[squid-users] Proxy-Authorization headers

From: Markus Nilsson <markus_at_markusoft.se>
Date: Fri, 04 Nov 2011 15:04:00 +0100 (CET)

Hi!

I'm having some trouble with kerberos (negotiate) authentication and the Proxy-Authorization header.

Currently I am using digest, and it's working fine. I allow most request in squid, but am using a url_rewriter to check if the user really has permission to access a specific site.

This way I can let some users, without logging in, access some sites, but require proxy_auth access for other.

To achieve this I protect one single page (redirector) with

http_access allow authenticated_users redirector

This way I can forward all requests which are blocked by the url_rewrite_program to a splash-page, with a link to this blocked page, and by doing that force a proxy login.

This works very well, and makes it easy for the end users. It has the side effect though that Squid does not extract the username, and hence the url_rewrite_program will not get the username. I have solved this with a helper that extracts this information from the Proxy-Authorization header:

#Extracts username from HTTP-header
external_acl_type username ttl=3600 %{Proxy-Authorization} /usr/bin/extract_username_from_proxy_header
acl username external username

This helper returns

OK user=username

or

OK

if no username is found. With this I will opportunistically get a username if it is provided through the Proxy-Authorization header. And by the rule below, I can see in the logs that the username is extracted correctly

http_access allow all !redirector username

Now to my problem; when adding kerberos authentication, I can't seem to find the Proxy-Authorization header on more than the request to the redirector acl, and when I analyze in firebug, I can't see that it is continuously sent by the browser. Is the negotiate authentication scheme different in this way than digest (and plain)? Or am I doing something wrong here...? Plain and Digest sends their Proxy-Authorization headers on all request after a successful login, even if squid does not require them to do so.

Thanks for any input!

Kind Regards

Markus
Received on Fri Nov 04 2011 - 14:04:06 MDT

This archive was generated by hypermail 2.2.0 : Sat Nov 05 2011 - 12:00:03 MDT