RE: Re: [squid-users] user authentication

From: Colin Campbell <sgcccdc@dont-contact.us>
Date: Fri, 9 Nov 2001 13:41:54 +1000 (EST)

Hi,

On Thu, 8 Nov 2001, Arindam Haldar wrote:

> Hi all
>
> if I use a squid independent programme to authticate, which stores the
> current users list as plain text(only user name field), can squid use
> this file,which hence is dynamic updating, for allowing users for web
> ?.. if squid can then what r the fileds it wishes to seek in such
> files to let pass the user for web ?..(hence to sum this file is not
> used by squid auth but should be used by squid for valid users
> acceptance accessing web!!) Another behaviour i have seen with squid
> pam/NCSA auth is that every instance of browser(IE & Netscape) needs
> to be autheticated--why so . ??

As was stated in the response to your orginal question, squid does not use
files for authentication. squid gets a username and password from the
browser and then passes that information to a helper program (eg
ncsa_auth). The helper program must respond "OK" or "ERR" to squid. What
the helper program does with the data squid gives it and what fields it
uses out of whatever files it accesses are entirley up to the helper
program and have nothing to do with squid.

Proxy authentication works as follows:

An unautheticated user's browser will send no proxy-authentication
information in the HTTP headers with its first request. The proxy (squid)
will respond with an HTTP error 407 - proxy authentication required. This
causes the browser to pop up a window asking for username and password.
Once the user has provided the username and password, it resubmits the
request this time with the username and password "encoded" (not encrypted)
in the HTTP headers of the request. Squid will see the proxy-auth
information, extract it and send it to the helper program and wit for an
"OK" (and proceed to process the request) or an "ERR" (and deny the
request). The username and password in the proxy-auth HTTP header gets
sent with every request and the proxy checks it every time.

Colin

--
Colin Campbell
Unix Support/Postmaster/Hostmaster
CITEC
+61 7 3006 4710
Received on Thu Nov 08 2001 - 20:42:21 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:03:59 MST