Hello All,
I have 2 squid servers that authenticate correctly when you point your browser directly at either of them. I'm using negotiate_wrapper, set up following this guide: (http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory)
I would like to put both servers behind a haproxy load balancer; however, when clients go through the haproxy load balancer, authentication no longer works. It just returns an error asking the client to authenticate.
Any ideas?
Thanks in advance.
##HAPROXY.CFG##
# Process-wide settings: syslog targets, chroot + unprivileged user, daemonize.
global
log /dev/log local0
log /dev/log local1 notice
# Privilege drop after startup (chroot and non-root user/group).
chroot /var/lib/haproxy
user haproxy
group haproxy
daemon
defaults
log global
mode http
option httplog
option dontlognull
# contimeout/clitimeout/srvtimeout are the legacy spellings of
# "timeout connect" / "timeout client" / "timeout server" (milliseconds);
# newer haproxy releases warn about them.
contimeout 5000
clitimeout 50000
srvtimeout 50000
# reverse proxy-squid
# NOTE(review): if browsers are pointed at this balancer address/name, Kerberos
# clients will request a ticket for HTTP/<that name>; both squid keytabs
# presumably need to hold that SPN -- confirm against the squid wiki setup.
listen proxy 10.10.0.254:3128
mode http
# NOTE(review): a cookie inserted by a *forward* proxy rides on whichever origin
# site's response passes through, so it does not give one client a stable squid
# backend across sites. "balance source" (hash on client IP) is the usual
# stickiness for proxy traffic -- verify for the haproxy version in use.
cookie SERVERID insert indirect nocache
balance roundrobin
# NOTE(review): most likely cause of the re-authentication prompt. NTLM (here
# carried inside Negotiate) authenticates the TCP connection, so all steps of
# the handshake must reach the same squid on the same connection. "httpclose"
# asks both sides to close after every request and "roundrobin" can then send
# the next step to the other squid. Alternatives: "mode tcp" plus "balance
# source" for this listener, or on haproxy >= 1.5 "option http-keep-alive"
# together with "option prefer-last-server".
option httpclose
# Adds the client IP as an "X-Client" header. Squid itself sees the haproxy
# host as the client address; its follow_x_forwarded_for directive looks for
# the standard X-Forwarded-For name, so this renamed header is unlikely to be
# honoured for logging/ACLs -- verify.
option forwardfor header X-Client
# Health check every 2 s: 2 consecutive passes mark a server up, 5 failures down.
server squid1 10.10.0.253:3128 check inter 2000 rise 2 fall 5
server squid2 10.10.0.252:3128 check inter 2000 rise 2 fall 5
##SQUID.CONF##
#Kerberos and NTLM authentication
# negotiate_wrapper passes NTLM tokens to ntlm_auth and Kerberos tokens to
# negotiate_kerberos_auth.
# NOTE(review): "--diagnostics" (ntlm_auth) and "-d" (negotiate_kerberos_auth)
# are debug switches; they presumably write handshake detail and usernames to
# cache.log -- drop them once the setup works.
# NOTE(review): behind the balancer, the SPN in each squid's keytab must match
# the proxy name configured in the browsers, otherwise clients fall back to
# NTLM or a credential prompt -- confirm.
auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=****.LOCAL --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 30
auth_param negotiate keep_alive off
# LDAP authentication
# Fallback Basic auth against AD: the browser sends the user's password
# Base64-encoded (not encrypted), and the helper binds to the DCs listed by -h.
# NOTE(review): "-w" places the bind password on the helper's command line,
# where any local user can read it from the process list; "-W <PATH-TO-PASSWORD-FILE>"
# reads it from a root-only file instead. No "-Z" (StartTLS) or ldaps is used,
# so the bind credential and the users' passwords cross the network in clear --
# enable "-Z" if the DCs accept StartTLS. The same applies to the "-w" on the
# ext_ldap_group_acl line below.
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b "DC=****,DC=local" -D "CN=SQUID,OU=Service Accounts,DC=****,DC=local" -w "****" -f sAMAccountName=%s -h 10.0.0.200,10.0.0.199,10.0.0.194,10.0.0.193
auth_param basic children 150
auth_param basic realm Please enter your Domain credentials to continue
# A username:password pair validated by the helper is trusted for one hour
# before it is checked against LDAP again.
auth_param basic credentialsttl 1 hour
# AD group membership commands
# Looks up the authenticated %LOGIN in AD; -K/-S strip the Kerberos realm and
# NT domain from the login before the search (%v = user, %a = group name).
# Results are cached for 60 s (ttl=60), so group changes take up to a minute.
external_acl_type ldap_group ttl=60 children-startup=10 children-max=50 children-idle=2 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "DC=****,DC=local" -D "CN=SQUID,OU=Service Accounts,DC=****,DC=local" -w "****" -f "(&(objectclass=person) (sAMAccountname=%v)(memberof=CN=%a,OU=PROXY,ou=ALL Groups,DC=****,DC=local))" -h dc1.****.local,dc2.****.local,dc3.****.local,dc4.****.local
# Matches only requests carrying valid proxy credentials.
acl auth proxy_auth REQUIRED
# Matches users who are a member of any one of the listed PROXY-* groups.
acl REQGROUPS external ldap_group PROXY-HIGHLY-RESTRICTIVE PROXY-MEDIUM-RESTRICTIVE PROXY-MINIMAL-RESTRICTIVE PROXY-UNRESTRICTED PROXY-DEV PROXY-SALES
# Unauthenticated requests are denied (a deny decided by a proxy_auth ACL makes
# squid send the 407 challenge); authenticated users outside the listed groups
# are denied. The "allow" rules that follow are not shown in this excerpt.
http_access deny !auth all
http_access deny !REQGROUPS all
Samuel Anderson | Information Technology Administrator | International Document Services
IDS | 11629 South 700 East, Suite 200 | Draper, UT 84020-4607
CONFIDENTIALITY NOTICE:
This e-mail and any attachments are confidential. If you are not an intended recipient, please contact the sender to report the error and delete all copies of this message from your system. Any unauthorized review, use, disclosure or distribution is prohibited.