On 4/11/2016 4:25 a.m., FredB wrote:
>
>> Authentication credentials represent and verify the identity of your
>> proxy. That is a fixed thing so why would the credentials used to verify
>> that static identity need to change?
>
>
> I'm only speaking about users' identities, not something like cache_peer login=XXX
> So each user must have his own ID
>
>>
>> NP: Proxy-auth is not related to the message itself, but to the transport
>> mechanism. Do not confuse the identity of the proxy/sender with the
>> traffic flowing through it from other sources.
>
> Yes
>
>>
>> That said, you can use request_header_add to add whatever headers you
>> like to upstream requests. Even proxy-auth headers. You just can't easily
>> handle any 407 which result from that when the credentials are not
>> accepted. So the ACL you use better be 100% accurate when it matches.
>
> Ah ok great, so maybe we can imagine something like this
>
> If an acl matches a specific address (eg 10.1.1.1) I put Authorization: BASIC Z3Vlc3Q6Z3Vlc3QxMjM= ?
> It's what I was talking about helper, maybe a separate program should be better for matching IP=USERNAME
>
> If there are many users the ACL will be very long and complex ...
>

Use "login=PASS" (exact string) on the cache_peer. Along with an
http_access check that uses an external ACL helper which produces "OK
user=X password=Y" for whatever credentials need to be sent.

NP: on older Squid that may be "pass=" instead of "password=".

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
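
The external ACL helper described in the reply above, as an added example that is not part of the original message and not Squid's own code. The helper path, ACL names, peer hostname, and the credential table are hypothetical or constructed; it assumes the helper receives only `%SRC` with no concurrency channel-ID, and it fails closed with `ERR` for any client it cannot map exactly.

```python
#!/usr/bin/env python3
"""External ACL helper sketch: map client IP to upstream credentials.

Assumed squid.conf wiring (names and paths are hypothetical):
  external_acl_type peer_creds ttl=60 %SRC /usr/local/bin/peer_creds.py
  acl set_creds external peer_creds
  http_access allow set_creds
  cache_peer parent.example.net parent 3128 0 login=PASS
"""
import ipaddress
import re
import sys

# Constructed sample table: client network -> (user, password).
CREDENTIALS = [
    (ipaddress.ip_network("10.1.1.1/32"), ("guest", "guest123")),
    (ipaddress.ip_network("10.1.2.0/24"), ("lab", "lab-secret")),
]

# Only emit values that need no quoting or escaping in the reply line.
SAFE = re.compile(r"^[A-Za-z0-9._@-]+$")


def answer(line, table=CREDENTIALS):
    """Return the helper reply for one request line (first token is %SRC)."""
    fields = line.split()
    if not fields:
        return "ERR"
    try:
        src = ipaddress.ip_address(fields[0])
    except ValueError:
        return "ERR"  # not an address: never guess credentials
    for network, (user, password) in table:
        if src.version == network.version and src in network:
            if SAFE.match(user) and SAFE.match(password):
                return f"OK user={user} password={password}"
            return "ERR"  # entry would need escaping: refuse it
    return "ERR"  # unknown client: no credentials are attached


def main():
    # Squid keeps the helper running and sends one lookup per line.
    for line in sys.stdin:
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()  # reply immediately; buffered output stalls Squid


if __name__ == "__main__":
    main()
```

Because the upstream 407 cannot easily be handled, keep the table exact and restrict read access to the helper file, since it holds the upstream passwords in clear text.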