Reverse Proxy Basic Authentication

Reverse Proxy Basic Authentication

Brad Taylor-3
We use both Squid 2.5 and 2.6 as reverse proxies for our production web
site. 2.5 seems to pass basic authentication without an issue. We cannot
get this to work in 2.6. Looking at the release notes it is not clear to
me what if anything would need to be changed in the config file to allow
this to work with 2.6. Here is my config file:

http_port 80 defaultsite=10.10.1.145
https_port 443 cert=/etc/squid/8-22-08.pem key=/etc/squid/8-22-08key.pem options=NO_SSLv2 cipher=DEFAULT:!EXPORT:!LOW defaultsite=10.10.1.145
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
acl JS url_regex .js$
no_cache deny JS
acl CSS url_regex .css$
no_cache deny CSS
acl ASMX url_regex .asmx
no_cache deny ASMX
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
#Suggested default:
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
refresh_pattern -i \.jpg$       0 100% 10080
refresh_pattern -i \.gif$       0 100% 10080
refresh_pattern -i \.png$       0 100% 10080
refresh_pattern -i \.bmp$       0 100% 10080
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl CONNECT method CONNECT
acl port80 myport 80
acl port443 port 443
acl port563 port 563
acl TheOriginServer dst 10.10.1.145
#Recommended minimum configuration:
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
http_access allow port563
http_access allow port443
http_access allow port80
http_access allow TheOriginServer
http_access deny all
http_reply_access allow all
icp_access allow all
cache_peer 10.10.1.145 parent 80 0 no-query originserver
deny_info https://www.example.com/ port80
coredump_dir /var/spool/squid
visible_hostname https://www.example.com/
logfile_rotate 9
negative_ttl 0 minutes

Re: Reverse Proxy Basic Authentication

Bert Moorthaemer
Hi Brad,

I had similar problems, but I eventually managed to solve them (thx to
Henrik)

Try this for 2.6 (note I use client certs for authentication *before* the
basic authentication starts off)

https_port A.B.C.D:443 \
        defaultsite=anyhost.anydomain.tld vhost \
        cert=/usr/local/etc/squid/certs/anyhost.anydomain.tld.pem \
        clientca=/etc/CA/ssl/public/ca.pem \
        crlfile=/etc/CA/ssl/public/crl.pem \
        options=ALL \
        capath=/etc/CA/ssl/public

cache_peer W.X.Y.Z parent 80 0 no-query originserver \
        front-end-https proxy-only no-digest login=PASS connection-auth=off
cache_peer_domain W.X.Y.Z anyhost.anydomain.tld

/Cheers

Bert.
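
An added example, not part of any post in this thread and not Squid's own tooling: a small Python check that folds backslash continuations as used in the reply above and reports, for each originserver cache_peer, whether login=PASS is set. The sample config is constructed from the first post's cache_peer line plus a placeholder peer (192.0.2.10), and the function names are made up for this illustration.

```python
# Constructed sample: the cache_peer line from the first post, plus a
# backslash-continued peer in the style of the reply (192.0.2.x are placeholders).
SAMPLE_CONF = """\
http_port 80 defaultsite=10.10.1.145
# cache_peer 192.0.2.9 parent 80 0 originserver
cache_peer 10.10.1.145 parent 80 0 no-query originserver
cache_peer 192.0.2.10 parent 80 0 no-query originserver \\
        front-end-https proxy-only no-digest login=PASS connection-auth=off
"""

def logical_lines(text):
    """Yield (first_line_no, joined_line), folding trailing-backslash continuations."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, (buf + line).strip()
        buf, start = "", None
    if buf.strip():  # file ended in the middle of a continuation
        yield start, buf.strip()

def audit_cache_peers(text):
    """Return one finding per originserver cache_peer, recording its login= option."""
    findings = []
    for no, line in logical_lines(text):
        tokens = line.split()
        # cache_peer <host> <type> <http-port> <icp-port> [options...]
        if len(tokens) < 5 or tokens[0] != "cache_peer":
            continue  # comments, other directives, malformed lines
        host, options = tokens[1], tokens[5:]
        if "originserver" not in options:
            continue
        login = next((o.split("=", 1)[1] for o in options if o.startswith("login=")), None)
        findings.append({"line": no, "peer": host, "login": login,
                         "passes_client_auth": login == "PASS"})
    return findings

if __name__ == "__main__":
    for f in audit_cache_peers(SAMPLE_CONF):
        state = "passes" if f["passes_client_auth"] else "does NOT pass"
        print(f"line {f['line']}: peer {f['peer']} login={f['login']} -> {state} client credentials")
```

With login=PASS the client's Basic credentials are relayed to the origin server; in the first post's setup that hop is plain HTTP on port 80, so they cross it Base64-encoded, not encrypted.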




Re: Reverse Proxy Basic Authentication

Henrik Nordström
In reply to this post by Brad Taylor-3
On Thu, 2007-09-06 at 11:44 -0400, Brad Taylor wrote:
> We use both Squid 2.5 and 2.6 as reverse proxies for our production web
> site. 2.5 seems to pass basic authentication without an issue. We cannot
> get this to work in 2.6.

http://wiki.squid-cache.org/SquidFaq/ReverseProxy#head-c59962b21bb8e2a437beb149bcce3190ee1c03fd


> Looking at the release notes it is not clear to
> me what if anything would need to be changed in the config file to allow
> this to work with 2.6.

Right.. release notes a bit too silent about this change.

Regards
Henrik
