Re: [squid-users] squid to pass http digest

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 14 Apr 2011 22:13:24 +1200

On 14/04/11 21:08, Or Gerson wrote:
> Hello,
>
> I have two web servers running apache behind squid.
> The application on the apache is php written and requests authentication which is passed by http digest.
>
> When I try to get to the web servers directly the application works. But through squid I find that squid removes the http digest header and replaces it with its own basic authentication (proxy_auth is not enabled).
>

Exactly as you have configured to happen.

> This is taken from squid access log:
>
> http://squid-server/xadmin/mk.php - ROUNDROBIN_PARENT/squid-server text/html Host:%20squid-server%0D%0AUser-Agent:%20Mozilla/5.0%20(Windows;%20U;%20Windows%20NT%206.1;%20en-US;%20rv:1.9.2.16)%20Gecko/20110319%20Firefox/3.6.16%20GTB7.1%0D%0AAccept:%20text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8%0D%0AAccept-Language:%20en-us,en;q=0.5%0D%0AAccept-Encoding:%20gzip,deflate%0D%0AAccept-Charset:%20ISO-8859-1,utf-8;q=0.7,*;q=0.7%0D%0AKeep-Alive:%20115%0D%0AConnection:%20keep-alive%0D%0AAuthorization:%20Digest%20username=%22dev%22,%20realm=%22xadmin%22,%20nonce=%22b1ffe1477deafad5554a0632ad8fba1c%22,%20uri=%22/xadmin/mk.php%22,%20algorithm=MD5,%20response=%22625715996fe71c2fec61d4f6f1514150%22,%20opaque=%22d75db7b160fe72d1346d2bd1f67bfd10%22,%20qop=auth,%20nc=00000001,%20cnonce=%227dad729a5d7d6eae%22%0D%0A
>
> This is the header that gets to the web server:
>

<erasing the binary copy we get...>

...mk.php HTTP/1.0
Host: squid-server
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16 GTB7.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Via: 1.1 xxxxx (squid/2.6.STABLE21)
X-Forwarded-For: 192.168.0.71
Proxy-Authorization: Basic UEFTU1RIUlU=
Authorization: Basic UEFTU1RIUlU=
Cache-Control: max-age=259200

>
> This is squid config:
>
> http_port 3128
> http_port 192.168.68.167:80 vhost
> cache_peer 192.168.68.155 parent 80 0 no-query connection-auth=off login=PASSTHRU originserver round-robin name=web1
> cache_peer 192.168.68.156 parent 80 0 no-query connection-auth=off login=PASSTHRU originserver round-robin name=web2

There are two headers involved:
  Proxy-Authorization and Authorization.

  "Proxy-Authorization:" is only relevant on forward-proxy requests to
the proxy being talked to. Squid will normally strip these and requires
login=PASS to pass them on in Basic format.
   Your server peers DO NOT NEED IT. So the normal hop cleanup is the
right thing to happen.

  "Authorization:" is end-to-end web server auth and contains the login
for a web server. Squid does not touch them unless some very narrow
circumstances are occurring.

Which brings us to the only auth-related thing your Squid is doing being
login=PASSTHRU.

"PASSTHRU" is a new option available in 3.2 series Squid. 2.6 series
treat it as the "username:password" value to be relayed on in Basic auth
format.

SOLUTION:
  remove the login= option from your config.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.6
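The diagnosis above can be checked mechanically from the two captures in the thread. What follows is an added example, not code from the thread or from the Squid project: it %-decodes the header field Squid wrote to access.log, parses the request the origin received, and confirms that the Basic token the origin got is the literal string `PASSTHRU` from the `login=` option, relayed by a Squid whose Via header identifies it as 2.6. The sample inputs are constructed from the headers quoted above (the hexdump's `.` placeholders are assumed to be spaces, and the logged header field is trimmed to Host and Authorization); the claim that 2.6 relays an unknown `login=` value verbatim is taken from Amos's reply and from the captured `UEFTU1RIUlU=` token, which base64-decodes to `PASSTHRU` with no `:` appended.

```python
import base64
import re
import urllib.parse

# --- Constructed samples, taken from the headers quoted in this thread ---

# The %-encoded request header field Squid logged to access.log (the client's
# original headers; everything except Host and Authorization trimmed here).
LOGGED_HEADERS = (
    "Host:%20squid-server%0D%0A"
    "Authorization:%20Digest%20username=%22dev%22,%20realm=%22xadmin%22,"
    "%20nonce=%22b1ffe1477deafad5554a0632ad8fba1c%22,%20uri=%22/xadmin/mk.php%22,"
    "%20algorithm=MD5,%20response=%22625715996fe71c2fec61d4f6f1514150%22,"
    "%20opaque=%22d75db7b160fe72d1346d2bd1f67bfd10%22,%20qop=auth,%20nc=00000001,"
    "%20cnonce=%227dad729a5d7d6eae%22%0D%0A"
)

# The request as it reached the origin server (assumed: hexdump '.' == space).
ORIGIN_REQUEST = (
    "GET /xadmin/mk.php HTTP/1.0\r\n"
    "Host: squid-server\r\n"
    "Via: 1.1 xxxxx (squid/2.6.STABLE21)\r\n"
    "X-Forwarded-For: 192.168.0.71\r\n"
    "Proxy-Authorization: Basic UEFTU1RIUlU=\r\n"
    "Authorization: Basic UEFTU1RIUlU=\r\n"
    "Cache-Control: max-age=259200\r\n"
    "\r\n"
)

CACHE_PEER_LINE = ("cache_peer 192.168.68.155 parent 80 0 no-query connection-auth=off "
                   "login=PASSTHRU originserver round-robin name=web1")

HEADER_RE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")


def parse_headers(raw):
    """Split a CRLF-delimited header block into a list of (lowercase name, value)."""
    headers = []
    for line in raw.split("\r\n"):
        m = HEADER_RE.match(line)
        if m:  # the request line and the blank terminator do not match
            headers.append((m.group(1).lower(), m.group(2).strip()))
    return headers


def decode_logged_headers(log_field):
    """Squid logs request headers %-encoded with CRLF as %0D%0A; undo that first."""
    return parse_headers(urllib.parse.unquote(log_field))


def first_header(headers, name):
    for n, v in headers:
        if n == name:
            return v
    return None


def basic_credentials(token):
    """Decode a Basic token to (user, password); password is None when no ':' is present."""
    decoded = base64.b64decode(token).decode("latin-1")
    user, sep, password = decoded.partition(":")
    return user, (password if sep else None)


def squid_version(headers):
    """Recover the proxy's major.minor from its Via header, e.g. (2, 6)."""
    m = re.search(r"squid/(\d+)\.(\d+)", first_header(headers, "via") or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def login_option(cache_peer_line):
    m = re.search(r"\blogin=(\S+)", cache_peer_line)
    return m.group(1) if m else None


def predicted_basic_token(login_value):
    """A Squid that does not know the keyword relays login= verbatim as a Basic
    token (the captured request shows no ':' was appended)."""
    return base64.b64encode(login_value.encode("latin-1")).decode("ascii")


def diagnose(log_field, origin_request, cache_peer_line):
    """Explain why an origin received Basic auth although the client sent Digest."""
    client, origin = decode_logged_headers(log_field), parse_headers(origin_request)
    findings = []

    sent_scheme, _, sent_rest = (first_header(client, "authorization") or "").partition(" ")
    got_scheme, _, got_token = (first_header(origin, "authorization") or "").partition(" ")
    if sent_scheme == "Digest" and got_scheme == "Basic":
        digest_user = re.search(r'username="([^"]*)"', sent_rest)
        user, password = basic_credentials(got_token)
        findings.append(f"client Digest for user {digest_user.group(1) if digest_user else '?'!r} "
                        f"replaced by Basic user={user!r} password={password!r}")

    if first_header(origin, "proxy-authorization"):
        findings.append("hop-by-hop Proxy-Authorization reached the origin; a proxy should strip it")

    login, version = login_option(cache_peer_line), squid_version(origin)
    if login == "PASSTHRU" and version and version < (3, 2):
        findings.append(f"login=PASSTHRU is not a keyword before Squid 3.2; on "
                        f"{version[0]}.{version[1]} it is sent literally as Basic {predicted_basic_token(login)}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(LOGGED_HEADERS, ORIGIN_REQUEST, CACHE_PEER_LINE):
        print("-", finding)
```

Run it and the third finding reproduces the exact `UEFTU1RIUlU=` token seen in the origin's dump, which is the quickest way to convince yourself that the credential is the config option itself rather than anything the client sent; dropping `login=` from both `cache_peer` lines, as the reply recommends, removes the source of that token.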
Received on Thu Apr 14 2011 - 10:13:31 MDT

This archive was generated by hypermail 2.2.0 : Thu Apr 14 2011 - 12:00:03 MDT