On 28/08/2013 8:13 p.m., Attila Gömbös wrote:
> The downstream proxy authenticates the users (with SPNEGO for example).
> The downstream proxy sends the Proxy-Authorization token with only the
> username in it.
> But the Squid will send the request to Symantec Messagelabs, but it
> can't create the right X-saucer and X-teacup headers, if the user is
> authenticated only with username, but expects domain\username in the
> Proxy-Authorization field.

Please understand that authentication protocols, SPNEGO in particular, are
authenticating either the specific TCP connection or the specific HTTP
request between the downstream client and the downstream proxy.

The TCP connection and/or request between the downstream proxy and your
Squid may be *very* different from the original ones. In the case of the
TCP connection the downstream proxy may even be multiplexing multiple
clients onto the one connection.

Sending the right credentials is a problem for the downstream proxy.
There is no way to accurately know the "correct" username credentials if
they were not explicitly delivered.

If you have a new enough Squid (3.2 or later) the best you can do is use
login=PASSTHRU and let the *upstream* proxy be the one performing
authentication, with the downstream and local proxies using
external_acl_type helpers to simply probe into the Proxy-Auth headers
and supply the user name label back for record keeping purposes.

Amos
Received on Wed Aug 28 2013 - 08:46:24 MDT
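
A sketch of the kind of external_acl_type helper the reply above describes, as an added example that is not part of the original message or Squid's own code: it reads the Proxy-Authorization value Squid passes in and returns only the user name as a label for record keeping. The helper path, the ACL names and the squid.conf wiring shown in the comments are assumptions to check against your Squid version, and this sketch parses only the Basic scheme.

```python
#!/usr/bin/env python3
# Assumed squid.conf wiring (hypothetical names and path; verify the format
# code against the external_acl_type documentation for your Squid version):
#   external_acl_type auth_label %>{Proxy-Authorization} /usr/local/bin/proxy_auth_label.py
#   acl labelled external auth_label
#   cache_peer <upstream> parent <port> 0 login=PASSTHRU
import base64
import binascii
import re
import sys
from urllib.parse import unquote

# Only names that are safe to echo back unquoted on the helper reply line.
# Backslash is allowed so that domain\username labels survive.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._@\\-]{1,128}$")


def label_for(line: str) -> str:
    """Map one helper input line (URL-escaped header value) to a helper reply."""
    value = unquote(line.strip())
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return "ERR"  # header absent ("-") or a scheme this sketch does not parse
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return "ERR"
    # The password half is discarded here and never written anywhere.
    name, sep, _password = decoded.partition(":")
    if not sep or not SAFE_NAME.match(name):
        return "ERR"  # refuse names that could break the reply line or the logs
    return "OK user=" + name


def main() -> None:
    for line in sys.stdin:
        sys.stdout.write(label_for(line) + "\n")
        sys.stdout.flush()  # Squid waits for one reply line per request line


if __name__ == "__main__":
    main()
```

The label is only as trustworthy as the hop that supplied the header; the helper records what was delivered and validates nothing, which matches the "record keeping" role in the reply.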