[squid-users] squid to pass http digest

From: Or Gerson <OrG_at_Websplanet.com>
Date: Thu, 14 Apr 2011 09:08:41 +0000

Hello,

I have two web servers running apache behind squid.
The application on Apache is written in PHP and requires authentication, which is done with HTTP Digest.

When I access the web servers directly, the application works. Through Squid, however, I find that Squid removes the HTTP Digest Authorization header and replaces it with its own Basic authentication header (proxy_auth is not enabled).

This is taken from squid access log:

http://squid-server/xadmin/mk.php - ROUNDROBIN_PARENT/squid-server text/html Host:%20squid-server%0D%0AUser-Agent:%20Mozilla/5.0%20(Windows;%20U;%20Windows%20NT%206.1;%20en-US;%20rv:1.9.2.16)%20Gecko/20110319%20Firefox/3.6.16%20GTB7.1%0D%0AAccept:%20text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8%0D%0AAccept-Language:%20en-us,en;q=0.5%0D%0AAccept-Encoding:%20gzip,deflate%0D%0AAccept-Charset:%20ISO-8859-1,utf-8;q=0.7,*;q=0.7%0D%0AKeep-Alive:%20115%0D%0AConnection:%20keep-alive%0D%0AAuthorization:%20Digest%20username=%22dev%22,%20realm=%22xadmin%22,%20nonce=%22b1ffe1477deafad5554a0632ad8fba1c%22,%20uri=%22/xadmin/mk.php%22,%20algorithm=MD5,%20response=%22625715996fe71c2fec61d4f6f1514150%22,%20opaque=%22d75db7b160fe72d1346d2bd1f67bfd10%22,%20qop=auth,%20nc=00000001,%20cnonce=%227dad729a5d7d6eae%22%0D%0A

This is the header that gets to the web server:

      0x0040: 6d6b 2e70 6870 2048 5454 502f 312e 300d mk.php.HTTP/1.0.
        0x0050: 0a48 6f73 743a 2061 7474 2e71 612e 7770 .Host:.squid-server
       xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ..User-
        0x0070: 4167 656e 743a 204d 6f7a 696c 6c61 2f35 Agent:.Mozilla/5
        0x0080: 2e30 2028 5769 6e64 6f77 733b 2055 3b20 .0.(Windows;.U;.
        0x0090: 5769 6e64 6f77 7320 4e54 2036 2e31 3b20 Windows.NT.6.1;.
        0x00a0: 656e 2d55 533b 2072 763a 312e 392e 322e en-US;.rv:1.9.2.
        0x00b0: 3136 2920 4765 636b 6f2f 3230 3131 3033 16).Gecko/201103
        0x00c0: 3139 2046 6972 6566 6f78 2f33 2e36 2e31 19.Firefox/3.6.1
        0x00d0: 3620 4754 4237 2e31 0d0a 4163 6365 7074 6.GTB7.1..Accept
        0x00e0: 3a20 7465 7874 2f68 746d 6c2c 6170 706c :.text/html,appl
        0x00f0: 6963 6174 696f 6e2f 7868 746d 6c2b 786d ication/xhtml+xm
        0x0100: 6c2c 6170 706c 6963 6174 696f 6e2f 786d l,application/xm
        0x0110: 6c3b 713d 302e 392c 2a2f 2a3b 713d 302e l;q=0.9,*/*;q=0.
        0x0120: 380d 0a41 6363 6570 742d 4c61 6e67 7561 8..Accept-Langua
        0x0130: 6765 3a20 656e 2d75 732c 656e 3b71 3d30 ge:.en-us,en;q=0
        0x0140: 2e35 0d0a 4163 6365 7074 2d45 6e63 6f64 .5..Accept-Encod
        0x0150: 696e 673a 2067 7a69 702c 6465 666c 6174 ing:.gzip,deflat
        0x0160: 650d 0a41 6363 6570 742d 4368 6172 7365 e..Accept-Charse
        0x0170: 743a 2049 534f 2d38 3835 392d 312c 7574 t:.ISO-8859-1,ut
        0x0180: 662d 383b 713d 302e 372c 2a3b 713d 302e f-8;q=0.7,*;q=0.
        0x0190: 370d 0a56 6961 3a20 312e 3120 6174 7471 7..Via:.1.1.xxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.(squid/
        0x01b0: 322e 362e 5354 4142 4c45 3231 290d 0a58 2.6.STABLE21)..X
        0x01c0: 2d46 6f72 7761 7264 6564 2d46 6f72 3a20 -Forwarded-For:.
        0x01d0: 3139 322e 3136 382e 302e 3731 0d0a 5072 192.168.0.71..Pr
        0x01e0: 6f78 792d 4175 7468 6f72 697a 6174 696f oxy-Authorizatio
        0x01f0: 6e3a 2042 6173 6963 2055 4546 5455 3152 n:.Basic.UEFTU1R
        0x0200: 4955 6c55 3d0d 0a41 7574 686f 7269 7a61 IUlU=..Authoriza
        0x0210: 7469 6f6e 3a20 4261 7369 6320 5545 4654 tion:.Basic.UEFT
        0x0220: 5531 5249 556c 553d 0d0a 4361 6368 652d U1RIUlU=..Cache-
        0x0230: 436f 6e74 726f 6c3a 206d 6178 2d61 6765 Control:.max-age
        0x0240: 3d32 3539 3230 300d 0a0d 0a =259200....

