Squid.conf to multiple proxies
-
Hello guys! Help me!
I have a lot of pfSenses here, one in each branch office and one in the main office, all of them with Squid installed. Squid is authenticating through NTLM with Active Directory groups. Each branch office has one DC. Everything is working fine so far. But I would like to build just one squid.conf and one ACL file for each rule, so that all of the Squids, when reading their configuration, will look for the same squid.conf and therefore the same ACL files. Thus, by changing just one squid.conf, I would make the change in all of my proxies.
I thought of two ways to do that:
- The first one is to mount an SMB share on each pfSense pointing to where the squid.conf and the ACLs are, and read them from there. In this plan I have to:
- put the SMB share in fstab so it is mounted every time the pfSense restarts;
- create a symbolic link pointing to the squid.conf and ACL directories;
To work fine I have to make sure my VPN is working fine, because if it stops working my Squid goes with it (in case of a start or reload, of course).
- The second one is to put the squid.conf and the ACLs on a web server and create a script that will download them every time Squid starts, restarts or reloads. I am planning to do this using wget:
- When Squid starts, restarts or reloads, wget goes to the web server and checks if the origin and destination files are different based on modification time, and if so, downloads them to the pfSense, overriding the current files.
This looks like the better option because I do not depend on the VPN, but every Squid restart needs a new download. Also I have to change Squid's script to put the new code there.
Now, guys, I want to know the following from you:
- Has someone here already done this? How did you do it?
- Does someone here know another, easier way to do this? What and how?
- Does someone here have any suggestions about how to enhance my two options?
- Does someone here have any reasons why I should not do this?
Thank you!
-
- Does someone here have any reasons why I should not do this?
If you are talking about pfSense, then the reason why you should NOT do this is very simple - squid.conf is generated on every package resync from the configuration stored in config.xml; what you are suggesting will not work at all. You should use the XMLRPC sync feature instead to replicate the configuration to other pfSense boxes. See the Sync tab.
-
Where is the Sync tab? I found it in the new version of Squid, but I am using PF 2.0.1 and I did not find it there. Of course I would like to update Squid/pfSense, but the main reason why I am not considering this for now is that the newest pfSense's Squid is not compiled with the wbinfo_group.pl helper and I am not sure if I can authenticate with AD groups with the helpers available. Do you have any idea?
-
but I am using PF 2.0.1 … Do you have any idea?
Yeah, I have a very good idea that using an unsupported firewall version that's ~6 years old is an absolutely horrible practice.
https://doc.pfsense.org/index.php/Versions_of_pfSense_and_FreeBSD
-
Yeah, I agree with you. But unfortunately I have been here for about two months and I can't change a 6-year-old system which is working perfectly… although I would like to a lot. First I must make sure that the new version will work as well as the current one.
-
Of course, with your suggestion I am thinking of trying the authenticator in my scenario. If it works fine, the better option is to update the versions and use the sync.