Dear All

First of all, thank you to everyone who posted and helped me. I have an appropriate solution for my system. Let me share my idea.

- I have 2 boxes of squid proxy: proxy1=10.1.1.11, proxy2=10.1.1.12
- I want clients to authenticate with an AD account, Windows 2003 Server. I use squid_ldap_auth to access the AD account.
- I use cache_peer to load balance
- I use monit for my failover. I have a problem to solve with HA because I use each server for a different function, i.e. proxy1 --> proxy, DHCP; proxy2 --> proxy, DNS.
- A DNS alias can help me improve failover: "mainproxy" = 10.1.1.11, 10.1.1.12
- In the client's browser, I set "manual proxy configuration" as mainproxy:8080
- Proxy1 has a configuration like this:
  squid.conf --> squid_ldap_auth, http_port 8080, cache_peer to proxy2
- In proxy2:
  squid.conf --> squid, http_port 3128, cache_peer to proxy1
  monit --> keeps watching proxy2's port 8080. If proxy1 is down, proxy1 will replicate with a squid.conf like this --> squid_ldap_auth, http_port 8080. If proxy2 is up again, proxy1 will roll back to the old config.

I think I can accept the delay and replication time when failover operates. It's OK for my requirement.

Thanks
Chowalit

On 4/23/07, chowalit.lab Chowalit Lab Linux <chowalit.lab@xxxxxxxxx> wrote:
Dear all,

Thanks Henrik, it helps me clear up this WCCP concept. I just tried to implement my proxy farm with this solution:

- Add the domain "proxytest.mycom" to point to both of my proxies' IPs (such as 10.1.1.1, 10.1.1.2)
  our DNS
  proxytest.mycom.  IN A 10.1.1.1
                    IN A 10.1.1.2
- Set up both proxies with LDAP authentication to access the same Windows 2003 Server.
- Set the proxy domain in the client's browser as "proxytest.mycom:8080"

It looks fine. I can fix the double authentication pop-up windows, because the client will choose the proxy by itself (with round robin DNS).

However, I still have a problem. I want to restrict to only 1 IP per 1 user authentication. The problem occurs when different clients access different proxies. How can I fix this problem?

Thanks

On 4/21/07, Henrik Nordstrom <henrik@xxxxxxxxxxxxxxxxxxx> wrote:
> Wed 2007-04-18 at 17:14 +0700, chowalit.lab Chowalit Lab Linux wrote:
>
> > As I know (sorry if I have some misunderstanding), it's the same
> > result if I implement either WCCP or WPAD. The difference is in the
> > client setup. The client doesn't need to set anything in the browser,
> > but WPAD needs it.
>
> No,
>
> WCCP is transparent interception, violating RFCs etc. Here
> authentication won't work.
>
> WPAD is automatic discovery of the proxy (or to be exact automatic
> discovery of the PAC file telling the browser how it should use
> proxies). As the browser knows it's using a proxy and no RFCs are
> violated there is no problem with proxy authentication.
>
> > Sorry, I'm not clear. However, Chris claimed that HA does not fix this problem.
> > Please explain clearly.
>
> A load balanced proxy address solves a problem with basic proxy
> authentication. Basic proxy authentication is performed per proxy host
> name, and as a result PAC based solutions may result in multiple
> authentication prompts during the browsing session, one per proxy used.
> The load balancer solution where the browser always goes to the same
> load balanced proxy address avoids this.
>
> Regards
> Henrik
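On the open question in the thread (one IP per authenticated user when round robin DNS sends clients to different proxies): each Squid keeps its user-to-IP state in its own memory, so a check that covers both boxes has to correlate their logs. The following is an added example, not code from the thread, that merges constructed access.log lines in Squid's native format from two proxies and reports users seen from more than one client IP. The 300-second window, the proxy labels and the sample lines are assumptions.

```python
from collections import defaultdict

# Constructed sample lines in Squid's native access.log format
# (time elapsed client code/status bytes method URL user hierarchy type).
PROXY1_LOG = """\
1177300000.100 120 10.1.1.50 TCP_MISS/200 4512 GET http://example.com/ alice DIRECT/192.0.2.10 text/html
1177300050.300  80 10.1.1.51 TCP_DENIED/407 1780 GET http://example.com/ - NONE/- text/html
1177300060.000  95 10.1.1.51 TCP_MISS/200 900 GET http://example.com/a bob DIRECT/192.0.2.10 text/html
"""
PROXY2_LOG = """\
1177300090.700 110 10.1.1.77 TCP_MISS/200 2210 GET http://example.org/ alice DIRECT/192.0.2.20 text/html
1177309000.000  70 10.1.1.52 TCP_HIT/200 640 GET http://example.org/b bob NONE/- text/html
"""

def parse_line(line):
    """Return (timestamp, client_ip, user), or None for short or unauthenticated lines."""
    fields = line.split()
    if len(fields) < 10 or fields[7] == "-":
        return None
    return float(fields[0]), fields[2], fields[7]

def find_shared_logins(logs, window=300):
    """logs: {proxy_name: log_text}. Return {user: sorted [(ip, proxy), ...]} for
    users seen from more than one client IP within `window` seconds (assumed value)."""
    events = []
    for proxy, text in logs.items():
        for line in text.splitlines():
            parsed = parse_line(line)
            if parsed:
                events.append((*parsed, proxy))
    events.sort()                      # merge both proxies into one timeline
    last_seen = defaultdict(dict)      # user -> {ip: (timestamp, proxy)}
    flagged = defaultdict(set)
    for ts, ip, user, proxy in events:
        for other_ip, (other_ts, other_proxy) in last_seen[user].items():
            if other_ip != ip and ts - other_ts <= window:
                flagged[user].update({(ip, proxy), (other_ip, other_proxy)})
        last_seen[user][ip] = (ts, proxy)
    return {user: sorted(hits) for user, hits in flagged.items()}

if __name__ == "__main__":
    logs = {"proxy1": PROXY1_LOG, "proxy2": PROXY2_LOG}
    for user, hits in find_shared_logins(logs).items():
        print(user, hits)
```

This only detects shared logins after the fact; it does not block the second client the way a per-proxy ACL would.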