Thanks for the quick reply. I added the "PASSTHRU" only after I had the 
problem.
Without it (I removed the entire login directive), it seems that Squid strips 
away the entire Authorization digest:

GET./xadmin/mk.php.HTTP/1.0
Host:xxxxxx
User-Agent:.Mozilla/5.0.(Windows;.U;.Windows.NT.6.1;.en-US;.rv:1.9.2.16).Gecko/20110319.Firefox/3.6.16.GTB7.1
Accept:.text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language:.en-us,en;q=0.5
Accept-Encoding:.gzip,deflate
Accept-Charset:.ISO-8859-1,utf-8;q=0.7,*;q=0.7
Via:.1.1.squid-server:3128.(squid/2.6.STABLE21)
X-Forwarded-For:.192.168.0.71
Cache-Control:.max-age=259200
Connection:.keep-al

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Thursday, April 14, 2011 1:13 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] squid to pass http digest

On 14/04/11 21:08, Or Gerson wrote:
> Hello,
>
> I have two web servers running apache behind squid.
> The application on the apache is php written and requests authentication 
> which is passed by http digest.
>
> When I try to get to the web servers directly the application works. But 
> through squid I find that squid removes the http digest header and replaces 
> it with its own basic authentication (proxy_auth is not enabled).
>

Exactly as you have configured to happen.

> This is taken from squid access log:
>
> http://squid-server/xadmin/mk.php - ROUNDROBIN_PARENT/squid-server text/html 
> Host:%20squid-server%0D%0AUser-Agent:%20Mozilla/5.0%20(Windows;%20U;%20Windows%20NT%206.1;%20en-US;%20rv:1.9.2.16)%20Gecko/20110319%20Firefox/3.6.16%20GTB7.1%0D%0AAccept:%20text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8%0D%0AAccept-Language:%20en-us,en;q=0.5%0D%0AAccept-Encoding:%20gzip,deflate%0D%0AAccept-Charset:%20ISO-8859-1,utf-8;q=0.7,*;q=0.7%0D%0AKeep-Alive:%20115%0D%0AConnection:%20keep-alive%0D%0AAuthorization:%20Digest%20username=%22dev%22,%20realm=%22xadmin%22,%20nonce=%22b1ffe1477deafad5554a0632ad8fba1c%22,%20uri=%22/xadmin/mk.php%22,%20algorithm=MD5,%20response=%22625715996fe71c2fec61d4f6f1514150%22,%20opaque=%22d75db7b160fe72d1346d2bd1f67bfd10%22,%20qop=auth,%20nc=00000001,%20cnonce=%227dad729a5d7d6eae%22%0D%0A
>
> This is the header that gets to the web server:
>

<erasing the binary copy we get...>

...mk.php.HTTP/1.0
Host:.squid-server
User-Agent:.Mozilla/5.0.(Windows;.U;.Windows.NT.6.1;.en-US;.rv:1.9.2.16).Gecko/20110319.Firefox/3.6.16.GTB7.1
Accept:.text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language:.en-us,en;q=0.5
Accept-Encoding:.gzip,deflate
Accept-Charset:.ISO-8859-1,utf-8;q=0.7,*;q=0.7
Via:.1.1.xxxxx.(squid/2.6.STABLE21)
X-Forwarded-For:.192.168.0.71
Proxy-Authorization:.Basic.UEFTU1RIUlU=
Authorization:.Basic.UEFTU1RIUlU=
Cache-Control:.max-age=259200

>
> This is squid config:
>

> http_port 3128

> http_port 192.168.68.167:80 vhost
> cache_peer 192.168.68.155 parent 80 0 no-query connection-auth=off login=PASSTHRU originserver round-robin name=web1
> cache_peer 192.168.68.156 parent 80 0 no-query connection-auth=off login=PASSTHRU originserver round-robin name=web2

There are two headers involved:
  Proxy-Authorization and Authorization.

  "Proxy-Authorization:" is only relevant on forward-proxy requests to
the proxy being talked to. Squid will normally strip these and requires
login=PASS to pass them on in Basic format.
   Your server peers DO NOT NEED IT. So the normal hop cleanup is the
right thing to happen.

  "Authorization:" is end-to-end web server auth. and contains the login
for a web server. Squid does not touch them unless some very narrow
circumstances are occurring.

Which brings us to the only auth-related thing your Squid is doing being
login=PASSTHRU.

"PASSTHRU" is a new option available in 3.2 series Squid. The 2.6 series
treats it as the "username:password" value to be relayed on in Basic auth
format.


SOLUTION:
  remove the login= option from your config.

Amos
--
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.6
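
A diagnostic for the symptom in this thread, as an added example (not code from the original messages or from Squid): it compares the auth headers the client sent with those the origin server received and decodes any Basic credential, which shows UEFTU1RIUlU= to be the literal string PASSTHRU. The function names and the shortened sample headers are constructed for illustration.

```python
import base64
from urllib.parse import unquote

def parse_headers(raw):
    """Return {lower-case header name: value} from CRLF/LF separated header text."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n"):
        name, sep, value = line.partition(":")
        if sep and " " not in name:          # skips request line and blanks
            headers[name.strip().lower()] = value.strip()
    return headers

def describe_auth(value):
    """Split 'Scheme credentials'; decode Basic credentials to readable text."""
    scheme, _, cred = value.partition(" ")
    if scheme.lower() == "basic":
        cred = base64.b64decode(cred).decode("latin-1")
    return scheme, cred

def compare_hop(client_raw, origin_raw):
    """Report how auth headers changed between client side and origin side."""
    client, origin = parse_headers(client_raw), parse_headers(origin_raw)
    findings = []
    for name in ("authorization", "proxy-authorization"):
        before, after = client.get(name), origin.get(name)
        if before == after:
            continue
        if after is None:
            findings.append(f"{name}: removed by proxy")
            continue
        scheme, cred = describe_auth(after)
        note = f"{name}: {'replaced' if before else 'added'} by proxy with {scheme} {cred!r}"
        if scheme.lower() == "basic" and ":" not in cred:
            note += " (no user:password separator, likely a literal config value)"
        findings.append(note)
    return findings

# Constructed samples, shortened from the headers quoted in this thread.
# Client side is URL-encoded the way the access log line shows it.
CLIENT = unquote("Host:%20squid-server%0D%0AAuthorization:%20Digest%20"
                 "username=%22dev%22,%20realm=%22xadmin%22%0D%0A")
ORIGIN = ("Host: squid-server\r\n"
          "Proxy-Authorization: Basic UEFTU1RIUlU=\r\n"
          "Authorization: Basic UEFTU1RIUlU=\r\n")

if __name__ == "__main__":
    for finding in compare_hop(CLIENT, ORIGIN):
        print(finding)
```
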