Re: squid-2.0.RELEASE: Authentication issues [patch]

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 30 Oct 1998 09:21:13 +0100

Duane Wessels wrote:
>
> Henrik Nordstrom writes:
>
> >+ - Changed proxy_auth to work when in accelerator mode. proxy_auth
> >+ probably should be renamed to auth and not proxy_auth. (Henrik
> >+ Nordstrom)
> >+ - added login=user:password option to cache_peer directive to be
> >+ used when your parent requires proxy authentication and you
> >+ don't want your users to be required to authenticate manually.
> >+ (Henrik Nordstrom)
> >+ - If you want to "auto-login" on certain servers, then use a
> >+ redirector that rewrites the URL to the form
> >+ http://username:password@server/.... and configure your Squid
> >+ to go direct to that server. Squid now picks this up when
> >+ going direct, and turns it into basic WWW authentication.
> >+ (Henrik Nordstrom)
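Review bot: the entries for the cache_peer login=user:password option and the username:password@server redirector form should state where the credentials end up. Both put a cleartext password into the configuration or into a rewritten URL, so the notes should tell administrators to restrict read access to the config file and to make sure rewritten URLs carrying credentials are not written to logs. Separately, "proxy_auth probably should be renamed to auth" is a TODO rather than a description of the change; either do the rename before release or move that remark out of the changelog.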
>
> I guess I'm going to go into jerkbutt mode for a bit here.

Ok.

> I don't really like any of these changes.

I do. Most of them anyway ;-)
 
> Regarding the first, I don't like it that Squid is becoming more and
> more like an origin server. Squid should be a proxy and people should
> use Apache for an origin server. Just like I think Apache makes a bad
> proxy, I think Squid makes a bad origin server (accelerator,
> whatever). Will it never stop?

This change has two reasons:

1. When you are accelerating an HTTP server then there is a big gain in
moving the authentication from the origin server to Squid where
possible. Otherwise you effectively can't accelerate an authenticated
server as the authentication needs to be revalidated on each request.

2. Access to /squid-internalXXX does not work without this in a
proxy_auth environment.

> Regarding the second, this seems overly complicated. Why doesn't the
> peer just always allow requests from this cache's IP address? We can
> already fix this with existing access controls instead of adding more
> configuration options.

Not if you are a leaf cache on a dial up connection and similar, where
you can't have an IP based access to your parent.

> Auto-login to a server? Is this needed? Seems to me that
> authentication is an END-TO-END characteristic of HTTP.
> Having proxies insert authentication in the middle breaks that.

Well. It was requested. The intended use is when your organisation
as a whole has an account to a service, but you don't want every user in
your organisation to have to know the current login+password.

/Henrik
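The "auto-login" mechanism discussed above (a redirector rewrites the URL to http://username:password@server/... and the proxy turns the userinfo into Basic authentication) as an added illustration, not code from Squid or from either poster. It assumes nothing beyond the Python standard library; the function names are made up for this example, and it also returns the URL with the credentials stripped, which is the form that should reach an access log.

```python
import base64
from urllib.parse import urlsplit, urlunsplit, unquote


def split_credentials(url):
    """Turn a URL of the form scheme://user:pass@host/path into
    (authorization_header_value, url_without_userinfo).

    The header value is None when the URL carries no userinfo.
    Percent-encoded characters in the userinfo are decoded first, so a
    password like "p%40ss" becomes "p@ss" before Base64 encoding.
    """
    parts = urlsplit(url)
    if parts.username is None:
        return None, url

    user = unquote(parts.username)
    password = unquote(parts.password or "")
    # Basic credentials are "user:password" Base64-encoded (RFC 7617).
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")

    # Rebuild the network location without the userinfo part so that
    # the credentials never appear in the URL that gets logged.
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal must keep its brackets
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return f"Basic {token}", clean


if __name__ == "__main__":
    # Constructed sample URL in the form the redirector would produce.
    auth, log_url = split_credentials("http://alice:s3cret@server/path?x=1")
    print("Authorization:", auth)  # header sent upstream
    print("log as:", log_url)      # URL safe to write to access.log
```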
Received on Tue Jul 29 2003 - 13:15:54 MDT