Re: [squid-users] Reverse proxy+SSL+Basic HTTP auth

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 08 Jan 2003 11:00:03 +0100

user666@xs4all.nl wrote:

> We've been trying to get around this by using digest authentication. It
> works. The user only has to log on once. The problem is that I don't see
> how this is done. I don't think Squid's digest code has any way for me to
> give it a 'domain="host1,host2,host3"' pair. I can give it a realm but the
> realmname I enter has no hostname in it. This was only tested with IE so
> is it broken or what am I missing?

The digest implementation in Squid is written for proxy authentication
which is slightly different, and probably needs to be extended a bit for
proper use in accelerators/reverse proxies.

> We have also tried to set up our hosts as shown here, in the hope that the
> browser might resend the basic authentication username/password if the
> hostname remained the same:
> http://host1:80 https://host1:443 intranet1
> http://host1:81 https://host1:444 intranet2
>
> This did not work (and rightly so I suppose).

Depends on the browser, but generally running https on ports other than
443 is not recommended as people behind firewalls or proxies may have
serious trouble reaching the other port.

> Is there anything we have missed? Is there any other way to have squid
> authenticate users for multiple reverse-proxied domains (whilst still
> using SSL)?

The problem is not due to Squid but due to HTTP. The only two HTTP
authentication schemes working with multiple domains are:

a) digest HTTP authentication

b) A custom brewed authentication scheme based on cookies. Can be
implemented in Squid-2.5 via external_acl and the help of an HTTP/HTTPS
server that manages the login screen and sets the proper cookies.

Regards
Henrik
Received on Wed Jan 08 2003 - 03:18:39 MST
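
A sketch of the helper side of option (b), added here as an illustration and not part of the original message or of Squid itself: an external ACL helper that accepts a request only if it carries a cookie signed by the login server. It assumes the `external_acl_type` format passes just `%{Cookie}`, that the helper answers `OK user=<name>` or `ERR`, and a constructed cookie layout `sso=user|expiry|hmac`; the cookie name, layout and key file argument are hypothetical.

```python
import hashlib
import hmac
import shlex
import sys
import time

COOKIE_NAME = "sso"  # hypothetical cookie name set by the login server


def sign(user, expiry, key):
    """Token the login server would place in the cookie: user|expiry|mac."""
    msg = f"{user}|{expiry}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{user}|{expiry}|{mac}"


def check_line(line, key, now):
    """Answer one helper request line holding the raw Cookie header value."""
    try:
        header = " ".join(shlex.split(line))  # assumes shell-style quoting
    except ValueError:
        return "ERR"
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name != COOKIE_NAME:
            continue
        try:
            user, expiry, mac = value.split("|")
            expires = int(expiry)
        except ValueError:
            return "ERR"
        expected = sign(user, expiry, key).rsplit("|", 1)[1]
        # Constant-time MAC check, then expiry; isalnum keeps the reply line clean.
        ok = hmac.compare_digest(mac.encode(), expected.encode())
        if ok and expires > now and user.isalnum():
            return f"OK user={user}"
        return "ERR"
    return "ERR"  # no cookie ("-"): let Squid deny and send the user to log in


def main():
    with open(sys.argv[1], "rb") as fh:  # key file shared with the login server
        key = fh.read().strip()
    for line in sys.stdin:
        print(check_line(line, key, int(time.time())), flush=True)


if __name__ == "__main__":
    main()
```

The login server issues the token with the same key after checking the password; the helper never sees credentials, only the signed cookie.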
