On Thursday 27 February 2003 17.39, Lucas Brasilino wrote:
> Hi all, especially squid developers:
>
> For me it's clear like crystal the explanation why I can't
> use proxy_auth with interception shown at
> http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.15
>
> Ok. that's fine.
>
> But if I modify squid behavior to _NOT_ send
> "HTTP/1.0 407 Proxy Authentication Required"
> but
> "HTTP/1.0 401 Unauthorized"
> the client should think that it is talking with the original
> server. It should do the trick, shouldn't it ??
>
> Well.. maybe you say "go to hell Lucas!! Are you against RFC2616's
> standards ??" :-))
>
> No, I'm not. But this trick seems to be useful, isn't it ??
> Comments, please.... :)

Would not call it useful in a proxy. It is useful in accelerators but
there the functionality is already available in Squid (a hidden define
needs to be set in Squid-2.5 and earlier.. only to make it harder to find
to make sure people who run transparent proxies do not think this is good
for a transparent proxy, as it is not)

This will as you say make the browser think it is the web site who
requires authentication. This has a number of implications:

a) As you are now using the authentication protocol meant to be used by
web sites, no web sites will be able to use authentication via your proxy.

b) The browser will request again for the password on each new web site
requested.

c) Your users' proxy login+password will most likely leak out in plain
text on the Internet unless you take special action to prevent this by
making sure the Authorization header is not forwarded.

Regards
Henrik
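
Points a) and c) of the reply above, as an added example that is not part of the original message and is not Squid's code: a simplified model of which request headers a proxy forwards, showing that Proxy-Authorization stops at the proxy while Authorization travels on to the origin server unless it is stripped. The function names and the sample credentials are constructed for illustration.

```python
import base64

# Hop-by-hop headers (RFC 2616 section 13.5.1): a proxy consumes these itself.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate",
              "proxy-authorization", "te", "trailers",
              "transfer-encoding", "upgrade"}

def basic(user, password):
    """Build a Basic credential value (constructed sample data only)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token

def forward_headers(client_headers, strip_authorization=False):
    """Headers a simplified proxy passes on to the origin server."""
    out = []
    for name, value in client_headers:
        lname = name.lower()
        if lname in HOP_BY_HOP:
            continue  # never leaves the proxy
        if strip_authorization and lname == "authorization":
            continue  # the "special action" from point c)
        out.append((name, value))
    return out

def exposed_basic_credentials(headers):
    """(user, password) pairs an on-path observer or the site can decode."""
    found = []
    for name, value in headers:
        scheme, _, token = value.partition(" ")
        if name.lower() == "authorization" and scheme.lower() == "basic":
            user, _, password = base64.b64decode(token).decode().partition(":")
            found.append((user, password))
    return found

# Constructed requests: the same proxy login sent in reply to a 407 and a 401,
# plus a login meant for a web site's own 401.
REPLY_TO_407 = [("Host", "example.com"), ("Proxy-Authorization", basic("alice", "proxy-pass"))]
REPLY_TO_401 = [("Host", "example.com"), ("Authorization", basic("alice", "proxy-pass"))]
SITE_LOGIN = [("Host", "example.com"), ("Authorization", basic("alice", "site-pass"))]

if __name__ == "__main__":
    print("407:", exposed_basic_credentials(forward_headers(REPLY_TO_407)))
    print("401:", exposed_basic_credentials(forward_headers(REPLY_TO_401)))
    print("401, stripped:", exposed_basic_credentials(forward_headers(REPLY_TO_401, True)))
    # Stripping also removes the web site's own credentials, which is point a).
    print("site login, stripped:", forward_headers(SITE_LOGIN, True))
```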
