RE: NTLM and proxying

From: Chemolli Francesco (USI) <ChemolliF@dont-contact.us>
Date: Fri, 13 Apr 2001 13:01:48 +0200

> > It depends. It must be fd-to-fd in case of NTLM-to-NTLM bridging.
> > It SHOULD be user-to-fd in case of basic-to-NTLM bridging
> > (not that it wouldn't work otherwise, it would just be much
> > less efficient).
>
> NTLM to NTLM? Do you mean tunnel mode? NTLM to NTLM needs a
> co-operative user directory again! (Same as digest-basic or
> NTLM-basic).

Yes, that's tunnel mode. Squid knows nothing about authentication,
it just understands that it must keepalive as much as possible
and pin and reserve up- and downstream FDs.

> > > My take on the scenarios:
> > >
> > > 2 proxies, 4 clients.
> > >
> > > 1, 2 proxy, child, parent
> > > a,b clients of 1
> > > c,d clients of 2.
> > >
> > > If 2 supports NTLM, it gateways to basic. 1 only sees basic
> > > requests. No issue there.
> > > If 2 doesn't support NTLM, c,d are in trouble... but if 1
> > > does and can make CONNECT requests and then insert the user
> > > request into the tunnel, a,b can work properly.
> > > If 2 and 1 don't support NTLM, everything the way it is today.
> >
> >
> > Most CONNECT security settings would refuse dest ports other than
> > 443. Other than this, it might work (to the dismay of 2's
> > administrator, who wouldn't be able to log accesses) :-)
>
> Make proxy 1 use basic auth to 2 to get permission to CONNECT
> to port 80 :]
> That should be easy enough compared to getting the connect
> functionality going in the first place.

Hehe.

-- 
	/kinkie 
Received on Fri Apr 13 2001 - 06:45:22 MDT
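
Added example, not part of the original message and not Squid code: a constructed Python model of why tunnel mode has to pin and reserve the up- and downstream FDs. NTLM authenticates the connection rather than each request, so ordinary keep-alive reuse of an upstream fd lets the server attribute one client's request to another user. The class names, fd numbers and user names are hypothetical.

```python
class Upstream:
    """Proxy-to-server connection. NTLM authenticates the connection itself,
    so the server attributes every later request on it to one identity."""
    def __init__(self, fd):
        self.fd, self.authed_as = fd, None

    def request(self, user, path):
        if self.authed_as is None:        # first request: handshake relayed end to end
            self.authed_as = user         # stands in for negotiate/challenge/authenticate
        return (self.authed_as, path)     # who the server believes is asking


class SharedPoolProxy:
    """Plain keep-alive reuse: any idle upstream fd serves the next client."""
    def __init__(self):
        self.idle, self.next_fd = [], 100

    def forward(self, client_fd, user, path):
        up = self.idle.pop() if self.idle else Upstream(self.next_fd)
        self.next_fd += 1
        seen = up.request(user, path)
        self.idle.append(up)              # released after each request
        return seen


class PinningProxy:
    """Tunnel mode: each client fd reserves one upstream fd for its lifetime."""
    def __init__(self):
        self.pins, self.next_fd = {}, 100

    def forward(self, client_fd, user, path):
        if client_fd not in self.pins:
            self.pins[client_fd] = Upstream(self.next_fd)
            self.next_fd += 1
        return self.pins[client_fd].request(user, path)

    def close(self, client_fd):
        # Drop the pair together: the OS reuses fd numbers, and a stale pin
        # would hand the next client an already-authenticated upstream.
        self.pins.pop(client_fd, None)


def run(proxy):
    """Constructed traffic: alice on client fd 5, bob on client fd 6."""
    seen = [proxy.forward(5, "alice", "/a"), proxy.forward(6, "bob", "/b")]
    if hasattr(proxy, "close"):
        proxy.close(5)
        seen.append(proxy.forward(5, "carol", "/c"))  # fd 5 reused by a new client
    return seen
```

With the shared pool, bob's request is seen by the server as alice's; with pinning, each request carries the identity of the client that owns the pair.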
