Dancer wrote:
> > >From draft-ietf-http-v11-spec-rev-06, section 13.5.1:
> > ...
> > The following HTTP/1.1 headers are hop-by-hop headers:
> > ...
> > . Proxy-Authenticate
> > . Proxy-Authorization
> Hmm. I checked further down in the spec, and it _does_ say that a proxy
> which has no proxy-auth credentials MAY forward the challenge to the
> user, and submit _their_ credentials. Squid obviously does this, and
> MS-proxy obviously doesn't. Both are correct according to that spec. It
> still means I'm screwed though :(
Not exacly. The spec says that an intermediade proxy may relay the
authentication credentials to a cooperating proxy. All challanges MUST
be consumed at each proxy.
I think the correct path is
1. Only forward Proxy-Authorization credentials to peers configured for
cooperating authentication.
2. When receiving a Proxy-Authenticate challange from a peer configured
for cooperating authentication and there is no other means for fetching
the object, then send a Proxy-Authenticate challange to the calling
client as if proxy authentication was required for this proxy (possibly
with a note that it was initiated by the peer).
--- Henrik Nordstrom Spare time Squid hackerReceived on Tue Jul 29 2003 - 13:15:57 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:12:04 MST