This is squid config:

# Squid configuration as posted: a plain listener on port 3128, a second
# listener with the vhost option on 192.168.68.167:80, and two round-robin
# parent peers marked originserver. Caching is disabled (cache_dir null,
# cache deny all).

# ACL definitions. "all" matches every source address.
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# http_access rules are evaluated top to bottom; the first matching rule decides.
# Cache-manager requests are accepted from localhost only.
http_access allow manager localhost
http_access deny manager
# Refuse destination ports outside Safe_ports, and CONNECT to anything but 443.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
# NOTE(review): ICP queries are answered for any source. Both peers below are
# no-query, so ICP looks unnecessary here -- consider denying it; confirm.
icp_access allow all
# NOTE(review): this listener has no vhost/accelerator option. Combined with the
# final "http_access allow all", any client that can reach port 3128 can use
# this host as a general forward proxy to any Safe_ports destination.
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
visible_hostname attqalb
coredump_dir /var/spool/squid
cache_dir null /null
# Listener that serves the two web servers below (vhost option).
http_port 192.168.68.167:80 vhost
# NOTE(review): the packet capture in this message shows squid/2.6.STABLE21
# sending "Authorization: Basic UEFTU1RIUlU=" to the web server. That value
# base64-decodes to the literal string PASSTHRU, which suggests this build does
# not treat login=PASSTHRU as a pass-through keyword but sends it as a fixed
# credential, replacing the client's Digest Authorization header. Check which
# login= values the installed version's cache_peer documentation lists -- TODO
# confirm.
cache_peer 192.168.68.155 parent 80 0 no-query connection-auth=off login=PASSTHRU originserver round-robin name=web1
cache_peer 192.168.68.156 parent 80 0 no-query connection-auth=off login=PASSTHRU originserver round-robin name=web2
# Nothing is cached; every request is forwarded to a peer.
cache deny all
server_persistent_connections on
# NOTE(review): final rule admits every request not denied above, from any
# source, on both listeners. For a reverse-proxy deployment, allow only the
# published site(s) (for example with a dstdomain ACL) and end the list with
# "http_access deny all".
http_access allow all

please help.

This message, together with its attachments, contains information from WebsPlanet Ltd., which is privileged and confidential. If you are not the intended recipient or you have received this message in error, then please notify us immediately by e-mail to info_at_websplanet.com, and delete all copies of this message and its attachments.
Received on Thu Apr 14 2011 - 09:13:54 MDT
