Re: Sibling GET with Authentication

From: Duane Wessels <>
Date: Tue, 08 Sep 1998 11:09:31 -0600

David Richards writes:

> There is a problem that I have brought up a few releases ago with
>authentication and neighbours. The problem is, that when a cache asks
>it's sibling for an object in it's cache, it also expects authentication.
>Now, the RFC says that a username/password pair may only be used by one
>server, and it may not pass these details along.
> The result is that you can not have authenticating siblings.
>However, we have put in a 'fix' until someone decides they want to have a
>go at fixing the real problem.

what is the real problem again?

As you note, the HTTP standard allows only one cache to consume
proxy-authentication headers.

As far as I know, you can use access controls to always allow
requests from your siblings.

> This is what we do:
> if Request is from a recognised neigbour
> then
> return Authentication is OK
> else
> Do authentication stuff and return result.
> The way we decide if it is a recognised sibling is if it is
>registered as one of our peers. How do we do this?? Well, this is the
>code, placed in neighbors.c :
>peer *
>neighborFindByAddr(const char *address)
> in_addr_t comparee;
> peer *e = NULL;
> comparee = inet_addr( address );
> for (e = Peers.peers_head; e; e = e->next) {
> if (comparee == e->in_addr.sin_addr.s_addr )
> break;
> }
> return e;

How is this function called? From where?

Are you using squid-1.2?

there is already a function similar to yours, whichPeer(), which
takes a sockaddr_in * argument instead of a string. Why can't you
use that one?

> I suppose in the end I am begging someone to look at this problem
>seriously and come up with a decent solution.

What is wrong with using access controls? What makes them not a
decent solution?

Duane W.
Received on Tue Jul 29 2003 - 13:15:53 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:11:55 MST