Re: CONNECT (https) child

From: Dancer <dancer@dont-contact.us>
Date: Fri, 01 May 1998 12:45:47 +1000

I _suspect_ (Dancer <- not authoritative in this area) that CONNECT
isn't passing HTTP headers. I must admit to never having checked to see
if HTTP headers are valid with SSL tunneling.

From a purely notional standpoint, most or all HTTP headers would be
meaningless for an SSL tunnel. It's not cacheable, or anything like
that, it's just an end-to-end data pipe. It might be that the headers
aren't preserved for some reason, and because they are almost never
present in such requests, that we've never noticed that fact before.

D

David Richards wrote:
>
> Jason,
>
> The problem is not that simple. My cache is the first cache
> requiring authentication. The hierarchy has been working very well until
> this problem. It works in "normal" operation, but the problem occurs when
> the method is "CONNECT" rather than "GET": the "GET" passes authentication
> from the client machine through the child proxy (the child proxy does not use
> it) and to my proxy. This is not the case with CONNECT, however, and I want
> to know why.
>
> Dave.
>
> -#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
> David Richards Ph: +61 7 3864 4347
> Network Programmer Fax: +61 7 3864 5272
> Computing Services E-mail: dj.richards@qut.edu.au
> Queensland University of Technology
> Brisbane, Australia
> -#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
>
> On Thu, 30 Apr 1998, Armistead, Jason wrote:
>
> > David
> >
> > As I read it, the HTTP 1.1 specification (RFC-2068) says on page 127 that
> > Proxy-Authenticate (section 14.33) header information goes all the way down
> > the proxy hierarchy to the client.
> >
> > But, the response Proxy-Authorization (section 14.34) header from the client
> > gets gobbled up by the first cache requiring authentication (usually the one
> > doing any initial authentication), and doesn't get passed along to upstream
> > caches. Remember, there is no point passing these headers ad-infinitum up
> > the cache hierarchy if the information is only good for the first (local)
> > cache needing authentication. Think of what happens if it did happen -
> > users' base-64 (effectively plain-text) passwords could be obtained by a
> > dubious cache operator somewhere upstream, and these might be the same
> > passwords as used by NT, Unix or PAM methods, thus allowing access to a
> > whole client operating system. A real security hole waiting to happen, and
> > hence the reason HTTP 1.1 is written that way in terms of caches.
> >
> > The idea is that parent caches nominate who they trust as peers/children.
> > But, as a downside, if both the local proxy and an upstream one require
> > authentication for the same page, by different administrators / policies
> > being required, then you have a problem which can't apparently be resolved
> > in HTTP 1.1.
> >
> > So, it's a case of Squid following the standard. On the flip-side, expect a
> > non-conforming Microsoft Proxy version which will do what you want out real
> > soon now !!! (LOL)
> >
> > Cheers
> >
> > Jason
> >
> > ----------
> > From: David Richards[SMTP:dj.richards@qut.edu.au]
> > Sent: Friday, 1 May 1998 9:52
> > To: Squid Discussion List
> > Subject: CONNECT (https) child
> >
> > I have a question ... :-)
> >
> > At QUT we have three main proxies, which everyone is forced to go through.
> > These caches are authenticating squid v1.1.20 (QUT). The (QUT) means that
> > it has been modified for our authentication procedure.
> >
> > Our problem: our child caches (departments and faculties), which are using
> > squid also, are not passing authentication details for CONNECT type
> > connections. So any page matching ^https://.* fails if accessed
> > through a child cache.
> >
> > Is this a configuration issue or a fundamental deficiency or is it
> > deliberate?
> >
> > Thanks,
> >
> > Dave.
> >
> > -#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
> > David Richards Ph: +61 7 3864 4347
> > Network Programmer Fax: +61 7 3864 5272
> > Computing Services E-mail: dj.richards@qut.edu.au
> > Queensland University of Technology
> > Brisbane, Australia
> > -#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
> >

-- 
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GAT d- s++: a C++++$ UL++++B+++S+++C++H++U++V+++$ P+++$ L+++ E-
W+++(--)$ N++ w++$>--- t+ 5++ X+() R+ tv b++++ DI+++ e- h-@ 
------END GEEK CODE BLOCK------
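A worked illustration of the header handling Jason describes above (the client's Proxy-Authorization is checked by the first proxy that requires authentication and not forwarded upstream, and a CONNECT request carries headers exactly like a GET). This is example code added here; it is not from the thread, from Squid, or from any of the posters. The Basic authentication scheme, the credential store and the two sample requests are constructed assumptions.

```python
"""Added example, not from the thread or from Squid: how a proxy that
requires authentication handles Proxy-Authorization on GET and CONNECT
requests, consumes it, and does not forward it upstream.

Assumptions (constructed for this example): HTTP Basic authentication,
one valid credential pair, and two constructed sample requests.
"""
import base64
import hmac

# Constructed credential store; a real proxy would call its own authenticator.
VALID_USERS = {"alice": "s3cret"}

# Constructed sample requests. Both carry the same Proxy-Authorization
# header ("alice:s3cret" in base64); only the method and target differ.
GET_REQUEST = (
    "GET http://www.example.com/ HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Proxy-Authorization: Basic YWxpY2U6czNjcmV0\r\n"
    "\r\n"
)
CONNECT_REQUEST = (
    "CONNECT www.example.com:443 HTTP/1.1\r\n"
    "Host: www.example.com:443\r\n"
    "Proxy-Authorization: Basic YWxpY2U6czNjcmV0\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw request head into (method, target, headers).

    Header names are lower-cased because HTTP header names are
    case-insensitive. The same code path serves GET and CONNECT: a
    CONNECT request carries its headers exactly like any other method.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def decode_basic(value):
    """Return (user, password) from a 'Basic <base64>' credential, or None.

    Base64 is an encoding, not encryption: anyone who sees the header
    recovers the password, which is why it must not travel further than
    the proxy that needs it.
    """
    scheme, _, blob = value.partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, password


def authenticate_and_forward(raw):
    """Check the client's credential and build the headers to send upstream.

    Returns (method, authenticated, forwarded_headers). Proxy-Authorization
    is removed from the forwarded set: it was addressed to this proxy.
    """
    method, _target, headers = parse_request(raw)
    creds = decode_basic(headers.get("proxy-authorization", ""))
    authenticated = False
    if creds is not None:
        user, password = creds
        expected = VALID_USERS.get(user)
        # Constant-time comparison avoids leaking the password via timing.
        authenticated = expected is not None and hmac.compare_digest(
            expected.encode(), password.encode()
        )
    forwarded = {k: v for k, v in headers.items() if k != "proxy-authorization"}
    return method, authenticated, forwarded


def upstream_status(forwarded_headers):
    """What a second, also-authenticating proxy would answer.

    It never sees the client's credential, so it replies 407 regardless
    of method: the situation the thread describes for a child cache in
    front of an authenticating parent.
    """
    return 200 if "proxy-authorization" in forwarded_headers else 407


if __name__ == "__main__":
    for req in (GET_REQUEST, CONNECT_REQUEST):
        method, ok, fwd = authenticate_and_forward(req)
        print(method, "authenticated" if ok else "rejected",
              "- upstream would answer", upstream_status(fwd))
```

Running it shows both methods authenticating identically at the first proxy and the upstream proxy answering 407 for both, because the credential was consumed one hop earlier. Whether a given child cache forwards the header for CONNECT at all is a separate question that this example does not settle; it only shows why, even when forwarded to the first authenticating hop, the credential should stop there.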
Received on Thu Apr 30 1998 - 20:27:31 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:40:00 MST