Re: squid-2.0.RELEASE: Authentication issues [patch]

From: Duane Wessels <wessels@dont-contact.us>
Date: Wed, 04 Nov 1998 10:45:28 -0700

>> >+ - Changed proxy_auth to work when in accelerator mode. proxy_auth
>> >+ probably should be renamed to auth and not proxy_auth. (Henrik
>> >+ Nordstrom)
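
Review bot: The second sentence of this entry ("proxy_auth probably should be renamed to auth and not proxy_auth") is an open design suggestion rather than a record of what changed, and it would sit better in a TODO or in the list discussion than in the ChangeLog. The entry also does not say how a proxy_auth ACL behaves towards the client in accelerator mode, for example which challenge the client receives. One sentence on that would tell operators what to expect.
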
>>
>> Regarding the first, I don't like it that Squid is becoming more and
>> more like an origin server. Squid should be a proxy and people should
>> use Apache for an origin server. Just like I think Apache makes a bad
>> proxy, I think Squid makes a bad origin server (accelerator,
>> whatever). Will it never stop?
>
>This change has two reasons:
>
>1. When you are accelerating an HTTP server then there is a big gain in
>moving the authentication from the origin server to Squid where
>possible. Otherwise you effectively can't accelerate an authenticated
>server as the authentication needs to be revalidated on each request.
>
>2. Access to /squid-internalXXX does not work without this in a
>proxy_auth environment.

We can hard-code special cases for the internal URLs.

I am really against giving Squid every origin server feature.
Am I the only one?

Are Henrik and I the only ones who read this list?

>> >+ - added login=user:password option to cache_peer directive to be
>> >+ used when your parent requires proxy authentication and you
>> >+ don't want your users to be required to authenticate manually.
>> >+ (Henrik Nordstrom)
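
Review bot: The entry for login=user:password does not mention that the parent's password is written in clear text in the cache_peer line, so the configuration file becomes a credential store. Suggest adding a sentence that the file should be readable only by the account Squid runs as, and stating whether a Proxy-Authorization header supplied by the user is replaced or passed through when this option is set.
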
>
>> Regarding the second, this seems overly complicated. Why doesn't the
>> peer just always allow requests from this cache's IP address? We can
>> already fix this with existing access controls instead of adding more
>> configuration options.
>
>Not if you are a leaf cache on a dial up connection and similar, where
>you can't have an IP-based access to your parent.

Ok, I didn't think about dynamic IP addresses...
I can live with adding this one... :-)

>> >+ - If you want to "auto-login" on certain servers, then use a
>> >+ redirector that rewrites the URL to the form
>> >+ http://username:password@server/.... and configure your Squid
>> >+ to go direct to that server. Squid now picks this up when
>> >+ going direct, and turns it into basic WWW authentication.
>> >+ (Henrik Nordstrom)
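
Review bot: The auto-login entry says Squid turns the username:password part of the rewritten URL into basic WWW authentication, but not whether that part is removed from the URL before the request is logged or sent on. Suggest stating this explicitly, since the shared password would otherwise be readable wherever the URL is recorded.
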
>>
>> Auto-login to a server? Is this needed? Seems to me that
>> authentication is an END-TO-END characteristic of HTTP.
>> Having proxies insert authentication in the middle breaks that.
>
>Well. It was requested. The intended use is when your organisation
>as a whole has an account to a service, but you don't want every user in
>your organisation to have to know the current login+password.

I think it's wrong. Any other opinions?

Duane W.
Received on Tue Jul 29 2003 - 13:15:54 MDT
