>> Or maybe (it will simplify all) - is it some method to get %LOGIN from >> headers sent by browser (as it was said before - I use >> squid_kerb_auth). In such case I don't need to pass anything special >> with deny_info. > > Yes that is the better way to do all this. You wont be passing username > un-encrypted. > > Just generate the error page using a background auth check in the page > script to lookup the username from the Proxy-Authentication header received. > You could even use squid_kerb_auth to do the sub-check, all it does for > Squid is take a copy of the header line and pass back the username on > success and error message fail. Hmm... So for example user is redirected via deny_info to http://mydenyserver.com/index.php And my page in php will exec squid_kerb_auth to receive username? You mean something like this? > > This may help: > http://wiki.squid-cache.org/Features/AddonHelpers#Negotiate_and_NTLM_Scheme > > "KK $header_content" is what squid_kerb_auth accepts, > "AF $username" is the success reply, > "BH $message" is the failure reply. > > Amos
