Re: Chained proxies, persistent connections, authentication

> I am currently investigating a problem that occurs in this type of
> scenario:
> browser -> proxy1 -> proxy2 -> server
> Proxy1 is actually a Squid proxy, it is passing though the end-user
> authentication to proxy2.  The problem occurs because proxy1 is reusing
> connections to proxy2 for requests from different users, but proxy2 is
> only authenticating the first request on each new connection.  This
> means that subsequent requests are not being authenticated, and these
> requests are being treated as if they originated from the first user to
> use the connection.

You're not clear on what's happening here - what authentication header
is proxy2 interpreting?  As a proxy, it should not be using the Authorization
header at all - that is for 'server', not any proxy.

As Dave pointed out, proxy1 should not be passing through any
Proxy-Authorization header because that is a hop-by-hop header; if
proxy2 is challenging by sending a 407, then only proxy1 can respond to
that challenge (not intuitive, and perhaps not optimal, but that is
what the standard says).

In any event, proxy2 is incorrect to associate the connection with
the authentication of the first request on that connection; all requests
are stateless, including authentication attributes.  Each request must
be authenticated on its own - this is _not_ one of the _actual_ benefits
of persistent connections.

Received on Thursday, 23 October 2003 12:57:46 UTC