Of course that system MUST NOT be the only one used
by the upstream server. Instead, IP address-based
ACLs SHOULD be used for that purpose. This system's
purpose is ONLY credentials forwarding.
--
/kinkie

> -----Original Message-----
> From: Robert Collins [mailto:robert.collins@itdomain.com.au]
> Sent: Tuesday, January 09, 2001 1:04 AM
> To: Henrik Nordstrom; Chemolli Francesco (USI)
> Cc: squid-dev@squid-cache.org
> Subject: RE: [SQU] Credentials forwarding?
>
>
> > -----Original Message-----
> > From: Henrik Nordstrom [mailto:hno@hem.passagen.se]
> > Sent: Tuesday, 9 January 2001 10:48 AM
> > To: Chemolli Francesco (USI)
> > Cc: squid-dev@squid-cache.org
> > Subject: Re: [SQU] Credentials forwarding?
> >
> >
> > Chemolli Francesco (USI) wrote:
> > >
> > > > A better choice is perhaps to translate it to basic with a shared
> > > > secret password... this has the benefit that it is a known mechanism
> > > > which is well understood by servers.
> > >
> > > That might work. Maybe some magic in the cache_peer options (i.e.
> > > login=@USER@:sharedpassword)
> >
> > what about login=*:password. Looks better I think ;-)
> >
> > Implementing it should be pretty simple. One or two lines.
> >
> > /Henrik
> >
> >
>
> The problem is, it's vulnerable to replay attacks.
>
> Re: implementing
> -Sure as a quick hack it'll get the username to the upstream server,
> which then needs to be told something like
> acl foo proxy_auth PASSEDTHROUGH
> so that it doesn't try to authenticate externally every usercode, and
> instead trusts the downstream.
>
> Rob

Received on Tue Jan 09 2001 - 02:01:33 MST
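
The following is an added example, not part of the original messages and not Squid code. It sketches the upstream-side check the thread converges on: the source-address ACL is evaluated first, and the shared password from the `login=*:password` idea only marks the header as forwarded credentials. The address `192.0.2.10`, the secret value and all function names are assumptions made for illustration.

```python
import base64
import hmac
import ipaddress

# Assumed values for illustration only (constructed, not from the thread).
TRUSTED_DOWNSTREAMS = [ipaddress.ip_network("192.0.2.10/32")]
SHARED_PASSWORD = "example-shared-secret"


def parse_basic(header):
    """Return (user, password) from a Basic Proxy-Authorization value, or None."""
    scheme, _, blob = header.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


def forwarded_user(peer_ip, header):
    """Upstream-side check: return the forwarded username, or None to reject.

    The address ACL comes first. The shared password alone is never
    sufficient, because a captured header can be replayed verbatim.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return None
    if not any(addr in net for net in TRUSTED_DOWNSTREAMS):
        return None
    creds = parse_basic(header or "")
    if creds is None:
        return None
    user, password = creds
    # Constant-time comparison of the shared secret.
    if not hmac.compare_digest(password.encode(), SHARED_PASSWORD.encode()):
        return None
    return user


def make_header(user, password):
    """Build the header value a downstream forwarding user:sharedpassword would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

A header replayed from any address outside the trusted list is rejected before the password is even examined; the check does not distinguish replays that originate from the trusted downstream itself.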