Re: [SQU] Credentials forwarding?

From: Robert Collins <robert.collins@dont-contact.us>
Date: Sat, 2 Dec 2000 01:13:53 +1100

----- Original Message -----
From: "Chemolli Francesco (USI)" <ChemolliF@GruppoCredit.it>
To: "'Robert Collins'" <robert.collins@itdomain.com.au>; "squid users mailing list" <squid-users@ircache.net>
Sent: Saturday, December 02, 2000 12:27 AM
Subject: RE: [SQU] Credentials forwarding?

<SNIP original concept>
> Okay, let's change that.
>
> First, what I'd like to do.
> Suppose I have a proxy chain done like this:
>
> child1 +
> child2 +
> child3 +---> parent_cache
> ... +
> childn +
>
>
> What I'd like to do is set it up so that load is split
> among the caches: the child caches do credentials checking,
> ACL checking and very lightweight caching. The parent cache
> does just forwarding and heavyweight caching, but I'd like
> to use it to log accesses, INCLUDING credentials.
>
> A nice solution would be in having the child caches forward
> a request's username, and then have maybe some shared secret
> with the parent cache and a protocol extension telling it
> "okay, trust me. I've already checked and this user is what
> it claims to be. Just log it.".
>
> --
> /kinkie
>

Henrik/Duane/other design gods may have a better view on this... but I'd look at
adding a new header X-Squid-Username or some such. In the content put

MD5(strcat(MD5(sharedsecret), url, client_username)) client_username

Then you can check for X-Squid-Username, and verify that it was put there by the cache, not by a hacking user.

This is modelled off of digest authentication.

There may be an http protocol extension for hierarchical caches already, but I'm not sure....
Rob

Received on Fri Dec 01 2000 - 07:10:20 MST
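
The header scheme suggested in the reply above, as an added example in Python (not code from the original post or from Squid): the child cache builds the X-Squid-Username value and the parent cache recomputes it before logging the username. `framed_token` is an assumed hardening that is not part of the post: plain `strcat` does not bind where the URL ends and the username begins, so it uses HMAC-SHA256 over length-prefixed fields. All function names and sample values are constructed.

```python
import hashlib
import hmac


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def posted_token(secret: str, url: str, user: str) -> str:
    # As posted: MD5(strcat(MD5(sharedsecret), url, client_username))
    return _md5(_md5(secret) + url + user)


def framed_token(secret: str, url: str, user: str) -> str:
    # Hardened variant (assumption, not from the post): HMAC-SHA256 over
    # length-prefixed fields, so the url/username boundary is authenticated.
    fields = [f.encode() for f in (url, user)]
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def make_header(token_fn, secret: str, url: str, user: str) -> str:
    # Child cache: header value is "<token> <username>".
    return f"{token_fn(secret, url, user)} {user}"


def verify_header(token_fn, secret: str, url: str, value: str):
    # Parent cache: recompute the token for the claimed username and compare
    # in constant time. Returns the username to log, or None if rejected.
    token, sep, user = value.partition(" ")
    if not sep or not user:
        return None
    expected = token_fn(secret, url, user)
    ok = hmac.compare_digest(token.encode(), expected.encode())
    return user if ok else None


# Constructed sample values, for illustration only.
SECRET = "example-shared-secret"
URL = "http://example.com/a"

if __name__ == "__main__":
    value = make_header(posted_token, SECRET, URL, "kinkie")
    print("X-Squid-Username:", value)
    print("parent logs:", verify_header(posted_token, SECRET, URL, value))
    # A client-supplied header with a changed username is rejected.
    altered = value.split(" ")[0] + " admin"
    print("altered:", verify_header(posted_token, SECRET, URL, altered))
```

The token covers only the URL and username, so the parent should still accept the header only from configured child caches and strip it from client requests at the children.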
