Sorry, forgot to add to Amos's answer: use HAProxy to handle *tcp* connections and let the sslbump/authentication run on the cluster of Squids. Thus you would get working auth on the Squid side and use keepalived/HAProxy on the client side. I do not see any reason why it cannot work, unless you specifically desire to use some of HAProxy's features for L7 load balancing.

Best regards,
Rafael Akchurin
Diladele B.V.

-----Original Message-----
From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Klaus Brandl
Sent: Friday, July 24, 2020 10:45 AM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Problem with HAProxy + Squid 4.11 + Kerberos authentication

Hi Brett,

but then you have a single point of failure: if your load balancer is down, nothing will work. We need a solution where each system can work by itself. So at the moment we merge the keytabs of each system together, and we are able to take over the addresses of the other systems. Then we have no load balancing, but a fallback solution, which is more important on our systems.

On Friday 24 July 2020 09:53:03 Brett Lymn wrote:
> On Thu, Jul 23, 2020 at 06:07:39PM +0200, Klaus Brandl wrote:
> > But if anyone knows a solution, I will spread my ears :)
>
> What we do is:
>
> 1) create a user account in AD that will be used for the HA front end,
>    set a password and export the keytab for this user
> 2) Use ktadmin to import the keytab entries for the user created in step
>    1 into the keytab for squid on the squid servers.
> 3) Set an SPN (setspn) in AD that maps HTTP://ha.fqdn.address to the user
>    created in 1
>
> The SPN (service principal name) tells kerberos to use the user details
> set up in step 1 to authenticate http requests. This works for us, has
> been for years.
>
> One thing, if you want to know the IP addresses of your clients in the
> squid logs you will need to do some extra stuff because all accesses
> will appear to come from the HA load balancer. We have configured our
> load balancers to insert the X-Forwarded-For header into the http
> traffic and then modified the logging to log both the load balancer and
> client IP.

Klaus

---
genua GmbH
Domagkstrasse 7, 85551 Kirchheim bei Muenchen
tel +49 89 991950-0, fax -999, www.genua.de
Managing directors: Matthias Ochs, Marc Tesch
Local court Munich HRB 98238
genua is a company of the Bundesdruckerei group.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
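Both Brett's step 2 (importing the HA front-end principal's keys into each Squid node's keytab) and Klaus's merged-keytab takeover setup rely on every node's keytab containing the right HTTP/ service principals. The following is an added example, not code from this thread or from Squid: it writes a small MIT-format keytab (version 0x0502) from constructed entries, parses it back, and reports which required SPNs are missing, which is the check you would run on each node after merging. The realm EXAMPLE.COM, the hosts ha.example.com, proxy1.example.com and proxy2.example.com, and the key bytes are placeholders, not real material.

```python
"""Check a (merged) Squid keytab for the HTTP/ service principals a node needs.

Added example, not code from the squid-users thread or from Squid itself.
Realm, host names and key bytes below are constructed placeholders.
"""
import struct
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab format version 2, big-endian fields
KRB5_NT_PRINCIPAL = 1        # name type stored with each entry
ETYPE_AES256_SHA1 = 18       # aes256-cts-hmac-sha1-96
REALM = "EXAMPLE.COM"        # placeholder realm


@dataclass(frozen=True)
class KeytabEntry:
    principal: str   # e.g. "HTTP/ha.example.com@EXAMPLE.COM"
    kvno: int
    enctype: int
    key: bytes
    timestamp: int = 0


def _counted(data: bytes) -> bytes:
    """16-bit length prefix + bytes, as used for realm, components and keys."""
    return struct.pack(">H", len(data)) + data


def _take(blob: bytes, p: int):
    """Read one counted octet string at offset p; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", blob, p)
    return blob[p + 2:p + 2 + n], p + 2 + n


def write_keytab(entries) -> bytes:
    """Serialize entries in the on-disk layout klist/ktutil understand.

    A real keytab holds one entry per (principal, enctype); this writer emits
    whatever entries it is given, one record each."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for c in components:
            body += _counted(c.encode())
        body += struct.pack(">I", KRB5_NT_PRINCIPAL)
        body += struct.pack(">I", e.timestamp)
        body += struct.pack(">B", e.kvno & 0xFF)            # legacy 8-bit vno
        body += struct.pack(">H", e.enctype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)                   # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body          # record length prefix
    return bytes(out)


def read_keytab(blob: bytes):
    """Parse a version-2 keytab; a negative record length marks a deleted slot."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                 # hole left by ktutil 'delent'
            pos += -size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", blob, p)
        p += 2
        realm, p = _take(blob, p)
        comps = []
        for _ in range(ncomp):
            c, p = _take(blob, p)
            comps.append(c.decode())
        p += 4                       # name type, not needed here
        (ts,) = struct.unpack_from(">I", blob, p)
        p += 4
        kvno = blob[p]               # 8-bit vno
        p += 1
        (etype,) = struct.unpack_from(">H", blob, p)
        p += 2
        key, p = _take(blob, p)
        if end - p >= 4:             # optional 32-bit vno overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", blob, p)
            if kvno32:
                kvno = kvno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, etype, key, ts))
        pos = end
    return entries


def missing_spns(blob: bytes, required) -> list:
    """Return the required principals that have no key in this keytab."""
    present = {e.principal for e in read_keytab(blob)}
    return [spn for spn in required if spn not in present]


def demo_keytab() -> bytes:
    """Constructed keytab for node proxy1 after importing the HA principal."""
    return write_keytab([
        KeytabEntry(f"HTTP/proxy1.example.com@{REALM}", 3, ETYPE_AES256_SHA1, bytes(range(32))),
        KeytabEntry(f"HTTP/ha.example.com@{REALM}", 7, ETYPE_AES256_SHA1, bytes(range(32, 64))),
    ])


if __name__ == "__main__":
    blob = demo_keytab()
    for e in read_keytab(blob):
        print(f"{e.principal:40} kvno={e.kvno} etype={e.enctype}")
    # For full address takeover (Klaus's setup) the node would also need
    # the other nodes' SPNs, so proxy2's is reported as missing here.
    need = [f"HTTP/{h}.example.com@{REALM}" for h in ("ha", "proxy1", "proxy2")]
    print("missing:", missing_spns(blob, need))
```

On a real node, `klist -kte /etc/squid/squid.keytab` gives the same principal/kvno/enctype listing; the kvno must match the current one in AD, otherwise the Squid negotiate helper cannot decrypt tickets clients obtained for the HA SPN. Note that Rafael's tcp-mode HAProxy keeps Kerberos working because the HTTP exchange stays end-to-end, but a tcp-mode balancer cannot insert X-Forwarded-For as in Brett's setup; to keep client IPs in the logs you would need the PROXY protocol (Squid's http_port accepts it with require-proxy-header) or log at the balancer.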