[squid-users] squid and authentication

From: Eugene M. Zheganin <emz_at_norma.perm.ru>
Date: Thu, 09 Aug 2012 23:59:20 +0600


I've been using squid for more than 10 years now.
I wrote a couple of articles about it.

But there are still some basic things about it that I don't understand.
Or, I don't know, some things about proxy authentication.
I know I will look silly, but I still decided to ask.
I decided to ask here, not because I'm sure it's a squid issue (I guess
it's not) but because I think you guys have answered a lot of stupid
questions "why my authentication doesn't work".

So. I imagine I have set up some authentication schemes. Basic, NTLM,
doesn't matter.
Imagine I have mozilla on some UNIX operating system. I launch it, I see
that it's NTLM since it doesn't show the realm (and basic of course
does) then I enter my credentials (I guess it's okay for unix, as
mozilla on windows domain machine doesn't ask for it, so it must be some
issue in NTLM/mozilla/samba or whatever), then it's okay until some
point. But sooner or later Firefox (and Mozilla previously) will reask
about my credentials. This happens a lot on UNIX OSes, and mostly with
Mozilla. This also happens with Chrome, but not that often.

What is it? How long do the credentials stay in squid's cache? I know
about 'credentialsttl' for the basic scheme, but there's no such option for
NTLM. I've read RFC 2617 and I dumped the HTTP sessions of client
browsers with my proxy, but I didn't find the answer to the question "why
does the authentication popup reappear" - the RFC says nothing about
re-asking or keeping the explicit cache. One more question - why can't the
browser simply and silently resend the authentication? All the
browsers I've seen show the authentication popup again, so I think this
is some common approach and not a browser developer conspiracy.

Received on Thu Aug 09 2012 - 17:59:39 MDT
