Re: squid-2.0.RELEASE: Authentication issues [patch]

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 05 Nov 1998 00:32:03 +0100

Duane Wessels wrote:

> We can hard-code special cases for the internal URLs.

I dislike hardcodings. They seem to never fit for everybody.
And some may be very upset if internal URLs are accessible
without proxy_auth...

I'll make a new version with authentication of accelerated
requests optional (#if), and which simply denies access to
authenticated accelerated requests if not enabled.
[updated patch attached & web updated].

> I am really against giving Squid every origin server feature.
> Am I the only one?

I respect your opinion, but we should either support HTTP
acceleration or not. If we are to support HTTP acceleration
then it should be done all the way. People running accelerators
already have to move some of the access controls to Squid as
the IP address is hidden (well, not really hidden, but origin
servers can rarely be changed to use a header for it), and
moving the authentication to Squid is a logical step if large
portions of the site are access protected. It also helps by
having all the access logs at a single place without the need
to merge logs from Squid and the origin server.

> Ok, I didn't think about dynamic IP addresses...
> I can live with adding this one... :-)

Fine.

> >Well. It was requested. The intended use is when your
> >organisation as a whole has an account to a service, but
> >you don't want every user in your organisation to have
> >to know the current login+password.
>
> I think it's wrong. Any other opinions?

I have no opinion. It was requested and very easy to implement
with close to no impact on the rest of the code. It is a
self-contained if block with no vital dependencies.

We already parse the user:password part of http URLs elsewhere.

/Henrik

    [ Part 2: "Attached Text" ]

Index: squid/ChangeLog
diff -u squid/ChangeLog:1.1.1.34 squid/ChangeLog:1.1.1.34.2.3
--- squid/ChangeLog:1.1.1.34 Sat Oct 31 14:35:09 1998
+++ squid/ChangeLog Sun Nov 1 04:45:04 1998
@@ -48,6 +48,17 @@
           users. REQUIRED == any (same as ident ACL). ACL type user
           changed to ident since this is what it really is.
           (Henrik Nordstrom).
+ - Changed proxy_auth to work on internal objects and when in
+ accelerator mode. (Henrik Nordstrom)
+ - added login=user:password option to cache_peer directive to be
+ used from a dial-up cache where the parent requires proxy
+ authentication. (Henrik Nordstrom)
+ - If you want to "auto-login", then use a URL on the form
+ http://username:password@server/.... Squid now picks this up
+ when going direct, and turns it into basic WWW authentication.
+ It is also possible to do automatic login to certain servers by
+ using a redirector to add the needed authentication information.
+ (Henrik Nordstrom)
 
 Changes to Squid-2.0 (October 2, 1998):
 
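Review bot: the first entry says proxy_auth now works "when in accelerator mode", but the acl.c change compiles that path only under AUTH_ON_ACCELERATION and otherwise logs "not applicable on accelerated requests" and returns -1; the entry should state that accelerator support is a compile-time option and name the define. The auto-login entry should also say that a URL on the form http://username:password@server/ carries the password in clear in the request line and in anything that records the URL, so it is only suitable for accounts whose loss is acceptable.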
Index: squid/src/acl.c
diff -u squid/src/acl.c:1.1.1.25.2.1 squid/src/acl.c:1.1.1.25.2.5
--- squid/src/acl.c:1.1.1.25.2.1 Sat Oct 31 15:39:17 1998
+++ squid/src/acl.c Thu Nov 5 00:20:29 1998
@@ -1075,7 +1075,13 @@
 
     assert(!checklist->auth_user);
 
- proxy_auth = httpHeaderGetStr(&checklist->request->header, HDR_PROXY_AUTHORIZATION);
+ if (!checklist->request->flags.accelerated) {
+ /* Proxy auth on proxy requests */
+ proxy_auth=httpHeaderGetStr(&checklist->request->header, HDR_PROXY_AUTHORIZATION);
+ } else {
+ /* WWW auth on accelerated requests */
+ proxy_auth=httpHeaderGetStr(&checklist->request->header, HDR_AUTHORIZATION);
+ }
     ok = aclDecodeProxyAuth(proxy_auth, &user, &password, login_buf, sizeof(login_buf));
     assert(ok); /* We should never get here unless the above succeeds in aclMatchProxyAuth */
 
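Review bot: style point on the two replacement assignments: `proxy_auth=httpHeaderGetStr(...)` drops the spaces around `=` that the removed line had; keep the surrounding style. The "WWW auth on accelerated requests" comment could also mention that internal objects count as accelerated here, since client_side.c now sets flags.accel for them, which is not obvious from this function alone.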
@@ -1280,8 +1286,21 @@
         return aclMatchRegex(ae->data, checklist->browser);
         /* NOTREACHED */
     case ACL_PROXY_AUTH:
- k = aclMatchProxyAuth(httpHeaderGetStr(&checklist->request->header,
- HDR_PROXY_AUTHORIZATION), checklist->auth_user, checklist);
+ if ( !r->flags.accelerated) {
+ /* Proxy authorization on proxy requests */
+ k = aclMatchProxyAuth(httpHeaderGetStr(&checklist->request->header, HDR_PROXY_AUTHORIZATION), checklist->auth_user, checklist);
+ } else if (r->flags.internal) {
+ /* WWW authorization on accelerated internal requests */
+ k = aclMatchProxyAuth(httpHeaderGetStr(&checklist->request->header, HDR_AUTHORIZATION), checklist->auth_user, checklist);
+ } else {
+#if AUTH_ON_ACCELERATION
+ /* WWW authorization on accelerated requests */
+ k = aclMatchProxyAuth(httpHeaderGetStr(&checklist->request->header, HDR_AUTHORIZATION), checklist->auth_user, checklist);
+#else
+ debug(28, 1) ("aclMatchAcl: proxy_auth %s not applicable on accelerated requests.\n", ae->name);
+ return -1;
+#endif
+ }
         if (k == 0) {
             /* no such user OR we need a proxy authentication header */
             checklist->state[ACL_PROXY_AUTH] = ACL_PROXY_AUTH_NEEDED;
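Review bot: the `#else` branch returns -1 for an accelerated request, and nothing in this hunk shows how the caller interprets -1 as opposed to 0 or 1; check that a negated `!proxy_auth` ACL on an accelerator does not evaluate as a match, and that `checklist->state[ACL_PROXY_AUTH]` is left in a sane state since the `if (k == 0)` block below is skipped. The level-1 debug() on that path fires for every accelerated request that reaches a proxy_auth ACL and will flood cache.log; level 3, or a once-only warning, fits better. Minor: `if ( !r->flags.accelerated)` has a stray space, and the earlier hunk reaches the same flag through `checklist->request->flags`.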
Index: squid/src/cache_cf.c
diff -u squid/src/cache_cf.c:1.1.1.25 squid/src/cache_cf.c:1.1.1.25.2.1
--- squid/src/cache_cf.c:1.1.1.25 Sat Oct 31 14:36:01 1998
+++ squid/src/cache_cf.c Sun Nov 1 03:27:07 1998
@@ -796,6 +796,8 @@
         } else if (!strcasecmp(token, "no-delay")) {
             p->options.no_delay = 1;
 #endif
+ } else if (!strncasecmp(token, "login=", 6)) {
+ p->login = xstrdup(token + 6);
         } else {
             debug(3, 0) ("parse_peer: token='%s'\n", token);
             self_destruct();
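Review bot: `p->login = xstrdup(token + 6)` accepts any value, including an empty string or one without a ':'; since the value is later base64-encoded as-is into a Basic credential for the parent, reject malformed values here with a debug() and self_destruct(), as the unknown-token branch right below does, instead of sending a bad Proxy-Authorization header on every proxied request.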
Index: squid/src/cf.data.pre
diff -u squid/src/cf.data.pre:1.1.1.27.2.2 squid/src/cf.data.pre:1.1.1.27.2.3
--- squid/src/cf.data.pre:1.1.1.27.2.2 Sun Nov 1 03:01:24 1998
+++ squid/src/cf.data.pre Sun Nov 1 03:27:08 1998
@@ -213,6 +213,7 @@
                      no-digest
                      no-netdb-exchange
                      no-delay
+ login=user:password
 
                      use 'proxy-only' to specify that objects fetched
                      from this cache should not be saved locally.
@@ -258,6 +259,9 @@
                      use 'no-delay' to prevent access to this neighbor
                      from influencing the delay pools.
 
+ use 'login=user:password' if this is a personal/workgroup
+ proxy and your parent requires proxy authentication.
+
         NOTE: non-ICP neighbors must be specified as 'parent'.
 
 cache_peer hostname type 3128 3130
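Review bot: the new 'login=user:password' paragraph should say that the password is stored in clear in squid.conf and, with the neighbors.c change, echoed in the cachemgr neighbor report, so squid.conf permissions and cachemgr access have to match the sensitivity of the parent account; "personal/workgroup proxy" hints at this but does not say it.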
@@ -1437,6 +1441,10 @@
           # NOTE: proxy_auth requires a EXTERNAL authentication program to
           # check username/password combinations (see authenticate_program).
           #
+ # WARNING: proxy_auth can't be used in a transparent proxy. It
+ # collides with any authentication done by origin servers. It may
+ # seem like it works at first, but it doesn't.
+
 
 Examples:
 acl myexample dst_as 1241
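Review bot: the WARNING states the conclusion but not the reason; one sentence saying that a transparently intercepted client believes it is talking to the origin server, so it will not answer a 407 Proxy-Authenticate challenge, and that an Authorization header consumed by Squid never reaches the origin, would make it actionable. Also, the added empty `+` line followed by the existing blank line leaves two blank lines before "Examples:".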
Index: squid/src/client_side.c
diff -u squid/src/client_side.c:1.1.1.33.2.2 squid/src/client_side.c:1.1.1.33.2.6
--- squid/src/client_side.c:1.1.1.33.2.2 Sun Nov 1 02:52:11 1998
+++ squid/src/client_side.c Wed Nov 4 23:39:23 1998
@@ -146,13 +146,26 @@
 static HttpReply *
 clientConstructProxyAuthReply(clientHttpRequest * http)
 {
- ErrorState *err = errorCon(ERR_CACHE_ACCESS_DENIED, HTTP_PROXY_AUTHENTICATION_REQUIRED);
+ ErrorState *err;
     HttpReply *rep;
+ if (!http->flags.accel) {
+ /* Proxy authorisation needed */
+ err = errorCon(ERR_CACHE_ACCESS_DENIED, HTTP_PROXY_AUTHENTICATION_REQUIRED);
+ } else {
+ /* WWW authorisation needed */
+ err = errorCon(ERR_CACHE_ACCESS_DENIED, HTTP_UNAUTHORIZED);
+ }
     err->request = requestLink(http->request);
     rep = errorBuildReply(err);
     errorStateFree(err);
     /* add Authenticate header */
- httpHeaderPutStrf(&rep->header, HDR_PROXY_AUTHENTICATE, proxy_auth_challenge_fmt, Config.proxyAuthRealm);
+ if (!http->flags.accel) {
+ /* Proxy authorisation needed */
+ httpHeaderPutStrf(&rep->header, HDR_PROXY_AUTHENTICATE, proxy_auth_challenge_fmt, Config.proxyAuthRealm);
+ } else {
+ /* WWW Authorisation needed */
+ httpHeaderPutStrf(&rep->header, HDR_WWW_AUTHENTICATE, proxy_auth_challenge_fmt, Config.proxyAuthRealm);
+ }
     return rep;
 }
 
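Review bot: `!http->flags.accel` is tested twice in this function with the two outcomes kept in sync by hand; select the status/header pair once (HTTP_PROXY_AUTHENTICATION_REQUIRED with HDR_PROXY_AUTHENTICATE, or HTTP_UNAUTHORIZED with HDR_WWW_AUTHENTICATE) so the branches cannot drift apart. Also, a 401 built from ERR_CACHE_ACCESS_DENIED shows accelerator end-users a page about cache access, which is misleading for what looks to them like an origin-server login; a dedicated error page is worth considering.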
@@ -2009,6 +2023,7 @@
         /* prepend our name & port */
         http->uri = xstrdup(internalLocalUri(NULL, url));
         http->flags.internal = 1;
+ http->flags.accel = 1;
     }
     /* see if we running in Config2.Accel.on, if so got to convert it to URL */
     else if (Config2.Accel.on && *url == '/') {
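Review bot: setting `http->flags.accel = 1` for internal URLs makes every internal request "accelerated" even on a plain proxy; add a comment stating that this is deliberate so acl.c reads Authorization instead of Proxy-Authorization for them, and check that no other consumer of flags.accel (the `Config2.Accel.on` branch right below handles a different case) changes behaviour for internal objects as a result.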
@@ -2232,6 +2247,7 @@
                         http->uri, prefix);
                 /* continue anyway? */
             }
+ request->flags.accelerated = http->flags.accel;
             if (!http->flags.internal) {
                 if (internalCheck(strBuf(request->urlpath))) {
                     if (0 == strcasecmp(request->host, internalHostname())) {
@@ -2244,6 +2260,7 @@
                     }
                 }
             }
+ request->flags.internal = http->flags.internal;
             safe_free(prefix);
             safe_free(http->log_uri);
             http->log_uri = xstrdup(urlCanonicalClean(request));
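Review bot: with the ChangeLog's new http://user:password@host/ auto-login, the `http->log_uri = xstrdup(urlCanonicalClean(request))` line just after the added flag copy decides whether the password ends up in access.log; confirm that urlCanonicalClean drops the login part, and add a comment here saying that the log URI is deliberately built from the cleaned form for that reason.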
Index: squid/src/http.c
diff -u squid/src/http.c:1.1.1.27.2.1 squid/src/http.c:1.1.1.27.2.3
--- squid/src/http.c:1.1.1.27.2.1 Sun Nov 1 03:01:24 1998
+++ squid/src/http.c Sun Nov 1 04:16:38 1998
@@ -604,10 +604,17 @@
             continue;
         switch (e->id) {
         case HDR_PROXY_AUTHORIZATION:
- /* If we're not going to do proxy auth, then it must be passed on */
+ /* If we're not doing proxy auth, then it must be passed on */
             if (!request->flags.used_proxy_auth)
                 httpHeaderAddEntry(hdr_out, httpHeaderEntryClone(e));
             break;
+ case HDR_AUTHORIZATION:
+ /* If we're not doing www auth, then it must be passed on */
+ if (!request->flags.accelerated || !request->flags.used_proxy_auth)
+ httpHeaderAddEntry(hdr_out, httpHeaderEntryClone(e));
+ else
+ request->flags.auth = 0; /* We have used the authentication */
+ break;
         case HDR_HOST:
             /* Don't use client's Host: header for redirected requests */
             if (!request->flags.redirected || !Config.onoff.redir_rewrites_host)
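Review bot: `request->flags.auth = 0;` is a side effect on the request hidden inside a header-copy loop, and flags.auth is not defined or documented in this patch; a comment on what readers of flags.auth expect after this point is needed. The condition also means that on an accelerated request Squid has authenticated, the client's Authorization header is consumed and never reaches the origin server, so the backend cannot do its own authentication for that request; if that is intended, say so in the cf.data.pre text for proxy_auth.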
@@ -676,6 +683,21 @@
                 orig_request->host, (int) orig_request->port);
         }
     }
+ /* append Authorization if known in URL, not in header and going direct */
+ if (!httpHeaderHas(hdr_out, HDR_AUTHORIZATION)) {
+ if (!request->flags.proxying && *request->login) {
+ httpHeaderPutStrf(hdr_out, HDR_AUTHORIZATION, "Basic %s",
+ base64_encode(request->login));
+ }
+ }
+ /* append Proxy-Authorization if configured for peer, and proxying */
+ if (!httpHeaderHas(hdr_out, HDR_PROXY_AUTHORIZATION)) {
+ if (request->flags.proxying && request->peer_login) {
+ httpHeaderPutStrf(hdr_out, HDR_PROXY_AUTHORIZATION, "Basic %s",
+ base64_encode(request->peer_login));
+ }
+ }
+
     /* append Cache-Control, add max-age if not there already */
     {
         HttpHdrCc *cc = httpHeaderGetCc(hdr_in);
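Review bot: `base64_encode(request->login)` encodes the user:password text exactly as parsed from the URL, so any percent-encoding in it (a '%40' standing for '@' in the password, for instance) is sent encoded rather than decoded and the login fails; URL-decode the login part (Squid's rfc1738_unescape) before base64-encoding. The `!request->flags.proxying` guard is the right one, it keeps credentials taken from the URL from being sent to a parent, and the symmetric `request->flags.proxying` guard on peer_login keeps the parent's credentials off direct connections; a comment saying that the two guards are deliberately mutually exclusive would help the next reader.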
@@ -800,6 +822,7 @@
         xstrncpy(proxy_req->host, httpState->peer->host, SQUIDHOSTNAMELEN);
         proxy_req->port = httpState->peer->http_port;
         proxy_req->flags = orig_req->flags;
+ proxy_req->peer_login = httpState->peer->login;
         httpState->request = requestLink(proxy_req);
         httpState->orig_request = requestLink(orig_req);
         proxy_req->flags.proxying = 1;
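Review bot: `proxy_req->peer_login = httpState->peer->login` stores a bare pointer into the peer's configuration string; if peers are torn down on reconfigure while this request is in flight, the pointer dangles when httpBuildRequestHeader later reads it. Either xstrdup it here and free it with the request, or have the request hold a reference to the peer for as long as it needs the value.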
Index: squid/src/neighbors.c
diff -u squid/src/neighbors.c:1.1.1.25 squid/src/neighbors.c:1.1.1.25.4.1
--- squid/src/neighbors.c:1.1.1.25 Thu Oct 22 20:48:52 1998
+++ squid/src/neighbors.c Sun Nov 1 03:27:12 1998
@@ -1116,6 +1116,8 @@
     if (p->options.no_delay)
         storeAppendPrintf(sentry, " no-delay");
 #endif
+ if (p->login)
+ storeAppendPrintf(sentry, " login=%s", p->login);
     if (p->mcast.ttl > 0)
         storeAppendPrintf(sentry, " ttl=%d", p->mcast.ttl);
     storeAppendPrintf(sentry, "\n");
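Review bot: this prints the parent's password in clear in the cachemgr neighbor report, so anyone permitted to view cachemgr output learns the account; print only the user part before the ':' (e.g. `login=user:***`) or omit the option from this report.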
Index: squid/src/structs.h
diff -u squid/src/structs.h:1.1.1.32.2.1 squid/src/structs.h:1.1.1.32.2.3
--- squid/src/structs.h:1.1.1.32.2.1 Sun Nov 1 03:01:25 1998
+++ squid/src/structs.h Wed Nov 4 23:39:25 1998
@@ -1059,6 +1059,7 @@
         float load_factor;
     } carp;
 #endif
+ char *login; /* Proxy authorization */
 };
 
 struct _net_db_name {
@@ -1271,6 +1272,8 @@
 #if HTTP_VIOLATIONS
     unsigned int nocache_hack:1; /* for changing/ignoring no-cache requests */
 #endif
+ unsigned int accelerated:1;
+ unsigned int internal:1;
 };
 
 struct _request_t {
@@ -1300,6 +1303,7 @@
 #if DELAY_POOLS
     delay_id delay_id;
 #endif
+ char *peer_login; /* Configured peer login:password */
 };
 
 struct _cachemgr_passwd {
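Review bot: `peer_login` is a borrowed pointer into the peer configuration, not memory owned by the request; the comment should say so, and the peer struct's `login` comment should note that it is xstrdup'ed in cache_cf.c, so that requestDestroy does not free `peer_login` and peer teardown does free `login`.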
Received on Tue Jul 29 2003 - 13:15:54 MDT
