On 16/03/2015 11:26 a.m., Alex Samad wrote:
> Hi
>
> Sorry gmail sent before I could finish
>
> On 16 March 2015 at 09:24, Alex Samad <alex@xxxxxxxxxxxx> wrote:
>> Hi
>>
>> I have 2 squid boxes that exist in my 2 DC.
>>
>> They are on the same vlan/ip network and I use dns round robin
>>
>> cache_peer <other> sibling 3128 3130 proxy-only
>>
>> in addition to this I added in
>>
>> # ICP ALLOW
>> acl icp_allowed src 10.3.2.1/32 << the ip of the other squid box to allow icp
>>
>> http_access allow icp_allowed << need to allow this so that squid-a
>> can request from squid-b without authenticating (do I need to do this)
>>
>> icp_port 3130
>> icp_access allow icp_allowed
>> icp_access deny all
>>
>> these are running squid-3.1.10-29.el6.x86_64
>>
>> my new box (in the office) is running
>> squid-3.4.10-1.el6.x86_64
>>
>> cache_peer squid-b parent 3128 0 weighted-round-robin weight=5
>> cache_peer squid-a parent 3128 0 weighted-round-robin weight=2
>>
>> I had to turn on ICP, I kept seeing error of not allowed!
>>
>> We have authenticated access to the proxy, usually via ntlm so all
>> requests are logged against a user.
>>
>> I do have some boxes that need unauthenticated access
>>
>> Config questions
>> 1) how do I get user authentication to flow through
>> if a user requests from squid-a and it takes it from squid-b. I
>> would like the user ids logged on both
>> if a user requests from new squid to either squid-a or squid-b. I
>> would like the auth (which would be done on new-squid) to flow through
>> to either squid-a or squid-b.

This is not possible with NTLM authentication. NTLM is authenticating the
TCP connection between client and proxy underneath the HTTP layer and has
a complex handshake setting up a security token per-connection with the DC
server. The TCP connection outbound from the proxy is a different
connection, and also is not from the client.

It's possible with Negotiate/Kerberos or Basic auth.
Even though Negotiate is also authenticating the TCP connection, the
handshake is simpler and the token can be relayed to the peer proxy.

NP: Though be careful in an environment using NTLM. You may get
Negotiate/NTLM tokens flowing around, which won't work any more than NTLM
does.

> 2) how do I setup ICP to work properly

Use HTCP for a better HIT ratio with fewer false positives in HTTP/1.1.

> 3) is the cache_peer to squid-a squid-b from new-squid type parent ?

No. But to get the authentication to work you will need the login=PASSTHRU
parameter (and be using Basic or Negotiate/Kerberos).

> 4) do I need to allow ICP clients full access, this is the squid-a to
> squid-b link ?

You should not have to. However, it also should not matter - when the
first proxy is doing auth you know the traffic coming out of it is
authenticated. Not doing auth twice is faster.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
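The following squid.conf fragment pulls together the recommendations in the reply above: HTCP instead of ICP between the two DC siblings, with the HTCP port restricted to the peer proxies, and login=PASSTHRU on the parent entries of the new office proxy so that Basic or Negotiate/Kerberos credentials reach the DC proxies and the user is logged there too. It is an added example, not configuration from the thread or from the Squid project; the hostnames squid-a and squid-b, the addresses 10.3.2.1/32 and 10.3.2.2/32, and the use of the default HTCP port 4827 are assumptions.

```conf
# ---- New office proxy (squid-3.4) ----
# Forward to both DC proxies as parents. login=PASSTHRU relays the
# client's Proxy-Authorization header to the parent; this only works
# for Basic or Negotiate/Kerberos. NTLM authenticates the client's TCP
# connection, which ends at this proxy, so it cannot be relayed.
# The fourth field is the peer's HTCP port (assumed 4827) and the htcp
# option tells Squid to query that port with HTCP rather than ICP.
cache_peer squid-b parent 3128 4827 htcp weighted-round-robin weight=5 login=PASSTHRU
cache_peer squid-a parent 3128 4827 htcp weighted-round-robin weight=2 login=PASSTHRU

# ---- Each DC proxy (this copy is for squid-a; mirror it on squid-b) ----
# Listen for HTCP and allow it only from the other proxies.
# htcp_access governs HTCP queries only; it is independent of http_access,
# so the peer does not gain HTTP access to the cache through these lines.
htcp_port 4827
acl peer_proxies src 10.3.2.1/32 10.3.2.2/32
htcp_access allow peer_proxies
htcp_access deny all

# Sibling relationship to the other DC proxy over HTCP instead of ICP.
# proxy-only keeps objects fetched from the sibling out of the local cache.
cache_peer squid-b sibling 3128 4827 htcp proxy-only

# Once the old ICP entries (icp_port, icp_access) are removed, the
# "not allowed" ICP errors seen on the new box no longer apply.
```

The DC proxies must be running a Basic or Negotiate/Kerberos scheme in their auth_param configuration for the relayed credentials to be accepted and logged; under NTLM the passed-through token is useless to them, as the reply explains. Check the access.log on a DC proxy for a request coming from the office proxy and confirm the username column is populated rather than "-" before relying on it.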