W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2003

RE: Chained proxies, persistent connections, authentication

From: Robert Collins <robertc@squid-cache.org>
Date: Fri, 24 Oct 2003 20:59:14 +1000
To: Rob Maidment <rob.maidment@clearswift.com>
Cc: ietf-http-wg@w3.org
Message-Id: <1066993154.847.49.camel@localhost>
On Fri, 2003-10-24 at 20:10, Rob Maidment wrote:
> Thankyou for all the contributions on this thread.  
> 
> I over-simplified the proxy1 (Squid) role in the scenario slightly for the
> sake of clarity, so I'll explain exactly what is going on:  Squid is
> authenticating the users, using the Basic authentication scheme I assume.

That depends on your squid version and config. If you are running 2.5,
it could be any of basic, rfc2617 digest, or NTLM.


> The problem occurs because proxy1 re-uses persistent connections to proxy2
> for users in different groups, and proxy2 only authenticates the first
> request on each connection.  So subsequent requests may have the wrong
> security policy applied.

That sounds like a real bug in proxy2. Duanes suggestion of disabling
server persistent connections is an effective workaround. proxy2
however, should be fixed. The MS NTLM/Kerberos/Negotiate connection
based authentication do connection based auth, but AFAIK MS's basic
implementation does check per request. I don't think you've specified
which software proxy2 was, I assumed it was an MS proxy due to the use
of connection orientated semantics....

> Thanks to your responses, I now realise proxy2 is at fault since it is
> individual requests that should be authenticated, not connections.  I've
> also learnt there may be a workaround by disabling server-side persistent
> connections in Squid.
> 
> As a matter of interest, if the roles were reversed would Squid authenticate
> every request, or only the first request on each connection?  

Every request for basic and digest authentication. Once per connection
for NTLM authentication.

Rob
-- 
GPG key available at: <http://members.aardvark.net.au/lifeless/keys.txt>.

Received on Friday, 24 October 2003 06:59:16 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:49:25 GMT