Re: [squid-users] NTLM through proxy server?

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Sat, 25 Aug 2007 09:51:39 +0200

On fre, 2007-08-24 at 21:23 -0300, Diego Woitasen wrote:

> ok, is protocol specific, but I read the protocol and I can't
> undertand why. The Client and the Server need to see themselves? Or Is
> a conexion multiplexation problem in the proxy?

HTTP is message oriented, based on self-contained messages being passed
over unspecified transports, with transports being hop-by-hop (i.e.
browser<->proxy and proxy<->server is independent transports).

NTLM is connection oriented, based on connection state. Only masqueraded
to look like an HTTP authentication scheme, not at all acting as one.

Thus proxying of NTLM requires the proxy to
1. Detect that the NTLM scheme is being used.
2. Then make a strict association between client connection and server
connection
3. and also remember that requests seen on this client connection is
using authentication even if the messages themselves do not contain any
authentication related information at all.

Which is quite different from how an HTTP proxy normally operates.

Regards
Henrik

Received on Sat Aug 25 2007 - 01:51:45 MDT

This archive was generated by hypermail pre-2.1.9 : Sat Sep 01 2007 - 12:00:03 MDT