Re: [squid-users] Order of authentication schemes in Proxy-Authenticate

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 11 Apr 2013 22:02:18 +1200

On 10/04/2013 4:23 p.m., Alan wrote:
> Is there any way to influence the order in which Squid sends the
> Proxy-Authenticate headers to the client? I already tried changing
> the order in the config file to no avail.

That was the way to do it.
Please test carefully and IF you have solid evidence of Squid disobeying
the config order please open a bug report about it.

> Background:
> I have a squid 3.3.3 proxy using both kerberos and radius. A capture
> shows it offers both Basic and Negotiate authentication schemes, in
> separate headers and in that order.
> IE seems to try Negotiate first and Basic later, disregarding the
> order in which the headers appear.
> Firefox seems to be trying in the same order as the headers appear (I
> haven't confirmed that changing the order would fix this).
>
> The RFC doesn't seem to mention anything about which one should be
> tried first, so both approaches seem reasonable. I haven't been able
> to find any configuration option in Firefox to change the order
> either.

This should clarify for you what is going on:
http://wiki.squid-cache.org/action/show/Features/Authentication#Can_I_use_different_authentication_mechanisms_together.3F

The order Squid sends the headers is *supposed* to be irrelevant. Any
browser following that order is buggy.

Amos
Received on Thu Apr 11 2013 - 10:02:31 MDT

This archive was generated by hypermail 2.2.0 : Thu Apr 11 2013 - 12:00:03 MDT