Re: [squid-users] Squid, HTTP/1.0, and HTTP/1.1

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Sun, 25 Jun 2006 11:47:13 +0200

Sat 2006-06-24 at 20:51 -0700, Merton Campbell Crockett wrote:

> In this instance, Squid received an HTTP/1.1 response from the IIS
> 6.x server with a status of 401. Included in the HTTP response
> header were the following fields.
>
> WWW-Authenticate: Negotiate
> WWW-Authenticate: NTLM
>
> Squid returned an HTTP/1.0 response to the IE client. The above were
> not included in the HTTP response header. As WWW-Authenticate is
> required in both HTTP/1.0 and HTTP/1.1 specifications, Squid is
> returning an invalid response header. If I understand your response
> correctly, this is intentional.

Correct, as returning the above two HTTP-violating headers does more
damage than good. (Well, the headers as such are not HTTP violations, but
their implementations of the NTLM, Negotiate and Kerberos schemes on top
of HTTP are.)

This filter was added to prevent major security issues from relaying
these non-HTTP authentication methods via an RFC-compliant HTTP proxy
such as Squid.

At about the same time Microsoft added their own filters to MSIE
ignoring these headers when using a proxy for the exact same reasons,
and published a document on how proxies can announce to MSIE that the
proxy does support the deviations from the HTTP protocol required to
support these authentication schemes. This extension to HTTP is
supported in Squid-2.6 and later.

Regards
Henrik

Received on Sun Jun 25 2006 - 03:47:17 MDT
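An added illustration, not part of the original message and not Squid code: a toy model of one well-known way relaying connection-bound authentication through a stateless proxy goes wrong, and of how dropping the Negotiate/NTLM offers from the 401 avoids it. The message does not say which issues it refers to; the class names, the single pooled connection and the user "alice" are constructed assumptions.

```python
# Constructed toy model; all names are hypothetical, nothing here is Squid's code.
CONNECTION_BOUND = ("ntlm", "negotiate", "kerberos")

class Origin:
    """Origin that authenticates the TCP connection rather than each request."""
    def __init__(self):
        self.conn_user = {}  # connection id -> user who completed the handshake

    def handle(self, conn_id, authorization=None):
        if authorization:  # stands in for a completed multi-step handshake
            self.conn_user[conn_id] = authorization
        user = self.conn_user.get(conn_id)
        if user is None:
            return 401, [("WWW-Authenticate", "Negotiate"),
                         ("WWW-Authenticate", "NTLM")], None
        return 200, [], user

class Proxy:
    """Proxy that treats requests as stateless and shares one upstream connection."""
    def __init__(self, origin, filter_auth):
        self.origin, self.filter_auth = origin, filter_auth

    def forward(self, authorization=None):
        conn_id = 1  # the same pooled connection serves every client
        status, headers, user = self.origin.handle(conn_id, authorization)
        if self.filter_auth:
            # Drop offers of schemes that only work when bound to one connection.
            headers = [(n, v) for n, v in headers
                       if not (n.lower() == "www-authenticate"
                               and (v.split() or [""])[0].lower() in CONNECTION_BOUND)]
        return status, headers, user

def run(filter_auth):
    """Return (schemes offered to client A, identity client B is served as)."""
    proxy = Proxy(Origin(), filter_auth)
    _, headers, _ = proxy.forward()               # client A, first request
    offered = [v for n, v in headers if n.lower() == "www-authenticate"]
    if offered:                                   # A authenticates only if a scheme was offered
        proxy.forward(authorization="alice")
    _, _, seen_as = proxy.forward()               # client B sends no credentials
    return offered, seen_as

if __name__ == "__main__":
    print("unfiltered:", run(False))
    print("filtered:  ", run(True))
```

Without the filter, client B's unauthenticated request is answered under the identity that client A established on the shared connection; with the filter, no handshake ever starts and B gets a 401.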
