Robert Collins wrote:
> > what about login=*:password. Looks better I think ;-)
> The problem is, it's vulnerable to replay attacks.
In what way is it more vulnerable than any Basic authentication going by
that path?
> Re: implementing
> -Sure as a quick hack it'll get the username to the upstream server,
> which then needs to be told something like
> acl foo proxy_auth PASSEDTHROUGH
> so that it doesn't try to authenticate externally every usercode, and
> instead trusts the downstream.
Minor issue. The basic auth cache should build up pretty quickly anyway.
Only one thing: To be really useful, the forwarding must be able to
identify the downstream.
Something like
login=*-downstream_unique_tag:password
should do quite nicely, as this allows a single ACL entry to match all
users on that downstream, and match it against the known IP(s) of the
downstream server.
downstream:
cache_peer ... login=*-downstream1:password
upstream:
acl downstream1 src 192.168.1.2
acl downstream1-users proxy_auth_regex -downstream1$
http_access deny downstream1-users !downstream1
And if the helper protocol is extended to allow for the helpers to
change the effective (logger,forwarded) username then even better.
/Henrik
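The pairing of a username-suffix ACL with a source-IP ACL is what makes the tag trustworthy: the `-downstream1` suffix only asserts where a request came from, and the `src` check is what verifies it. The following is an added example, not code from the thread or from Squid itself: a small Python model of how Squid evaluates `acl` and `http_access` lines, run over a constructed config that contains the three upstream lines proposed above plus two closing lines (`http_access allow downstream1-users` and `http_access deny all`) that I added so the policy is complete. Only `src`, `proxy_auth_regex` and `all` ACL types are modelled, and the evaluator ignores that a real `proxy_auth_regex` ACL would also trigger authentication when no credentials are present.

```python
import ipaddress
import re

# Constructed upstream-side configuration (not a real squid.conf). The first
# three lines are the thread's proposal; the last two close the policy.
UPSTREAM_CONF = """
acl downstream1 src 192.168.1.2
acl downstream1-users proxy_auth_regex -downstream1$
http_access deny downstream1-users !downstream1
http_access allow downstream1-users
http_access deny all
"""


def parse_config(text):
    """Parse the 'acl' and 'http_access' lines this model supports.

    Supported ACL types: src (IP or CIDR), proxy_auth_regex (regex applied to
    the username) and the built-in 'all'. Returns (acls, rules).
    """
    acls = {"all": ("all", None)}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4:
            name, acl_type, args = parts[1], parts[2], parts[3:]
            if acl_type == "src":
                acls[name] = ("src", [ipaddress.ip_network(a, strict=False) for a in args])
            elif acl_type == "proxy_auth_regex":
                acls[name] = ("proxy_auth_regex", [re.compile(a) for a in args])
            else:
                raise ValueError(f"unsupported acl type in this model: {acl_type}")
        elif parts[0] == "http_access" and len(parts) >= 3:
            action = parts[1]
            # A leading '!' negates the term, as in Squid.
            terms = [(t.lstrip("!"), not t.startswith("!")) for t in parts[2:]]
            rules.append((action, terms))
    return acls, rules


def acl_matches(acls, name, src, user):
    """Return True if the named ACL matches a request from src with this username."""
    kind, args = acls[name]
    if kind == "all":
        return True
    if kind == "src":
        return any(ipaddress.ip_address(src) in net for net in args)
    if kind == "proxy_auth_regex":
        return user is not None and any(rx.search(user) for rx in args)
    raise ValueError(kind)


def evaluate(acls, rules, src, user):
    """Squid semantics: the first http_access line whose terms all match decides.

    If no line matches, the result is the opposite of the last line's action.
    """
    for action, terms in rules:
        if all(acl_matches(acls, name, src, user) == positive for name, positive in terms):
            return action
    if rules and rules[-1][0] == "deny":
        return "allow"
    return "deny"


def decide(src, user, conf=UPSTREAM_CONF):
    """Convenience wrapper: evaluate one request against the constructed config."""
    acls, rules = parse_config(conf)
    return evaluate(acls, rules, src, user)


if __name__ == "__main__":
    # A tagged user arriving from the known downstream is allowed ...
    print(decide("192.168.1.2", "alice-downstream1"))
    # ... while the same tag presented from any other address is denied,
    # which is exactly the guarantee the src ACL adds to the suffix.
    print(decide("10.0.0.5", "alice-downstream1"))
```

Running the block prints `allow` and then `deny`: the suffix on its own proves nothing, so the `http_access deny downstream1-users !downstream1` line is what stops a client elsewhere from borrowing the tag.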
Received on Mon Jan 08 2001 - 18:04:44 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:13:14 MST