Vosloo, Jaco wrote:
From: Amos Jeffries
From: Henrik Nordstrom
From: Vosloo, Jaco
I need to configure a transparent proxy to an upstream authenticating
proxy and I believe that Squid should be able to do this. I've been
searching the net for months now and would really appreciate any advice
or pointers.
Interception and authentication are mutually exclusive.
2. The FAQ says authentication can not be run on a transparent proxy,
this is acceptable because I do not want to authenticate on the
transparent proxy, I want the transparent proxy to let the user
authenticate to the upstream proxy.
Does not matter. What matters is that the browser isn't configured for
using a proxy so it does not accept that the requested web server (as
far as the browser knows, it's talking to the IP of the requested web
server) suddenly requests proxy authentication.
He seems to be asking for a way to let Squid ignore the Proxy-Auth
headers and simply not strip any that go through if the BC does ask for
it. Semantic transparency et al.
Thanks for the replies. Amos is correct, I'm trying to use squid as a
truly transparent proxy, it should not add anything or take anything
away except when the object is cacheable.
The browser is configured to use the upstream proxy. I want the
transparent proxy to be a MITM between the browser and the upstream
proxy and cache whatever can be cached. This is why I am wondering if a
reverse proxy in front of the upstream proxy might provide the solution?
I have full control over the browsers as well as the internal DNS so I
can change the DNS to point to whatever proxy I want.
Current setup:
Browser --Auth--> Proxy1 --> Web server
New setup:
Browser --Tunnel Auth--> ProxyMITM --Tunnel Auth--> Proxy1 --> Web Server
Regards
Jaco Vosloo
In theory Squid could do semantic transparency. In reality it does not.
All current releases began as pure forward-proxies and have been
migrating very slowly towards transparency.
Squid is currently just moving from interception level of transparency
to IP-level invisibility. The headers passing through are still handled
roughly as they would be for a regular proxy hop.
Note that to serve anything at all from the cache is a complete break of
semantic transparency anyway. So it will not be possible to have both a
cache and a semantically transparent proxy. Particularly if
authentication is going to be involved at any point of the
request/response chain.
Sounds like time we (the developers) discussed whether there are any
side effects to passing auth through unaltered on transparent requests.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
Current Beta Squid 3.1.0.10 or 3.1.0.11