Redirect request to cache_peer using username and passwords


Prem Chand

Hi,

I need to redirect my clients' requests to different Cache_peers using username and passwords through my proxy. Below is the rough sketch. Can someone suggest to me how I can achieve this?

Client1(Username1:password1) ->Proxy:443 -> Cache_peer:3218
Client 2(Username2:password2)->Proxy:443-> Cache_peer:3219
.
.
.
.

This is my current configuration. I'm doing round robin through cache_peers when authenticated with a single username and password in the /etc/squid/squidpasswdfile file:

auth_param basic program /usr/lib64/squid/ncsa_auth /etc/squid/squidpasswdfile
auth_param basic realm proxy
acl auth_users proxy_auth REQUIRED
http_access allow auth_users
http_access deny all
cache_peer Peer1 parent 3218 0 round-robin no-query weight=1 connect-fail-limit=1
cache_peer Peer2 parent 3219 0 round-robin no-query weight=1 connect-fail-limit=1
cache_peer Peer3 parent 3219 0 round-robin no-query weight=1 connect-fail-limit=1

Thanks & Regards
Premchand.

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Redirect request to cache_peer using username and passwords

Amos Jeffries
Administrator
On 2/07/20 9:49 pm, Prem Chand wrote:
>
> Hi,
>
> I need to redirect my clients requests to different Cache_peers using
> username and passwords through my proxy. Below is the rough sketch. Can
> someone suggest to me how I can achieve this?


FYI: "redirect" is the wrong word; it has a meaning in HTTP completely
different from what you are talking about.

Peers are for message *routing*.

>
> Client1(Username1:password1) ->Proxy:443 -> Cache_peer:3218
> Client 2(Username2:password2)->Proxy:443-> Cache_peer:3219
> .

That is possible.

However, what do you want to happen when that user's dedicated peer is
unavailable?
 Stop all access for them?

 Failover to going "DIRECT" instead of through the peer?

 Use some other peer, and if so which one and based on what criteria?


>
> This is my current configuration, I'm doing round robin through
> cache_peers when authenticated with a single username and password in
> /etc/squid/squidpasswdfile file

Are you wanting to keep this behaviour?

You can select a group of peers that each user has access to and apply
round-robin to them. However, any peer that is used by more than one
user will have its RR calculation implemented by *both* to prevent overuse.
 So the RR behaviour will not be easily visible. Selected peer (single
only) will be whichever one the user is allowed to access *and*
currently had least traffic going there.


Amos

Re: Redirect request to cache_peer using username and passwords

Prem Chand
Hi Amos,

Thanks for the response.

> However, what do you want to happen when that user's dedicated peer is unavailable?

Can it be routed to another peer if a dedicated peer is unavailable? Because each peer is accessed by a different username and password. If there is an option to route then I will keep a backup peer (Peer4), so if any one of the peers (Peer1, Peer2, Peer3) is unavailable it can route to the backup peer, and once the unavailable peer becomes available then traffic should auto route to them from the backup peer.

If there is no option that fits as I explained above then I want to stop all access for them.

> Are you wanting to keep this behaviour?

I don't want to use the round-robin behaviour. I want to route requests to dedicated Peer/Client.


Re: Redirect request to cache_peer using username and passwords

Amos Jeffries
Administrator
On 3/07/20 12:59 am, Prem Chand wrote:

> Hi Amos,
>
> Thanks for the response.
>
> However, what do you want to happen when that user's dedicated peer is
> unavailable?
> Can it be routed to another peer if a dedicated peer is unavailable?
> because each peer is accessed by a different username and password. If
> there is an option to route then I will keep a backup peer(Peer4) so if
> any one of the peers(Peer1,Peer2,Peer3) is unavailable it can route to
> the backup peer and once the unavailable peer become available then
> traffic should auto route to them from backup peer.
>
> If there is no option that fits as I explained above then I want to stop
> all access for them.
>
> Are you wanting to keep this behaviour?
> I don't want to use the round-robin behaviour. I want to route requests
> to dedicated Peer/Client.
>


So what you want requires Squid-3.4 or later and looks something like this:


 auth_param ...
 acl authed proxy_auth REQUIRED
 http_access deny !authed
 http_access allow authed

 acl user1 note user username1
 acl user2 note user username2
 acl user3 note user username3

 # per-user peers first (preferred)
 cache_peer peer1 ...
 cache_peer_access peer1 allow user1
 cache_peer_access peer1 deny all

 cache_peer peer2 ...
 cache_peer_access peer2 allow user2
 cache_peer_access peer2 deny all

 cache_peer peer3 ...
 cache_peer_access peer3 allow user3
 cache_peer_access peer3 deny all

 # last peer for any user (if above are unavailable)
 cache_peer peer4 ...
 cache_peer_access peer4 allow all

 # forbid DIRECT traffic
 never_direct allow all



HTH
Amos

Re: Redirect request to cache_peer using username and passwords

Prem Chand
Hi Amos,

I tried the configuration that you suggested but I'm getting the below error. It seems the requests are not getting forwarded to cache_peer. I'm unable to figure out what the cause of the issue is. If I revert to my previous configuration I'm not seeing any issue with the cache_peers.

** Establish HTTP proxy tunnel to www.google.com:443
* Proxy auth using Basic with user 'username1'
> CONNECT www.google.com:443 HTTP/1.1
> Host: www.google.com:443
> Proxy-Authorization: Basic bGluZTE6dGVzdGluZw==
> User-Agent: curl/7.58.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 503 Service Unavailable
< Server: squid/3.5.27
< Mime-Version: 1.0
< Date: Mon, 06 Jul 2020 10:24:28 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 3905
< X-Squid-Error: ERR_CANNOT_FORWARD 0
< Vary: Accept-Language
< Content-Language: en
<
* Received HTTP code 503 from proxy after CONNECT
* CONNECT phase completed!
* Closing connection 0
curl: (56) Received HTTP code 503 from proxy after CONNECT


Re: Redirect request to cache_peer using username and passwords

Prem Chand
Hi Amos,

On further digging I understood that the acl route via cache_peer_access (cache_peer_access Peer1 allow user1) is not working, hence requests are failing. I'm not sure of the exact reason. Can you please suggest how to fix this?

acl user1 note user username1
cache_peer Peer1 parent 3218 0 round-robin no-query weight=1 connect-fail-limit=1 name=Peer1
cache_peer_access  Peer1 allow user1 
cache_peer_access deny all



Re: Redirect request to cache_peer using username and passwords

Prem Chand
Below is the right config that I updated in my squid.conf file

acl user1 note user username1
cache_peer Peer1 parent 3218 0  no-query  connect-fail-limit=1 name=Peer1
cache_peer_access  Peer1 allow user1 
cache_peer_access  Peer1 deny all

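Added example, not part of the thread and not Squid's own tooling: a small Python check for the per-user routing layout discussed above. It flags `cache_peer_access` lines that lack a peer name or ACL, peers left without restrictions, and a missing `never_direct allow all`. The function name `lint_peer_routing`, the backup peer `Peer4` on port 3220 and both sample configurations are constructed for illustration.

```python
def lint_peer_routing(conf_text):
    """Return sorted (line_no, message) findings for per-user cache_peer routing."""
    peers, rules, findings, never_direct = {}, {}, [], False
    for no, raw in enumerate(conf_text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if not tok:
            continue
        if tok[0] == "cache_peer" and len(tok) >= 2:
            # cache_peer_access refers to name= when it is set, else to the hostname
            name = next((t[5:] for t in tok[2:] if t.startswith("name=")), tok[1])
            peers[name] = no
            rules.setdefault(name, [])
        elif tok[0] == "cache_peer_access":
            # documented form: cache_peer_access <peer> allow|deny <acl> ...
            if len(tok) < 4 or tok[2] not in ("allow", "deny"):
                findings.append((no, "malformed cache_peer_access (peer name or ACL missing)"))
            elif tok[1] not in peers:
                findings.append((no, "cache_peer_access for undeclared peer " + tok[1]))
            else:
                rules[tok[1]].append((tok[2], tok[3:]))
        elif tok == ["never_direct", "allow", "all"]:
            never_direct = True
    for name, peer_rules in rules.items():
        if not peer_rules:
            findings.append((peers[name], name + ": no access rules, usable by every user"))
        elif peer_rules[-1][1] != ["all"]:
            findings.append((peers[name], name + ": last rule is not an explicit 'all' rule"))
    if not never_direct:
        findings.append((0, "no 'never_direct allow all': DIRECT forwarding not forbidden"))
    return sorted(findings)

# Constructed sample: the non-working per-user block posted in the thread.
BROKEN = """\
acl user1 note user username1
cache_peer Peer1 parent 3218 0 round-robin no-query weight=1 connect-fail-limit=1 name=Peer1
cache_peer_access Peer1 allow user1
cache_peer_access deny all
"""

# Constructed sample: corrected block plus a backup peer (Peer4 and port 3220 are assumed).
FIXED = """\
acl user1 note user username1
cache_peer Peer1 parent 3218 0 no-query connect-fail-limit=1 name=Peer1
cache_peer_access Peer1 allow user1
cache_peer_access Peer1 deny all
cache_peer Peer4 parent 3220 0 no-query name=Peer4
cache_peer_access Peer4 allow all
never_direct allow all
"""

if __name__ == "__main__":
    for line_no, message in lint_peer_routing(BROKEN) + lint_peer_routing(FIXED):
        print(line_no, message)
```

Findings with line number 0 apply to the configuration as a whole. Peer names are compared exactly as written, which is a strictness choice of this example.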