Hello Amos, thank you very much for your very helpful response! The vendor, while not helpful at all as they want our org to use their new application rather than proxy....Has stated they are only looking for email address and not password. But they likely mean they're looking for user.name@xxxxxxxxxxxxxx Thank you for tls-cafile= correction, as I do have GoGuardian's root certificate in that path and trusted on the Squid-hosted OS. For Login= I have been trying to pass credentials from Windows to Squid to GoGuardian. From your response, I believe you are stating to have a "machine" user account that will be static for all users passing through Squid. This setup would be fine for us, but we would prefer to have the unique user's "email" passed through so that on GoGuardian's end our reports reflect the correct user. I currently have Squid working with auth (when not handing off to GG), with Kerberos and NTLM. What I was hoping to achieve is handing this off to GG in the form of the username ("email"). I feel like I have http://www.squid-cache.org/Doc/config/cache_peer/ 's authentication options memorized, however it is possible I am using them (login=) incorrectly. The vendor refuses to look at logs on their end to troubleshoot, as they do not have access and the engineers who do aren't replying! Lovely... 1658160759.291 166 10.125.12.19 TCP_DENIED/407 4233 CONNECT abc.com:443 - HIER_NONE/- text/html "ws-iid=-" "ws-mac=00:00:00:00:00:00" "ws-duration=-" "ws-timing=-" "ws-mtime=-" "ws-scanflags=-" "ws-categories=-" "ws-trusted=-" "ws-level=-" "ws-verdict=-" "ws-policy=-" "ws-member=-" "ws-module=-" "ws-msgtype=-" "ws-param1=-" "ws-param2=-" "ws-debug=-" "squid-gt-st=199" 1658160760.048 73 10.125.12.19 NONE_NONE/200 0 CONNECT abc.com:443 johnathan.hasty@xxxxxxxxxxxxxxxxxxxxxxx HIER_NONE/- - "ws-iid=94" "ws-mac=00:00:00:00:00:00" "ws-duration=2105" "ws-timing=0" "ws-mtime=0" "ws-scanflags=63" "ws-categories=0" "ws-trusted=0" "ws-level=1" "ws-verdict=0" "ws-policy=default" "ws-member=default" "ws-module=2" "ws-msgtype=2" "ws-param1=None" "ws-param2=None" "ws-debug=None" "squid-gt-st=3220" 1658160760.165 117 10.125.12.19 TCP_TUNNEL/407 0 CONNECT abc.com:443 johnathan.hasty@xxxxxxxxxxxxxxxxxxxxxxx FIRSTUP_PARENT/52.44.107.1 - "ws-iid=95" "ws-mac=00:00:00:00:00:00" "ws-duration=63" "ws-timing=0" "ws-mtime=0" "ws-scanflags=63" "ws-categories=0" "ws-trusted=0" "ws-level=1" "ws-verdict=0" "ws-policy=default" "ws-member=default" "ws-module=2" "ws-msgtype=2" "ws-param1=None" "ws-param2=None" "ws-debug=None" "squid-gt-st=0" 1658160760.165 0 10.125.12.19 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- - "ws-iid=-" "ws-mac=-" "ws-duration=-" "ws-timing=-" "ws-mtime=-" "ws-scanflags=-" "ws-categories=-" "ws-trusted=-" "ws-level=-" "ws-verdict=-" "ws-policy=-" "ws-member=-" "ws-module=-" "ws-msgtype=-" "ws-param1=-" "ws-param2=-" "ws-debug=-" "squid-gt-st=517" ---------- CONNECT getpocket.cdn.mozilla.net:443 HTTP/1.1 Host: getpocket.cdn.mozilla.net:443 Via: 1.1 poc-websafety.usi.uncommonschools.org (squid/5.5) X-Forwarded-For: 10.125.12.19 Proxy-Authorization: Basic [redacted] Cache-Control: max-age=259200 Connection: close ---------- --------- HTTP/1.1 407 Proxy Authentication Required Proxy-Authenticate: Basic realm="Secure Browsing" Date: Mon, 18 Jul 2022 16:13:28 GMT Content-Length: 0 Connection: close ---------- Best Regards, Johnathan _______________________________________________________ Johnathan Hasty Senior DevOps Engineer Uncommon Schools C: 989.366.1672 Uncommon Schools | Change History Website | Facebook | Twitter | LinkedIn | Apply Now -----Original Message----- From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Amos Jeffries Sent: Friday, July 15, 2022 1:27 PM To: squid-users@xxxxxxxxxxxxxxxxxxxxx Subject: Re: Upstream Proxy On 16/07/22 04:05, Johnathan Hasty wrote: >> What HTTP authentication method(s) or scheme(s) does your upstream proxy support or require? > > They're very vague and not helpful. It was said they look for email, but in reality it would be user@xxxxxxxxxxxxxxxx rather than user@xxxxxxxxxxx. > > > This is the only information I have for them. > > https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fsupport.goguardian > .com%2fs%2farticle%2fDeploying-GoGuardian-Gateway-1629767892527&c=E,1, > kxoL6sN8CmL8UJVV7XAszjC5mA2VYXeLIYssH9544vgm37JbQ44M6EZogCrg-UmQilt1uk > BdNerDVyJj9CitYUk5aQX0P9NqNDjbcNYV-ImK&typo=1 > > https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fview.highspot.com% > 2fviewer%2f5f7241dd628ba24915723e85&c=E,1,dxC_Gqqw2wC0pGrZOpS7-THHKfgN > Utm5i8wjs5Ac9f2Jon2meVKJs0rNytWei3YbxnYP8cNbFntUm7e9E34E2dGHoyKwTvfmiM > MKCvRjnxg7&typo=1 > This document is providing some answers, but indeed are a bit obscure. The authentication is using LDAP service. Which means Squid should have its own account in LDAP registered as a machine account type (not a regular user, so it can avoid constant password update requirements). Those are the credentials you configure in the cache_peer line to be passed to GG. Make sure that you configure the full username string. Whether it be login=user@xxxxxxxxxxxxxxxx:password or login=user@xxxxxxxxxxx:password or login=user:password Also, cache_peer should not need sslcapath= option. Just 'tls' and ensure the Squid machine Trusted CA certs package is kept up to date. If GG has a special Server certificate based on some custom CA, then use the tls-cafile= option to load that custom public root cert. If you are still having issues, the contents of the PAC file generated for a test user account could have some more hints about what GG is expecting. HTH Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx https://linkprotect.cudasvc.com/url?a=http%3a%2f%2flists.squid-cache.org%2flistinfo%2fsquid-users&c=E,1,p0pIs1RkqwtsIzZ-qgPtXeEFoSfUyjivFLuTCVPZhVMDWCtYW2Nrlh1pGrW3jFWJYwsWZgEMtY8MTMjtg1bA-UDPcCY9hRhweJEdl7NdDScvjx-99Kir&typo=1 CAUTION : This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users