On Wed, 1 Sep 2004, Chris Perreault wrote:

I've looked through RFC 2617 trying to get a better understanding of the
basic authentication process, and wondered if anyone on the list had a
better way of explaining it to me. There are 407 (web server) and 401
(proxy server) response messages generated to challenge the authorization of
the requestor.

Yes. And in this context a reverse proxy is a web server, not a proxy.

Proxy authentication is restricted to proxies configured as proxies in the user's browser.

We were/are trying to limit the number of times someone has
to log in, when using squid in accelerated mode. One of the webservers does
basic auth against the same ldap directory the squid server will be using.

Ok.

Furthermore, there are links on this webserver to Lotus Notes. The Notes
userdatabase has the usernames and passwords the same as the LDAP directory.

Ok.

Without squid, users do a basic auth to the webserver and can go to Notes
without having to log back in. (they use an out of date reverse proxy which
has site.com/webserver and site.com/notes in the mappings).

Ok.

We took the route of using form-based authentication, with squid via ldap, hoping to rewrite the headers, but it appears we can't rewrite the headers we need to rewrite.

You can add Basic authentication to the request via a redirector. http://user:[EMAIL PROTECTED]/ will translate to basic authentication when Squid forwards the request.


One we'd like to rewrite is remote_user but it ends up creating and populating a header called http_remote_user instead.

There is no "remote_user" header in HTTP. This CGI variable is derived from authentication.



If you use Basic authentication then most of this is automatic, assuming you set up Squid in a manner similar to how the old reverse proxy was configured, presenting all the servers as one single big server to the users.


Regards
Henrik
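
The two points in this reply, as an added example that is not part of the original message: credentials in a URL's userinfo become an `Authorization: Basic` header, and `REMOTE_USER` is set by the server from verified credentials, while a client-sent `Remote-User` header only ever shows up as `HTTP_REMOTE_USER` (the RFC 3875 header mapping). The host name, the `USERS` table and the function names are constructed for the illustration; `check_password` stands in for the LDAP lookup.

```python
import base64
from urllib.parse import urlsplit

USERS = {"alice": "s3cret"}  # constructed sample directory, stands in for LDAP

def check_password(user, password):
    return USERS.get(user) == password

def basic_header_from_url(url):
    """Authorization value equivalent to the user:password@ part of a URL."""
    parts = urlsplit(url)
    if parts.username is None:
        return None
    creds = f"{parts.username}:{parts.password or ''}".encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")

def parse_basic(value):
    """Return (user, password) from an Authorization value, or None."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def cgi_environ(headers, verify=check_password):
    """Map request headers to CGI variables as RFC 3875 describes."""
    lowered = {name.lower(): value for name, value in headers.items()}
    env = {}
    for name, value in lowered.items():
        if name == "authorization":
            continue  # credentials are not handed to the script as HTTP_*
        env["HTTP_" + name.upper().replace("-", "_")] = value
    creds = parse_basic(lowered.get("authorization", ""))
    if creds and verify(*creds):
        # Only the server's own authentication step sets these two.
        env["AUTH_TYPE"] = "Basic"
        env["REMOTE_USER"] = creds[0]
    return env

if __name__ == "__main__":
    header = basic_header_from_url("http://alice:s3cret@backend.example/")
    print(cgi_environ({"Authorization": header, "Remote-User": "admin"}))
```

An application behind the proxy should read the identity from `REMOTE_USER`, never from `HTTP_REMOTE_USER`, since the latter is whatever the client chose to send.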
