Re: Question ICAP-client

From: Henrik Nordstrom <>
Date: Sat, 24 Mar 2007 17:45:07 +0100

fre 2007-03-23 klockan 00:07 +0200 skrev Tsantilas Christos:

> Moreover we must not be absolutely sure that the icap servers will
> always be located at the same site as the proxy. Maybe in the future
> some icap-services will be public available for use by everyone......

Which reminds me why there is a login= option to cache_peer.

> The ICAP rfc something says about hop-by-hop headers. Now squid always
> forwards the Proxy-Authorization header for example to the icap server ...

And very many ICAP servers depend on these headers being forwarded,
lacking support for an official standard method of forwarding the
authenticated credentials.

There is even ICAP servers depending on being the entity processing the
Proxy-Authorization header itself with it's own notion of user database,
which is a bit of a mess...

I completely buy both sides of this discussion. But unlike peers the
boundary is not so clearly defined here so there needs to be some
differentiation in trust.

- Trusted to process user credentials (proxy and www)
- Trusted to rewrite requests, or only filter.


Received on Sat Mar 24 2007 - 10:45:16 MDT

This archive was generated by hypermail pre-2.1.9 : Sun Apr 01 2007 - 12:00:01 MDT