Search squid archive

Re: Problem with HAProxy + Squid 4.11 + Kerberos authentication

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Sorry forgot to add to Amos'es answer - use haproxy to handle *tcp* connections and let the sslbump/authentication run on the cluster of squids - thus you would get working auth on squid side and use keepalived/haproxy on the client side.

I do not see any reason why it cannot work unless you specifically desire to use some haproxy's features for l7 loadbalancing.

Best regards,
Rafael Akchurin
Diladele B.V.

-----Original Message-----
From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Klaus Brandl
Sent: Friday, July 24, 2020 10:45 AM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re:  Problem with HAProxy + Squid 4.11 + Kerberos authentication

Hi Brett,

but then you have a single point of failure, if your loadbalancer is down, 
nothing will work. We need a solution, that each system can work by itself. So 
at the moment we merge the keytabs of each system together, and we are able to 
takeover the addresses of the other systems. Then we have no loadbalancing, 
but a fallback solution, what is more important on our systems.

On Friday 24 July 2020 09:53:03 Brett Lymn wrote:
> On Thu, Jul 23, 2020 at 06:07:39PM +0200, Klaus Brandl wrote:
> > But if anyone knows a solution, i will spread my ears :)
> 
> What we do is:
> 
> 1) create a user account in AD that will be used for the HA front end,
> set a password and export the keytab for this user
> 2) Use ktadmin to import the keytab entries for the user created in step
> 1 into the keytab for squid on the squid servers.
> 3) Set a SPN (setspn) in AD that maps HTTP://ha.fqdn.address to the user
> created in 1
> 
> The SPN (service principal name) tells kerberos to use the user details
> set up in step 1 to authenticate http requests.  This works for us, has
> been for years.
> 
> One thing, if you want to know the IP addresses of your clients in the
> squid logs you will need to do some extra stuff because all accesses
> will appear to come from the HA loadbalancer.  We have configured our
> load balancers to insert the X-Forwarded-For header into the http
> traffic and then modified the logging to log both the loadblancer and
> client IP.

Klaus

---

genua GmbH
Domagkstrasse 7, 85551 Kirchheim bei Muenchen
tel +49 89 991950-0, fax -999, www.genua.de

Geschaeftsfuehrer: Matthias Ochs, Marc Tesch
Amtsgericht Muenchen HRB 98238
genua ist ein Unternehmen der Bundesdruckerei-Gruppe.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux