On 2013-11-21 03:23, FredB wrote:
> Hello,
> I'm trying to use squid with two identification modes, first digest
> and second basic. All works without problem except one point:
> auth_param basic credentialsttl 1 hours
> The proxy never claims the username and pass after 1 hour, so I found
> no way of forcing the replay with digest.
> squid stop and start are also without effect (I guess that the browser
> replays its credentials automatically).
> I should wait until the user closes his browser ...

What do you mean by "claim"?

The browser is expected to deliver credentials on every request and the
proxy validates them. The credentialsttl is only about how often Squid
has to query the backend to validate them. When the TTL expires the
authenticator backend is checked, exactly the same as on a new login. If
it says they are still OK then a new credentialsttl period is started.

When auth works properly the browser is only ever challenged at the
start of the user's browsing session and not bothered again.

To force a change in credentials midway through a series of transactions
you need to cause the proxy to emit another auth challenge. This can be
done by denying one of the requests using an access control line ending
with either an auth re-validation to the backend ("proxy_auth
REQUIRED"), a check against an explicit username (proxy_auth <name>) or
with an external ACL that depends on %LOGIN.

http://wiki.squid-cache.org/action/show/Features/Authentication#How_do_I_ask_for_authentication_of_an_already_authenticated_user.3F
Amos
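
An added example, not part of the thread or of Amos's reply: a squid.conf sketch of the approach described above, where a deny line that ends in a proxy_auth ACL makes Squid send a fresh challenge. The helper paths, password files, realm text, user names (alice, bob) and the .example.com domain are assumptions chosen for illustration.

```conf
# Added illustration. Helper paths, file names, realm, users and domain
# below are assumed placeholders; adjust to the local install.

# Digest is offered first and Basic second, as in the question.
auth_param digest program /usr/lib/squid/digest_file_auth -c /etc/squid/digest_passwd
auth_param digest realm proxy
auth_param digest children 5

auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm proxy
auth_param basic children 5
# Only sets how often Squid re-checks Basic credentials with the helper.
# The browser keeps sending the same credentials and is not prompted again.
auth_param basic credentialsttl 1 hours

# "proxy_auth REQUIRED": any user the backend accepts.
acl authed proxy_auth REQUIRED
# "proxy_auth <name>": a check against explicit user names.
acl admins proxy_auth alice bob
acl restricted dstdomain .example.com

# The last ACL on this deny line is authentication-related (!admins), so a
# logged-in user who is not in the list gets a new 407 challenge and the
# browser asks for different credentials.
http_access deny restricted !admins

# For comparison: with "all" as the last ACL the same rule answers with a
# plain 403 and no new prompt.
# http_access deny restricted !admins all

http_access allow authed
http_access deny all
```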