Amos Jeffries schrieb:
>> Config:
>> cache_peer 10.1.2.3 parent 8000 0 no-query originserver login=PASS
>>
>
> This is a origin server peer. The header delivered to it is
> WWW-Authenticate. Proxy-Authenticate is invalid on connections to origin
> servers.
>
> Is your proxy a reverse-proxy or a forward-proxy?
>
It is a reverse proxy.
> Which of the servers (your proxy or the origin) is validating the
> authentication?
>
>
The origin server.
>> The config seems to work, squid shows me the login dialog of the
>> cache_peer. For several reasons I have to feed the username back as a
>> header value....
>> I also tried login=PASSTHRU for testing, but without any difference.
>
> FWIW:
> * "PASSTHRU" sends the received Proxy-Authenticate header (if any)
> through to the peer untouched. Leaving no header if none provided by the
> client.
>
> * "PASS" tries to convert credentials to Basic auth and deliver to the
> peer in Proxy-Authenticate. Will try to generate a header from any
> available other sources of credentials if none are provided by the client.
>
> In both of the above the peer being an origin treats them as not having
> www-Authenticate header (naturally) and responds with a challenge to get
> some.
>
>
The origin peer creates the "WWW-Authenticate: NTLM" request upon which
the rev proxy shows the user/password popup request.
The Rev Proxy then replies with a "Authorization: NTLM
TlRMTVNTUAADAAAAGAAYAGYAAADuAO4A [...]" Header.
So I think PASS is OK, as nothing seems to be converted from NTLM...
Or am I wrong?
Bye
Stefan
Received on Fri Apr 11 2014 - 10:18:43 MDT
This archive was generated by hypermail 2.2.0 : Fri Apr 11 2014 - 12:00:04 MDT