Re: transparent proxy with authentication

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sat, 18 Jul 1998 01:14:02 +0200

Julian Elischer wrote:

> anyhow I have 2 comments.. in 1.1.21, the port number squid takes
> as being the target, is not inherited from the original request
> but is instead a static number. Is this because of some problem that
> (maybe) Linux has? Does not a getsockname() return the original
> destination port?

The Squid code is written with server acceleration in mind, not
transparent proxying. And running a transparent HTTP proxy for other
ports than 80 does not make much sense so there has never been any
reason to change it. But now that you have mentioned it maybe I'll do it
in 1.2beta (accel port 0 == accepted port number).

No, Linux has no problem with this. It returns the original destination
address and port in getsockname().

> It seems impossible to forward packets to Squid, and have it demand
> authentication from the user, unless the user has his browser
> already doing proxying, which makes the point of transparent proxy
> rather moot.

This is a limitation of HTTP, not Squid.

Squid happily sends out proxy authentication requests, but the browsers
only know how to handle this when configured to use a proxy.

> Is there some setting that can force authentication?

You can build it in some other way than using proxy authentication.
There are people that have done it by forcing people to authenticate
using a cgi-bin program before their IP address is allowed to access the
proxy.

---
Henrik Nordström
Sparetime Squid Hacker
Received on Fri Jul 17 1998 - 23:22:58 MDT
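
The workaround described in the reply above, as an added example that is not code from Squid or from this thread: a login step records the client's IP address, and the intercepting proxy forwards requests only for recorded addresses. The class and function names, the redirect to a login URL, the session lifetime and the sample credentials are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

SESSION_TTL = 900  # seconds an IP stays authorised (assumed value)
LOGIN_URL = "http://proxy.example.internal/cgi-bin/login"  # hypothetical URL


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password):
    """Return the (salt, hash) record stored for one account."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)


class IpGate:
    """Tracks which client IPs have passed the login form (hypothetical helper)."""

    def __init__(self, users):
        self.users = users    # user name -> (salt, password hash)
        self.allowed = {}     # client IP -> (user name, expiry time)

    def login(self, ip, user, password, now):
        """What the login program does when the form is submitted."""
        # Unknown users still go through the hash so timing does not
        # reveal which account names exist.
        salt, stored = self.users.get(user, (b"\0" * 16, b""))
        ok = hmac.compare_digest(_hash(password, salt), stored)
        if ok:
            self.allowed[ip] = (user, now + SESSION_TTL)
        return ok

    def handle(self, ip, now):
        """Decision for one intercepted request from `ip` at time `now`."""
        entry = self.allowed.get(ip)
        if entry and entry[1] > now:
            return ("forward", entry[0])
        # Expired or never logged in: drop the record and send the browser
        # to the login form. A 407 would not work here, because the browser
        # is not configured to use a proxy.
        self.allowed.pop(ip, None)
        return ("redirect", LOGIN_URL)
```

Because the record is keyed on the source address alone, every client that shares that address (behind NAT or on a multi-user host) is treated as the logged-in user until the entry expires.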
