Thank you Amos. I agree with your comments.

I have another query: How can we categorize proxies (forward proxies) with regard to a client which wants to traverse through them to get connected to a web server? Like firewall-based proxies (for example Squid, TMG etc.), browser-based proxies, two-layer proxies, anything else?

I can understand that if a client can traverse Squid it can work with any firewall-based proxy. What other such categorizations should I keep in mind or test for? (I am struggling to find good documentation, hence I am not sure if I have framed the question in the right way.)

Thanks,
-Vinay

On Thu, Jul 3, 2014 at 11:30 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 2014-07-03 17:17, Vinay C wrote:
>>
>> Thank you so much Eliezer for the quick response. I am so happy to see
>> such a detailed response here which I could not get in any forums.
>> Please find my replies and a few queries inline.
>>
>> On Thu, Jul 3, 2014 at 12:16 AM, Eliezer Croitoru <eliezer@xxxxxxxxxxxx>
>> wrote:
>>>
>>> Hey Vinay,
>>>
>>> Answers are inside the email:
>>>
>>> On 07/02/2014 08:15 PM, Vinay C wrote:
>>>>
>>>> Hi,
>>>>
>>>> I am looking for an answer to a basic query and I have posted it in
>>>> different forums but did not get any satisfactory answers. I hope in
>>>> this group of experts I can get the answer.
>>>
>>> We can try to help you.
>>>
>>>>
>>>> Context:
>>>> I have a program (a sort of HTTP client) that internally uses Apache
>>>> HttpClient. Given some set of parameters like auth scheme, proxy server
>>>> and other details it can traverse through a Squid proxy and establish
>>>> a connection to a given web server.
>>>
>>> What sort of authentication can it test? (Basic, NTLM, Kerberos)
>>
>> Vinay: It can test Basic, Digest, NTLM and Kerberos. I want to ensure
>> that my client can work not just through Squid but through any
>> other enterprise-level proxies in the world.
>> I am not in the IT domain but a QE engineer and want to ensure I can have
>> the best possible coverage for my client. I agree that Squid is one of
>> the best available proxy servers but my job is to ensure that my client
>> works with other proxies too.
>>
>>>
>>>> Query1: I want to ensure my program works for most of the enterprise
>>>> proxy servers. Given that it can establish a connection via Squid, is
>>>> it safe to assume that it is going to work with all the proxy servers
>>>> like Microsoft TMG, Bluecoat etc.?
>>>
>>> Depends on what the options to authenticate are and the proxy
>>> configuration.
>>> Some use Basic auth, others NTLM (should not be used for many reasons) or
>>> Kerberos. (There are other options.)
>>
>
> See below about the RFCs.
>
>>>>
>>>> Query2: In case I should test my program to be working with different
>>>> proxy servers, then for the enterprise world which of the proxy servers
>>>> would you like to suggest to have the best coverage?
>>>
>>> What fits for you!!
>>> If you can test all of them with Squid in a convenient way, use Squid.
>>> If you feel that Squid sweeps you from your feet then use another one
>>> that you feel easy and happy with.
>>>
>> Vinay:
>> I tested that the client can establish the connection through Squid,
>> but before testing the rest of the proxies in the world I want to know
>> whether it even makes sense to do this exercise. Can I assume that if
>> my client can establish the connection through Squid, it will be
>> capable of establishing a connection through any other proxies in the
>> world?
>
> It does not matter. All proxies are working to a set of RFC standards.
> The general operation is defined in <https://tools.ietf.org/html/rfc7235> with
> each specific authentication scheme being defined in the RFC standards
> referenced from
> <http://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml>
>
> If your software meets the behaviour specified in those RFCs then any HTTP
> proxy will be able to authenticate it using one or more of the schemes.
>
> Squid is a good testing ground for Basic, Digest (only a few bugs
> remaining), and Negotiate. We also have a Bearer module recently created if
> anyone wants to sponsor its merging into public releases. I'm not aware of
> any HTTP proxy supporting the OAuth scheme yet - it is superseded by Bearer
> now so may never happen.
>
> NOTE that the "NTLM" scheme found on many enterprise networks after only 12
> years since deprecation has never been formally standardised. By the time
> that happened it was called "Negotiate". If you want to support "NTLM" you
> will have to look up the proprietary specification(s) from Microsoft for the
> 7 or so protocols which use that scheme label - although only NTLMv2 is
> anywhere near safe to use today. I recommend skipping this one, but you may
> need to do it for those earlier mentioned enterprise networks.
>
> Amos
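
The following is an added example, not part of the thread and not code from Squid or Apache HttpClient: it parses the `Proxy-Authenticate` challenges of a 407 response following the RFC 7235 grammar referenced above and picks the scheme a client would answer with, which is the behaviour to verify against any proxy. The preference order, the function names and the sample header values are assumptions constructed for illustration.

```python
import re

TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
PARAM = re.compile(rf'({TOKEN})\s*=\s*("(?:[^"\\]|\\.)*"|{TOKEN})$')
TOKEN68 = re.compile(r"[A-Za-z0-9._~+/-]+=*$")
ITEM = re.compile(r'(?:[^,"]|"(?:[^"\\]|\\.)*")+')  # split on commas outside quotes

# Assumed client policy, most preferred first (not taken from the thread).
PREFERENCE = ("negotiate", "digest", "ntlm", "basic")

# Constructed sample: one 407 response carrying several challenges.
SAMPLE = ['Negotiate, NTLM, Basic realm="Squid proxy"',
          'Digest realm="Squid, proxy", nonce="n1", qop="auth"']


def _param(text):
    """Return (name, value) for an auth-param, or None."""
    m = PARAM.match(text)
    if not m:
        return None
    value = m.group(2)
    if value.startswith('"'):  # quoted-string: drop quotes and backslash escapes
        value = re.sub(r"\\(.)", r"\1", value[1:-1])
    return m.group(1).lower(), value


def parse_challenges(field_values):
    """Parse Proxy-Authenticate values into [(scheme, token68, params)]."""
    out = []
    items = (i.strip() for v in field_values for i in ITEM.findall(v) if i.strip())
    for item in items:
        kv = _param(item)
        if kv and out:  # bare name=value continues the previous challenge
            out[-1][2][kv[0]] = kv[1]
            continue
        scheme, _, rest = item.partition(" ")
        rest, kv = rest.strip(), _param(rest.strip())
        if not re.fullmatch(TOKEN, scheme) or (rest and not kv and not TOKEN68.match(rest)):
            raise ValueError(f"malformed challenge: {item!r}")
        # Scheme names are case-insensitive, so normalise before comparing.
        out.append((scheme.lower(), None if kv or not rest else rest, dict([kv] if kv else [])))
    return out


def choose_scheme(field_values, supported=PREFERENCE):
    """Pick the first scheme in the client's preference list that was offered."""
    offered = {c[0]: c for c in parse_challenges(field_values)}
    return next((offered[s] for s in supported if s in offered), None)
```

Running the same assertions against the headers captured from each proxy under test shows whether the client's scheme choice depends on header layout (one field or several, quoted commas, upper-case scheme names) rather than on what was actually offered.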