Re: [squid-users] reverse proxy + authentication

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Tue, 06 Mar 2007 21:35:39 +0100

Tue 2007-03-06 at 16:44 +0100, Alberto Dondana wrote:

> my reverse proxy for OWA with squid2.6stable9 on RH ES4.U1 works fine.
>
> Now I'm trying to add an authentication but I see an unusual behaviour
> For that I'm using squid3 (daily auto-generated released last friday)

You can only have one level of web server authentication in a
reasonable manner. A reverse proxy is a surrogate for the web server it
sits in front of.

In HTTP there is one slot for proxy authentication where the browser can
authenticate to the configured proxy, and one slot for web server
authentication.

> What happens: the two authentication levels seem to work fine, but
> immediately my reverse proxy starts sending OWA one packet with the right
> user 'alberto.dondana', the second with the wrong user 'tce', then the right
> user again and so on... as seen in access.log below:
>
> 10.10.145.1 - alberto.dondana [06/Mar/2007:16:14:02 +0100] "GET https://dondy.tc-express.it/exchange HTTP/1.1" 401 2805 TCP_DENIED:NONE

This was denied by the proxy as an invalid login.

> 10.10.145.1 - tce [06/Mar/2007:16:14:02 +0100] "GET https://dondy.tc-express.it/exchange HTTP/1.1" 401 412 TCP_MISS:FIRST_UP_PARENT

Sent to OWA, but rejected there as an invalid login..

> 10.10.145.1 - alberto.dondana [06/Mar/2007:16:14:02 +0100] "GET https://dondy.tc-express.it/exchange HTTP/1.1" 401 2805 TCP_DENIED:NONE

Denied by the proxy again.. (expected).

> 10.10.145.1 - tce [06/Mar/2007:16:14:02 +0100] "GET https://dondy.tc-express.it/exchange HTTP/1.1" 401 412 TCP_MISS:FIRST_UP_PARENT

And denied by OWA (also expected).

> If I'm using PAM and locally on the squid server I added a user with the same
> credentials as the OWA one (but I use a different user for the first squid
> authentication), everything works well..

It works well because you then authenticate as the OWA user both to
Squid and OWA.

HTTP is stateless, and the authentication is per request. So this is the
same as logging in with the OWA user immediately.

Regards
Henrik

Received on Tue Mar 06 2007 - 13:35:49 MST

This archive was generated by hypermail pre-2.1.9 : Sat Mar 31 2007 - 13:00:01 MDT