Re: NTLM and proxying

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 13 Apr 2001 13:43:50 +0200

Chemolli Francesco (USI) wrote:
>
> > > It depends. It must be fd-to-fd in case of NTLM-to-NTLM bridging.
> > > It SHOULD be user-to-fd in case of basic-to-NTLM bridging
> > > (not that it wouldn't work otherwise, it would just be much
> > > less efficient).
> >
> > NTLM to NTLM? Do you mean tunnel mode? NTLM to NTLM needs a
> > co-operative user directory again! (Same as digest-basic or
> > NTLM-basic).
>
> yes, that's tunnel mode. Squid knows nothing about authentication,
> it just understands that it must keepalive as much as possible
> and pin and reserve up- and downstream FDs.

The intermediary Squid can perfectly well understand NTLM and even
extract information from the exchanges being forwarded for logging
purposes or whatever. Only thing is that it cannot perform the actual
NTLM verification as the challenge is generated by the origin server (or
upstream proxy if proxying NTLM proxy auth).

This does not require the proxy to enter tunnel mode. It can still act
as a proxy. It only adds some requirements in connection management.
Tunnel mode is quite different from proxying, and only meant to be used
when the proxy cannot understand the request or how to down/upgrade it
but wishes to forward the request regardless.

CONNECT is a special case of tunnel mode, where the method forces the
proxy to enter tunnel mode to a server for the duration of that
connection. Normal tunnel mode is slightly different in function (does
not exist in Squid).

--
Henrik
Received on Fri Apr 13 2001 - 06:11:37 MDT
