Re: [squid-users] transparent proxy with authentication

From: Merton Campbell Crockett <[email protected]>
Date: Mon, 24 Oct 2005 19:47:09 -0700

On Monday 24 October 2005 18:36, Chin Kah Yi wrote:
> Dearest squid expert out there,
>
> Don't mind me being asking again - but why was authentication designed
> not to work with wccp? If transparent proxy design is required together
> with authentication, is there any alternative I could work on?

With WCCP you are intercepting the HTTP request from the HTTP client. The
HTTP client assumes that it is communicating with the HTTP server. If the
HTTP intercept proxy were to request authentication, you would have one of
the following problems.

   (1) The HTTP client would present the credentials that it saved from
        the last time that it accessed the HTTP server to the HTTP intercept
        proxy. These credentials would fail the authentication tests and
        access would be denied.
   (2) If the HTTP client did not have any credentials saved, the user would
        present the credentials requested by the HTTP intercept proxy. The HTTP
        client would save the authenticated credentials. If the HTTP server does
        not require authentication, there is no problem.
   (3) If the HTTP server requires authentication, the HTTP client would
        present the credentials required by the HTTP intercept proxy. The
        authentication would fail and the HTTP client would be prompted to
        provide new credentials.

Obviously, this leads to a condition where the HTTP client needs to supply
multiple credentials on every access. It is important to note that not all
HTTP clients are browsers (Firefox, Internet Explorer, Netscape, Safari,
etc.). Many are applications or services such as AIM, Jabber, Real Audio,
etc.

It might be possible to implement authentication in an HTTP intercept proxy
were realms consistently used and understood by all HTTP clients and servers.
However, the last time that I looked at this problem (ca. 1999), I discovered
that while HTTP clients tended to deal with realms correctly there was a wide
variance in the way realms were implemented in HTTP servers with Microsoft
IIS being the biggest problem.

Merton Campbell Crockett

-- 
BEGIN:				vcard
VERSION:			3.0
FN:				Merton Campbell Crockett
ORG:				General Dynamics Advanced Information Systems;
				Intelligence and Exploitation Systems
N:				Crockett;Merton;Campbell
EMAIL;TYPE=internet:		mcc@CATO.GD-AIS.COM
TEL;TYPE=work,voice,msg,pref:	+1(805)497-5045
TEL;TYPE=work,fax:		+1(805)497-5050
TEL;TYPE=cell,voice,msg:	+1(805)377-6762
END:				vcard
Received on Mon Oct 24 2005 - 20:52:53 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Nov 01 2005 - 12:00:05 MST