On 25/05/2012 8:37 p.m., Alan wrote:
> Hello,
>
> I'm implementing a proxy server that authenticates users via radius,
> and then based on the source ip, login and the destination, grants
> access or not to the requested objects.
>
> The relevant section of squid.conf is:
>
> auth_param basic program /usr/lib/squid/squid_radius_auth -f
> /etc/squid/radius.conf -t 5
> auth_param basic children 5
> auth_param basic realm Web Proxy
> auth_param basic credentialsttl 1 hour
> external_acl_type my_acl_type %SRC %LOGIN %DST /var/www/htdocs/acl.php
> acl my_acl external my_acl_type
> http_access allow my_acl
> http_access deny all
>
> Both IE and Firefox have the same behavior: they popup the
> authentication prompt, then they can make requests for a while, and
> randomly popup the authentication prompt again. I type the same
> username and password, and it works fine.
> In Konqueror there is no popup, I guess it tries again one more time
> with the last username and password before prompting the user.
>
> A network capture reveals that the client is always sending the right
> Proxy-Authentication header with it's requests, but squid randomly
> replies with a 407 status code, without even asking the radius server
> (the authentication result is presumably still cached).
>
> In squid 3.2.0.17 this problem is gone and I don't get the
> authentication prompts anymore, but since it is labeled Beta instead
> of Stable, I wonder if this can be solved in the 3.1 series.
>
> Has anybody else been affected by this?
Very likely.
The 3.2 code has had a near complete re-write to resolve a large number
of mysterious little bugs in pointer reference handling. That change is
BIG, still being debugged itself, and I'm not willing to repeat the
years voluntary work spent on fixing 3.2. So the auth bug fixes are not
going to be automatically ported to 3.1 like most others are. Patches
are welcome though if you wish to spend the time or money to locate and
fix 3.1.
Amos
Received on Sun May 27 2012 - 09:41:43 MDT
This archive was generated by hypermail 2.2.0 : Sun May 27 2012 - 12:00:04 MDT