On Thu, 2007-07-26 at 14:25 +1000, Matthew Smith wrote:

> Is it correct to say that a response can only have one authenticate in
> the headers? That a request containing a WWW-Authenticate cannot have a
> Proxy-Authenticate as well?

It can have both, and is required if both the proxy and the web server require authentication.

> If I have a site which requires authentication with a given scheme, am I
> right to assume that the only way an authenticating proxy between the
> site and the user can use authentication is if the authentication tokens
> sent by the user are the same for the proxy and the site?

Of course not. Proxy authentication and web site authentication are separate from each other. The only limitation is that there may only be one of each.

> Is basic
> authentication the only auth system that can be chained in this way?

Proxy authentication is designed as a hop-by-hop thing. The browser authenticates to its closest proxy, which then authenticates to the next hop.

In Squid there are two means available to authenticate to the next-hop proxy: either a static login:password, or passthrough of the information provided by the browser.

It's only basic authentication that can be chained in a good manner, so if you want each proxy to verify the credentials then basic needs to be used. It's possible chaining also works with NTLM/Negotiate due to the very different way these authentication "schemes" work, but it's not something I have tested.

> Lastly, assuming a proxy with no auth, is it now possible to have a
> WWW-Authenticate using the NTLM scheme pass through a squid proxy?

Yes, possible both with and without proxy authentication.

Regards
Henrik
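The hop-by-hop behaviour described in the message above, as an added sketch that is not part of the original message and is not Squid's code: each proxy checks and consumes `Proxy-Authorization`, forwards `Authorization` untouched for the web server, and authenticates to the next hop either with a static login or by passing the browser's credentials through. The function names, the `upstream` parameter and all credentials are hypothetical, constructed for illustration.

```python
import base64
import hmac

def basic(user, password):
    """Build a Basic credential value from user and password."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic(value):
    """Return (user, password) from a Basic credential, or None if unusable."""
    try:
        scheme, token = value.split(" ", 1)
        if scheme.lower() != "basic":
            return None
        raw = base64.b64decode(token, validate=True).decode()
    except (ValueError, AttributeError):  # malformed, wrong type, or missing
        return None
    user, _, password = raw.partition(":")
    return user, password

def proxy_hop(headers, users, realm, upstream=None):
    """Model one authenticating proxy hop (hypothetical helper).

    headers:  request headers from the previous hop (canonical casing assumed)
    users:    {user: password} accepted by this proxy (constructed sample data)
    upstream: None if the next hop is the web server, "passthrough" to relay
              the browser's proxy credentials, or a static (user, password)
    Returns ("challenge", response_headers) or ("forward", forwarded_headers).
    """
    cred = parse_basic(headers.get("Proxy-Authorization"))
    expected = users.get(cred[0]) if cred else None
    if expected is None or not hmac.compare_digest(expected.encode(), cred[1].encode()):
        # The proxy answers with its own challenge; a 401 with
        # WWW-Authenticate from the web server is a separate matter.
        return "challenge", {"Proxy-Authenticate": f'Basic realm="{realm}"'}
    # Proxy-Authorization is hop-by-hop: drop it here. Authorization is
    # end-to-end and stays in the request for the web server to verify.
    out = {k: v for k, v in headers.items() if k != "Proxy-Authorization"}
    if upstream == "passthrough":
        out["Proxy-Authorization"] = headers["Proxy-Authorization"]
    elif upstream is not None:
        out["Proxy-Authorization"] = basic(*upstream)
    return "forward", out
```

With passthrough, every proxy in the chain must accept the same Basic login, which is the case the reply describes as chaining "in a good manner".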