Re: [squid-users] 2 squid on the same server

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 30 Apr 2011 15:20:11 +1200

On 30/04/11 07:38, J. Webster wrote:
>
>> If by "forwarded" you mean NAT. Authentication is not possible. See the
>> FAQ about why.
>> http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Why_can.27t_I_use_authentication_together_with_interception_proxying.3F
>>
>>>
>>> Are there any examples for having 2 authentication methods run at
>>> once? Does this mean the user would have to pick an option when
>>
>> The *user* does not know anything or need to. Their browser does it.
>>
>>> connecting to the server? I don't think that will work for iPads,
>>> xboxes, DVD players, etc accessing a proxy server as they connect
>>> automatically without interaction. My current version is 2.6 - will
>>> this work with that?
>
> So,
> Connection route A: Direct to proxy listening on port 80 and port 8080 with ncsa auth.
> Ports 80, 8080, 443 will continue to be accessed with ncsa auth.
>
> Connection route B: VPN with squid logging the websites.
> Squid listening on port xxx1.
> The logs will only contain an IP address from connections from port xxx1?

The logs contain what you can grab. Sometimes IDENT protocol is
available to get the machine's main user login name. That is not
authentication though and has some big limits around reliability.
  Likewise side-band auth using external ACL helpers to figure out who
the user is from things other than credentials can provide a username in
some situations.
  So you can take bits of info and do a fairly good expert "guess" that
the client is a certain user. Just short of actual validated authentication.

> I need to make a change in iptables to block outside connections to port xxx1 and only allow port xxx1 to be accessed from the VPN network.
> What do I do with port 443 in this instance? Do I need to make a new https port on squid and forward VPN:443 to squid:xxx?

443 cannot be intercepted by Squid yet. ssl-bump opens a few options in
this area, but only works reliably with the non-intercepted traffic.
  Best option is to bypass the proxy for port 443.

>
> Connection route C: Direct to proxy listening on port xxx2 with IP address auth.
> You mentioned in the earlier email chain that if I setup IP auth as well as ncsa auth then this will mess up the authentication mechanism.
> Is there no other way to have 2 authentication methods running at the same time?

How they interact is entirely up to you and your configuration.
The http_access lists are a full-blown boolean programming language with
hundreds of ACL permutations and paths you can configure.

It is perfectly possible to configure in a way where they don't
interact, BUT you need to configure that to happen.
   Simply listing a check for NCSA auth then an external ACL check for
IP auth one after the other will cause problems. Checking the client
subnet earlier on the access line can skip one or other auth test and
avoid a clash.
  This config separation is possible for the external ACL vs auth_param
checks. Two auth_param types must combine and do the advert thing.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.7 and 3.1.12.1
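
A squid.conf fragment illustrating the ordering point made above, as an added example that is not Amos's configuration or anything shipped by the Squid project. The VPN subnet 10.8.0.0/24, ports 3129 and 3130 standing in for xxx1 and xxx2, the helper paths, and the IP-to-user helper script are all assumed.

```squid
# Added example, not from the thread or the Squid project. Assumed values:
# VPN subnet 10.8.0.0/24, port 3129 for "xxx1", port 3130 for "xxx2",
# the helper paths, and the IP-to-user script /usr/local/bin/ip_auth.sh.

# Route A: clients talk to these ports directly and must send NCSA credentials.
http_port 80
http_port 8080
# Route B: VPN clients; iptables restricts this port to the VPN interface.
http_port 3129
# Route C: clients identified by source address alone.
http_port 3130

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Proxy

# External ACL mapping a client IP to a username. The (assumed) helper reads one
# address per line and answers "OK user=name" or "ERR"; it never challenges.
external_acl_type ip_auth ttl=300 %SRC /usr/local/bin/ip_auth.sh

acl ncsa_users   proxy_auth REQUIRED
acl ip_users     external ip_auth
acl vpn_net      src 10.8.0.0/24
acl vpn_port     myport 3129
acl ipauth_port  myport 3130
acl direct_ports myport 80 8080

# Clashing order (kept commented out): every client, whatever port it used, is
# evaluated against proxy_auth first and receives a 407 challenge before the
# IP lookup is reached. VPN devices that cannot answer a challenge stall here.
# http_access allow ncsa_users
# http_access allow ip_users
# http_access deny all

# Working order: decide by listening port and source network first, so each
# client is only ever tested against the one method meant for its route.
http_access deny vpn_port !vpn_net          # xxx1 reachable from the VPN subnet only
http_access allow vpn_port vpn_net          # route B: logged by IP, no credentials
http_access allow ipauth_port ip_users      # route C: helper names the user by IP
http_access allow direct_ports ncsa_users   # route A: NCSA credentials required
http_access deny all
```

The external ACL uses only %SRC, so it can name a user without ever triggering a credential challenge; the proxy_auth ACL is reached only by clients on the direct ports, which is the separation Amos describes as possible between external ACL and auth_param checks.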
Received on Sat Apr 30 2011 - 03:20:17 MDT

This archive was generated by hypermail 2.2.0 : Sat Apr 30 2011 - 12:00:04 MDT