2011/10/18 E.S. Rosenberg <esr+squid@xxxxxxxxxxx>:
> Hi all,
> We currently have a setup with proxies that use NTLM authentication
> (we hope to upgrade to Kerberos in the future) and based on the
> username send the user to one of several parent proxies, to improve
> caching we would like to instead route all traffic through one proxy
> that is heavily optimized for caching (has its own large storage
> etc.).
>
> I saw in the documentation that it is possible to pass the
> authentication to the parent, as far as I can tell I can 'tell' the
> parent in several ways how to route the client:
> - I can pass the username to the parent
> - I can 'NAT' the user's connection as it leaves the child proxy (src
> ip rewrite rules) and have source IP based rules on the parent.
> - I could set up multiple instances of the same parent with different
> login details and 'route' based on username to each of said 'parents'
>
> It seems to me that the second option would result in better
> performance on the one hand but on the other hand it would add more
> obfuscation, however performance is more important to me.
>
> Am I correct in my analysis? Is passing the username to parent a lot
> slower, would it require another ntlm-auth binary running on the
> parent or can the username just pass cleartext between the proxies
> and therefore the whole 'authentication' is a lot faster....
>
> Thanks for your brain-cycles,
> Eli
>

Just wondering why you need to pass the username to the 2nd layer proxy. I
mean, the 1st layer, the one that does authentication, also does filtering
permissions.

LD
http://www.twitter.com/ldlq