On Sat, 2012-02-04 at 13:23 +0000, Jason Fitzpatrick wrote:
> I was hoping that if a client failed to authenticate then it would be
> forwarded to the upstream and fall under whatever the default
> (unauthorized) ruleset is, known risky sites etc would be getting
> filtered there,

Unfortunately HTTP does not work that way.

Clients not supporting authentication send requests without any credentials at all. Proxies (and servers) wanting to see authentication then reject the request with an error "authentication required", challenging the client to present valid credentials.

Clients supporting authentication also start out by sending the request without any credentials at all, like above. The difference is only how the client reacts to the received error. If the client supports authentication then it collects the needed user credentials and retries the same request, but with user credentials this time.

If the credentials are invalid then the authentication fails, which in most cases results in the exact same error as above to challenge the user to enter the correct credentials.

Regards
Henrik
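
The challenge-and-retry exchange described in the reply above, as an added example that is not part of the original message: a simulated proxy using HTTP 407 and the Basic scheme, showing that the first request from clients with and without authentication support is identical. The user table and the names `proxy_handle` and `client_fetch` are constructed for the illustration.

```python
import base64
import hmac

# Constructed credential store for this illustration (not from the thread).
USERS = {"alice": "s3cret"}
CHALLENGE = {"Proxy-Authenticate": 'Basic realm="proxy"'}

def proxy_handle(headers):
    """Return (status, response_headers) as an authenticating proxy would."""
    value = headers.get("Proxy-Authorization")
    if value is not None:
        scheme, _, token = value.partition(" ")
        if scheme.lower() == "basic":
            try:
                decoded = base64.b64decode(token, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                decoded = ""
            user, _, password = decoded.partition(":")
            expected = USERS.get(user)
            if expected is not None and hmac.compare_digest(
                    expected.encode(), password.encode()):
                return 200, {}
    # Missing and invalid credentials receive the same challenge.
    return 407, dict(CHALLENGE)

def client_fetch(credentials=None, max_attempts=2):
    """Simulate a client; credentials=None models one without auth support.

    Returns the list of (request_headers, status) exchanges.
    """
    exchanges = []
    headers = {"Host": "example.com"}
    for _ in range(max_attempts):
        status, _resp = proxy_handle(headers)
        exchanges.append((dict(headers), status))
        if status != 407 or credentials is None:
            break  # success, or the client cannot answer the challenge
        user, password = credentials
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        headers["Proxy-Authorization"] = "Basic " + token
    return exchanges

if __name__ == "__main__":
    for label, creds in [("no auth support", None),
                         ("valid credentials", ("alice", "s3cret")),
                         ("invalid credentials", ("alice", "wrong"))]:
        statuses = [status for _, status in client_fetch(creds)]
        print(f"{label}: {statuses}")
```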