[squid-users] Re: Project for someone (Was Re: [squid-users] transproxy + auth on parent proxy)

From: Robert Collins <[email protected]>
Date: 07 Feb 2002 15:22:53 +1100

On Thu, 2002-02-07 at 15:26, Colin Campbell wrote:
> Hi,
>
> The definition of "new connections" could be somewhat problematical
> couldn't it?

Not really. Accept() is a pretty good way to define "new connections".
:}.

> You don't want to have to authenticate for *every*
> connection.

Yes, you do. You can only examine the www-authentication header when the
authentication is for the virtual server, so you cannot get 'something'
added to every request to indicate it's authenticated. Thus you can only
authenticate on IP (which with smart ident daemons has the trust issue
as the transparent proxy does for http) or on TCP connection.

> Apart from that, no authentication information would be passed
> with subsequent connections.

Which is why *every* connection gets the initial redirect, and the
browser will automatically provide the credentials after the user enters
them the first time.

> Also has problems with a multi-user machine
> where it would be difficult to distinguish between users.

Not a problem - each connection is unique.

Do I like this compared to RFC2617 Digest with non-intercepting proxies?
No.
Do I like intercepting proxies?
No.
Is this a feasible workaround?
IMO, Yes.

Rob
Received on Wed Feb 06 2002 - 21:37:30 MST
