Re: Username Header [PATCH]

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sat, 05 Jan 2002 04:02:46 +0100

And so does the redirector or cache_peer login= approach. The main
difference is that instead of the application being configured to look
for the custom header it needs to be configured for Basic HTTP
authentication with the (unknown to the user) password set by the
redirector.

Regards
Henrik

Ben Herrick wrote:
>
> In our particular case, we want users to be required to log in to the proxy
> in order to access the internet using it. We also have several intranet
> sites that don't need strong authentication, but give different information
> to different users based on username. This patch allows our users to log on
> once and achieve both goals. It also allows us to have separate
> authentication, if necessary, for inter/intranet sites that are more
> restricted.
>
> Ben Herrick
> Globalcom,Inc.
> DNS Administrator
> 333 West Wacker Drive Suite 1500
> Chicago, IL 60606-1231
> Phone: 312.893.0176
> Pager: 800.205.7564
> Fax: 312.492.1414
> Service: 800.589.1531
> mailto:dnsadmin@global-com.com
>
> -----Original Message-----
> From: Henrik Nordstrom [mailto:hno@squid-cache.org]
> Sent: Thursday, January 03, 2002 9:21 PM
> To: Ben Herrick; Squid Developers
> Subject: Re: Username Header [PATCH]
>
> Quick question: What is wrong with using basic authentication for forwarding
> the username to the application(s)?
>
> Such basic authentication can easily be added to the request by redirectors
> or by per-server cache_peer lines using the login= option.
>
> Using basic authentication adds slightly more security, as the user does not
> need to know the password.
>
> Regards
> Henrik
>
> On Thursday 03 January 2002 00.06, Ben Herrick wrote:
> > Hola Ladies and Gents,
> > Below is a patch to squid-head-200201020000 which implements
> > "Username Headers." The basic idea here is to specify a list of domain
> > names which will receive a Proxy-Authenticated username. This is useful in
> > my company as a unified logon, and may be useful to others as well.
> >
> > This feature adds one configuration option which is a list of domain
> > suffixes to try to match against. By default the list is empty, and thus
> > adds almost no overhead for folks who do not want this feature.
> >
> > If a list of domain names is present, the patch attempts to match the
> > requested web page with any of the domains. If successful it will add an
> > HTTP header like this:
> >
> > HTTP_X_PROXY_USERNAME: bherrick
> >
> > This is, of course, not even close to a secure way to authenticate users.
> > However, in a small controlled intranet environment, it gives a useful
> > hint for web scripts.
> >
> > Questions, comments and concerns are of course welcome. Please CC me on
> > any traffic concerning this patch as I am not subscribed to the list.
Received on Fri Jan 04 2002 - 20:45:13 MST
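
The two approaches discussed in this thread, seen from the intranet application's side, as an added example (not code from the thread, the patch, or Squid). The function names, the shared password value and the sample requests are constructed assumptions; only the header name HTTP_X_PROXY_USERNAME and the username bherrick come from the messages above.

```python
import base64
import hmac

# Assumed secret that only the proxy (redirector or cache_peer login=) knows.
PROXY_SHARED_PASSWORD = "constructed-secret-known-only-to-proxy"


def user_from_header(headers):
    """Username-header approach: the value is taken at face value, so the
    application cannot tell the proxy's header from one a client typed in."""
    return headers.get("HTTP_X_PROXY_USERNAME")


def user_from_basic(headers, shared_password=PROXY_SHARED_PASSWORD):
    """Basic-auth approach: accept the username only when the password part
    equals the secret the proxy attaches. Returns None otherwise."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    # Constant-time comparison of the shared secret.
    if not hmac.compare_digest(password.encode(), shared_password.encode()):
        return None
    return user


def proxy_basic_header(user, shared_password=PROXY_SHARED_PASSWORD):
    """What the proxy side would attach for an authenticated user."""
    token = base64.b64encode(f"{user}:{shared_password}".encode()).decode("ascii")
    return {"Authorization": "Basic " + token}


# Constructed sample requests.
VIA_PROXY = proxy_basic_header("bherrick")
DIRECT_HEADER = {"HTTP_X_PROXY_USERNAME": "bherrick"}  # sent without the proxy
DIRECT_BASIC = {"Authorization": "Basic " + base64.b64encode(b"bherrick:guess").decode()}

if __name__ == "__main__":
    print("header, direct client:", user_from_header(DIRECT_HEADER))
    print("basic, direct client: ", user_from_basic(DIRECT_BASIC))
    print("basic, via proxy:     ", user_from_basic(VIA_PROXY))
```

The shared password travels base64-encoded, not encrypted, so the path between proxy and application still has to be trusted or protected with TLS.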