Re: [SQU] Credentials forwarding?

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 09 Jan 2001 01:59:15 +0100

Robert Collins wrote:

> > what about login=*:password. Looks better I think ;-)

> The problem is, it's vulnerable to replay attacks.

In what way is it more vulnerable than any Basic authentication going by
that path?

> Re: implementing
> -Sure as a quick hack it'll get the username to the upstream server,
> which then needs to be told something like
> acl foo proxy_auth PASSEDTHROUGH
> so that it doesn't try to authenticate externally every usercode, and
> instead trusts the downstream.

Minor issue. The basic auth cache should build up pretty quickly anyway.

Only one thing: To be really useful, the forwarding must be able to
identify the downstream.

Something like
   login=*-downstream_unique_tag:password

should do quite nicely, as this allows a single ACL entry to match all
users on that downstream, and match it against the known IP(s) of the
downstream server.

downstream:
  cache_peer ... login=*-downstream1:password

upstream:
  acl downstream1 src 192.168.1.2
  acl downstream1-users proxy_auth_regex -downstream1$

  http_access deny downstream1-users !downstream1

And if the helper protocol is extended to allow for the helpers to
change the effective (logger,forwarded) username then even better.

/Henrik
Received on Mon Jan 08 2001 - 18:04:44 MST
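The upstream rule set in the message (tag the forwarded username with the downstream's identity, then only accept tagged usernames from that downstream's known source address) can be modelled in a few lines. The following Python is an added example, not code from the thread or from Squid: it builds the Basic `Proxy-Authorization` header a downstream would send under the proposed `login=*-downstream1:password` form (a hypothetical syntax at the time of the message; the assumption here is that it appends `-downstream1` to the client's username), and evaluates the upstream's `http_access deny downstream1-users !downstream1` line against a source IP. The ACL names, the tag, the IP and the sample credentials are taken from or constructed around the message.

```python
import base64
import ipaddress
import re
from typing import Optional

# Model of the upstream squid.conf fragment quoted in the message:
#   acl downstream1 src 192.168.1.2
#   acl downstream1-users proxy_auth_regex -downstream1$
#   http_access deny downstream1-users !downstream1
DOWNSTREAM_SRC = {ipaddress.ip_address("192.168.1.2")}
TAGGED_USER_RE = re.compile(r"-downstream1$")


def peer_login_header(client_user: str, tag: str, password: str) -> str:
    """Header the downstream would send to its peer under the proposed
    login=*-<tag>:password form (hypothetical: assumes the tag is simply
    appended to the client's username, as the message suggests)."""
    creds = f"{client_user}-{tag}:{password}".encode()
    return "Basic " + base64.b64encode(creds).decode()


def parse_basic_user(header: Optional[str]) -> Optional[str]:
    """Username from a Basic Proxy-Authorization header, or None if absent
    or malformed (the upstream would then treat the request as unauthenticated)."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[len("Basic "):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep else None


def upstream_decision(src_ip: str, proxy_auth: Optional[str]) -> str:
    """Evaluate the single http_access line above.

    Returns "deny" when the line matches (tagged username presented from an
    address that is not the known downstream), otherwise "continue", meaning
    Squid would move on to the rest of the (elided) http_access list.
    """
    user = parse_basic_user(proxy_auth)
    is_tagged_user = user is not None and TAGGED_USER_RE.search(user) is not None
    from_downstream1 = ipaddress.ip_address(src_ip) in DOWNSTREAM_SRC
    # "deny downstream1-users !downstream1": both ACL terms must match
    if is_tagged_user and not from_downstream1:
        return "deny"
    return "continue"


if __name__ == "__main__":
    # Constructed sample: user "alice" logged in at downstream1, whose
    # address is 192.168.1.2; password is a placeholder.
    hdr = peer_login_header("alice", "downstream1", "PLACEHOLDER_PASSWORD")
    print(parse_basic_user(hdr))                      # alice-downstream1
    print(upstream_decision("192.168.1.2", hdr))     # continue
    print(upstream_decision("10.0.0.5", hdr))        # deny
```

The point the message makes shows up in the last two calls: the same tagged credential passes the rule from the downstream's own address but is denied from anywhere else, so the tag alone never grants the "trusted downstream" treatment. Untagged usernames are untouched by this line and fall through to whatever external authentication the upstream normally applies.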
