On Thu, 12 May 2005, Ryan Lamberton wrote:
everything is allowed. It looks like the script is giving an OK even if the x-pun is not in the browser. What does squid pass to the ident.pl if there is no header x-pun?
- I think. Was a long time since I wrote this, and I never used it in situations where I needed to know the header was not set..
I corrected it by changing
http_access allow propel_auth
to
http_access allow localhost propel_auth
but I would like to use this option without localhost.
I would not.. you should only allow the use of this header from trusted sources. If not, anyone who can reach the proxy and knows you are using this scheme may spoof as any user for you...
Regards Henrik
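
An added example, not part of the thread and not the ident.pl script discussed in it: a sketch of an external ACL helper that fails closed when the header is absent. It assumes the helper receives one URL-escaped token per line and that Squid sends "-" for a missing header (the value suggested in the reply above); `decide` and `KNOWN_USERS` are hypothetical names.

```python
#!/usr/bin/env python3
"""Fail-closed external ACL helper sketch for a header-based identity scheme."""
import sys
from urllib.parse import unquote

# Hypothetical allow-list (constructed sample data); a real deployment
# would look users up in its own directory or database.
KNOWN_USERS = {"alice", "bob"}


def decide(line, known_users=KNOWN_USERS):
    """Return the helper reply ("OK ..." or "ERR") for one request line.

    Assumption: each line carries a single token, the header value
    URL-escaped, or "-" when the request had no such header.
    """
    token = line.strip()
    # Missing header (empty line or the "-" placeholder): never authorize.
    if token in ("", "-"):
        return "ERR"
    # More than one token means the input format is not the one expected.
    if len(token.split()) != 1:
        return "ERR"
    user = unquote(token)
    # Only names on the allow-list pass; everything else is denied.
    if user not in known_users:
        return "ERR"
    return "OK user=" + user


def main():
    # One reply per request line, in order.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()  # Squid waits on each reply; do not buffer


if __name__ == "__main__":
    main()
```

The helper cannot tell who set the header, so the source restriction in `http_access` (as with `localhost` above) is still what keeps untrusted clients from supplying it.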