Re: [squid-users] Transp. + Authentication

From: Joe Cooper <joe@dont-contact.us>
Date: Tue, 27 Aug 2002 11:57:24 -0500

K.V. Chandrinos wrote:
> Hello all,
>
> I 've noticed no-one asked recently if there is any solution
> implemented to bypass the rather naive HTTP shortcoming of not being
> able to prompt the user for authentication when no proxy has been
> explicitly declared and you are running squid as transparent. Well, I
> opt to be original, at least for the last week of August 2002!
>
> I know it's a frequently unanswered quest, just checking on progress
> before I go about inventing wheels, using a same-box Web server,
> redirectors and stuff.. If someone has experimented with the overhead
> of such solutions it would be nice to hear.
>
> Thanks again, Kostas
>
> PS. Funny how people keep asking this since 1998 and nothing happens!
> Kind of makes you wonder what makes a 'desired feature' nowadays...

Funny how people keep asking the same question, over and over again, and
yet none of the folks asking has solved the problem themselves and
contributed a solution for others...

'desired feature' == Something someone is willing to invest in. You can
invest time and code, or you can invest money, and if you invest
something you're far more likely to see a feature come to be. But
asking the same question on the mailing list that has been asked a
hundred times is not much of an investment.

However, in this case, it doesn't matter how much you invest--the HTTP
protocol has no room for transparent proxying and proxy authentication.
  As you seem to already be aware, the only 'workaround' is a Wile E.
Coyote scheme of redirectors, CGI scripts, pullies, and a pair of roller
skates (ok, really just a redirector and CGI scripts). Squid can't do
transparent proxying and proxy authentication simultaneously, and never
will as long as we're using the current HTTP protocols that do not have
room for a hidden proxy in the request path. Though the new
external_acl will probably make it much easier to implement. So there,
a requested feature gets closer.

There was much discussion about /how/ to go about implementing such a
hack about a month or two ago, between myself, Henrik and a fellow named
Roy Hairyes. I don't believe it ever came to anything, but the
knowledge you would need to implement the CGI/redirector combo is
contained in those messages.

-- 
Joe Cooper <joe@swelltech.com>
Web caching appliances and support.
http://www.swelltech.com
Received on Tue Aug 27 2002 - 11:00:59 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:09:51 MST