Re: Squid 3.2 Parent proxy login=PASS

From: Tsachi <tsachi.kimel_at_gmail.com>
Date: Mon, 23 May 2011 16:27:43 +0300

Thanks for your reply,
I have tried PASSTHRU before but it didn’t work for me with NTLM.
It seems that HTTP "proxy-authenticate: XXXXX" headers are removed in
the client reply if the login is configured not to be PASS.

clientReplyContext::buildReplyHeader()
if ( !(request->peer_login && strcmp(request->peer_login,"PASS") ==0))
        reply->header.delById(HDR_PROXY_AUTHENTICATE);

Removing this condition seems to overcome this.

But it seems to be asking for user and password quite occasionally.

Is connection pinning already fully integrated into 3.2?

On Mon, May 23, 2011 at 3:13 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 23/05/11 23:59, Tsachi wrote:
>>
>> Hey, I am checking Squid 3.2.0.5.
>> I have a question regarding some behavior I noticed.
>> Configuring a parent proxy with login=PASS.
>> No user or passwords are configured in ACL.
>>
>> A client makes a normal http request without any authorization header.
>> Squid processes the request and sends it to the parent proxy with the
>> header field "proxy-authorization: Basic xxxxx"
>>
>> I guess this is because httpFixupAuthentication (http.cc) is
>> called, reaches the end and sets httpHeaderPutStrf(hdr_out, header,
>> "Basic %s",base64_encode(orig_request->peer_login));
>>
>> Is that how it is supposed to be?
>
> Yes. "login=PASS" *requires* login to be sent and goes to some lengths to
> locate a login for passing on.
>
>> Am I missing something here?
>
> If you need Squid to pass the exact login/non-login state of requests
> through to a peer use "login=PASSTHRU" which was added in 3.2. This will
> make Squid transparent regarding the Proxy-Auth headers.
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.12
>  Beta testers wanted for 3.2.0.7 and 3.1.12.1
>
Received on Mon May 23 2011 - 13:27:50 MDT
