Re: [squid-users] HTTP Headers

From: Craig Kelley <ckelley@dont-contact.us>
Date: 06 Mar 2003 09:02:54 -0700

On Thu, 2003-03-06 at 00:54, Henrik Nordstrom wrote:
> On Thursday 06 March 2003 00.24, Craig Kelley wrote:
>
> > Just for the archives; I solved the problem by using this on the
> > source HTTPD server:
> >
> > <Directory dir/to/cache/goes/here>
> > Options FollowSymLinks
> > AllowOverride None
> > Header set Cache-control public
> > AuthType Basic
> > AuthName ByPassword
> > AuthUserFile /path/to/htpasswd/file/goes/here
> > <Limit GET PUT POST DELETE>
> > Require valid-user
> > </Limit>
> > </Directory>
> >
> > Many thanks Henrik for the HTTP header hint.
>
> I assume you know that cache hits will not require authentication in
> such setup? And this does not only apply to your cache but any cache
> on the Internet who have cached the page.
>
> Having auth requirement on such URLs on the server is somewhat odd,
> but if you require authentication for URLs higher up in the directory
> structure then you will need to mark them as public as browsers will
> still think authentication is required to fetch these objects and
> thereby make caches also think it is...
>
> If you really want both authentication and caching in your accelerator
> then set up authentication in Squid.

Yes, that is a good point. In our situation we are setting up firewall
rules such that the only machines that can speak with the central apache
server are the squid transparent proxies, so it works for us. The squid
machines are also behind private firewalls, with controlled access to
the clients (in between is FreeS/WAN). This gives us a top-down
distributed filesystem with top-down authentication too.

The auth requirement is just meant to be there to keep the casual
observer from snooping around (which will be discovered via log files
and such). Thanks again for your help;

  -Craig
Received on Thu Mar 06 2003 - 09:00:50 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:13:57 MST