main site Squid which is the parent to DG.
> >
> > Philip Allison (DG developer) suggested using ACLs to exclude these remote requests from being authenticated by the main Squid.
>
> Hmmm... By the time the requests reach the "main" Squid, they have all passed through DG, and all appear to be from the same IP. Unless, of course, the follow-XFF patch was integrated into Squid2.6... If that is the case (and you compiled with enable), you should be able to insert an http_access rule allowing the subnet(s) access before denying access to non-authenticated hosts. Something like...
>
> # The following lines require XFF
> acl DansGuardian src <IP of DG server>
> follow_x_forwarded_for allow DansGuardian
> acl_uses_indirect_client on
> # End XFF requirement
> acl no_auth src <remote subnet range>
> acl passwords_required proxy_auth REQUIRED
> http_access allow no_auth
> http_access allow passwords_required
> http_access deny all

Yeah, I followed this path and it didn't quite work the way I need it to. What happens is that if I use follow_x_forwarded_for then I can allow the IP range before auth, but then it doesn't filter. It goes from DG, then straight out per http_access allowance. If I don't use follow_x_forwarded_for then I have a problem with what DG logs for users, or I end up with more than just remote IP ranges being allowed http_access....

> > I have been working on this but can't seem to get it to work. I can get things to work if I allow the remote subnet's IPs to have http_access, but that effectively skips DG filtering. I had hoped that something like:
> >
> > acl no_auth src <remote subnet range>
> > proxy_auth REQUIRED !no_auth
>
> This would be trying to use an ACL within another ACL. Perhaps that's possible in 2.6...
>
> > or something like that would skip auth on the main Squid. But that doesn't work, maybe the syntax is invalid for proxy_auth REQUIRED.
> >
> > I know I don't have a complete understanding of acls (and much more!) and know they are very powerful if you get them right and put them in the right order, etc.
>
> Check out the Wiki section on ACLs (http://wiki.squid-cache.org/SquidFaq/SquidAcl). There's a lot of good information there.
>
> > I'm stuck in getting the remote Squid requests to go to the main Squid and then go back to DG to filter, then out through Squid without trying to authenticate again. How do I make Squid ignore authenticating some requests (by IP acl or something?) but still filter with DG? Can it be done? If not, I'll just go back to Squid Auth->DG->Squid Cache like before.
> >
> > Thanks,
> > Geoff
>
> Another option would be to create a login/password combination on the "main" Squid server, and have the "remote" Squid servers use that (e.g. the remote Squid servers would define their parent cache using "login=user:password"). *shrug*

I think I considered this also, but one of the things I want is DG to log the usernames and this would log just the one remote username...

I don't think what I want can be easily (if at all) achieved, so I've gone back to adding a separate authorization Squid in front of DG (like the old days!) and point clients on DG's local subnet to it, then the remote Squids point at DG directly. It works that way!

I think maybe the HTTP spec of logging in only once is the issue here, and I don't think Squid has a way to look at the source IP to determine whether or not to require authorization. That would be nice I think! I am using the "--require-membership-of=" in my "auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp" statement, but I don't think there's a similar "do-not-require-membership-of" sort of option for this! Besides, I don't know what this Squid is seeing compared to what the initial authentication Squid is seeing since it's already an authenticated connection...

> Chris

Geoff
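The exchange above turns on how Squid's http_access lines are evaluated once follow_x_forwarded_for and acl_uses_indirect_client are in play: with them on, the "src" ACL matches the client named in X-Forwarded-For (but only when the direct peer is the trusted DG box); with them off, every request looks like it came from DG's own IP and hits the proxy_auth check. The following is an added simplified model of that evaluation, written for this thread and not Squid's own code. It assumes constructed placeholder addresses for "<IP of DG server>" (192.0.2.10) and "<remote subnet range>" (198.51.100.0/24), and it stands in for Squid's 407 challenge with the string "challenge" whenever a request is denied after a failed proxy_auth REQUIRED match.

```python
import ipaddress

# Constructed placeholder addresses from the documentation ranges; the thread
# only gives "<IP of DG server>" and "<remote subnet range>".
DG_SERVER = ipaddress.ip_network("192.0.2.10/32")
REMOTE_SUBNET = ipaddress.ip_network("198.51.100.0/24")


class Request:
    """One request as seen by the main Squid: the TCP peer it came from,
    any X-Forwarded-For header, and whether valid proxy credentials were sent."""

    def __init__(self, direct_ip, xff=None, authenticated=False):
        self.direct_ip = ipaddress.ip_address(direct_ip)
        self.xff = xff
        self.authenticated = authenticated


def src(*networks):
    """Model of 'acl NAME src <net>': matches on the effective client address."""
    return lambda req, client: any(client in net for net in networks)


def proxy_auth_required(req, client):
    """Model of 'acl NAME proxy_auth REQUIRED': matches only with valid credentials."""
    return req.authenticated


def acl_all(req, client):
    """Model of the catch-all 'acl all' used by 'http_access deny all'."""
    return True


def indirect_client(req, trusted_peers):
    """Model of follow_x_forwarded_for: honour X-Forwarded-For only when the
    direct peer is in a trusted network; otherwise the header is ignored."""
    if req.xff and any(req.direct_ip in net for net in trusted_peers):
        # XFF lists hops client-first; with one trusted hop the first entry
        # is the originating client.
        return ipaddress.ip_address(req.xff.split(",")[0].strip())
    return req.direct_ip


def evaluate(req, rules, trusted_peers=(), acl_uses_indirect_client=False):
    """Walk http_access lines in order; the first matching line decides.
    A denial after a failed proxy_auth check is reported as 'challenge',
    standing in for the 407 that makes the client prompt for credentials."""
    client = req.direct_ip
    if acl_uses_indirect_client:
        client = indirect_client(req, trusted_peers)
    auth_checked = False
    for action, acl in rules:
        if acl is proxy_auth_required:
            auth_checked = True
        if acl(req, client):
            if action == "deny" and auth_checked and not req.authenticated:
                return "challenge"
            return action
    return "deny"


# The http_access ordering suggested in the thread.
RULES = [
    ("allow", src(REMOTE_SUBNET)),      # http_access allow no_auth
    ("allow", proxy_auth_required),     # http_access allow passwords_required
    ("deny", acl_all),                  # http_access deny all
]


def decide(direct_ip, xff=None, authenticated=False, follow_xff=True):
    """Evaluate one request with the XFF lines enabled (follow_xff=True) or not."""
    req = Request(direct_ip, xff, authenticated)
    trusted = (DG_SERVER,) if follow_xff else ()
    return evaluate(req, RULES, trusted, acl_uses_indirect_client=follow_xff)


if __name__ == "__main__":
    # Remote-site client relayed by DG: allowed without a second login.
    print(decide("192.0.2.10", xff="198.51.100.5"))
    # Same request with the XFF lines off: Squid only sees DG's IP and challenges.
    print(decide("192.0.2.10", xff="198.51.100.5", follow_xff=False))
    # Main-site client relayed by DG still has to authenticate.
    print(decide("192.0.2.10", xff="10.0.0.5"))
    print(decide("192.0.2.10", xff="10.0.0.5", authenticated=True))
    # A header claiming a remote-site client from a peer that is not DG is ignored.
    print(decide("203.0.113.7", xff="198.51.100.5"))
```

The last case is the reason the "follow_x_forwarded_for allow DansGuardian" line is scoped to the DG address rather than to everything: X-Forwarded-For is a plain request header, so the main Squid should only believe it from the one upstream it actually sits behind, or any direct client could claim a remote-site address and skip the login. The model also shows why turning the XFF lines off changes the logging picture Geoff describes, since every request then carries DG's IP as its source.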