As I understand from the squid.conf documentation login=PASSTHRU:
"Send login details received from client to this peer. Both Proxy- and
WWW-Authorization headers are passed without alteration to the peer."
But as I mentioned in my previous messages proxy-authenticate headers
sent from the proxy are removed before sent to the client (unless
login=PASS is configured).
Is that how the PASSTHRU should behave?
In any case I also set the connection-auth=on for that peer.
On Mon, May 23, 2011 at 4:27 PM, Tsachi <tsachi.kimel_at_gmail.com> wrote:
> Thanks for your replay,
> I have tried the PASSTHRU before but it didn’t work for me with NTLM.
> It seems that http "proxy-authenticate: XXXXX" headers are removed in
> the client replay if the login is configured not to be PASS.
>
> clientReplyContext::buildReplyHeader()
> if ( !(request->peer_login && strcmp(request->peer_login,"PASS") ==0))
> reply->header.delById(HDR_PROXY_AUTHENTICATE);
>
> Removing this condition seems to overcome this.
>
> But it seems to be asking for user and password quite occasionally.
>
> Is the connection pinning is already fully integrated to 3.2?
>
>
> On Mon, May 23, 2011 at 3:13 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>> On 23/05/11 23:59, Tsachi wrote:
>>>
>>> Hey I am checkig Squid 3.2.0.5.
>>> I have a question regarding some behavior I noticed.
>>> Configuring a parent proxy with login=PASS.
>>> No user or passwords are configured in ACL.
>>>
>>> A client makes a normal http request without any authorization header.
>>> Squid process the request and sends it to the parent proxy with the
>>> header field "proxy-authorization: Basic xxxxx"
>>>
>>> I guess this is because the httpFixupAuthentication (http.cc) is
>>> called and reach the end and set httpHeaderPutStrf(hdr_out, header,
>>> "Basic %s",base64_encode(orig_request->peer_login));
>>>
>>> Is that how it is suppose to be?
>>
>> Yes. "login=PASS" *requires* login to be sent and goes to some lengths to
>> locate a login for passing on.
>>
>>> Am I missing here something?
>>
>> If you need Squid to pass the exact login/non-login state of requests
>> through to a peer use "login=PASSTHRU" which was added in 3.2. This will
>> make Squid transparent regarding the Proxy-Auth headers.
>>
>> Amos
>> --
>> Please be using
>> Current Stable Squid 2.7.STABLE9 or 3.1.12
>> Beta testers wanted for 3.2.0.7 and 3.1.12.1
>>
>
Received on Tue May 24 2011 - 14:00:12 MDT
This archive was generated by hypermail 2.2.0 : Wed May 25 2011 - 12:00:05 MDT