Re: [squid-users] Authentication Prompt

From: Colin Campbell <sgcccdc@dont-contact.us>
Date: Wed, 6 Mar 2002 09:21:49 +1000 (EST)

Hi,

On Tue, 5 Mar 2002, Dale Harrod wrote:

> Scenario: Squid configured to use NCSA authentication with authenticate_TTL
> 1 hour
> and authenticate_ip_ttl 300 seconds
>
> Problem: Squid requests authentication for each browser the user spawns.
>
> Question: Can Squid be configured to remember authentication credentials
> for a given user so the user is not prompted for authentication every time
> they spawn a new browser?
>
> OS: Red Hat 7.2
> Squid: 2.4 Stable 4

Squid keeps information for each user that has previously authenticated.
That's how it is able to manage the TTLs you spoke of.

Since you keep asking this question, perhaps an explanation of proxy
authentication is in order. An HTTP request has room for two
authentication fields in the headers. One is the information used to
authenticate to a web server. The other is to authenticate to a proxy
server. Initially both these fields are empty in the HTTP header. So, when
the browser connects to the proxy (in this case squid) and the proxy is
configured to authenticate users, the proxy examines the proxy-auth HTTP
header. If it's empty, as it is when the user hasn't previously
authenticated, the proxy "rejects" the request and sends back the HTTP
code "407" (proxy authentication required). The browser sees this, pops up
a window and the user enters a username and password. The proxy remembers
this information and resubmits the original query, this time with the
proxy-auth field filled in. The proxy sees this information and allows
the connection to proceed. In squid's case it keeps a record of when the
first authentication for this user occurred (for authenticate_TTL) and
when that IP address last connected (authenticate_ip_ttl).

Now consider what happens when a request with no proxy-auth field arrives.
Squid does not know which user it is since there is nothing to identify
the user in the packet. Squid cannot just allow the connection
(based on having previously seen connections from that IP) because
there is no guarantee that the packet came from the same person that
authenticated previously. The packet could have come from a multi-user
machine. It could have been through a NAT-ing device. It could have come
from the same PC that someone else is using.

This all means that squid cannot and must not "trust" a packet that has no
authentication information in it. Squid does the right thing and sends
back a 407.

As I said yesterday, the problem is the browser. If you have already
authenticated to a proxy and a spawned child of that browser doesn't pick
up the authentication information, IMHO, the browser is broken.

Colin
Received on Tue Mar 05 2002 - 16:22:03 MST
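The 407 exchange described in Colin's reply, as an added model that is not part of the original thread and not Squid's own code. It shows the proxy-side decision: a request with no Proxy-Authorization header is challenged no matter which IP it comes from, Basic credentials are decoded and checked, a verified username/password pair is cached for authenticate_ttl so the password is not re-checked on every request, and a username that turns up from a second IP within authenticate_ip_ttl is denied. The user database, the realm string, the clock injection and the 403 used for the IP-switch denial are assumptions made for the example (the thread does not show the exact denial page Squid sends).

```python
"""Constructed model of HTTP proxy authentication as discussed in the thread.

Not Squid's code: a small stand-in that makes the 407 challenge/response flow
and the two TTLs from the thread concrete and testable.
"""
import base64
import hmac
import time

# Constructed stand-in for an NCSA-style password file (plaintext only to keep
# the example short; a real file holds hashed passwords).
USERS = {"dale": "correct-horse"}

# The two squid.conf values quoted in the thread, in seconds.
AUTHENTICATE_TTL = 3600       # how long a verified user/password pair is cached
AUTHENTICATE_IP_TTL = 300     # how long a username stays bound to one client IP

# Assumed realm text; any realm string works for the flow.
CHALLENGE = {"Proxy-Authenticate": 'Basic realm="Squid proxy-caching web server"'}


def parse_basic(value):
    """Decode 'Basic <base64(user:password)>'; return (user, password) or None."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


class ProxyAuth:
    """Per-proxy state: cached credential checks and username-to-IP binding."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so TTL expiry can be exercised
        self.verified = {}          # (user, password) -> time it was checked
        self.ip_bound = {}          # user -> (client_ip, time of last request)
        self.helper_calls = 0       # how often the password was actually checked

    def _check_password(self, user, password):
        """Stand-in for the external NCSA helper; counts calls to show caching."""
        self.helper_calls += 1
        expected = USERS.get(user)
        return expected is not None and hmac.compare_digest(
            expected.encode(), password.encode())

    def handle(self, headers, client_ip):
        """Return (status, extra response headers) for one proxied request."""
        value = headers.get("Proxy-Authorization")
        if value is None:
            # Nothing identifies the user; the source IP alone proves nothing,
            # so the answer is 407 even if this IP authenticated a moment ago.
            return 407, CHALLENGE
        parsed = parse_basic(value)
        if parsed is None:
            return 407, CHALLENGE
        user, password = parsed
        now = self.clock()

        # authenticate_ttl: re-run the password check only once the cached
        # verification has aged out.
        checked = self.verified.get(parsed)
        if checked is None or now - checked > AUTHENTICATE_TTL:
            if not self._check_password(user, password):
                self.verified.pop(parsed, None)
                return 407, CHALLENGE
            self.verified[parsed] = now

        # authenticate_ip_ttl: the same username arriving from a different IP
        # within the TTL is treated as a shared password and denied. This model
        # answers 403; the thread does not show Squid's exact denial response.
        bound = self.ip_bound.get(user)
        if bound and bound[0] != client_ip and now - bound[1] < AUTHENTICATE_IP_TTL:
            return 403, {}
        self.ip_bound[user] = (client_ip, now)
        return 200, {}


def basic_header(user, password):
    """Build the header value a browser sends back after the 407 challenge."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


if __name__ == "__main__":
    proxy = ProxyAuth()
    print(proxy.handle({}, "10.0.0.5"))                       # 407 challenge
    hdr = {"Proxy-Authorization": basic_header("dale", "correct-horse")}
    print(proxy.handle(hdr, "10.0.0.5"))                      # 200, allowed
    print(proxy.handle({}, "10.0.0.5"))                       # 407 again: no header
```

The third call in the usage block is the situation in the thread: a second browser window from the same IP that omits the header gets a fresh 407, because the proxy has no way to tie that bare request to the earlier login.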

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:06:43 MST