Re: RES: Integrating SQUID with AD "during logon"
On Thu, 2005-11-24 at 10:22 -0200, Augusto Hagiro Pascutti - TBON3
wrote:
> Good morning,
'morning!
Thanks for replying! I no longer subscribe to D-U-P, so I would appreciate
it if you replied with Cc to me :-)
> The question of transparency and of setting the proxy in the browser is
> the same thing; you need to redirect port 80 to the port you
> configured in squid using IPtables; if I'm not mistaken, it looks
> something like this:
Ah yes, I've already done that! The problem is that authentication doesn't
work when you have a transparent proxy... it's one thing OR the other :-(
I've been researching this and found some links that may interest
you; however, my interpretation wasn't very good... I'd like
you to interpret this:
=======================================================================
Authentication in accelerator mode [1]
Authentication is by default disabled in accelerator mode in Squid-2.X
due to conflicts with transparent interception. To enable this feature,
at the top of acl.c add the following line:
#define AUTH_ON_ACCELERATION 1
Then "make install".
This feature is somewhat hidden because
* It hasn't been fully thought over yet. There are issues in
caching when combined with authentication, and more so when
there is also authentication to the backend servers..
* It easily collides with transparent proxying, and many people
simply refuses to read warnings that a feature cannot be used in
a transparent proxy and try so anyhow.
The whole concept of "acceleration" in Squid is currently being reworked
for the Squid-3.0 release to fix this and a number of other issues.
=======================================================================
Recall that we enabled the transparent proxy with these lines:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
And I have some lines in the logs like this:
aclAuthenticated: authentication not applicable on accelerated requests.
Reading the ReleaseNotes[2] for Squid 3.0 Beta, I found this:
=======================================================================
Cleanup of the relation between accelerated request and transparently
intercepted request. The two are now handled separately from each other.
This fixes two issues:
* Transparently intercepted requests is no longer under the
restrictions of accelerated requests in peering relations etc..
* No risk of confusion in authentication. Authentication is now
allowed for accelerated requests but not transparently
intercepted requests.
* Accelerator mode cleaned up, using the design from the rproxy
development branch
* The httpd_accel_* directives is now gone, replaced by
http(s)_port options and cache_peer based request forwarding.
* The http(s)_port options has a list of new options for
controlling the type and mode of port created with respect to
* transparent proxying
* plain acceleration
* host header based acceleration
* normal proxying (default)
* To enforce a reasonable level of security in accelerators,
accelerated requests are denied to go direct unless forced by
always_direct.
=======================================================================
Well, from what I understood... it's not worth compiling this crazy beta
(which isn't in ports yet) because it still won't work...
is that really the case? :^)
[1] http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.6
[2] http://www.squid-cache.org/Versions/v3/3.0/squid-3.0-PRE3-20051030-RELEASENOTES.html
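
Added example, not part of the original message or of Squid: a small checker that flags the combination discussed above, Squid 2.x transparent-mode directives together with `http_access` rules that depend on a `proxy_auth` ACL. The function names and the sample configuration (ACL names, network range) are constructed for illustration.

```python
# Directive values from the post's transparent-proxy setup (Squid 2.x).
INTERCEPT = {
    "httpd_accel_host": "virtual",
    "httpd_accel_with_proxy": "on",
    "httpd_accel_uses_host_header": "on",
}

def parse(conf_text):
    """Yield (line_no, directive, args) for each active squid.conf line."""
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if line:
            name, *args = line.split()
            yield no, name, args

def auth_intercept_conflicts(conf_text):
    """Return (line_no, acl_names) for http_access rules that need proxy_auth
    while the transparent-mode directives are all set."""
    entries = list(parse(conf_text))
    seen = {name: args[0] for _, name, args in entries if name in INTERCEPT and args}
    if any(seen.get(k) != v for k, v in INTERCEPT.items()):
        return []  # not the transparent setup from the post
    auth_acls = {args[0] for _, name, args in entries
                 if name == "acl" and len(args) >= 2 and args[1] == "proxy_auth"}
    hits = []
    for no, name, args in entries:
        if name == "http_access":
            # args[0] is allow/deny; the rest are ACL names, possibly negated
            used = sorted({a.lstrip("!") for a in args[1:]} & auth_acls)
            if used:
                hits.append((no, used))
    return hits

# Constructed sample configuration (hypothetical ACL names and network)
SAMPLE = """\
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 192.168.0.0/24
acl ad_users proxy_auth REQUIRED
http_access allow lan ad_users   # depends on authentication
http_access deny all
"""

if __name__ == "__main__":
    for no, acls in auth_intercept_conflicts(SAMPLE):
        print(f"line {no}: http_access uses proxy_auth ACL(s) {acls} "
              "while transparent mode is enabled")
```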