On 5/02/2012 12:30 a.m., Jason Fitzpatrick wrote:
Morning all.. I have a requirement to have my squid servers authenticate users before forwarding requests to an upstream server which does content filtering based on the X-Forwarded headers in the requests and all seems to be working quite well so far, (internal traffic is routed via the squids without the need to authenticate) I do have one issue though, clients that are unable to authenticate (windows update / Java updates etc) and want to set up the system so that it will attempt to authenticate the user, and if the authentication fails the request is routed regardless Is such a thing possible? I have tried all sorts of configurations but the logic to the rules still escapes me!
This is a side case of security which seems to boggle many an admins mind. The core of the problem is that missing credentials is only one *sub-set* of all failed authentications. You cannot simply take "failed auth" and assume its one of the "good" software which is failing. These days it will quite frequently be someone malicious, possibly even forging the "good" software user-agent header to get access.
In particular missing credentials is a type of failure indistinguishable from an HTTP request which has not yet even been challenged for credentials. HTTP is stateless so there is no way to identify two clients sharing a downstream proxy and one client re-trying without credentials. You must hard-code that distinction for the specific cases you know of, thus all the well published config hacks.
Amos
