Re: [squid-users] NTLM with a fall back to anonymous

From: Jason Fitzpatrick <jayfitzpatrick_at_gmail.com>
Date: Sun, 5 Feb 2012 13:33:31 +0000

Hi Henrik..

it is never easy is it ;0)

Looks like I will be maintaining whitelists for the foreseeable future!

Thanks for the reply

Jay

2012/2/4 Henrik Nordstr�m <henrik_at_henriknordstrom.net>:
> l�r 2012-02-04 klockan 13:23 +0000 skrev Jason Fitzpatrick:
>
>> I was hoping that if a client failed to authenticate then it would be
>> forwarded to the upstream and fall under what ever the default (un
>> authorized) ruleset is, known risky sites etc would be getting
>> filtered there,
>
> Unfortunately HTTP do not work in that way.
>
> Clients not supporting authentication sends requests without any
> credentials at all. Proxies (and servers) wanting to see authentication
> then rejects the request with an error "authentication required"
> challenging the client to present valid credentials.
>
> Clients supporting authentication also starts out by sending the request
> without any credentials at all like above. The difference is only how
> the client reacts to the received error. If the client supports
> authentication then it collects the needed user credentials and retries
> the same request but with user credentials this time.
>
> If the credentials is invalid then the authentication fails, which in
> most cases results in the exact same error as above to challenge the
> user to enter the correct credentials.
>
> Regards
> Henrik
>

--
"The only difference between saints and sinners is that every saint
has a past while every sinner has a future. "
� Oscar Wilde
Received on Sun Feb 05 2012 - 13:33:50 MST

This archive was generated by hypermail 2.2.0 : Sun Feb 05 2012 - 12:00:02 MST