RE: [squid-users] Is Squid an option for me? <newbie>

From: <sean.upton@dont-contact.us>
Date: Wed, 19 Sep 2001 14:51:39 -0700

I'm also interested in seeing if this is possible, at least from the basic
auth angle.

I don't know much about SSL issues regarding Squid, other than there might
be some support in development versions, but I'm betting that would likely
work.

I'm also very interested in the idea of sharing basic auth between the proxy
and the back end servers behind an accelerator. I compiled Squid in accel
mode to support proxy_auth, and find this will be suitable to an access
gateway project I am working on, but I would ideally like for the basic auth
info to be passed to the back-end servers as well, if possible, since I
would authenticate off the same LDAP or relational databases anyway.

Since basic auth is just a header, there is a question as to whether or not
this header info is stripped in the request as it is sent by Squid to the
back-end web servers in accel mode, provided you are not caching... Any of
the gurus out there know if this is possible?

More specifically, I would want to:
- Initially authenticate via challenge from Squid
- Rest of session: both squid and app server on back-end evaluate the same
basic auth header info
- (optionally) figure out a way to do basic auth login via an html web-form
instead of a default browser dialog (that is, preempt the auth challenge
response, even if this only can be done via client-side scripting on capable
browsers).

Thoughts?

Sean

-----Original Message-----
From: Yanek Korff [mailto:yanek@cigital.com]
Sent: Wednesday, September 19, 2001 1:40 PM
To: 'squid-users@squid-cache.org'
Subject: [squid-users] Is Squid an option for me? <newbie>

General newbie question here. I'm trying to deploy a 2-tier authentication
scheme to provide authentication over SSL before allowing access to other
servers. Like this:

User connects to proxy from outside, via SSL, say to
https://foobar.mydomain.com/in1. Password auth cleartext (or not, whatever)
over SSL.
Proxy confirms authentication OK, continues to pass ALL SUBSEQUENT DATA to
another server based on URL (in this case, in1.mydomain.com). In most
cases, in1 will again immediately ask for basic auth, different auth
database this time, though.

Is this possible with Squid? I have managed to get this set up with apache
to a point... except when the internal server prompts for basic auth, and I
send back auth information, the proxy machine thinks IT is the recipient and
rejects it, or loops if I'm using digest on the proxy and trying to send
basic to the internal server.

-Yanek.
Received on Wed Sep 19 2001 - 15:54:10 MDT
