On 22/04/18 22:52, Panagiotis Bariamis wrote: >>LDAP is a database type, it is not specifically tied to the type of >>credentials used either. For example; have you looked into using >>Kerberos authentication? this over clear-text is similar or sometimes >>more secure than TLS. > > Unfortunately administrators of LDAP can only provide basic > authentication scheme, so I am stuck with TLS proxy Which is not supported by MSIE, so you are stuck with nothing at all for that traffic. :-( , plus there are 16 > squid boxes that a layer 7 load balancer routes the traffic depending on > the hash of the url , so I think even if the administrators of openldap > could provide me with kerberos or ntlm authentication I could not load > balance the traffic based on url . > If the LB are operating only at the TCP/IP level (most routing LB do) they will not have any effect on the TLS, HTTP, or HTTP auth layers. Negotiate and HTTPS will work fine (NTLM is just broken, do not go there unless forced to). OR, If the LB are really digging into the traffic sufficiently to see URLs (from inside the encryption?) then they are HTTP(S) proxies in their own right and need to be accounted for in your TLS-to-proxy plans. It may be that the LB is the entity(s) which need to be sending TLS to your Squid. With the browsers who can doing TLS to the LB proxy. That would get a portion LB<->Squid encrypted for MSIE even if the first bit cannot. Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users