On 25/05/2012 8:37 p.m., Alan wrote:
Hello,
I'm implementing a proxy server that authenticates users via radius,
and then based on the source ip, login and the destination, grants
access or not to the requested objects.
The relevant section of squid.conf is:
auth_param basic program /usr/lib/squid/squid_radius_auth -f
/etc/squid/radius.conf -t 5
auth_param basic children 5
auth_param basic realm Web Proxy
auth_param basic credentialsttl 1 hour
external_acl_type my_acl_type %SRC %LOGIN %DST /var/www/htdocs/acl.php
acl my_acl external my_acl_type
http_access allow my_acl
http_access deny all
Both IE and Firefox have the same behavior: they popup the
authentication prompt, then they can make requests for a while, and
randomly popup the authentication prompt again. I type the same
username and password, and it works fine.
In Konqueror there is no popup, I guess it tries again one more time
with the last username and password before prompting the user.
A network capture reveals that the client is always sending the right
Proxy-Authentication header with it's requests, but squid randomly
replies with a 407 status code, without even asking the radius server
(the authentication result is presumably still cached).
In squid 3.2.0.17 this problem is gone and I don't get the
authentication prompts anymore, but since it is labeled Beta instead
of Stable, I wonder if this can be solved in the 3.1 series.
Has anybody else been affected by this?
Very likely.
The 3.2 code has had a near complete re-write to resolve a large number
of mysterious little bugs in pointer reference handling. That change is
BIG, still being debugged itself, and I'm not willing to repeat the
years voluntary work spent on fixing 3.2. So the auth bug fixes are not
going to be automatically ported to 3.1 like most others are. Patches
are welcome though if you wish to spend the time or money to locate and
fix 3.1.
Amos
