Re: [squid-users] NTLM with a fall back to anonymous

From: Henrik Nordstr�m <henrik_at_henriknordstrom.net>
Date: Sat, 04 Feb 2012 22:59:35 +0100

lör 2012-02-04 klockan 13:23 +0000 skrev Jason Fitzpatrick:

> I was hoping that if a client failed to authenticate then it would be
> forwarded to the upstream and fall under what ever the default (un
> authorized) ruleset is, known risky sites etc would be getting
> filtered there,

Unfortunately HTTP do not work in that way.

Clients not supporting authentication sends requests without any
credentials at all. Proxies (and servers) wanting to see authentication
then rejects the request with an error "authentication required"
challenging the client to present valid credentials.

Clients supporting authentication also starts out by sending the request
without any credentials at all like above. The difference is only how
the client reacts to the received error. If the client supports
authentication then it collects the needed user credentials and retries
the same request but with user credentials this time.

If the credentials is invalid then the authentication fails, which in
most cases results in the exact same error as above to challenge the
user to enter the correct credentials.

Regards
Henrik
Received on Sat Feb 04 2012 - 22:00:14 MST

This archive was generated by hypermail 2.2.0 : Sun Feb 05 2012 - 12:00:02 MST