On 10/04/2013 4:23 p.m., Alan wrote:
Is there any way to influence the order in which Squid sends the
Proxy-Authenticate headers to the client? I already tried changing
the order in the config file to no avail.
That was the way to do it.
Please test carefully and IF you have solid evidence of Squid disobeying
the config order please open a bug report about it.
Background:
I have a squid 3.3.3 proxy using both kerberos and radius. A capture
shows it offers both Basic and Negotiate authentication schemes, in
separate headers and in that order.
IE seems to try Negotiate first and Basic later, disregarding the
order in which the headers appear.
Firefox seems to be trying in the same order as the headers appear (I
haven't confirmed that changing the order would fix this).
The RFC doesn't seem to mention anything about which one should be
tried first, so both approaches seem reasonable. I haven't been able
to find any configuration option in Firefox to change the order
either.
This should clarify for you what is going on:
http://wiki.squid-cache.org/action/show/Features/Authentication#Can_I_use_different_authentication_mechanisms_together.3F
The order Squid sends the headers is *supposed* to be irrelevant. Any
browser following that order is buggy.
Amos
