Re: [squid-users] Digest Auth Problem in Reverse Proxy Setup

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Wed, 16 Aug 2006 01:28:39 +0200

On Tue 2006-08-15 at 11:07 -0700, Ben Drees wrote:
> If I had a load balancer mapping many incoming client connections to
> fewer backend connections to Squid, would that cause trouble for the
> digest authentication logic? In particular, if requests from two
> different authenticated users were mapped onto a single connection from
> load balancer to Squid (and interleaved?) would that cause trouble?

No. Digest authentication is per the HTTP specifications and is message
oriented, not connection oriented.

But if this load balancer maps the same user to different Squids on
different requests in the same session then there could be trouble.
There is state kept at both ends, and if a second request gets sent to
another server then Digest will have a bit of a problem.

> It seems like there is some cached auth state associated with each
> connection, and that the connection multiplexing must be interacting
> badly with that. Is there a way to suppress the caching of this auth state?

It's not caching of state, it's state inherent to the Digest
authentication scheme. It's in principle a challenge/response
authentication scheme and the response must be sent to the same server
that issued the challenge.

To get around this some code changes will be needed. I have some ideas
which should work even in load balanced farms, but it will require some
hours of coding.

Regards
Henrik

Received on Tue Aug 15 2006 - 17:28:43 MDT
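
The two cases from the reply above, as an added example that is not part of the original message and is not Squid's code: a simplified model of RFC 2617 Digest without qop, in which each server remembers only the nonces it issued itself. The class, function names, realm and credentials are constructed for illustration.

```python
import hashlib
import secrets

REALM = "example-realm"                      # constructed sample values
USERS = {"alice": "s3cret", "bob": "hunter2"}

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, password, method, uri, nonce):
    # RFC 2617 response without qop: MD5(HA1:nonce:HA2)
    ha1 = md5_hex(f"{user}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

class DigestServer:
    """Toy backend: remembers the nonces it issued in local memory only."""
    def __init__(self):
        self.issued = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def verify(self, user, method, uri, nonce, response):
        if nonce not in self.issued:
            return "unknown-nonce"           # challenge came from another server
        expected = digest_response(user, USERS[user], method, uri, nonce)
        return "ok" if secrets.compare_digest(expected, response) else "bad-credentials"

def request(user, challenger, verifier, uri="/index.html"):
    # Client answers the challenge from `challenger`; the balancer delivers it to `verifier`.
    nonce = challenger.challenge()
    response = digest_response(user, USERS[user], "GET", uri, nonce)
    return verifier.verify(user, "GET", uri, nonce, response)

def interleaved(server):
    # Two users multiplexed onto one backend connection, answers arriving out of order.
    n_alice, n_bob = server.challenge(), server.challenge()
    r_bob = digest_response("bob", USERS["bob"], "GET", "/b", n_bob)
    r_alice = digest_response("alice", USERS["alice"], "GET", "/a", n_alice)
    return [server.verify("bob", "GET", "/b", n_bob, r_bob),
            server.verify("alice", "GET", "/a", n_alice, r_alice)]

if __name__ == "__main__":
    squid_a, squid_b = DigestServer(), DigestServer()
    print("interleaved users, one server:", interleaved(squid_a))
    print("same server for challenge and response:", request("alice", squid_a, squid_a))
    print("response routed to another server:", request("alice", squid_a, squid_b))
```

Interleaving succeeds because every message carries its own nonce and response; only routing the response to a server that never issued the nonce fails.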
