On Tue, 17 Aug 2010 14:00:57 -0500, "Dean Weimer" <dweimer@xxxxxxxxxxxx> wrote: > I know when using squid as an intercept proxy it can't do authentication > as the clients don't know it's there, but do any of you out there know if > you can use it with a parent proxy that requires authentication? > > The specific scenario I am considering is Squid in DMZ with WCCPv2 used in > conjunction with a Cisco ASA 5520 firewall and an external (Websense > filtering) proxy that requires authentication, both NTLM and basic > authentication is supported. > > Clients > | > Cisco ASA5520 -WCCPv2- Squid 3.1.6 (In DMZ) -- Secondary Internet > Connection -- Parent Proxy Service > | > Internet > > We are currently using auto-detect, but continually keep running into > applications that don't recognize auto-detect, or sometimes don't even have > the ability to read a configuration script. I am trying to come up with a > way to alleviate the user's issues, without losing our local cache. And > keeping the HR and Legal departments happy by continuing to filter websites > with content that some could find offensive, as well as blocking unsafe > (malware/spyware) websites. 1) IF the client thinks its talking to the parent proxy. cache_peer login=PASS (or login=PASSTHRU) will pass on the credentials without requiring auth within Squid. 2) IF Squid itself needs to login to the parent. cache_peer login= with username:password will insert the given login to relayed requests. NP: Older Squid only allow Basic auth protocol credentials to be added this way. 3.2 brings the ability to do Negotiate/Kerberos as well. NTLM remains a sticky problem. This login= is only relevant once on a cache_peer entry. So its one or the other can be used at once. #2 is probably better/simpler for you since the clients are not involved in the auth process. Hope this helps. Amos
