Can squid automatically remove a cache_peer from the round-robin list if its proxy auth fails

authenticationPROXYsquid

I have a squid instance that is configured to forward to a set of upstream proxy servers in a round-robin fashion. Here's the relevant config:

cache_peer x.x.x.1 parent 3128 0 round-robin no-query proxy-only login=user:pass
cache_peer x.x.x.2 parent 3128 0 round-robin no-query proxy-only login=user:pass
cache_peer x.x.x.3 parent 3128 0 round-robin no-query proxy-only login=user:pass

The problem I'm having is that occasionally one (or more) of these upstream proxies changes its authentication without telling me, and users of my squid proxy start getting the 'Proxy authentication' popup in their browsers.

Is there a way to make squid think a '407 proxy auth required' response actually means the server is dead and should be removed from the round-robin list?

Thanks.

Best Answer

You probably want to setup a monitorurl= for the cache_peer, more information on that here:

http://www.visolve.com/squid/squid26/neighboursel.php#cache_peer

Basically have the monitorurl be a script that tests the login. You could have the monitorurl point to a local test script or have it live on the cache_peers and test other things as well (we have ours test for available resources as well).

Related Solutions

Routing and authenticating all access through squid

Think your DHCP options may be off... From: http://www.wlug.org.nz/WPAD

Add the following to your /etc/dhcpd.conf:

option option-252
"http://wpad.host.co.nz/proxy.pac";

With ISC DHCP v3+, option-# options don't work. You have to do this in the global section of your configuration:

option wpad-url code 252 = text;
(define a new option)

And add this in either the global or appropriate subnet section(s) of your configuration:

option wpad-url
"http://wpad.my.domain.tld/proxy.pac\n"; (use new option)

Also, you will find that auth in transparent mode in squid is not really possible. Some commercial web filters do work around this (indeed I work for SmoothWall, one such filter).

Using both domain users and local users for Squid authentication

Now, I need a way to allow access to users which don't have a domain account. Can this be done?

Yes.

How?

You can use an "external" ACL helper, which allows you to roll your own mechanism. See the Squid wiki "Multiple Source" entry for more details. This bit of pseudo-code lifted straight from there:

auth_param basic program /usr/local/bin/my-auth.pl
external_acl_type myAclType %SRC %LOGIN %{Proxy-Authorization} /usr/local/bin/my-acl.pl
acl MyAcl external myAclType
http_access allow MyAcl

... where my-auth.pl is a bit of perl script that performs the actual authentication, and returns OK or ERR as the result.

Best Answer

Related Solutions

Routing and authenticating all access through squid

Using both domain users and local users for Squid authentication

Related Topic