Re: [squid-users] 401 Unauthorized

From: Amos Jeffries <>
Date: Mon, 24 May 2010 01:25:04 +1200

zongo saiba wrote:
> Hi,
> I am using Squid Version 2.7.STABLE7 with Ubuntu 10.04. Everything seems
> to be working fine but I have one issue which is to be able to pass on
> the credential windows to squid for one of my remote site.
> I have tried using cache_peer as such:
> cache_peer hostname sibling 80 0 login=PASS

  "sibling" ... you are passing the credentials to another proxy server
that listens on port 80 instead of a proxy port?

To pass to a web server use "parent" type and also the "originserver"

> But to no avail.
> I added this line --> cache_peer_access hostname allow all --> but to no
> avail

permitting requests to MAYBE go through the peer...

> Finally I tried this --> never_direct deny all --> Again, to no avail.

forcing all traffic to ALWAYS go through the peer...

> I decided to tried to create an acl for this particular domain as such:
> acl xxx dstdomain
> http_access allow xxx
> But again all this to no avail.

permitting the requests for this domain to go through your Squid.

> Then I realised that this might have something to do with HTT header. As
> per doc, basic authentication seems to use the WWW-Authenticate HTTP
> Header. I have that disable for security reasons. So I did find out why

So for security reasons you have to prevent all authentication passing
through your proxy?

Please explain these security reasons which lead you to disabling remote
websites security while still allowing general access to public websites
which have no security?

> the credentials window is not passed on the my browser. I decided to try

If by "credentials window" you mean the little popup box that browsers
themselves create when they need to supply credentials to a website but
do not have any stored for use already....

... then, yes you are removing all versions of the authentication
methods header. There are several of these headers added by web servers
advertising the many protocols they can use for auth.
  Without any of them at all the browser does not know what type of
credentials to send, so can't do anything but error out.

  Basic auth which you seem to be afraid of is only one protocol of many
which use these headers.

> to create a customer HTTP header for this site as such:
> acl cdnCustomHeader req_header ^
> http_access allow cdnCustomHeader


> This had the effect of reporting the 401 error on all the websites I was
> connecting.

"reporting" as in how? you mean the browsers suddenly started showing
error pages with "401 Authorization Required" status messages?

> I did try with this as well but again to no avail
> header_access WWW-Authenticate allow hostname.

WWW_Authenticate header does not contain a hostname of any such thing.

It usually contains one word from these: "Basic", "NTLM", "Negotiate",
"Digest", and maybe a custom auth protocol name for certain security agents.


Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.3
Received on Sun May 23 2010 - 13:25:11 MDT

This archive was generated by hypermail 2.2.0 : Sun May 23 2010 - 12:00:32 MDT