Re: [squid-users] Proxy-Authenticate and WWW-Authenticate

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Mon, 30 Jul 2007 03:59:12 +0200

On Thu, 2007-07-26 at 14:25 +1000, Matthew Smith wrote:

> Is it correct to say that a response can only have one authenticate in
> the headers? That a request containing a WWW-Authenticate cannot have a
> Proxy-Authenticate as well?

It can have both, and is required if both the proxy and the web server
require authentication.

> If I have a site which requires authentication with a given scheme, am I
> right to assume that the only way an authenticating proxy between the
> site and the user can use authentication is if the authentication tokens
> sent by the user are the same for the proxy and the site?

Of course not. Proxy authentication and web site authentication are
separate from each other.

The only limitation is that there may only be one of each.

> Is basic
> authentication the only auth system that can be chained in this way?

Proxy authentication is designed as a hop-by-hop thing. The browser
authenticates to its closest proxy, which then authenticates to the
next-hop.

In Squid there are two means available to authenticate to the next-hop
proxy. Either static login:password, or passthrough of the information
provided by the browser.

It's only basic authentication that can be chained in a good manner, so
if you want each proxy to verify the credentials then basic needs to be
used.

It's possible chaining also works with NTLM/Negotiate due to the very
different way these authentication "schemes" work, but it's not
something I have tested.

> Lastly, assuming a proxy with no auth, is it now possible to have a
> WWW-Authenticate using the NTLM scheme pass through a squid proxy?

Yes, possible both with and without proxy authentication.

Regards
Henrik
Received on Sun Jul 29 2007 - 19:59:24 MDT
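
The hop-by-hop handling described in the message above, as an added example that is not part of the original post and is not Squid's code: a toy proxy hop that checks `Proxy-Authorization`, leaves the end-to-end `Authorization` header alone, and then either sends a static login or passes the browser's proxy credentials to the next hop. The names `proxy_hop`, `next_hop_login`, `passthrough` and all credentials are constructed for illustration; only Basic is modelled and header names are matched case-sensitively for brevity.

```python
import base64

def basic(user, password):
    """Build a Basic credential value, the same format for both header families."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic(value):
    """Return (user, password) from a Basic credential, or None if unusable."""
    scheme, _, token = (value or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def proxy_hop(headers, users, next_hop_login=None, passthrough=False):
    """Model one proxy hop; returns (status, headers sent onward or challenge).

    users: this hop's own user database (hypothetical, for the example).
    next_hop_login: static (user, password) presented to the parent proxy.
    passthrough: relay the browser's proxy credentials to the parent instead.
    """
    creds = parse_basic(headers.get("Proxy-Authorization"))
    if creds is None or users.get(creds[0]) != creds[1]:
        # The 407 challenge concerns this hop only; the site sends its own 401.
        return 407, {"Proxy-Authenticate": 'Basic realm="proxy"'}
    # Proxy-Authorization is consumed at this hop; Authorization is end-to-end.
    onward = {k: v for k, v in headers.items() if k != "Proxy-Authorization"}
    if passthrough:
        onward["Proxy-Authorization"] = headers["Proxy-Authorization"]
    elif next_hop_login:
        onward["Proxy-Authorization"] = basic(*next_hop_login)
    return 200, onward

# Constructed sample request: separate credentials for the proxy and the site.
REQUEST = {
    "Host": "intranet.example",
    "Authorization": basic("site-user", "site-pw"),
    "Proxy-Authorization": basic("alice", "proxy-pw"),
}
```

With passthrough, the parent proxy only accepts the request if it knows the same user and password as the first hop, and it sees those credentials in recoverable form.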
