Re: [SQU] Authenticate problem:

From: Henk-Jan Kloosterman <proxy@dont-contact.us>
Date: Sat, 23 Dec 2000 00:54:58 +0100

Robert Collins wrote:

> Henk-Jan,
> If you are willing to run up a test copy of squid on a spare machine,
> for you to use (it's not stable code - it is likely to be
> part of squid 2.5) you could try the auth_rewrite branch of squid. It has
> a bottom up rewrite of squid's internal authentication
> mechanisms. I left the basic specifics largely untouched, but I'm more
> than happy to dig into them.. If you wanted to try it out
> it's available from http://squid.sourceforge.net/
>
> DO NOT replace your current production squid with it. I'm suggesting you
> run up a local copy and that you test yourself against it
> to see how it goes.
>
> Rob
I will do that. If it works, then: is it safe to try it in production? I
also have a "test" production site (I can easily switch), and between
Christmas and New Year I won't have too many users, so if it works for
myself tomorrow, could I consider taking it into production?

2. Does it work in a 2.2.STABLE5.1 environment?

> Does the user need a challenge to get the password, or do they just type
> in what's on the token at the time?

They just type in what's on the token at the time.

Henrik Nordstrom wrote:

> > Hmm.. maybe there is a proxy_auth cache deficiency there. In theory the
> > first request carrying the new passphrase would be sent to the
> > authenticator, but maybe all are until the authenticator returns. Need
> > to check the code on this.
> >

>I have, and there sure is a small window when the ttl expires which
>allows for multiple lookups and possibly even a minor proxy_auth cache
>inconsistency (minor == might repair itself after a while and should
>have no bad effects apart from a few extra bytes of memory used).

How would it repair itself? Do I have to do something?

>It should be at least 3600 seconds from when the user first was
>authorized (the proxy_auth helper last returned OK).

Looks like it.

>What you can do until a patch is provided is to further raise the TTL,
>which is probably a good thing anyway as HTTP is not really designed for
>password changes like this sporadically (every 3600 seconds) in the
>middle of a surfing session.

So it looks like the problem only occurs for my "heavy" internet users. (And
that's right!)
What would be the danger of setting the authenticate_ttl to, let's say, 8 hours?

>a) The browser is in the middle of fetching a page with X objects left
>to retrieve
>b) The TTL expires, causing Squid to requery the authentication helper
>which will tell that the password is invalid (still the old password).
>Squid will then send "407 Proxy authentication required" to all those
>requests.
Looks like this!

>c) As the browser has multiple concurrent 407 replies from the proxy, it
>might well pop up several login dialogs to the user. But this is
>user-agent implementation details..

?

--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
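The three steps Henrik lists (TTL expires mid-page, every in-flight object is re-checked against a now-stale token and gets a 407, the browser shows a dialog per 407) are easy to see in a small model of a credential cache with a TTL in front of an authentication helper. The following is an added example written for this archive page; it is not Squid's code and does not reproduce Squid's actual proxy_auth implementation. The token scheme (a value that rotates every 60 seconds), the user name and all function names are assumptions made for the illustration.

```python
# Constructed model of a proxy_auth credential cache with a TTL in front
# of an authenticator helper. Not Squid code; written to illustrate the
# 407 storm described in the thread.

TOKEN_PERIOD = 60  # assumed: the hardware token shows a new value every 60 s


def token_at(now):
    """Value shown on the user's token at simulated time `now` (assumed scheme)."""
    return "tok%05d" % (now // TOKEN_PERIOD)


class Helper:
    """Stands in for the proxy_auth helper: says OK only for the token valid now."""

    def __init__(self):
        self.calls = 0

    def check(self, user, password, now):
        self.calls += 1
        return password == token_at(now)


class ProxyAuthCache:
    """user -> (password, expiry). A valid hit is served without the helper."""

    def __init__(self, helper, ttl):
        self.helper = helper
        self.ttl = ttl
        self.entries = {}

    def authorize(self, user, password, now):
        entry = self.entries.get(user)
        if entry is not None and entry[0] == password and now < entry[1]:
            return 200
        # Miss or expired: ask the helper. A negative answer caches nothing,
        # so every request arriving in this window triggers its own lookup.
        if self.helper.check(user, password, now):
            self.entries[user] = (password, now + self.ttl)
            return 200
        return 407


def simulate(ttl, fetch_at, objects, user="henk", auth_at=0):
    """User logs in at `auth_at`; at `fetch_at` the browser fetches a page
    with `objects` parts, re-sending the token it logged in with.
    Returns (number of 407 replies, helper lookups during the fetch)."""
    helper = Helper()
    cache = ProxyAuthCache(helper, ttl)
    login_token = token_at(auth_at)
    assert cache.authorize(user, login_token, auth_at) == 200
    helper.calls = 0
    statuses = [cache.authorize(user, login_token, fetch_at) for _ in range(objects)]
    return statuses.count(407), helper.calls


def relogin(ttl, now, objects, user="henk"):
    """After the user types the current token into one of the dialogs:
    the first request goes to the helper, the rest hit the cache."""
    helper = Helper()
    cache = ProxyAuthCache(helper, ttl)
    statuses = [cache.authorize(user, token_at(now), now) for _ in range(objects)]
    return statuses.count(407), helper.calls


if __name__ == "__main__":
    print("ttl 3600, page at 3600 s:", simulate(3600, 3600, 10))
    print("ttl 8 h,  page at 3600 s:", simulate(8 * 3600, 3600, 10))
    print("ttl 8 h,  page at 8 h:   ", simulate(8 * 3600, 8 * 3600, 10))
    print("after re-login:          ", relogin(3600, 3600, 10))
```

With the 3600-second TTL a ten-object page fetched at the expiry moment yields ten 407s and ten helper lookups, because the stale token fails every time and a failure caches nothing. Raising the TTL to 8 hours does not remove the window, it only moves it to the end of the longer period, which is why it helps the "heavy" users who stay logged in across the hour and why the risk is a longer lifetime for an accepted token value rather than a new failure mode.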
Received on Fri Dec 22 2000 - 17:04:29 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:57:06 MST