Re: User Authentication

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 19 May 2002 19:10:11 +0200

On Thursday 16 May 2002 14:47, Joey Coco wrote:

> > Just allow certain destinations without proxy auth.
>
> True on both accounts, and that would prolly work for most people
> that want to authenticate when going to a few pre-defined
> destinations. But it won't really work for me, because we're not
> restricting access by using ACL's.

But unfortunately this is somewhat enforced by HTTP.

The user-agent (browser) authenticates to the proxy on each and every
request.

As an optimization most browsers assume that if the proxy has
requested authentication for one destination, then it will for any
other destination. However, this assumption can only be made for
"Basic" authentication. When using NTLM or Digest the situation is
different, and there may well occur situations where the browser
stops sending the user credentials unless the proxy really asks for
it.

> I really just need to trigger proxy_auth on demand.

Then you need to define "on demand" in a manner that makes sense from
an HTTP perspective.

We can do it on a specific URL, but this will only force the browser
to authenticate in order to reach this specific URL.

Quite likely you can rely on the browser's authentication state cache
to perform the "on demand" thingy by looking for the
"Proxy-Authorization" header if you are using Basic authentication. A
generic HTTP header matching ACL springs to mind here as a viable
design for detecting this...

  acl mynetwork src ...
  acl authenticated proxy_auth REQUIRED
  acl has_auth http_header_regex Proxy-Authorization .*

  http_access allow mynetwork has_auth authenticated
  http_access allow mynetwork

Note: the acl type http_header_regex does not exist, but can easily be
implemented.

But as said above, there may be situations where the browser stops
indicating that the user is logged in unless being explicitly asked
for user credentials, so you really need to come up with a good
definition for "proxy_auth on demand" in terms of HTTP.

Regards
Henrik
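The mechanism described above, as an added simulation that is not part of the original post nor Squid's code: a proxy that mirrors the proposed http_access lines (anonymous access for the local network, a single trigger URL that forces a challenge, and the Proxy-Authorization header used as the "has_auth" signal), and a browser that caches Basic credentials once challenged. The user table, network prefix, trigger URL, and the choice to answer bad credentials with 407 are assumptions of this example.

```python
import base64

# Constructed sample data for the example (not real credentials or addresses).
USERS = {"alice": "s3cret"}
MYNETWORK = "10.0.0."                    # stands in for "acl mynetwork src ..."
TRIGGER_URL = "http://login.example/"    # assumed URL used to force the challenge

def basic_user(headers):
    """Return the user name if Proxy-Authorization carries valid Basic credentials, else None."""
    scheme, _, token = headers.get("Proxy-Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, pw = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user if USERS.get(user) == pw else None

def proxy(src, url, headers):
    """Evaluate the proposed rules in order; returns (HTTP status, authenticated user or None)."""
    if not src.startswith(MYNETWORK):
        return 403, None                          # implicit deny for anything outside mynetwork
    if "Proxy-Authorization" in headers:          # has_auth matched, so proxy_auth is consulted
        user = basic_user(headers)
        return (200, user) if user else (407, None)   # assumed: bad credentials get re-challenged
    if url == TRIGGER_URL:                        # the "on demand" trigger
        return 407, None
    return 200, None                              # "http_access allow mynetwork" (anonymous)

class Browser:
    """Models the Basic cache: once the proxy has asked, credentials go on every request."""
    def __init__(self, src, user, pw):
        self.src, self.cred, self.send_auth = src, f"{user}:{pw}", False
    def get(self, url):
        headers = {}
        if self.send_auth:
            headers["Proxy-Authorization"] = "Basic " + base64.b64encode(self.cred.encode()).decode()
        status, user = proxy(self.src, url, headers)
        if status == 407 and not self.send_auth:  # first challenge: remember and retry
            self.send_auth = True
            return self.get(url)
        return status, user

def walkthrough():
    """Anonymous first, challenged at the trigger URL, then identified everywhere after that."""
    b = Browser("10.0.0.7", "alice", "s3cret")
    return [b.get("http://news.example/"), b.get(TRIGGER_URL), b.get("http://news.example/")]
```

The walkthrough only holds for Basic; with NTLM or Digest the browser may stop sending the header, which is the caveat the post makes.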
Received on Sun May 19 2002 - 17:09:58 MDT