On Wed, 24 Feb 2010 16:27:44 +0100, Bastian Spanneberg <bastian.spanneberg@xxxxxxxxxxxx> wrote:

> Thx again for the help, Henrik
>
>> localhost is not in your list of sites/domains to forward to the
>> SERVICES cache_peer...
>>
>> but most do not want this.. they want localhost services to be
>> restricted to browsers running on the same box, not random clients out
>> anywhere on the net..
>
> That was mainly intended for test purposes, but meanwhile, I just edited
> my /etc/hosts for testing, and my current setup seems to work nicely
> concerning this.
>
>> You need to tell Squid that the peer is trusted for forwarding login
>> credentials. See the login= option to cache_peer.
>
> That was exactly what was missing, and this works nicely now, too.
> But I'm still not finished yet :)
>
> Now, I added a parent proxy and proxy-authentication to the forwarding
> proxy configuration, and the new problem is that when I use the
> instance as proxy now, I'm prompted for authentication for every host I
> visit/connect to.
>
> It looks like the browser (Firefox) sees the proxy authentication as
> basic HTTP authentication on every site.
>
> Here are the important parts of my current configuration:
>
> http_port 80 accel
>
> cache_peer 127.0.0.1 parent 7070 0 no-query originserver login=PASS
> name=SERVICES
> acl FOO dstdomain www.example.net
> cache_peer_access SERVICES allow FOO
> cache_peer_access SERVICES deny all
> acl CONNECT method CONNECT
> never_direct allow FOO !CONNECT
>
> auth_param basic program /usr/lib/squid/db_auth --user user --password
> pass --plaintext --persist
> auth_param basic children 5
> auth_param basic realm Proxy-Auth
> auth_param basic credentialsttl 1 minute
> auth_param basic casesensitive off
> acl db-auth proxy_auth REQUIRED
>
> [...]
>
> http_access allow db-auth
> http_access allow localhost
> http_access deny all

NP: none of the http_access rules below "deny all" will work.

> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access deny all
> icp_access allow all
>
> cache_peer 127.0.0.1 parent 9090 0 no-query name=PROXY
> cache_peer_access PROXY allow db-auth
>
> Any ideas why the authentication is regarded as basic HTTP by the browser?

Because the "accel" flag tells Squid to behave like the authoritative web server for all incoming requests. When it needs auth it sends a web-server auth challenge (linked to domain name by the browser to prevent XSS credential loss), not a proxy challenge (linked to the proxy IP or user session by the browser).

You require a second http_port line without "accel" that browsers are configured to connect to for regular proxy access.

Amos
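As an added illustration (not part of Amos's message or of the Squid project's own documentation), a squid.conf fragment applying the advice above: the accel port keeps serving the reverse-proxied site, and a separate plain port takes browser proxy traffic so that authentication is challenged as 407 Proxy-Authenticate instead of 401. The port number 3128 and the myport ACLs are assumptions, and the http_access order follows the note that rules below "deny all" never match.

```conf
# Plain forward-proxy port (assumed number). Browsers are configured to
# use this port; auth challenges sent here are proxy challenges, which the
# browser caches per proxy rather than per web site.
http_port 3128

# Reverse-proxy port for the published service, as in the original setup.
http_port 80 accel

# Origin server behind the accel port; login=PASS forwards client credentials.
cache_peer 127.0.0.1 parent 7070 0 no-query originserver login=PASS name=SERVICES
acl FOO dstdomain www.example.net
cache_peer_access SERVICES allow FOO
cache_peer_access SERVICES deny all
acl CONNECT method CONNECT
never_direct allow FOO !CONNECT

# Upstream parent used for regular proxy traffic.
cache_peer 127.0.0.1 parent 9090 0 no-query name=PROXY

auth_param basic program /usr/lib/squid/db_auth --user user --password pass --plaintext --persist
auth_param basic children 5
auth_param basic realm Proxy-Auth
auth_param basic credentialsttl 1 minute
auth_param basic casesensitive off
acl db-auth proxy_auth REQUIRED

# Tell the two kinds of traffic apart by the local port they arrived on
# (myport ACLs are an assumption here, not from the original config).
acl accelport myport 80
acl proxyport myport 3128

# Safety denials first, then the allows, then the final deny all.
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
# Reverse-proxied site: no proxy authentication on the accel port.
http_access allow accelport FOO
# Forward proxy: only authenticated users, only on the plain port.
http_access allow proxyport db-auth
http_access deny all

# Only authenticated forward-proxy requests may be relayed to the parent.
cache_peer_access PROXY allow proxyport db-auth
cache_peer_access PROXY deny all
```

Requests arriving on port 80 for www.example.net go to SERVICES without a proxy challenge, while requests on port 3128 are challenged once per proxy session and then relayed to PROXY.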