[squid-users] Re: Project for someone (Was Re: [squid-users] transproxy + auth on parent proxy)

From: Colin Campbell <sgcccdc@dont-contact.us>
Date: Thu, 7 Feb 2002 14:26:57 +1000 (EST)

Hi,

On 7 Feb 2002, Robert Collins wrote:

> Yes :}. As an interesting intellectual diversion, the following allows
> transparent, authenticated web sessions - to a certain extent.
>
> 1) An HTTP/1.1 conformant squid (or at least supporting chunked encoding,
> and pretending for the rest). I've had this running, but it's not
> stable. (this isn't strictly required, but removes a _lot_ of overhead
> and some instances where this won't work without..., so is very much
> recommended.)
> 2) New connections return an immediate redirect, to a virtual web server
> 'authserver.proxycanonical.com/', after storing the original URL in the
> connection state.
> 3) authserver.proxycanonical.com then returns a 401!
> 4) The client authenticates to the authserver.proxycanonical.com (which
> is still the proxy server).
> 5) The proxy then issues another redirect, back to the stored original
> URL.
> 6) The connection is authenticated, much like NTLM.
>

The definition of "new connections" could be somewhat problematical,
couldn't it? You don't want to have to authenticate for *every*
connection. Apart from that, no authentication information would be passed
with subsequent connections. Also has problems with a multi-user machine
where it would be difficult to distinguish between users.

Colin

--
Colin Campbell
Unix Support/Postmaster/Hostmaster
CITEC
+61 7 3006 4710
Received on Wed Feb 06 2002 - 21:27:09 MST
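
An added illustration, not part of either post and not Squid code: a toy model of the six quoted steps, showing the point raised in the reply that the authenticated state lives on the connection, so a second connection from the same address starts with no identity. It assumes the client sends every request of the flow over one tracked connection; the `Connection` class, the credential store, the `X-Authenticated-User` marker and the sample hosts and addresses are constructed for the example.

```python
import base64
import hmac

AUTH_HOST = "authserver.proxycanonical.com"  # virtual host named in the post
USERS = {"alice": "s3cret"}                  # constructed credential store

class Connection:
    """State the proxy keeps for one intercepted TCP connection (hypothetical)."""
    def __init__(self, client_ip):
        self.client_ip = client_ip
        self.original_url = None  # step 2: remembered before the redirect
        self.user = None          # step 6: set once this connection has authenticated

def check_basic(header):
    """Return the username for a valid 'Basic' Authorization header, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
    except ValueError:  # covers malformed base64 and invalid UTF-8
        return None
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), pw.encode()):
        return None
    return user

def handle(conn, host, path, authorization=None):
    """Return (status, headers) for one request arriving on conn."""
    if conn.user:                                  # step 6: already authenticated
        # 200 stands in for forwarding the request upstream as this user
        return 200, {"X-Authenticated-User": conn.user}
    if host != AUTH_HOST:                          # step 2: store URL, redirect
        conn.original_url = f"http://{host}{path}"
        return 302, {"Location": f"http://{AUTH_HOST}/"}
    user = check_basic(authorization)
    if user is None:                               # step 3: challenge
        return 401, {"WWW-Authenticate": 'Basic realm="proxy"'}
    conn.user = user                               # steps 4-5: accept, send back
    return 302, {"Location": conn.original_url or f"http://{AUTH_HOST}/"}

def demo():
    """Walk one connection through the flow, then open a second from the same IP."""
    cred = "Basic " + base64.b64encode(b"alice:s3cret").decode()
    c1, c2 = Connection("192.0.2.10"), Connection("192.0.2.10")
    seq = [("example.com", "/page", None), (AUTH_HOST, "/", None),
           (AUTH_HOST, "/", cred), ("example.com", "/page", None)]
    statuses = [handle(c1, h, p, a)[0] for h, p, a in seq]
    # c2 carries no credentials and no state: the proxy cannot tell whose it is.
    return statuses, handle(c2, "example.com", "/page")[0], c2.user
```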
