Re: Why does Squid-2 return HTTP_PROXY_AUTHENTICATION_REQUIRED on http_access DENY?

2009-09-15 Thread Henrik Nordstrom
Tue 2009-09-15 at 16:09 +1000, Adrian Chadd wrote:
> But in that case, ACCESS_REQ_PROXY_AUTH would be returned rather than
> ACCESS_DENIED..

Perhaps. Simple change moving that logic from client_side.c to acl.c,
but may cause unexpected effects in other access directives such as
cache_peer_access where we don't want to challenge the user.

Why does it matter?

Regards
Henrik



Re: Why does Squid-2 return HTTP_PROXY_AUTHENTICATION_REQUIRED on http_access DENY?

2009-09-14 Thread Robert Collins
On Tue, 2009-09-15 at 16:09 +1000, Adrian Chadd wrote:
> But in that case, ACCESS_REQ_PROXY_AUTH would be returned rather than
> ACCESS_DENIED..

Right... so can we have some more details about what is happening and
what you expect?

deny !proxy_auth_group
!=
allow proxy_auth_group

and 
deny proxy_auth_group
!=
allow !proxy_auth_group

-Rob




Re: Why does Squid-2 return HTTP_PROXY_AUTHENTICATION_REQUIRED on http_access DENY?

2009-09-14 Thread Adrian Chadd
But in that case, ACCESS_REQ_PROXY_AUTH would be returned rather than
ACCESS_DENIED..



Adrian

2009/9/15 Robert Collins :
> On Tue, 2009-09-15 at 15:22 +1000, Adrian Chadd wrote:
>> G'day. This question is aimed mostly at Henrik, who I recall replying
>> to a similar question years ago but without explaining why.
>>
>> Why does Squid-2 return HTTP_PROXY_AUTHENTICATION_REQUIRED on a denied ACL?
>>
>> The particular bit in src/client_side.c:
>>
>> int require_auth = (answer == ACCESS_REQ_PROXY_AUTH ||
>> aclIsProxyAuth(AclMatchedName)) && !http->request->flags.transparent;
>>
>> Is there any particular reason why auth is tried again? It forces a
>> pop-up on browsers that already have done authentication via NTLM.
>
> Because it should? Perhaps you can expand on where you are seeing this -
> I suspect a misconfiguration or some such.
>
> It's entirely appropriate to signal HTTP_PROXY_AUTHENTICATION_REQUIRED
> when a user is denied access to a resource *and if they log in
> differently they could get access*.
>
> -Rob
>


Re: Why does Squid-2 return HTTP_PROXY_AUTHENTICATION_REQUIRED on http_access DENY?

2009-09-14 Thread Robert Collins
On Tue, 2009-09-15 at 15:22 +1000, Adrian Chadd wrote:
> G'day. This question is aimed mostly at Henrik, who I recall replying
> to a similar question years ago but without explaining why.
> 
> Why does Squid-2 return HTTP_PROXY_AUTHENTICATION_REQUIRED on a denied ACL?
> 
> The particular bit in src/client_side.c:
> 
> int require_auth = (answer == ACCESS_REQ_PROXY_AUTH ||
> aclIsProxyAuth(AclMatchedName)) && !http->request->flags.transparent;
> 
> Is there any particular reason why auth is tried again? It forces a
> pop-up on browsers that already have done authentication via NTLM.

Because it should? Perhaps you can expand on where you are seeing this -
I suspect a misconfiguration or some such.

It's entirely appropriate to signal HTTP_PROXY_AUTHENTICATION_REQUIRED
when a user is denied access to a resource *and if they log in
differently they could get access*.

-Rob




Why does Squid-2 return HTTP_PROXY_AUTHENTICATION_REQUIRED on http_access DENY?

2009-09-14 Thread Adrian Chadd
G'day. This question is aimed mostly at Henrik, who I recall replying
to a similar question years ago but without explaining why.

Why does Squid-2 return HTTP_PROXY_AUTHENTICATION_REQUIRED on a denied ACL?

The particular bit in src/client_side.c:

int require_auth = (answer == ACCESS_REQ_PROXY_AUTH ||
aclIsProxyAuth(AclMatchedName)) && !http->request->flags.transparent;

Is there any particular reason why auth is tried again? It forces a
pop-up on browsers that already have done authentication via NTLM.

I've written a patch to fix this in Squid-2.7:

http://www.creative.net.au/diffs/2009-09-15-squid-2.7-auth_required_on_auth_acl_deny.diff

I'll create a bugtraq entry when I have some more background
information about this.

Thanks,


adrian
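
Added example (not part of any message in this thread, and not Squid source code): a simplified C model of the require_auth decision quoted above from src/client_side.c, showing when a denied request gets a 407 challenge and when it gets a plain 403. The rule evaluator, all struct and function names, and the assumption that AclMatchedName names the last ACL tested are illustrative.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model written for this example; not Squid source code. */
enum access { ACCESS_DENIED, ACCESS_ALLOWED, ACCESS_REQ_PROXY_AUTH };
struct acl  { const char *name; bool is_proxy_auth; bool matches; };
struct term { const struct acl *acl; bool negate; };
struct rule { bool allow; struct term terms[3]; size_t n; };
/* Stands in for AclMatchedName: assumed to be the last ACL that was tested. */
static const struct acl *last_checked;

static enum access check(const struct rule *rules, size_t n, bool have_creds) {
    bool last_allow = false;
    last_checked = NULL;
    for (size_t i = 0; i < n; i++) {
        bool all_match = true;
        for (size_t j = 0; j < rules[i].n && all_match; j++) {
            const struct term *t = &rules[i].terms[j];
            last_checked = t->acl;
            if (t->acl->is_proxy_auth && !have_creds) return ACCESS_REQ_PROXY_AUTH;
            all_match = (t->acl->matches != t->negate);
        }
        if (all_match) return rules[i].allow ? ACCESS_ALLOWED : ACCESS_DENIED;
        last_allow = rules[i].allow;
    }
    return last_allow ? ACCESS_DENIED : ACCESS_ALLOWED; /* default: opposite of last rule */
}

/* Returns 0 when the request is forwarded, else the error status sent to the client. */
int http_status(const struct rule *rules, size_t n, bool have_creds, bool transparent) {
    enum access answer = check(rules, n, have_creds);
    if (answer == ACCESS_ALLOWED) return 0;
    bool require_auth = (answer == ACCESS_REQ_PROXY_AUTH ||
        (last_checked && last_checked->is_proxy_auth)) && !transparent;
    return require_auth ? 407 : 403;
}

/* Constructed case: the user is not a member of proxy_auth_group. */
int demo(bool append_all, bool have_creds, bool transparent) {
    static const struct acl group = { "proxy_auth_group", true, false };
    static const struct acl all = { "all", false, true };
    struct rule r = { false, { { &group, true }, { &all, false } }, append_all ? 2 : 1 };
    return http_status(&r, 1, have_creds, transparent);
}

int main(void) {
    printf("%d %d\n", demo(false, true, false), demo(true, true, false));
    return 0;
}
```

In this model, "deny !proxy_auth_group" for an already authenticated user yields 407 because the last ACL tested is a proxy_auth ACL, while the same rule with a trailing non-auth ACL such as "all" yields 403.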