tis 2007-03-06 klockan 16:44 +0100 skrev Alberto Dondana: > my reverse proxy for OWA with squid2.6stable9 on RH ES4.U1 works fine. > > Now I'm trying to add an authentication but I see an unusual behaviour > For that I'm using squid3 (daily auto-generated released last friday) You can only have one level of web server authentication in a reasonablemanner. A reverse proxy is a surrogate for the web server it sits infront of. In HTTP there is one slot for proxy authentication where the browser can authenticate to the configured proxy, and one slot for web server authentication. > What happens: two authentication level seems working fine, but > immediately my reverse proxy start sending OWA one packet with right > user 'alberto.dondana', the second with wrong user 'tce', then 'right > user again and so on... as seen in access.log below: > > 10.10.145.1 - alberto.dondana [06/Mar/2007:16:14:02 +0100] "GET > https://dondy.tc-express.it/exchange > <https://dondy.tc-express.it/exchange> HTTP/1.1" 401 2805 > TCP_DENIED:NONE This was denied by the proxy as an invalid login. > 10.10.145.1 - tce [06/Mar/2007:16:14:02 +0100] "GET > https://dondy.tc-express.it/exchange > <https://dondy.tc-express.it/exchange> HTTP/1.1" 401 412 > TCP_MISS:FIRST_UP_PARENT Sent to OWA, but rejected there as an invalid login.. > 10.10.145.1 - alberto.dondana [06/Mar/2007:16:14:02 +0100] "GET > https://dondy.tc-express.it/exchange > <https://dondy.tc-express.it/exchange> HTTP/1.1" 401 2805 > TCP_DENIED:NONE Denied by the proxy again.. (expected). > 10.10.145.1 - tce [06/Mar/2007:16:14:02 +0100] "GET > https://dondy.tc-express.it/exchange > <https://dondy.tc-express.it/exchange> HTTP/1.1" 401 412 > TCP_MISS:FIRST_UP_PARENT And denied by OWA (also expected). > If I'm using pam and locally in squid server I added a user with same > credentials of OWA one (but I use a different user for first squid > authentication) every works well.. It works well because you then authenticate as the OWA user both to Squid and OWA. HTTP is stateless, and the authentication is per request. So this is the same as logging in with the OWA user immeditely. Regards Henrik
Attachment:
signature.asc
Description: Detta =?ISO-8859-1?Q?=E4r?= en digitalt signerad meddelandedel
