auth_rewrite

Well,
    The auth_rewrite is nearly done. In fact it is testable and useable for
anyone who has a few minutes. It's not complete but the missing features are
related to long-term operation (cache expiry on reconfigures, squid.conf
entries for the odd magic number and such like), however I don't guarantee
it won't walk your hard drive out of the room :-]

Oh and fake_auth can get confused at the moment - but the problem is in
fake_auth not the squid code. It gets confused after a cache expiry
happens - I suspect a request order issue of some sort. You should only see
this when you let the user cache expire and then try another request. So by
default that needs 2+ hours of inactivity from a user. (As I said - testable
not perfect :])

Short list of "why this is better"

* authentication details moved to authenticate.c
* generic acl match caching available (used by this code)
* acl match caching for proxy_auth and proxy_auth_regex with authenticated
users.
   (as a point of interest kinkie reported a 20% cpu decrease with splay
trees - well the caching code is not optimised (just a linked list) but it
will bring the same benefit to the regex checks as well.
* user cache expiry. (we use more memory with NTLM and also with acl match
caching.
* multiplexed ntlm helper requests. fake_auth has been updated, I'm not sure
whether the NTLMSSP helper will respond 'optimally' to this or not. It
should work though (I can't test it :-[)
* IP address restrictions affect NTLM and basic authentcation equally.
(shared code now).
* NTLM authenticated user timeouts.
* (hopefully) generally cleaner interfaces internally, should be a lot
easier to add digest et al in the future.

If anyone has the time/interest to play with this I'd really appreciate
any/all feedback. Now I've removed the last segfault I was getting I expect
to finish it all off this week... and I shouldn't break what's in CVS :-].

Rob
Received on Tue Nov 07 2000 - 05:33:38 MST