On 2021-06-26 01:16, hoper wrote:
Hi again,
If Squid trusts stale user credentials (i.e. allows new requests with
stale cached credentials without revalidating them with your
authentication helper), then this is a Squid bug.
No, I don't think there is a bug here.
Because each time my helper is used by squid, it writes a line in a
dedicated log file.
A Squid bug would likely be later on.
Before we go any further. Which version of Squid are you using?
And it seems to work well. In detail:
Let's say I have a account in my DB with: user1,password1,proxy1
As a client, I start my browser and connect myself with user1/password1
In my helper log file, all is good and I can see that squid used the
helper,
and its answer was "OK proxychoice=proxy1".
Now I switch from proxy1 to proxy2 for user1 in the database.
On my browser, I'm still authenticated as user1, and I'm still using
proxy1.
(Ok, that's normal). Later, when the TTL is reached (2 minutes in the
configuration I sent),
I can see in my helper's log file that squid used it again. This time,
the
answer was: "OK proxychoice=proxy2". So, all seems good here too.
But the routing didn't change. The parent proxy used after 2 minutes
is still proxy1, and
it never changes until I restart squid.
I hope I have explained the problem better. So you think there is a bug
somewhere,
or do we have a configuration problem? How can we obtain the result
we are looking for?
(Squid should change the parent proxy if needed after the
authentication TTL period).
You seem to think that user credentials are thrown away when they reach
TTL. That is not true.
What actually happens is that shortly *before* TTL is reached they enter
a grace period during which they will be refreshed using the helper. The
info the helper provides is then used to *update* the existing
credentials.
Also, the foo= annotations are additive by default. On more detailed
inspection you will find the user has become "proxy1" *OR* "proxy2"
allowed.
Insufficient demand for that feature does not allow me to provide a
reliable ETA at this time.
Do you have a vague idea of the cost of the development of this
feature?
I'm not sure why Alex is offering a feature. A change to helper
annotations was already implemented in Squid-5 to avoid this exact
behaviour you are seeing.
Thanks again.
FYI. The Squid-5 code already has the feature implemented. It is only
the Squid-4 code which behaves like above.
Amos
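
The refresh behaviour described in this thread, as an added example that is not part of the original messages and is not Squid source code: a simplified Python model of cached credentials whose helper annotations are either accumulated (the Squid-4 behaviour described above) or, as an assumption about the Squid-5 change, replaced on refresh. The class and function names are hypothetical, and choosing the first matching parent in configuration order is an assumption, since the poster's configuration is not shown.

```python
# Simplified model, NOT Squid code. Helper replies are the ones quoted in the thread.

def parse_helper_reply(line):
    """Split 'OK key=value ...' into (ok, [(key, value), ...])."""
    parts = line.split()
    ok = bool(parts) and parts[0] == "OK"
    pairs = [tuple(p.split("=", 1)) for p in parts[1:] if "=" in p]
    return ok, pairs

class CachedCredentials:
    """Credentials object that survives TTL and is updated in place (hypothetical)."""
    def __init__(self, additive):
        self.additive = additive   # True: accumulate values; False: replace them
        self.notes = {}            # annotation key -> list of values

    def refresh(self, reply):
        ok, pairs = parse_helper_reply(reply)
        if not ok:
            return False
        if not self.additive:
            # Replacement model: drop old values for every key the helper re-sent.
            for key in {k for k, _ in pairs}:
                self.notes[key] = []
        for key, value in pairs:
            values = self.notes.setdefault(key, [])
            if value not in values:
                values.append(value)
        return True

    def note_matches(self, key, value):
        # A note check matches if ANY stored value equals the one tested.
        return value in self.notes.get(key, [])

def select_peer(creds, peers):
    """Assumption: the first parent (config order) whose note check matches wins."""
    for peer in peers:
        if creds.note_matches("proxychoice", peer):
            return peer
    return None

def simulate(additive):
    """Replay the thread: login yields proxy1, the refresh near TTL yields proxy2."""
    peers = ["proxy1", "proxy2"]
    creds = CachedCredentials(additive)
    creds.refresh("OK proxychoice=proxy1")
    before = select_peer(creds, peers)
    creds.refresh("OK proxychoice=proxy2")
    after = select_peer(creds, peers)
    return before, after, list(creds.notes["proxychoice"])

if __name__ == "__main__":
    print("additive:", simulate(True))
    print("replace: ", simulate(False))
```

In the additive run the user ends up matching both proxy1 and proxy2, so routing never moves off proxy1 until the cached credentials are discarded, which is what the restart did.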