Re: [squid-users] maybe I can use proxy_auth with interception if ....

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 27 Feb 2003 20:12:09 +0100

On Thursday 27 February 2003 17.39, Lucas Brasilino wrote:
> Hi all, especially squid developers:
>
>
> For me it's clear like crystal the explanation why I can't
> use proxy_auth with interception shown at
> http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.15
>
> Ok. that's fine.
>
> But if I modify squid behavior to _NOT_ send
> "HTTP/1.0 407 Proxy Authentication Required"
> but
> "HTTP/1.0 401 Unauthorized"
> the client should think that it is talking with the original
> server. It should do the trick, shouldn't it ??
>
> Well.. maybe you say "go to hell Lucas!! Are you against RFC2616's
> standards ??" :-))
>
> No, I'm not. But this trick seems to be useful, isn't it ??
> Comments, please.... :)

Would not call it useful in a proxy. It is useful in accelerators but
there the functionality is already available in Squid (a hidden
define needs to be set in Squid-2.5 and earlier.. only to make it
harder to find to make sure people who run transparent proxies do not
think this is good for a transparent proxy, as it is not)

This will as you say make the browser think it is the web site who
requires authentication. This has a number of implications:

 a) As you are now using the authentication protocol meant to be used
by web sites, no web sites will be able to use authentication via
your proxy.

 b) The browser will request again for the password on each new web
site requested.

 c) Your users' proxy login+password will most likely leak out in plain
text on the Internet unless you take special action to prevent this
by making sure the Authorization header is not forwarded.

Regards
Henrik
Received on Thu Feb 27 2003 - 12:10:55 MST
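
Implication (c) above, as an added example that is not part of the original message and is not Squid code: a minimal model of which request headers a proxy forwards upstream, using the hop-by-hop list from RFC 2616 section 13.5.1. The function names, the sample host and the credentials are constructed for illustration.

```python
import base64

# Hop-by-hop headers (RFC 2616 section 13.5.1): consumed by the proxy, never forwarded.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailers", "transfer-encoding", "upgrade"}

def parse_headers(raw):
    """Split a raw HTTP request into (request_line, [(name, value), ...])."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = (line.partition(":") for line in lines[1:])
    return lines[0], [(n.strip(), v.strip()) for n, _, v in parts]

def forward_headers(headers, strip_authorization=False):
    """Headers sent upstream. Authorization is end-to-end, so it is forwarded
    unless the operator strips it explicitly."""
    out = []
    for name, value in headers:
        lname = name.lower()
        if lname in HOP_BY_HOP or (strip_authorization and lname == "authorization"):
            continue
        out.append((name, value))
    return out

def exposed_basic_credentials(headers):
    """Return the 'user:password' strings readable from forwarded Basic credentials."""
    found = []
    for name, value in headers:
        scheme, _, token = value.partition(" ")
        if name.lower() == "authorization" and scheme.lower() == "basic":
            found.append(base64.b64decode(token).decode("utf-8", "replace"))
    return found

def make_request(header_name, user, password):
    """Build a constructed sample request carrying Basic credentials."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return ("GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n"
            f"{header_name}: Basic {token}\r\n\r\n")

# Constructed samples: the same proxy login answered to a 407 and to a 401.
VIA_407 = make_request("Proxy-Authorization", "alice", "proxy-secret")
VIA_401 = make_request("Authorization", "alice", "proxy-secret")

def leaked(raw, strip_authorization=False):
    """Credentials an upstream server (or the path to it) could read."""
    _, headers = parse_headers(raw)
    return exposed_basic_credentials(forward_headers(headers, strip_authorization))

if __name__ == "__main__":
    print("407 scheme, forwarded upstream:", leaked(VIA_407))
    print("401 scheme, forwarded upstream:", leaked(VIA_401))
    print("401 scheme, Authorization stripped:", leaked(VIA_401, True))
```

With `strip_authorization=True` the leak closes, but a web site's own `Authorization` header is dropped as well, which is implication (a).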
