- From: Robert Collins <robertc@squid-cache.org>
- Date: Fri, 24 Oct 2003 20:59:14 +1000
- To: Rob Maidment <rob.maidment@clearswift.com>
- Cc: ietf-http-wg@w3.org
- Message-Id: <1066993154.847.49.camel@localhost>
On Fri, 2003-10-24 at 20:10, Rob Maidment wrote:
> Thank you for all the contributions on this thread.
>
> I over-simplified the proxy1 (Squid) role in the scenario slightly for the
> sake of clarity, so I'll explain exactly what is going on: Squid is
> authenticating the users, using the Basic authentication scheme I assume.

That depends on your squid version and config. If you are running 2.5, it could be any of basic, rfc2617 digest, or NTLM.

> The problem occurs because proxy1 re-uses persistent connections to proxy2
> for users in different groups, and proxy2 only authenticates the first
> request on each connection. So subsequent requests may have the wrong
> security policy applied.

That sounds like a real bug in proxy2. Duane's suggestion of disabling server persistent connections is an effective workaround. proxy2 however, should be fixed.

The MS NTLM/Kerberos/Negotiate connection-based authentication schemes do connection-based auth, but AFAIK MS's basic implementation does check per request. I don't think you've specified which software proxy2 was, I assumed it was an MS proxy due to the use of connection orientated semantics....

> Thanks to your responses, I now realise proxy2 is at fault since it is
> individual requests that should be authenticated, not connections. I've
> also learnt there may be a workaround by disabling server-side persistent
> connections in Squid.
>
> As a matter of interest, if the roles were reversed would Squid authenticate
> every request, or only the first request on each connection?

Every request for basic and digest authentication. Once per connection for NTLM authentication.

Rob

--
GPG key available at: <http://members.aardvark.net.au/lifeless/keys.txt>.
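The failure mode discussed in this reply, as an added example that is not code from the thread, from Squid, or from any proxy2 product: a small Python model of an upstream proxy that binds Basic credentials to the connection (the proxy2 bug) beside one that checks every request, driven by a downstream proxy that reuses one persistent connection for two users in different groups. User names, passwords, groups and hostnames are constructed for illustration.

```python
import base64

# Constructed sample data (not from the thread): user -> (password, group)
USERS = {"alice": ("secret-a", "staff"), "bob": ("secret-b", "guest")}
# Constructed sample policy: group -> hosts that group may reach through proxy2
POLICY = {"staff": {"intranet.example", "www.example"}, "guest": {"www.example"}}


def parse_basic(header):
    """Decode a 'Basic <base64>' Proxy-Authorization value into (user, password)."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, pw = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 payload
        return None
    return user, pw


def authenticate(header):
    """Return the group for valid Basic credentials, else None."""
    creds = parse_basic(header) if header else None
    if not creds:
        return None
    user, pw = creds
    if user in USERS and USERS[user][0] == pw:
        return USERS[user][1]
    return None


class Upstream:
    """Model of proxy2. per_connection=True reproduces the reported bug: only the
    first request on a connection is authenticated and later requests on that
    connection silently inherit its group, whatever credentials they carry."""

    def __init__(self, per_connection):
        self.per_connection = per_connection
        self.conn_group = {}  # connection id -> group of the first authenticated request

    def handle(self, conn_id, host, auth_header):
        group = self.conn_group.get(conn_id) if self.per_connection else None
        if group is None:
            group = authenticate(auth_header)
            if group is None:
                return 407  # Proxy Authentication Required
            if self.per_connection:
                self.conn_group[conn_id] = group
        return 200 if host in POLICY[group] else 403


def basic(user, pw):
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


def replay(per_connection):
    """proxy1 (Squid) reuses one persistent connection for alice, then bob."""
    proxy2 = Upstream(per_connection)
    first = proxy2.handle(1, "intranet.example", basic("alice", "secret-a"))
    second = proxy2.handle(1, "intranet.example", basic("bob", "secret-b"))
    return first, second
```

With connection-scoped authentication bob's request is accepted under alice's staff policy; with per-request authentication it is correctly refused with 403.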
Received on Friday, 24 October 2003 06:59:16 UTC