Re: NTLM and proxying

From: Robert Collins <robert.collins@dont-contact.us>
Date: Fri, 13 Apr 2001 18:21:53 +1000

----- Original Message -----
From: "Henrik Nordstrom" <hno@hem.passagen.se>
To: "Robert Collins" <robert.collins@itdomain.com.au>
Cc: <squid-dev@squid-cache.org>
Sent: Friday, April 13, 2001 6:20 PM
Subject: Re: NTLM and proxying

> Robert Collins wrote:
>
> > Sorry - I missed a bit.
> >
> > WWW authentication collides with "proxy" authentication when
transparent
> > mode is running. What I meant was if the proxy has proxy_auth acls
> > configured for a given request and the reply comes back with an
> > Authentication header, then strip it or send a warning page.
>
> Squid should not accept looking for proxy_auth on "accelerated"
requests
> unless authentication for accelerated requests has been explicitly
> enabled. If not enabled then any proxy_auth acl MUST return FALSE, and
a
> warning sent to cache.log.
>
> > Basically fail gracefully when transparent mode and auth acls are
> > combined instead of the current "seem to work until you hit an
> > authenticated site".
>
> This is something you changed in auth_rewrite. Before auth_rewrite
squid
> had to be recompiled with a hidden define to at all look for WWW
> authentication because of this collision.

Uhmm, I changed very little of that "entry point" logic. That define is
still there. (acl.c line 1611). Sorry for bringing up a solved problem
:].

> Proposal: Add a squid.conf directive for enabling WWW Authentication
in
> accelerators. Default to "off", and have a big fat warning that this
> MUST NOT be enabled in transparent proxies.
>
> / Henrik
>
Received on Fri Apr 13 2001 - 02:22:18 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:13:45 MST