Re: [squid-users] Replay Auth

From: FredB <fredbmail_at_free.fr>
Date: Thu, 21 Nov 2013 10:36:21 +0100 (CET)

>
> What do you mean by "claim" ?

I mean no banner

>
> The browser is expected to deliver credentials on every request and the
> proxy validate them. The credentialsttl is only about how often Squid
> has to query the backend to validate them. When the TTL expires the
> authenticator backend is checked, exactly the same as on a new login. If
> it says they are still OK then a new credentialsttl period is started.
> When auth works properly the browser is only ever challenged at the
> start of the user's browsing session and not bothered again.
>

Yes, it's the point, with digest the user can revalidate with some options but not with basic

> To force a change in credentials midway through a series of transactions
> you need to cause the proxy to emit another auth challenge. Which can be
> done by denying one of the requests using an access control line ending
> with either an auth re-validation to the backend ("proxy_auth
> REQUIRED"), a check against explicit username (proxy_auth <name>) or
> with an external ACL that depends on %LOGIN.
>
> http://wiki.squid-cache.org/action/show/Features/Authentication#How_do_I_ask_for_authentication_of_an_already_authenticated_user.3F

Thank you very much, I didn't find this. Unfortunately it doesn't work right

with this at the end

acl my_auth proxy_auth REQUIRED
acl google_users proxy_auth user1 user2 user3 fred
acl google dstdomain .google.com
http_access deny google !google_users
http_access allow my_auth
http_access deny all

When I'm surfing (digest or basic) my auth is never re-validated

To be sure I removed "fred" from acl google_users and I'm denied and my browser shows the banner
 
From the wiki "In this case if the user requests www.google.com then the first http_access line matches and triggers re-authentication unless the user is one of the listed users."

It's not completely right, I think the doc gives the impression that it is sequential (user1 banner, user2 banner, etc), but with acl google_users proxy_auth user1 user2 user3 fred no banner
With acl google_users proxy_auth user1 user2 user3, banner, and I need to change my user for userx
It cannot really be used because you must change your user for another ...

But maybe I'm misunderstanding something

So thank you very much, I know now that squid can force the revalidation (perhaps it only lacks one option like authenticate_disconnet) the question is how exactly ?

Fred
Received on Thu Nov 21 2013 - 09:36:36 MST
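
Added example (not part of the original message, and not Squid source code): a simplified Python model of how the http_access lines quoted in the message are evaluated, showing why a listed user gets no banner while an unlisted one is re-challenged. The function names and the RULES_NO_BANNER variant (a deny line ending in "all") are illustrative assumptions; the model covers only the ACL types used in the message.

```python
# Added illustration: a simplified model of Squid's http_access evaluation,
# not Squid source code. Users and domains are the ones from the message.
ACLS = {
    "my_auth": ("proxy_auth", ["REQUIRED"]),
    "google": ("dstdomain", [".google.com"]),
    "all": ("all", []),
}
RULES = [
    ("deny", ["google", "!google_users"]),
    ("allow", ["my_auth"]),
    ("deny", ["all"]),
]
# Variant ending in "all": the last ACL is no longer an auth ACL, so 403, no banner.
RULES_NO_BANNER = [("deny", ["google", "!google_users", "all"])] + RULES[1:]

def acl_matches(kind, values, user, host):
    if kind == "all":
        return True
    if kind == "dstdomain":  # ".google.com" covers the domain and its subdomains
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in values)
    return "REQUIRED" in values or user in values  # proxy_auth

def evaluate(rules, acls, user, host):
    """Return the HTTP status the model gives: 200, 403 or 407 (login banner)."""
    for action, terms in rules:
        last_is_auth = False
        for term in terms:
            kind, values = acls[term.lstrip("!")]
            last_is_auth = kind == "proxy_auth"
            if last_is_auth and user is None:
                return 407  # no credentials yet: challenge
            if acl_matches(kind, values, user, host) == term.startswith("!"):
                break  # this term fails, so the line does not match
        else:
            if action == "allow":
                return 200
            # A deny line whose last ACL is an auth ACL re-challenges the client.
            return 407 if last_is_auth else 403
    return 403  # not reached here: "deny all" always matches

def status_for(google_users, user, host, rules=RULES):
    """Evaluate the rules with a given google_users list (user=None: no login)."""
    acls = dict(ACLS, google_users=("proxy_auth", google_users))
    return evaluate(rules, acls, user, host)
```

With "fred" in google_users the deny line does not match and the request falls through to "allow my_auth", so nothing triggers a new challenge; the 407 appears only when the authenticated user fails the final proxy_auth ACL of a deny line.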
