Amos Jeffries wrote:
>> Config:
>> cache_peer 10.1.2.3 parent 8000 0 no-query originserver login=PASS
>>
>
> This is an origin server peer. The header delivered to it is
> WWW-Authenticate. Proxy-Authenticate is invalid on connections to origin
> servers.
>
> Is your proxy a reverse-proxy or a forward-proxy?
>

It is a reverse proxy.

> Which of the servers (your proxy or the origin) is validating the
> authentication?
>

The origin server.

>> The config seems to work, squid shows me the login dialog of the
>> cache_peer. For several reasons I have to feed the username back as a
>> header value....
>> I also tried login=PASSTHRU for testing, but without any difference.
>
> FWIW:
> * "PASSTHRU" sends the received Proxy-Authenticate header (if any)
> through to the peer untouched. Leaving no header if none provided by the
> client.
>
> * "PASS" tries to convert credentials to Basic auth and deliver to the
> peer in Proxy-Authenticate. Will try to generate a header from any
> available other sources of credentials if none are provided by the client.
>
> In both of the above the peer being an origin treats them as not having
> www-Authenticate header (naturally) and responds with a challenge to get
> some.
>

The origin peer creates the "WWW-Authenticate: NTLM" request upon which the rev proxy shows the user/password popup request. The Rev Proxy then replies with an "Authorization: NTLM TlRMTVNTUAADAAAAGAAYAGYAAADuAO4A [...]" header.

So I think PASS is OK, as nothing seems to be converted from NTLM... Or am I wrong?

Bye
Stefan
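Added illustration, not part of the original messages and not Squid code: the `Authorization: NTLM` value quoted above begins with the base64 of `NTLMSSP\0` followed by message type 3, the NTLM message that carries the user name. This Python sketch decodes such a value and extracts domain and user; it assumes the common type 3 layout with the flags field at offset 60, all function names are hypothetical, and `build_sample_type3` produces a constructed sample because the value in the thread is truncated.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # flag bit: strings are UTF-16LE

def _field(msg, pos):
    """Read one (len, maxlen, offset) security buffer and return its payload."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def parse_ntlm_authorization(header_value):
    """Return (message_type, domain, user) for an 'NTLM <base64>' header value."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not blob:
        raise ValueError("not an NTLM Authorization value")
    msg = base64.b64decode(blob.strip(), validate=True)
    if len(msg) < 12 or msg[:8] != NTLM_SIG:
        raise ValueError("missing NTLMSSP signature")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 3:
        return msg_type, None, None  # type 1 (negotiate) carries no user name
    if len(msg) < 64:
        raise ValueError("truncated type 3 message")
    (flags,) = struct.unpack_from("<I", msg, 60)
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
    # Domain buffer descriptor sits at offset 28, user name at offset 36.
    return msg_type, _field(msg, 28).decode(enc), _field(msg, 36).decode(enc)

def build_sample_type3(domain, user):
    """Constructed type 3 message with empty responses, for demonstration only."""
    d, u = domain.encode("utf-16-le"), user.encode("utf-16-le")
    off = 64  # payload starts right after the fixed 64-byte header
    hdr = NTLM_SIG + struct.pack("<I", 3)
    hdr += struct.pack("<HHI", 0, 0, off) * 2            # LM and NT responses
    hdr += struct.pack("<HHI", len(d), len(d), off)      # domain
    hdr += struct.pack("<HHI", len(u), len(u), off + len(d))  # user
    hdr += struct.pack("<HHI", 0, 0, off + len(d) + len(u)) * 2  # workstation, key
    hdr += struct.pack("<I", NEGOTIATE_UNICODE)
    return "NTLM " + base64.b64encode(hdr + d + u).decode("ascii")

if __name__ == "__main__":
    sample = build_sample_type3("EXAMPLE", "stefan")  # constructed values
    print(parse_ntlm_authorization(sample))
```

The user name in a type 3 message is supplied by the client and is only trustworthy after the validating server (here the origin) has accepted the handshake.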