On 01.03.2012 14:32, Brett Lymn wrote:
> I have an application that pays attention to the X-Authenticated-User
> header.
Why? What does it do?
> I need to use this application as an upstream proxy and need to
> have the user authentication passed from squid through to this
> application.
What happens to the user if Squid accepts the credentials and
authenticates them, but the other proxy does not? Important.
> I know about the login=PASS cache_peer directive but I am
> wondering how that plays with negotiated authentication schemes like
> kerberos.
In HTTP, proxy-auth credentials are decided at each and every hop down
the chain of servers. login= is the way Squid uses to determine what
credentials are valid for the next peer. The same directive can also
completely replace the downstream credentials, wholly or partially, and
send a new set upstream.
Kerberos' connection-based nature forces this fact right up into your
face, needing a new keytab token at every proxy. Squid 3.2+ supports
login=NEGOTIATE to send your Squid's Kerberos credentials to the next
proxy down the chain.
Login from user to web servers is irrelevant to this whole process.
They are passed down untouched, although some auth frameworks like
NTLM/Kerberos/Negotiate make several bad assumptions and need persistent
connection pinning hacks (Squid 2.6, 2.7, and 3.1+ supported) in place
to work over HTTP.
If your other proxy needs to play with the user's website login, it is
fully responsible for breaking into the authentication itself. Squid is
not going to help with that abuse.
> Is there a configuration item I can enable to get the header?
> A bit of a search showed up nothing apart from some ICAP related
> stuff.
> I cannot use ICAP for this application, I simply need the header. Would
> the squid developers consider a patch if I developed one to add this?
No, the header is not part of HTTP or any other protocol specification.
It is an experimental header created for the use of ICAP plugins to
Squid until such time as Squid can be re-written to use proper
authentication to ICAP or ICAP helpers to not depend on the existence of
a "user" label.
Amos
Received on Thu Mar 01 2012 - 02:07:46 MST
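
The login= choices discussed in the reply above, laid out as a squid.conf fragment. This is an added illustration, not part of the original message or of the Squid project's documentation; the peer hostname, port 3128 and the fixed password are placeholders, and only one cache_peer line for the peer would be enabled at a time.

```conf
# Added example. upstream.example.net, 3128 and "sharedsecret" are placeholders.

# 1) Relay the client's proxy credentials to the peer unchanged.
#    Both proxies must share the same user database, and the peer gets to
#    see each user's proxy password. This does not carry a Kerberos login
#    across the hop, because the client's token was issued for this Squid.
#cache_peer upstream.example.net parent 3128 0 no-query default login=PASS

# 2) Squid 3.2+: authenticate to the peer with this Squid's own Kerberos
#    credentials (first principal in the default keytab, or the keytab named
#    by KRB5_KTNAME). The peer authenticates the proxy, not the end user.
#cache_peer upstream.example.net parent 3128 0 no-query default login=NEGOTIATE

# 3) Partial replacement: forward the username this Squid authenticated,
#    paired with a fixed password agreed with the peer, so the peer can
#    identify each user without ever receiving that user's real credentials.
cache_peer upstream.example.net parent 3128 0 no-query default login=*:sharedsecret

# Force all requests through the peer instead of going direct.
never_direct allow all
```

With option 3 the fixed password crosses the hop on every request, so the link between the two proxies needs to be trusted or otherwise protected.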