Re: [squid-users] enabling X-Authenticated-user

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 02 Mar 2012 00:41:11 +1300

On 02.03.2012 00:06, Michael Hendrie wrote:
> On 01/03/2012, at 7:32 PM, Amos Jeffries wrote:
>
>> On 01.03.2012 18:06, Brett Lymn wrote:
>>> On Thu, Mar 01, 2012 at 03:17:43PM +1030, Michael Hendrie wrote:
>>>>
<snip>
>>
>> I'm reluctant to add the header because the data is already
>> transmitted in the authentication headers.
>>
>> Squid does have a little issue automatically mapping
>> Kerberos/NTLM/Digest usernames into a Basic auth because we cannot
>> easily be sure if a fake password is acceptable or real one needed by
>> the upstream. I'm quite happy to accept patches which add that mapping
>> ability to Squid in a secure way.
>>
>> NP: an external_acl_type helper can return the key-pairs "user=X
>> password=Y" (both needed to do this) to associate some credentials to
>> the request. These are available to login=PASS for relay upstream in
>> the Basic auth format.
>>
>
> I would also like to see a feature for "insert_user_defined_header"
> not only of X-Authenticated-User but would be useful for other web
> apps I've come across (Google and YouTube) using non-standard HTTP
> headers that I've had to create patches for...see the following
> URLs:
>
> http://support.google.com/a/bin/answer.py?hl=en&answer=1668854
> http://support.google.com/youtube/bin/answer.py?hl=en&answer=1686318

You really want to trust a tutorial which begins with "Enable SSL
interception on the proxy server."?

There really is no need for a proxy to use write-access to headers and
client requests. The servers have PICS labeling or other newer rating
systems available that the proxy can read and enforce site-wide policy
for far easier.
   http://vancouver-webpages.com/PICS/HOWTO.html#tools

Too many different sized wheels on that old cart.

>
> If there were code submission to the dev mailing list would these get
> looked at or is there no chance of a "insert_user_defined_header"
> feature being included?
>

Looked at, yes. Argued over, probably. Accepted, depends on how the
audit and voting process goes. We are very democratic.

Personally I'm against the nasty uses naive people put it to without
considering the consequences more than the feature itself. Adding it is
the top of a slippery slope of feature requests we have managed to
mostly avoid so far.

Amos
Received on Thu Mar 01 2012 - 11:41:15 MST
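
Added example, not part of the original post and not Squid's own code: a minimal external_acl_type helper of the kind Amos describes, returning user= and password= so that cache_peer login=PASS can relay them upstream in the Basic auth format. The helper path, ACL name, peer host and placeholder password are assumptions, as are the default helper protocol (URL-escaped values) and no helper concurrency.

```python
#!/usr/bin/env python3
"""Added example: Squid external_acl_type helper returning user=/password=.

Assumed squid.conf wiring (helper path, ACL name and peer host are hypothetical):
  external_acl_type upstream_creds %LOGIN /usr/local/bin/upstream_creds.py
  acl map_creds external upstream_creds
  http_access allow map_creds
  cache_peer peer.example.net parent 3128 0 login=PASS
"""
import re
import sys
from urllib.parse import quote, unquote

# Placeholder; whether the upstream accepts a fixed fake password is an assumption.
UPSTREAM_PASSWORD = "PLACEHOLDER-not-a-real-secret"
# Allowlist keeps whitespace, newlines and '=' out of the reply, so a crafted
# login cannot smuggle extra key=value pairs into the helper response.
SAFE_USER = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def answer(line: str) -> str:
    """Map one request line (a URL-encoded %LOGIN value) to a helper reply."""
    fields = line.split()
    if len(fields) != 1:
        return "ERR"
    login = unquote(fields[0])
    # Drop a Kerberos realm (user@REALM) or an NTLM domain (DOMAIN\user).
    user = login.split("@", 1)[0].rsplit("\\", 1)[-1]
    if not SAFE_USER.fullmatch(user):
        return "ERR"
    return "OK user=%s password=%s" % (
        quote(user, safe=""), quote(UPSTREAM_PASSWORD, safe=""))


def main() -> None:
    # Squid keeps the helper running and sends one request per line.
    for line in sys.stdin:
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()  # reply immediately; buffered output stalls Squid


if __name__ == "__main__":
    main()
```

Anything that fails the allowlist gets ERR, so the request is not given mapped credentials at all rather than being relayed with a username the upstream might parse differently.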
