Robert Collins wrote:
> I'm not suggesting that squid send the credentials just because the
> upstream asks for them - that'd be a invasion of privacy. I'm suggesting
> that squid _never_ sends them unless it knows the upstream wants and can
> use them. There would need to be a cache_peer option on the downstream
> to allow it
> ie cache_peer .... pass_user_details=on
And the peer needs some way of authorize the downstream to use the
credentials passing mechanism if they are to be used for anything (even
logging).
So what we need is one mechanism for passing the credentials and one
access mechanism to authorize the acceptance of the passed credentials.
I agree that the hack with basic authentication is just a hack, but it
acheives the ability to provide both things within what we have today,
with the added bonus that it can be shoehorned into interoperate with
existing systems. Also, the same technique can theoretically also be
applied to accelerators, where the interoperability benefits are much
larger than cache->cache.
Yes, a full long-term solution to the problem would involve extending
HTTP for cache->cache (or accelerator->origin) user credentials passing.
Doing this requires quite a lot more work, and won't be interoperable
with other implementations for a long time.
/Henrik
Received on Sun Jan 14 2001 - 15:58:26 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:13:18 MST