RE: [squid-users] squid to pass http digest

From: Or Gerson <OrG_at_Websplanet.com>
Date: Thu, 14 Apr 2011 13:57:36 +0000

Thanks for the quick reply. I added the "PASSTHRU" only after I had the problem.
Without it (I removed the entire login directive), it seems that squid strips away the entire Authorization digest:

GET./xadmin/mk.php.HTTP/1.0
Host:xxxxxx
User-Agent:.Mozilla/5.0.(Windows;.U;.Windows.NT.6.1;.en-US;.rv:1.9.2.16).Gecko/20110319.Firefox/3.6.16.GTB7.1
Accept:.text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language:.en-us,en;q=0.5
Accept-Encoding:.gzip,deflate
Accept-Charset:.ISO-8859-1,utf-8;q=0.7,*;q=0.7
Via:.1.1.squid-server:3128.(squid/2.6.STABLE21)
X-Forwarded-For:.192.168.0.71
Cache-Control:.max-age=259200
Connection:.keep-al

-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: Thursday, April 14, 2011 1:13 PM
To: squid-users_at_squid-cache.org
Subject: Re: [squid-users] squid to pass http digest

On 14/04/11 21:08, Or Gerson wrote:
> Hello,
>
> I have two web servers running apache behind squid.
> The application on the apache is php written and requests authentication which is passed by http digest.
>
> When I try to get to the web servers directly the application works. But through squid I find that squid removes the http digest header and replaces it with its own basic authentication (proxy_auth is not enabled).
>

Exactly as you have configured to happen.

> This is taken from squid access log:
>
> http://squid-server/xadmin/mk.php - ROUNDROBIN_PARENT/squid-server text/html Host:%20squid-server%0D%0AUser-Agent:%20Mozilla/5.0%20(Windows;%20U;%20Windows%20NT%206.1;%20en-US;%20rv:1.9.2.16)%20Gecko/20110319%20Firefox/3.6.16%20GTB7.1%0D%0AAccept:%20text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8%0D%0AAccept-Language:%20en-us,en;q=0.5%0D%0AAccept-Encoding:%20gzip,deflate%0D%0AAccept-Charset:%20ISO-8859-1,utf-8;q=0.7,*;q=0.7%0D%0AKeep-Alive:%20115%0D%0AConnection:%20keep-alive%0D%0AAuthorization:%20Digest%20username=%22dev%22,%20realm=%22xadmin%22,%20nonce=%22b1ffe1477deafad5554a0632ad8fba1c%22,%20uri=%22/xadmin/mk.php%22,%20algorithm=MD5,%20response=%22625715996fe71c2fec61d4f6f1514150%22,%20opaque=%22d75db7b160fe72d1346d2bd1f67bfd10%22,%20qop=auth,%20nc=00000001,%20cnonce=%227dad729a5d7d6eae%22%0D%0A
>
> This is the header that gets to the web server:
>

<erasing the binary copy we get...>

...mk.php.HTTP/1.0
Host:.squid-server
User-Agent:.Mozilla/5.0.(Windows;.U;.Windows.NT.6.1;.en-US;.rv:1.9.2.16).Gecko/20110319.Firefox/3.6.16.GTB7.1
Accept:.text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language:.en-us,en;q=0.5
Accept-Encoding:.gzip,deflate
Accept-Charset:.ISO-8859-1,utf-8;q=0.7,*;q=0.7
Via:.1.1.xxxxx.(squid/2.6.STABLE21)
X-Forwarded-For:.192.168.0.71
Proxy-Authorization:.Basic.UEFTU1RIUlU=
Authorization:.Basic.UEFTU1RIUlU=
Cache-Control:.max-age=259200

>
> This is squid config:
>

> http_port 3128

> http_port 192.168.68.167:80 vhost
> cache_peer 192.168.68.155 parent 80 0 no-query connection-auth=off login=PASSTHRU originserver round-robin name=web1
> cache_peer 192.168.68.156 parent 80 0 no-query connection-auth=off login=PASSTHRU originserver round-robin name=web2

There are two headers involved:
  Proxy-Authorization and Authorization.

  "Proxy-Authorization:" is only relevant on forward-proxy requests to
the proxy being talked to. Squid will normally strip these and requires
login=PASS to pass them on in Basic format.
   Your server peers DO NOT NEED IT. So the normal hop cleanup is the
right thing to happen.

  "Authorization:" is end-to-end web server auth. and contains the login
for a web server. Squid does not touch them unless some very narrow
circumstances are occurring.

Which brings us to the only auth-related thing your Squid is doing being
login=PASSTHRU.

"PASSTHRU" is a new option available in 3.2 series Squid. 2.6 series
treat it as the "username:password" value to be relayed on in Basic auth
format.

SOLUTION:
  remove the login= option from your config.

Amos

--
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.6
Received on Thu Apr 14 2011 - 14:02:51 MDT
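
A check for the symptom diagnosed in this thread, added here as an example and not part of the original messages: it compares the Authorization header the client sent (URL-encoded, as in the access log) with what the origin received, and decodes any Basic payload to see whether it is just the cache_peer login= literal. The function names and the trimmed sample inputs are constructed for illustration.

```python
import base64
from urllib.parse import unquote

# Constructed samples, trimmed from the captures quoted in the thread.
# The access log URL-encodes the client's headers; the origin-side dump does not.
CLIENT_LOGGED = ("Host:%20squid-server%0D%0A"
                 "Authorization:%20Digest%20username=%22dev%22,%20realm=%22xadmin%22,"
                 "%20uri=%22/xadmin/mk.php%22,%20qop=auth%0D%0A")
ORIGIN_SEEN = ("Host: squid-server\r\n"
               "Via: 1.1 xxxxx (squid/2.6.STABLE21)\r\n"
               "Proxy-Authorization: Basic UEFTU1RIUlU=\r\n"
               "Authorization: Basic UEFTU1RIUlU=\r\n")

def parse_headers(raw):
    """Return {lower-case header name: value} from a CRLF-separated block."""
    headers = {}
    for line in raw.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def scheme_and_payload(value):
    """Split an Authorization value into (scheme, rest); (None, '') if absent."""
    if not value:
        return None, ""
    scheme, _, rest = value.partition(" ")
    return scheme.lower(), rest.strip()

def check_auth_rewrite(client_logged, origin_seen, peer_login=None):
    """List the ways the proxy altered auth headers between client and origin."""
    client = parse_headers(unquote(client_logged))
    origin = parse_headers(origin_seen)
    findings = []
    c_scheme, _ = scheme_and_payload(client.get("authorization"))
    o_scheme, o_payload = scheme_and_payload(origin.get("authorization"))
    if c_scheme and o_scheme is None:
        findings.append("authorization-stripped")
    elif c_scheme != o_scheme:
        findings.append(f"scheme-changed:{c_scheme}->{o_scheme}")
    if o_scheme == "basic":
        # Basic credentials are only base64; decode to see what was injected.
        decoded = base64.b64decode(o_payload).decode("latin-1")
        if peer_login is not None and decoded == peer_login:
            findings.append(f"basic-is-cache_peer-login:{decoded}")
    if "proxy-authorization" in origin:
        findings.append("proxy-authorization-reached-origin")
    return findings
```

Pass the value of the login= option as peer_login; with the samples above and "PASSTHRU", the Basic payload decodes to that literal string.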
