David Richards writes:
>Hi,
>
> There is a problem that I have brought up a few releases ago with
>authentication and neighbours. The problem is that when a cache asks
>its sibling for an object in its cache, it also expects authentication.
>Now, the RFC says that a username/password pair may only be used by one
>server, and it may not pass these details along.
>
> The result is that you can not have authenticating siblings.
>However, we have put in a 'fix' until someone decides they want to have a
>go at fixing the real problem.
What is the real problem again?
As you note, the HTTP standard allows only one cache to consume
proxy-authentication headers.
As far as I know, you can use access controls to always allow
requests from your siblings.
>
> This is what we do:
>
>    if Request is from a recognised neighbour
>    then
>        return Authentication is OK
>    else
>        Do authentication stuff and return result.
>
> The way we decide if it is a recognised sibling is if it is
>registered as one of our peers. How do we do this?? Well, this is the
>code, placed in neighbors.c :
>
>peer *
>neighborFindByAddr(const char *address)
>{
>    in_addr_t comparee;
>    peer *e = NULL;
>    comparee = inet_addr( address );
>    for (e = Peers.peers_head; e; e = e->next) {
>        if (comparee == e->in_addr.sin_addr.s_addr )
>            break;
>    }
>
>    return e;
>}
How is this function called? From where?
Are you using squid-1.2?
There is already a function similar to yours, whichPeer(), which
takes a sockaddr_in * argument instead of a string. Why can't you
use that one?
> I suppose in the end I am begging someone to look at this problem
>seriously and come up with a decent solution.
What is wrong with using access controls? What makes them not a
decent solution?
Duane W.
Received on Tue Jul 29 2003 - 13:15:53 MDT
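
The decision sketched in the quoted pseudocode, written as an added, self-contained example (not code from the thread or from Squid): registered peers are matched on the binary source address, as the reply suggests, and the string variant rejects text that does not parse. `struct peer_entry`, `peer_find_by_sockaddr()`, `peer_find_by_text()`, `check_request()` and `sample_peers()` are hypothetical names, and the addresses are constructed from documentation ranges.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>

/* Hypothetical stand-in for a cache's peer entry (not Squid's own struct). */
struct peer_entry {
    struct sockaddr_in in_addr;
    struct peer_entry *next;
};

enum auth_result { AUTH_OK, AUTH_REQUIRED };

/* Match on the binary source address of the accepted connection. */
static const struct peer_entry *peer_find_by_sockaddr(
    const struct peer_entry *head, const struct sockaddr_in *from)
{
    for (const struct peer_entry *e = head; e != NULL; e = e->next)
        if (e->in_addr.sin_addr.s_addr == from->sin_addr.s_addr)
            return e;
    return NULL;
}

/* Text variant: inet_pton() takes strict dotted-quad only; bad input matches no peer. */
static const struct peer_entry *peer_find_by_text(
    const struct peer_entry *head, const char *address)
{
    struct sockaddr_in sa = {0};
    sa.sin_family = AF_INET;
    if (address == NULL || inet_pton(AF_INET, address, &sa.sin_addr) != 1)
        return NULL;
    return peer_find_by_sockaddr(head, &sa);
}

/* Registered peers skip proxy authentication; everyone else needs valid credentials. */
static enum auth_result check_request(const struct peer_entry *peers,
    const struct sockaddr_in *from, int credentials_valid)
{
    if (peer_find_by_sockaddr(peers, from) != NULL)
        return AUTH_OK;
    return credentials_valid ? AUTH_OK : AUTH_REQUIRED;
}

/* Constructed sample peer list: a single sibling at 192.0.2.10. */
static struct peer_entry *sample_peers(void)
{
    static struct peer_entry sibling; /* static storage: next starts as NULL */
    sibling.in_addr.sin_family = AF_INET;
    inet_pton(AF_INET, "192.0.2.10", &sibling.in_addr.sin_addr);
    return &sibling;
}
```

A request admitted by the peer branch is trusted on its source address alone, so the peer list has to contain only caches that enforce their own authentication.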