Re: [squid-users] Forwarding Apache .htaccess authentication

From: Chris Robertson <crobertson_at_gci.net>
Date: Wed, 14 Oct 2009 11:31:57 -0800

Kaya Saman wrote:
> Hi,
>
> this is my first post although been running Squid for a little while
> am still very new to it as I'm just transitioning between being an
> ex-student to a junior professional with UNIX stuff :-)
>
> Basically here's the issue:
>
> I would like to access some services in my network protected by
> .htaccess uname/passwd authentication, however when I enter the
> uname/passwd combo I get kicked out and the enter uname/passwd dialog
> box comes up again.... I have come to believe that this is a Squid
> issue as Apache works fine internally on my intranet with this
> authentication method/procedure.
>
> No logs in Apache claim that there has been an error so I'm reckoning
> that Squid cannot forward the http authentication headers somehow.
>
> I have been instructed on the Apache users mailing list to check up
> auth basic realm only I couldn't find and understand exactly what I
> need to do as in Squid config file there is something which says:
> #auth_param basic realm Squid proxy-caching web server
>
> I have enabled this option and restarted Squid only to have no
> effect!!!
>
> Squid is being used as a reverse proxy so I am really stuck on what
> to do....

From http://www.squid-cache.org/Versions/v2/2.6/cfgman/cache_peer.html...

use 'login=PASS' if users must authenticate against the upstream proxy
or in the case of a reverse proxy configuration, the origin web server.
This will pass the users credentials as they are to the peer. Note: To
combine this with local authentication the Basic authentication scheme
must be used, and both servers must share the same user database as HTTP
only allows for a single login (one for proxy, one for origin server).
Also be warned this will expose your users proxy password to the peer.
USE WITH CAUTION

>
> Someone on the Apache mailing list gave me a plugin for firefox to
> detect http headers and save them of which the relevant output is
> this:
>
> [code] ----------------------------------------------------------
> http://zeta-ray.optiplex-networks.com/munin/
>
> GET /munin/ HTTP/1.1
> Host: zeta-ray.optiplex-networks.com
> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.14) Gecko/2009090217 Ubuntu/9.04 (jaunty) Firefox/3.0.14
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Authorization: Basic YWRtaW46U2NscjExWFA5OQ==

And change that password everywhere it's used. :o) Basic
authentication just encodes the credentials using Base64, which is
reversible.

>
> HTTP/1.x 401 Unauthorized
> Date: Wed, 14 Oct 2009 09:57:23 GMT
> Server: Apache/2.2.3 (Red Hat)
> WWW-Authenticate: Basic realm="Restricted Files"
> Content-Length: 497
> Content-Type: text/html; charset=iso-8859-1
> X-Cache: MISS from NetraT1-Proxy
> Via: 1.0 NetraT1-Proxy:80 (squid/2.6.STABLE15)
> Connection: close
> ---------------------------------------------------------- [/code]
>
> It seems like Squid isn't parsing anything to the Apache server
> behind it!
>
> Can anyone help me on what's going on???
>
> Many thanks!

Chris
Received on Wed Oct 14 2009 - 19:32:11 MDT
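
An added example, not part of the original message or of the Squid documentation: a Squid 2.6 reverse-proxy fragment showing where the login=PASS option quoted above goes on the cache_peer line. The origin address 192.0.2.10, the peer name munin_origin and the ACL name published_site are placeholders, and the "before" line is an assumption, since the poster's squid.conf is not shown in the thread.

```conf
# squid.conf fragment (Squid 2.6, accelerator mode), constructed for illustration.
# Placeholders: 192.0.2.10 (origin Apache), munin_origin (peer name),
# published_site (ACL name). The hostname is the one in the captured request.

# Accept requests for the published site on port 80.
http_port 80 accel defaultsite=zeta-ray.optiplex-networks.com

# Before (assumed): origin peer declared without a login= option.
# cache_peer 192.0.2.10 parent 80 0 no-query originserver name=munin_origin

# After: login=PASS passes the user's credentials as they are to the peer,
# so the Apache .htaccess check on the origin receives them.
cache_peer 192.0.2.10 parent 80 0 no-query originserver login=PASS name=munin_origin

# Route only the published site to that peer.
acl published_site dstdomain zeta-ray.optiplex-networks.com
http_access allow published_site
cache_peer_access munin_origin allow published_site
cache_peer_access munin_origin deny all

# auth_param basic realm sets the realm text of Squid's own authentication
# prompt; enabling it does not change what is forwarded to the origin.
# auth_param basic realm Squid proxy-caching web server
```

With login=PASS the Base64-encoded Basic credentials travel from Squid to the origin as sent by the browser, so the link between the two should be one you trust.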