On 5/11/2011 3:04 a.m., Markus Nilsson wrote:
Hi!
I'm having some trouble with kerberos (negotiate) authentication and the Proxy-Authorization header.
Currently I am using digest, and it's working fine. I allow most request in squid, but am using a url_rewriter to check if the user really has permission to access a specific site.
This way I can let some users, without logging in, access some sites, but require proxy_auth access for other.
To achieve this I protect one single page (redirector) with
http_access allow authenticated_users redirector
This way I can forward all requests which are blocked by the url_rewrite_program to a splash-page, with a link to this blocked page, and by doing that force a proxy login.
This works very well, and makes it easy for the end users. It has the side effect though that Squid does not extract the username, and hence the url_rewrite_program will not get the username. I have solved this with a helper that extracts this information from the Proxy-Authorization header:
#Extracts username from HTTP-header
external_acl_type username ttl=3600 %{Proxy-Authorization} /usr/bin/extract_username_from_proxy_header
acl username external username
This helper returns
OK user=username
or
OK
if no username is found. With this I will opportunistically get a username if it is provided through the Proxy-Authorization header. And by the rule below, I can see in the logs that the username is extracted correctly
http_access allow all !redirector username
Now to my problem; when adding kerberos authentication, I can't seem to find the Proxy-Authorization header on more than the request to the redirector acl, and when I analyze in firebug, I can't see that it is continuously sent by the browser. Is the negotiate authentication scheme different in this way than digest (and plain)? Or am I doing something wrong here...? Plain and Digest sends their Proxy-Authorization headers on all request after a successful login, even if squid does not require them to do so.
Thanks for any input!
Kind Regards
Markus
HTTP requires auth credentials on every request. BUT, Kerberos and NTLM
are a bit special and try to violate HTTP in many ways. They are not
authenticating the request itself like they should be. But are
authenticating the TCP connection using the first request(s) over it.
The good browsers send the Kerberos/NTLM credentials on followup
requests anyway, but some agents are broken and prefer to break HTTP
instead of following the rules for good performance.
Amos
