RE: Authenticating Sibling Problem

From: Armistead, Jason <ARMISTEJ@dont-contact.us>
Date: Thu, 04 Dec 1997 01:01:00 -0500

David

A similar "problem" exists for upstream proxies too (if they have
authentication enabled).

So, the right way to do it is to create an ACL on each proxy which
allows the OTHER sibling (or any downstream proxies) to access Squid
without authentication.

We're using Squid V1.1.11 with the proxy_auth patch added.

e.g.

acl thor src 153.14.79.102/255.255.255.255    <===== This is downstream # 1
acl netra src 153.14.79.129/255.255.255.255   <===== This is downstream # 2

acl std_password proxy_auth /disk2/squid/etc/squid.pass   <======== This is our password ACL

http_access allow thor
http_access allow netra
http_access allow all std_password

This way, the sibling gets allowed BEFORE the password acl is
encountered (remember, as soon as an ALLOW rule works, it gets straight
through and doesn't process any further down the list).

I found for some reason that "icp_access allow all" wasn't enough by
itself (it just allows the queries, but not the GETs themselves).

This is a good FAQ candidate IMHO.

Cheers

Jason

>---------
>From: David Richards[SMTP:dave@marvin.cs.dis.qut.edu.au]
>Sent: Thursday, 4 December 1997 13:06
>To: Squid Discussion List
>Cc: Alan Agnew; Squid Bugs
>Subject: Authenticating Sibling Problem
>
>Hi,
>
> I have a pretty major problem, it involves two authenticating
>squid proxies, version 1.1.16. Here is the situation:
>
>           [ Parents ]
>            /      \
>           /        \
>    [ Proxy A ] --- [ Proxy B ]
>         |
>         |
>        USER
>
> The problem occurs when the USER makes a request to Proxy A. The
>object is not in Proxy A but is in Proxy B, and the user gets back the
>message, "Proxy Authorization failed, Retry?". This is happening due to
>the following situation.
>
> Proxy A queries Proxy B about the object, Proxy B replies with a
>"YES, I have it". Proxy A performs a HTTP GET on behalf of the user, but
>does not pass on the authentication details, therefore the HTTP GET from
>Proxy A fails. This argument is supported by the following logs, created
>during the testing procedure:
>
>PROXY A:
>
>131.181.124.200 richard2 - [04/Dec/1997:11:31:20 +1000] "GET http://www.catalog.att.com/bmd/images/burst.gif" TCP_MISS:SIBLING_HIT 799
>
>PROXY B:
>
>131.181.127.42 - - [04/Dec/1997:11:31:20 +1000] "ICP_QUERY http://www.catalog.att.com/bmd/images/burst.gif" UDP_HIT:NONE 68
>131.181.127.42 - - [04/Dec/1997:11:31:20 +1000] "GET http://www.catalog.att.com/bmd/images/burst.gif" ERR_PROXY_DENIED:NONE 799
>
>
> I suppose the real question is, is there any easy way to fix this,
>or has this problem been fixed in later versions??
>
>Thanks,
>
>Dave.
>
>-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
>David Richards Ph: +61 7 3864 4347
>Network Programmer Fax: +61 7 3864 5272
>Computing Services E-mail: dj.richards@qut.edu.au
>Queensland University of Technology
>Brisbane, Australia
>-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
>
>
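Jason's rule order and the ERR_PROXY_DENIED line in Dave's Proxy B log, worked through as an added example (this is not code from the thread or from Squid). The script below is a small Python model of Squid's http_access evaluation: lines are tried in order, a line matches when all of its ACLs match, the first matching line decides, and with no match the default is the opposite of the last line. It also models the detail that makes the order matter: when a proxy_auth ACL is consulted and the request carries no valid Proxy-Authorization credentials, Squid answers with a 407 challenge right there instead of just moving on to the next line. That is Squid's documented behaviour in later versions; for the 1.1.x proxy_auth patch it is an assumption drawn from the thread's log. The password file is replaced by a constructed dict, the two config fragments and the client addresses are constructed from the thread, and only the src and proxy_auth ACL types are implemented.

```python
"""Toy model of Squid http_access evaluation (added example, not Squid code).
First matching line decides; no match means the opposite of the last line.
A proxy_auth ACL that cannot validate credentials triggers a 407 challenge
on the spot (documented for later Squid, assumed here for the 1.1.x patch).
"""
import base64
import binascii
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Request:
    src_ip: str
    headers: dict = field(default_factory=dict)


def basic_credentials_ok(header: str, passwd: dict) -> bool:
    """True if header is a valid 'Basic base64(user:pass)' for passwd."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return False
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return False
    user, sep, pw = decoded.partition(":")
    return bool(sep) and passwd.get(user) == pw


def parse_config(text: str, passwd: dict):
    """Parse acl/http_access lines: acls name->(type, test), rules (action, names)."""
    acls = {"all": ("all", lambda r: True)}
    rules = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            name, kind, args = parts[1], parts[2], parts[3:]
            if kind == "src":
                nets = [ipaddress.ip_network(a, strict=False) for a in args]
                acls[name] = (kind, lambda r, nets=nets: any(
                    ipaddress.ip_address(r.src_ip) in n for n in nets))
            elif kind == "proxy_auth":   # args[0] is the password file path
                acls[name] = (kind, lambda r: basic_credentials_ok(
                    r.headers.get("Proxy-Authorization", ""), passwd))
            else:
                raise ValueError(f"unsupported acl type: {kind}")
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def http_access(acls, rules, req: Request) -> str:
    """Return 'allow', 'deny' or 'challenge' (407) for req."""
    for action, names in rules:
        for name in names:
            negated = name.startswith("!")
            kind, test = acls[name.lstrip("!")]
            matched = test(req)
            if kind == "proxy_auth" and not matched:
                return "challenge"          # 407 as soon as credentials fail
            if matched == negated:          # this ACL did not match the line
                break
        else:
            return action                   # every ACL on the line matched
    return "deny" if not rules or rules[-1][0] == "allow" else "allow"


PASSWD = {"richard2": "s3cret"}   # constructed; stands in for squid.pass

# Password rule first: the sibling's GET hits proxy_auth and is challenged.
WRONG_ORDER = """
acl thor src 153.14.79.102/255.255.255.255
acl std_password proxy_auth /disk2/squid/etc/squid.pass
http_access allow all std_password
http_access allow thor
"""

# Jason's order: downstream proxies are allowed before the password ACL.
RIGHT_ORDER = """
acl thor src 153.14.79.102/255.255.255.255
acl netra src 153.14.79.129/255.255.255.255
acl std_password proxy_auth /disk2/squid/etc/squid.pass
http_access allow thor
http_access allow netra
http_access allow all std_password
"""


def basic(user: str, pw: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


def decide(config: str, req: Request) -> str:
    acls, rules = parse_config(config, PASSWD)
    return http_access(acls, rules, req)


if __name__ == "__main__":
    sibling = Request("153.14.79.102")      # downstream proxy, no credentials
    user = Request("10.0.0.5", {"Proxy-Authorization": basic("richard2", "s3cret")})
    for cfg_name, cfg in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER)):
        print(cfg_name, decide(cfg, sibling), decide(cfg, user))
```

For the sibling's credential-less GET the password-first order yields "challenge" (what Proxy B logged as ERR_PROXY_DENIED) and Jason's order yields "allow", while a client on another address is still challenged until it presents valid Basic credentials. Two caveats a practitioner would check: the exemption is by source address, so anything able to originate traffic from the sibling's IP (including other hosts behind the same NAT) bypasses authentication, so keep the exempted list to exactly the peer addresses; and icp_access and http_access are separate checks, which is why an icp_access rule alone does not let the sibling's GET through.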
Received on Wed Dec 03 1997 - 19:33:55 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:37:50 MST