Amos Jeffries wrote:

[dd]

> > As far as I understood you, there would be a "407 Proxy
> > Authentication Required" and "Proxy-Authorization: Negotiate" pair
> > in each TCP connection between browser and proxy.
>
> 407 is repeated as many times as necessary until the client starts
> sending valid credentials. Proxy-Authorization is used on every
> request containing any credentials. That is the basic requirement for
> any HTTP auth schemes.

During one TCP session from browser to Squid, I see requests both with and
without the Proxy-Authorization header. The requests without the
Proxy-Authorization header are also satisfied by the proxy. I don't
understand the logic behind this; that's why I am asking. If there were a
Proxy-Authorization header on every request, or only on the first request
in a TCP session, or if every credentialless request were followed by a
407, I would not be surprised.

> They are not a pair. Since there is no requirement for anything to
> follow the 407. Nor is there even a requirement for the two messages
> to be sent on the same TCP connection (eg "auth_param ... keep_alive
> off"). Statelessness is fun sometimes.
>
> > If the connection is used for several requests, only the first
> > HTTP request in the connection would contain authentication info.
>
> No. Once authentication is accepted on a connection the credentials
> token MUST be sent on all following requests.

However, as I am looking at a single TCP session between Squid and the
browser (filtered out by Wireshark), I don't see this happening. The 407
reply is sent only once, and then there are some requests following; some
of them contain the Proxy-Authorization header, but most don't.

> - So far that is basic HTTP auth requirements. Now things get weird...
>
> Lack of Negotiate credentials on any request is a sign of injection
> attack being performed and the TCP connection must be torn down.

There are plenty of such requests in the packet dump, and they are happily
answered with a "200 OK" and relevant content.

> To do that tear-down Squid can send 407 challenge with
> Connection:close such that the client can resume with
> re-authentication on new TCP connection(s) without waiting for any 407.
>
> > But each new TCP connection is re-authenticated by HTTP. Is this
> > correct?
>
> Not really. A TCP connection may be used for multiple requests before
> one needs to authenticate and kicks out a 407.

But each request, you say, must contain the credentials? Well, it does not
seem to be happening.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov@xxxxxxxxxxxxxxxx

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
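The per-connection rule discussed in this message (once a Negotiate token has been accepted on a TCP connection, every later request on that connection must carry Proxy-Authorization, and a credential-less request should draw a 407 with "Connection: close") can be checked mechanically against a capture. The script below is an added illustration written for this page; it is not Squid's code and not the poster's capture. The HTTP exchange it audits is constructed (the Negotiate token is a placeholder string), and the audit logic and finding labels are this example's own choices. It reports exactly the condition the poster describes: a credential-less request on an already-authenticated connection that is answered with something other than a closing 407.

```python
"""
Audit one TCP connection's proxy-auth behaviour for HTTP Negotiate.

Added example (not Squid code). Rule modelled, as stated in the thread:
  * before the connection has authenticated, credential-less requests
    may be served or challenged with 407 (both are fine);
  * once a request carrying "Proxy-Authorization: Negotiate ..." is
    accepted (any non-407 reply), the connection is authenticated and
    every following request on it must carry the token;
  * a credential-less request after that point should be met by a 407
    with "Connection: close", which tears the connection down.
"""
from dataclasses import dataclass


@dataclass
class Msg:
    start_line: str
    headers: dict  # lower-cased header name -> value


def parse_message(raw: str) -> Msg:
    """Parse the head (start line + headers) of an HTTP/1.x message."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if line == "":          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Msg(lines[0], headers)


def has_negotiate_creds(req: Msg) -> bool:
    """True if the request carries a Negotiate token for the proxy."""
    value = req.headers.get("proxy-authorization", "")
    return value.lower().startswith("negotiate ")


def status_code(resp: Msg) -> int:
    return int(resp.start_line.split()[1])


def audit_connection(exchanges):
    """
    exchanges: ordered (raw_request, raw_response) pairs seen on ONE TCP
    connection. Returns a list of (index, finding) tuples.
    """
    findings = []
    authenticated = False
    for i, (raw_req, raw_resp) in enumerate(exchanges):
        req, resp = parse_message(raw_req), parse_message(raw_resp)
        code = status_code(resp)
        closing = resp.headers.get("connection", "").lower() == "close"
        if has_negotiate_creds(req):
            if code != 407:
                authenticated = True  # token accepted: connection now bound to it
            continue
        if not authenticated:
            continue                  # pre-auth traffic: nothing to flag
        # credential-less request on an authenticated connection
        if code == 407 and closing:
            findings.append((i, "tear-down: 407 with Connection: close"))
            break                     # proxy ends the connection here
        findings.append((i, f"credential-less request answered {code} "
                            "on an authenticated connection"))
    return findings


# Constructed sample exchange on a single connection (placeholder token).
SAMPLE_CONNECTION = [
    ("GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n",
     "HTTP/1.1 407 Proxy Authentication Required\r\n"
     "Proxy-Authenticate: Negotiate\r\n\r\n"),
    ("GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n"
     "Proxy-Authorization: Negotiate EXAMPLE_TOKEN\r\n\r\n",
     "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    ("GET http://example.com/a.css HTTP/1.1\r\nHost: example.com\r\n"
     "Proxy-Authorization: Negotiate EXAMPLE_TOKEN\r\n\r\n",
     "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    # the anomaly described in the message: no token, yet served
    ("GET http://example.com/b.js HTTP/1.1\r\nHost: example.com\r\n\r\n",
     "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    # the behaviour the rule calls for instead
    ("GET http://example.com/c.png HTTP/1.1\r\nHost: example.com\r\n\r\n",
     "HTTP/1.1 407 Proxy Authentication Required\r\n"
     "Proxy-Authenticate: Negotiate\r\nConnection: close\r\n\r\n"),
]

if __name__ == "__main__":
    for index, finding in audit_connection(SAMPLE_CONNECTION):
        print(f"request #{index}: {finding}")
```

To run this against a real capture, export each TCP stream from Wireshark separately (for example with "Follow TCP Stream" or a tshark filter on the stream index) and feed one stream's request/response pairs to audit_connection; mixing streams would wrongly carry the authenticated state from one connection to another, which is exactly the distinction the thread turns on.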