Re: [squid-users] Proxy-Authentication-Info header

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 07 Jan 2011 20:07:57 +1300

On 06/01/11 03:17, Markus Moeller wrote:
> Hi,
>
> When should I expect to see a Proxy-Authentication-Info header ? I
> noticed that when I use Kerberos authentication with squid_kerb_auth on
> Version 3.0.STABLE25 that squid_kerb_auth returns AF
> oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus_at_SUSE.HOME to squid, but
> oRQwEqADCgEAoQsGCSqGSIb3EgECAg== is added to a 200 OK as
> Proxy-Authentication-Info header and not to a Proxy-Authorization header
> for further processing by the client.
>
>
> GET http://192.168.1.127:9090/w16c332bd.60732998:00000008/t03/_00000001
> HTTP/1.1
> Accept: */*
> Host: 192.168.1.127:9090
> X-Xact: 16c332bd.60732998:00000002 16c332bd.60732998:0000000c 0
> X-Loc-World: 16c332bd.60732998:00000008 -1/1 0
> X-Rem-World: 16c332bd.60732998:00000008 -1/1 0
> X-Target: 192.168.1.127:9090
> X-Abort: 1798565613 512442519
> X-Phase-Sync-Pos: 0
> Proxy-Connection: close
> Proxy-Authorization: Negotiate
> YIICgwYGKwYBBQUCoIICdzCCAnOgHzAdBgkqhkiG9xIBAgIGBSsFAQUCBgkqhkiC9xIBAgKiggJOBIICSmCCAkYGCSqGSIb3EgECAgEAboICNTCCAjGgAwIBBaEDAgEOogcDBQAAAAAAo4IBXmGCAVowggFWoAMCAQWhCxsJU1VTRS5IT01FoicwJaADAgEDoR4wHBsESFRUUBsUb3BlbnN1c2UxMS5zdXNlLmhvbWWjggEXMIIBE6ADAgEXoQMCAQOiggEFBIIBAaC6OrRsodSdqr+Y15NtSpBpfanzwI865Yr/5pbFYO+U05YTpZkIKz1ioQaoEIiavnuk6mSy4pAPNyrhz5xmlkyBQ+/ZA3X87lTbik7+piyy4vRWUlkXSLFqLCQ+vDTA3Tn1DSgagvIitFaeS5ARkzlcbas3hyKyQJgRmD11NVAxlFTq/tNHk6TvLODP1Cb0fEGhl4+3uzOrA7zbTwrj0rcTQQ+oz+DXXd+NV+XYFKeubXFACZUfHDM/XDWyVBrcu2KfqgiUzlGd04jLF4BQZq4iptSoDpAPrlt7U/DgMk/5pIERfLFR/UVjT7CdLN7v5uN75/3axwLmqbbV+/Z1ccP8pIG5MIG2oAMCAReiga4EgasCdd9tBqcqYnW6xphxYurzncg3PxYJdxvnMU+XW11jXB8Krnj3+i296Ip4/AU9h8OZF2FDGThPrjT+zavB5r28NImnOX79Ds5650hN7TpIii/gcb3hBV0D6cLSJJcUCrgGoSrX70zGvIqNa/POioE3sIbIOdZ9m9Yu/Uwf66rItmqtPv5lo7s1W8J34e7PS2n5kZzf1jvJ786UNspn4C2a1uH7eYR0jC94lyU=
>
>
> HTTP/1.0 200 OK
> Cache-Control: public
> Date: Wed, 05 Jan 2011 14:15:43 GMT
> Content-Length: 18219
> X-Target: 192.168.1.127:9090
> X-Xact: 16c332a4.3f2d298e:00000002 16c332bd.60732998:7ffffff3 0
> X-Abort: 1412400744 2082554117
> X-Phase-Sync-Pos: 0
> Proxy-Authentication-Info: Negotiate oRQwEqADCgEAoQsGCSqGSIb3EgECAg==
> X-Cache: MISS from opensuse11.suse.home
> X-Cache-Lookup: MISS from opensuse11.suse.home:3128
> Via: 1.0 opensuse11.suse.home (squid/3.0.STABLE25)
> Proxy-Connection: close
>
> Is that correct or did I misconfigure something ?

Proxy-Authorization is only on requests from the client.

Squid will send Proxy-Authentication-Info on successfully authenticated
digest or negotiate responses. Digest is done as per RFC 2617. I'm
unable to find any proxy-auth* specs for Negotiate protocol, RFC 4559
only covers origin server auth and does not mention *-Info at all.

The specs of Proxy-Authentication-Info indicate that it can be used on
any successful auth response to provide the client with details about
the auth, so it makes sense to send it when Negotiate is accepted.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.10
   Beta testers wanted for 3.2.0.4
Received on Fri Jan 07 2011 - 07:08:08 MST

This archive was generated by hypermail 2.2.0 : Fri Jan 07 2011 - 12:00:02 MST