Re: /bzr/squid3/trunk/ r9933: Fully transparent PASSTHRU option for authentication to peers.

From: Henrik Nordstrom <henrik_at_henriknordstrom.net>
Date: Tue, 25 Aug 2009 15:05:17 +0200

From what I can tell the difference between the PASSTHRU and PASS is
only that PASSTHRU does not add any injected credentials from
external_acl, right?

Imho there is no need for more than two of these options.

PASS -> WWW+Proxy authentication passed along as-is if present.
external_acl auth added as basic Proxy-Auth if none present.

PROXYPASS -> WWW+Proxy authentication passed along as-is. Proxy
authentication converted to WWW authentication if WWW auth not present.
If neither proxy or WWW authentication present then external_acl auth
added as basic WWW auth (maybe this should have higher priority than
proxy auth here...)

If peer is an origin server then we should perhaps strip Proxy auth from
the outgoing request. Could also do this by default in PROXYPASS to make
the difference between the two more obvious, making the rules as follows:

!originserver+PASS: Proxy & WWW auth passed along as-is. If no
Proxy-auth present then add external acl auth credentials as basic proxy
auth.

originserver+PASS: WWW auth passed along as-is. Maybe external_acl
credentials as well (priority?)

originserver+nothing set: No auth passed along (not trusted).

PROXYPASS: WWW-auth passed along as-is. If no WWW-auth present then
convert either Proxy-Auth or external acl credentials to Basic WWW auth.

Regards
Henrik
Received on Tue Aug 25 2009 - 13:05:25 MDT
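
The four rules proposed in the message above, written out as a decision function to show which credentials would reach the peer in each case. This is an added example, not Squid code and not from the original post; the function names, the dict-of-headers model, and the choices marked "Assumption" in the comments (points the message leaves open) are hypothetical.

```python
import base64

def basic(user, password):
    """Basic credential value built from an external_acl user/password pair."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def outgoing_auth(mode, originserver, headers, ext_acl=None):
    """Auth headers forwarded to the peer under the proposed rules.

    mode: "PASS", "PROXYPASS" or None (nothing set); headers: client request
    headers as a dict; ext_acl: (user, password) from external_acl, or None.
    """
    www = headers.get("Authorization")
    proxy = headers.get("Proxy-Authorization")
    ext = basic(*ext_acl) if ext_acl else None
    out = {}
    if mode == "PROXYPASS":
        # WWW auth as-is, else Proxy-Auth or external_acl becomes WWW auth.
        # Assumptions: Proxy-Auth wins over external_acl, and only a Basic
        # Proxy-Auth value is convertible; Proxy-Auth itself is not forwarded.
        convertible = proxy if proxy and proxy.lower().startswith("basic ") else None
        chosen = www or convertible or ext
        if chosen:
            out["Authorization"] = chosen
    elif mode == "PASS" and originserver:
        # Origin server: WWW auth only, Proxy auth stripped. Assumption:
        # external_acl credentials are not added (left open in the message).
        if www:
            out["Authorization"] = www
    elif mode == "PASS":
        # Non-origin peer: both passed as-is, external_acl fills in Proxy-Auth.
        if www:
            out["Authorization"] = www
        if proxy or ext:
            out["Proxy-Authorization"] = proxy or ext
    # Nothing set: no auth passed (stated for originserver; assumed for all peers).
    return out

if __name__ == "__main__":
    # Constructed sample request: the client sent both headers.
    req = {"Authorization": basic("webuser", "w"),
           "Proxy-Authorization": basic("proxyuser", "p")}
    for mode, origin in [("PASS", False), ("PASS", True), (None, True), ("PROXYPASS", True)]:
        print(mode, "originserver" if origin else "peer", outgoing_auth(mode, origin, req))
```

Running it prints the forwarded headers for each mode, which makes the trust difference visible: only PASS to a non-origin peer lets the client's Proxy-Authorization value leave the proxy unchanged.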
