RE: CONNECT (https) child

From: Armistead, Jason <ARMISTEJ@dont-contact.us>
Date: Thu, 30 Apr 1998 20:44:00 -0400

David

As I read it, the HTTP 1.1 specification (RFC-2068) says on page 127 that
Proxy-Authenticate (section 14.33) header information goes all the way down
the proxy hierarchy to the client.

But, the response Proxy-Authorization (section 14.34) header from the client
gets gobbled up by the first cache requiring authentication (usually the one
doing any initial authentication), and doesn't get passed along to upstream
caches. Remember, there is no point passing these headers ad-infinitum up
the cache hierarchy if the information is only good for the first (local)
cache needing authentication. Think of what happens if it did happen -
users' base-64 (effectively plain-text) passwords could be obtained by a
dubious cache operator somewhere upstream, and these might be the same
passwords as used by NT, Unix or PAM methods, thus allowing access to a
whole client operating system. A real security hole waiting to happen, and
hence the reason HTTP 1.1 is written that way in terms of caches.

The idea is that parent caches nominate who they trust as peers/children.
But, as a downside, if both the local proxy and an upstream one require
authentication for the same page, by different administrators / policies
being required, then you have a problem which can't apparently be resolved
in HTTP 1.1.

So, it's a case of Squid following the standard. On the flip-side, expect a
non-conforming Microsoft Proxy version which will do what you want out real
soon now !!! (LOL)

Cheers

Jason

----------
From: David Richards[SMTP:dj.richards@qut.edu.au]
Sent: Friday, 1 May 1998 9:52
To: Squid Discussion List
Subject: CONNECT (https) child

I have a question ... :-)

At QUT we have three main proxies, which everyone is forced to go through.
These caches are authenticating squid v1.1.20 (QUT). The (QUT) means that
it has been modified for our authentication procedure.

Our problem, our child caches (departments and faculties) who are using
squid also, are not passing authentication details for CONNECT type
connections. So any page matching ^https://.* fails if accessed
through a child cache.

Is this a configuration issue or a fundamental deficiency or is it
deliberate?

Thanks,

Dave.

-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
David Richards Ph: +61 7 3864 4347
Network Programmer Fax: +61 7 3864 5272
Computing Services E-mail: dj.richards@qut.edu.au
Queensland University of Technology
Brisbane, Australia
-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-

Received on Thu Apr 30 1998 - 18:08:28 MDT
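
The behaviour described in the reply above, as an added example that is not part of the original thread and is not Squid code: a toy model of a cache hierarchy in which the first hop demanding authentication consumes Proxy-Authorization, so an upstream hop never sees the reversible base-64 credential. The names `Proxy`, `request_via`, `encode_basic`, `decode_basic`, the user `alice` and the host are hypothetical, and the model assumes a hop that does not demand authentication relays the header unchanged.

```python
import base64
import hmac

def encode_basic(user, password):
    """Build a Basic credential: base64 of 'user:password', an encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def decode_basic(value):
    """Recover (user, password) from a Basic credential; None if malformed."""
    scheme, _, blob = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = text.partition(":")
    return (user, password) if sep else None

class Proxy:
    """Toy model of one cache in the hierarchy (hypothetical, not Squid code)."""
    def __init__(self, name, users=None):
        self.name = name
        self.users = users  # None means this hop does not demand authentication
        self.seen = []      # every credential this hop could have read

    def handle(self, headers, upstream):
        out = dict(headers)
        cred = out.get("proxy-authorization")
        if cred is not None:
            self.seen.append(decode_basic(cred))
        if self.users is not None:
            pair = decode_basic(cred) if cred else None
            expected = self.users.get(pair[0]) if pair else None
            if expected is None or not hmac.compare_digest(expected.encode(), pair[1].encode()):
                # The challenge travels back down the hierarchy to the client.
                return 407, {"proxy-authenticate": f'Basic realm="{self.name}"'}
            del out["proxy-authorization"]  # consumed here, never sent upstream
        if not upstream:
            return 200, {}
        return upstream[0].handle(out, upstream[1:])

def request_via(chain, user, password):
    """Send one constructed request through chain[0], chain[1], ... in order."""
    headers = {"host": "example.org:443", "proxy-authorization": encode_basic(user, password)}
    return chain[0].handle(headers, chain[1:])

if __name__ == "__main__":
    child, parent = Proxy("child", {"alice": "s3cret"}), Proxy("parent", {"alice": "other"})
    print(request_via([child, parent], "alice", "s3cret"), parent.seen)
```

When both hops demand authentication, the parent answers 407 even though the child accepted the credential, which is the unresolved case the reply mentions.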

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:39:59 MST