RE: Username Header [PATCH] from Ben Herrick on 2002-01-04 (squid-dev)

From: Ben Herrick <bherrick@dont-contact.us>
Date: Fri, 4 Jan 2002 09:30:49 -0600

In our particular case, we want users to be required to log in to the proxy
in order to access the internet using it. We also have several intranet
sites that don't need strong authentication, but give different information
to different users based on username. This patch allows our users to log on
once and achieve both goals. It also allows us to have seperate
authentication, if necessary, for inter/intranet sites that are more
restricted.

Ben Herrick
Globalcom,Inc.
DNS Administrator
333 West Wacker Drive Suite 1500
Chicago, IL 60606-1231
Phone: 312.893.0176
Pager: 800.205.7564
Fax: 312.492.1414
Service: 800.589.1531
mailto:dnsadmin@global-com.com

-----Original Message-----
From: Henrik Nordstrom [mailto:hno@squid-cache.org]
Sent: Thursday, January 03, 2002 9:21 PM
To: Ben Herrick; Squid Developers
Subject: Re: Username Header [PATCH]

Quick question: What is wrong with using basic authentication for forwarding

the username to the application(s)?

Such basic authentication can easily added to the request by redirectors or
and by per server cache_peer lines using the login= option.

Using basic authentication adds slightly more security, as the user do not
need to know the password.

Regards
Henrik

On Thursday 03 January 2002 00.06, Ben Herrick wrote:
> Hola Ladies and Gents,
> Below is a patch to squid-head-200201020000 which implements
> "Username Headers." The basic idea here is to specify a list of domain
> names which will receive a Proxy-Authenticated username. This is useful in
> my company as a unified logon, and may be useful to others as well.
>
> This feature adds one configuration option which is a list of domain
> suffixes to try to match against. By default the list is empty, and thus
> adds almost no overhead for folks who do not want this feature.
>
> If a list of domain names are present, the patch attempts to match the
> requested web page with any of the domains. If successful it will add an
> HTTP header like this:
>
> HTTP_X_PROXY_USERNAME: bherrick
>
> This is, of course, not even close to a secure way to authenticate users.
> However, in a small controlled intranet environment, it gives a useful
> hint for web scripts.
>
> Questions, comments and concerns are of course welcome. Please CC me on
> any traffic concerning this patch as I am not subscribed to the list.
Received on Fri Jan 04 2002 - 20:05:32 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:14:44 MST