RE: CONNECT (https) child

From: David Richards <dj.richards@qut.edu.au>
Date: Fri, 01 May 1998 11:25:36 +1000 (EST)

Jason,

        The problem is not that simple. My cache is the first cache
requiring authentication. The hierarchy has been working very well until
this problem. It works in "normal" operation, but the problem occurs when
the method is "CONNECT" rather than "GET". The "GET" passes authentication
from the client machine through the child proxy (child proxy does not use
it) and to my proxy. This is not the case with CONNECT, however, and I want
to know why.

Dave.

-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
David Richards Ph: +61 7 3864 4347
Network Programmer Fax: +61 7 3864 5272
Computing Services E-mail: dj.richards@qut.edu.au
Queensland University of Technology
Brisbane, Australia
-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-

On Thu, 30 Apr 1998, Armistead, Jason wrote:

> David
>
> As I read it, the HTTP 1.1 specification (RFC-2068) says on page 127 that
> Proxy-Authenticate (section 14.33) header information goes all the way down
> the proxy hierarchy to the client.
>
> But, the response Proxy-Authorization (section 14.34) header from the client
> gets gobbled up by the first cache requiring authentication (usually the one
> doing any initial authentication), and doesn't get passed along to upstream
> caches. Remember, there is no point passing these headers ad infinitum up
> the cache hierarchy if the information is only good for the first (local)
> cache needing authentication. Think of what happens if it did happen -
> users' base-64 (effectively plain-text) passwords could be obtained by a
> dubious cache operator somewhere upstream, and these might be the same
> passwords as used by NT, Unix or PAM methods, thus allowing access to a
> whole client operating system. A real security hole waiting to happen, and
> hence the reason HTTP 1.1 is written that way in terms of caches.
>
> The idea is that parent caches nominate who they trust as peers/children.
> But, as a downside, if both the local proxy and an upstream one require
> authentication for the same page, with different administrators / policies
> being involved, then you have a problem which can't apparently be resolved
> in HTTP 1.1.
>
> So, it's a case of Squid following the standard. On the flip-side, expect a
> non-conforming Microsoft Proxy version which will do what you want out real
> soon now !!! (LOL)
>
> Cheers
>
> Jason
>
> ----------
> From: David Richards[SMTP:dj.richards@qut.edu.au]
> Sent: Friday, 1 May 1998 9:52
> To: Squid Discussion List
> Subject: CONNECT (https) child
>
> I have question ... :-)
>
> At QUT we have three main proxies, which everyone is forced to go through.
> These caches are authenticating squid v1.1.20 (QUT). The (QUT) means that
> it has been modified for our authentication procedure.
>
> Our problem: our child caches (departments and faculties), which are using
> squid also, are not passing authentication details for CONNECT type
> connections. So any page matching ^https://.* fails if accessed
> through a child cache.
>
> Is this a configuration issue or a fundamental deficiency or is it
> deliberate?
>
> Thanks,
>
> Dave.
>
> -#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
> David Richards Ph: +61 7 3864 4347
> Network Programmer Fax: +61 7 3864 5272
> Computing Services E-mail: dj.richards@qut.edu.au
> Queensland University of Technology
> Brisbane, Australia
> -#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
>
>
Received on Thu Apr 30 1998 - 18:41:13 MDT
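The following is an added example, not part of this thread and not Squid's code. It models the RFC 2068 section 14.34 behaviour Jason describes: a child proxy that did not itself demand credentials either drops the hop-by-hop Proxy-Authorization header or, if it cooperates with a trusted parent, relays it, and the authenticating parent answers 407 when nothing arrives. It also decodes a Basic credential to show why a relayed header is effectively plain text. The hostnames, the realm, the `dave:s3cret` credential and the `relay_to_trusted_parent` flag are constructed for the example; the script does not reproduce Squid 1.1's actual CONNECT handling.

```python
"""Proxy-Authorization across a proxy chain (RFC 2068 sections 13.5.1 / 14.34).

Constructed example: hostnames, realm and credentials are made up.
"""
import base64

# Hop-by-hop headers are meaningful for a single connection only and are
# not forwarded by proxies (RFC 2068 13.5.1; RFC 2616 adds Proxy-Authorization).
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailers", "transfer-encoding", "upgrade",
}

# Constructed client request, as a browser would send it to its local proxy.
CONNECT_REQUEST = (
    b"CONNECT secure.example.edu:443 HTTP/1.0\r\n"
    b"Host: secure.example.edu:443\r\n"
    b"User-Agent: constructed-example/1.0\r\n"
    b"Proxy-Authorization: Basic ZGF2ZTpzM2NyZXQ=\r\n"   # dave:s3cret
    b"\r\n"
)


def parse_request(raw: bytes):
    """Split an HTTP/1.x request head into (method, target, version, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def decode_basic(credential: str):
    """Recover user and password from a Basic credential: base64 is encoding, not encryption.

    Any proxy that sees the header can do this, which is Jason's point about
    relaying credentials to an untrusted upstream cache.
    """
    scheme, _, b64 = credential.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential: %r" % scheme)
    user, _, password = base64.b64decode(b64).decode("iso-8859-1").partition(":")
    return user, password


def child_forwards(headers, *, child_demanded_auth, relay_to_trusted_parent):
    """Headers a child proxy sends to its parent.

    A proxy that sent 407 / Proxy-Authenticate consumes Proxy-Authorization.
    One that did not may relay it to the next proxy only where the two
    cooperate on authentication (RFC 2068 14.34 'MAY relay'); the default
    hop-by-hop rule is to drop it.
    """
    upstream = {}
    for name, value in headers.items():
        if name not in HOP_BY_HOP:
            upstream[name] = value
        elif (name == "proxy-authorization"
              and not child_demanded_auth and relay_to_trusted_parent):
            upstream[name] = value
    return upstream


def parent_response(headers, realm="QUT Proxy"):
    """Authenticating parent: (status, user). 407 unless credentials arrived."""
    if "proxy-authorization" not in headers:
        # The 407 and its Proxy-Authenticate travel back down the chain.
        return 407, None, {"Proxy-Authenticate": 'Basic realm="%s"' % realm}
    user, _password = decode_basic(headers["proxy-authorization"])
    return 200, user, {}


def demo(relay):
    """Run the constructed CONNECT through child and parent; return (status, user)."""
    method, target, version, headers = parse_request(CONNECT_REQUEST)
    assert method == "CONNECT"
    upstream = child_forwards(headers, child_demanded_auth=False,
                              relay_to_trusted_parent=relay)
    status, user, _ = parent_response(upstream)
    return status, user


if __name__ == "__main__":
    print("child strips hop-by-hop headers:", demo(relay=False))
    print("child relays to trusted parent: ", demo(relay=True))
    print("what any relaying proxy can read:", decode_basic("Basic ZGF2ZTpzM2NyZXQ="))
```

With `relay=False` the parent never sees a credential and answers 407, which is the failure Dave observes through the child cache; with `relay=True` the parent authenticates `dave`, at the price that every proxy in between could read the password.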

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:40:00 MST