[squid-users] Reverse proxy+SSL+Basic HTTP auth

From: <user666@dont-contact.us>
Date: Tue, 7 Jan 2003 19:37:56 +0100 (CET)

Hello all,

Please skip to below if you want the question right away, first is some
background.

We have set up a reverse proxy server for some 20 internal servers. We use
squid as the SSL end-point and have it do basic HTTP authentication (with
the appropriate #define). We have an external perl helper authenticating
against an ACS server. The purpose is allowing employees to access our
intranet from home.

All this works fine, except users have to authenticate for every fqdn they
visit through squid. This is of course because the browser won't send their
user/pass combination to the next domain name.

We've been trying to get around this by using digest authentication. It
works. The user only has to log on once. The problem is that I don't see
how this is done. I don't think squid's digest code has any way for me to
give it a 'domain="host1,host2,host3"' pair. I can give it a realm but the
realm name I enter has no hostname in it. This was only tested with IE so
is it broken or what am I missing?

Sadly we can not use digest authentication because we need the cleartext
username/password to authenticate against the ACS server.

We have also tried to set up our hosts as shown here, in the hope that the
browser might resend the basic authentication username/password if the
hostname remained the same:
http://host1:80 https://host1:443 intranet1
http://host1:81 https://host1:444 intranet2

This did not work (and rightly so I suppose).

Is there anything we have missed? Is there any other way to have squid
authenticate users for multiple reverse-proxied domains (whilst still
using SSL)? We have been thinking about having squid use cookies somehow
and telling the client's browser to send the session cookie for every host
in our domain. Then our perl authentication script (by then only 1) might
keep these session cookies in memory for users that have authenticated
from certain IPs, where the cookies would of course be expired after 30
minutes. Can anybody see how this might work?

Kind regards,

Hopingforfeedback
Received on Tue Jan 07 2003 - 11:37:59 MST
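The cookie-based scheme sketched at the end of the post (one session cookie valid for every host in the domain, kept in memory by a single authentication helper, bound to the client IP and expired after 30 minutes) can be shown as a small model. The code below is an added example, not from the original post or from Squid; it assumes the proxied hosts share a parent domain, written here as `.example.com`, so that one cookie with `Domain=.example.com` is sent by the browser to intranet1, intranet2 and so on. The cookie name `intranet_session`, the `SessionStore` class and the `check_credentials` callback that stands in for the ACS lookup are all constructed for the example.

```python
"""Session-cookie sign-on across reverse-proxied hosts (added example).

Assumptions (not from the original post): all internal hosts live under
".example.com", sessions are held in memory by the auth helper, and a
session expires after 30 minutes as the post proposes.
"""
import base64
import binascii
import secrets
import time

SESSION_TTL = 30 * 60             # 30 minutes, the lifetime suggested in the post
COOKIE_NAME = "intranet_session"  # constructed cookie name
COOKIE_DOMAIN = ".example.com"    # assumed parent domain of all proxied hosts


def parse_basic_auth(header_value):
    """Decode an 'Authorization: Basic ...' value into (user, password).

    Returns None for anything that is not well-formed basic auth. The
    decoded string is split at the first colon only, so passwords may
    themselves contain ':'.
    """
    scheme, _, payload = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


class SessionStore:
    """In-memory sessions keyed by an unguessable random token."""

    def __init__(self, ttl=SESSION_TTL, clock=time.monotonic):
        self._sessions = {}
        self.ttl = ttl
        self.clock = clock  # injectable so the expiry logic can be tested

    def create(self, username, client_ip):
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[token] = {"user": username, "ip": client_ip,
                                 "expires": self.clock() + self.ttl}
        return token

    def validate(self, token, client_ip):
        """Return the username for a live session, or None."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if self.clock() >= entry["expires"]:
            del self._sessions[token]          # expired: forget it
            return None
        if entry["ip"] != client_ip:           # bound to the IP that logged in
            return None
        entry["expires"] = self.clock() + self.ttl  # sliding 30-minute window
        return entry["user"]

    def active_count(self):
        return len(self._sessions)


def set_cookie_header(token):
    """Cookie scoped to the whole domain; Secure because squid is the SSL endpoint."""
    return (f"Set-Cookie: {COOKIE_NAME}={token}; Domain={COOKIE_DOMAIN}; "
            "Path=/; Secure; HttpOnly")


def cookie_token(cookie_header):
    """Pull our session token out of a 'Cookie:' request header value."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME:
            return value
    return None


def authorize_request(store, cookie_header, authorization_header, client_ip,
                      check_credentials):
    """Return (user, set_cookie_or_None) for one request.

    A valid session cookie wins; otherwise fall back to basic auth and, if
    the backend (the ACS check in the post) accepts the cleartext
    credentials, mint one domain-wide session cookie so the next host
    does not prompt again.
    """
    token = cookie_token(cookie_header) if cookie_header else None
    if token:
        user = store.validate(token, client_ip)
        if user:
            return user, None
    creds = parse_basic_auth(authorization_header) if authorization_header else None
    if creds and check_credentials(*creds):
        token = store.create(creds[0], client_ip)
        return creds[0], set_cookie_header(token)
    return None, None
```

Two points worth noting about the design: the token, not the client IP, is what makes the session hard to forge, so binding to the IP is a defence in depth rather than the primary check (users behind the same NAT share an IP, and a shared office address would otherwise let one login serve everyone there). The `Secure` and `HttpOnly` attributes keep the cookie off plain-HTTP connections and away from page scripts, which matters precisely because squid is terminating SSL for every host in the domain.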
