debugs(29, DBG_CRITICAL, "FATAL: Unexpected argument '" << t << "' after request_format specification");
self_destruct();
}
+ } else if (strcmp(param_str, "keep_alive") == 0) {
+ parse_onoff(&keep_alive);
+ } else if (strcmp(param_str, "utf8") == 0) {
+ parse_onoff(&utf8);
} else {
debugs(29, DBG_CRITICAL, "Unrecognised " << scheme->type() << " auth scheme parameter '" << param_str << "'");
}
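Review bot: The new `keep_alive` and `utf8` branches accept both parameters for every scheme, but the documentation updated in this same commit says keep_alive is ignored for Basic and Digest and utf8 is ignored for NTLM and Negotiate. Before this change such a line reached the final `else` and was logged as "Unrecognised ... auth scheme parameter", so the operator loses a diagnostic. A setting like `auth_param ntlm utf8 on` is now accepted silently, and the base-class dump echoes it back as if it were in effect. Consider a parse-time warning for the ignored combinations, for example `debugs(29, DBG_IMPORTANT, "WARNING: auth_param " << scheme->type() << " ignores '" << param_str << "'");`, gated on the scheme. The enclosing parse function starts before this hunk and appears to continue after it.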
if (!authenticateProgram)
return false; // not configured
+ const char *type = scheme->type();
+
wordlist *list = authenticateProgram;
- storeAppendPrintf(entry, "%s %s", name, scheme->type());
+ storeAppendPrintf(entry, "%s %s", name, type);
while (list != NULL) {
storeAppendPrintf(entry, " %s", list->key);
list = list->next;
}
storeAppendPrintf(entry, "\n");
- storeAppendPrintf(entry, "%s %s realm " SQUIDSBUFPH "\n", name, scheme->type(), SQUIDSBUFPRINT(realm));
+ storeAppendPrintf(entry, "%s %s realm " SQUIDSBUFPH "\n", name, type, SQUIDSBUFPRINT(realm));
storeAppendPrintf(entry, "%s %s children %d startup=%d idle=%d concurrency=%d\n",
- name, scheme->type(),
+ name, type,
authenticateChildren.n_max, authenticateChildren.n_startup,
authenticateChildren.n_idle, authenticateChildren.concurrency);
- if (keyExtrasLine.size() > 0)
- storeAppendPrintf(entry, "%s %s key_extras \"%s\"\n", name, scheme->type(), keyExtrasLine.termedBuf());
+ if (keyExtrasLine.size() > 0) // default is none
+ storeAppendPrintf(entry, "%s %s key_extras \"%s\"\n", name, type, keyExtrasLine.termedBuf());
+
+ if (!keep_alive) // default is on
+ storeAppendPrintf(entry, "%s %s keep_alive off\n", name, type);
+
+ if (utf8) // default is off
+ storeAppendPrintf(entry, "%s %s utf8 on\n", name, type);
return true;
}
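Review bot: The new local `const char *type` in dump shares its name with the `type()` method that the scheme Config classes declare, so the unqualified name inside this function now means the pointer rather than the method. This assumes the base class also declares `type()`, which the hunk does not show. A distinct name avoids the hiding, e.g. `const char *schemeType = scheme->type();`. The `// default is on` and `// default is off` comments restate initialisers that live in the header, so they could instead point at the member declarations to avoid drifting. The function's signature is outside the hunk.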
/// Call this method if you need a guarantee that all auth schemes has been
/// already configured.
static SchemeConfig *GetParsed(const char *proxy_auth);
- SchemeConfig() : authenticateChildren(20), authenticateProgram(NULL), keyExtras(NULL) {}
+ SchemeConfig() : authenticateChildren(20) {}
virtual ~SchemeConfig() {}
public:
Helper::ChildConfig authenticateChildren;
- wordlist *authenticateProgram; ///< Helper program to run, includes all parameters
+ wordlist *authenticateProgram = nullptr; ///< Helper program to run, includes all parameters
String keyExtrasLine; ///< The format of the request to the auth helper
- Format::Format *keyExtras; ///< The compiled request format
+ Format::Format *keyExtras = nullptr; ///< The compiled request format
+ int keep_alive = 1; ///< whether to close the connection on auth challenges. default: on
+ int utf8 = 0; ///< wheter to accept UTF-8 characterset instead of ASCII. default: off
protected:
/// RFC 7235 section 2.2 - Protection Space (Realm)
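Review bot: The doc comment on `keep_alive` reads inverted: it says "whether to close the connection on auth challenges. default: on", but the configuration text in this commit says that setting it to off is what makes Squid forcibly close the connection. Suggested wording: `///< whether to keep the connection open after the initial auth challenge (off forces a close). default: on`. The `utf8` comment has typos ("wheter", "characterset") and describes accepting UTF-8, whereas the configuration text says Squid translates iso-latin-1 to UTF-8 before sending credentials to the helper. Suggested wording: `///< whether to translate iso-latin-1 credentials to UTF-8 before sending them to the helper. default: off`. Both comments could also say which schemes honour the flag, since the members now live on the base class.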
storeAppendPrintf(entry, "%s basic credentialsttl %d seconds\n", name, (int) credentialsTTL);
storeAppendPrintf(entry, "%s basic casesensitive %s\n", name, casesensitive ? "on" : "off");
- storeAppendPrintf(entry, "%s basic utf8 %s\n", name, utf8 ? "on" : "off");
return true;
}
Auth::Basic::Config::Config() :
credentialsTTL( 2*60*60 ),
- casesensitive(0),
- utf8(0)
+ casesensitive(0)
{
static const SBuf defaultRealm("Squid proxy-caching web server");
realm = defaultRealm;
parse_time_t(&credentialsTTL);
} else if (strcmp(param_str, "casesensitive") == 0) {
parse_onoff(&casesensitive);
- } else if (strcmp(param_str, "utf8") == 0) {
- parse_onoff(&utf8);
} else
Auth::SchemeConfig::parse(scheme, n_configured, param_str);
}
public:
time_t credentialsTTL;
int casesensitive;
- int utf8;
private:
char * decodeCleartext(const char *httpAuthHeader);
name, "digest", noncemaxuses,
name, "digest", (int) noncemaxduration,
name, "digest", (int) nonceGCInterval);
- storeAppendPrintf(entry, "%s digest utf8 %s\n", name, utf8 ? "on" : "off");
return true;
}
noncemaxuses(50),
NonceStrictness(0),
CheckNonceCount(1),
- PostWorkaround(0),
- utf8(0)
+ PostWorkaround(0)
{}
void
parse_onoff(&CheckNonceCount);
} else if (strcmp(param_str, "post_workaround") == 0) {
parse_onoff(&PostWorkaround);
- } else if (strcmp(param_str, "utf8") == 0) {
- parse_onoff(&utf8);
} else
Auth::SchemeConfig::parse(scheme, n_configured, param_str);
}
int NonceStrictness;
int CheckNonceCount;
int PostWorkaround;
- int utf8;
};
} // namespace Digest
debugs(29, DBG_IMPORTANT, "Reconfigure: Negotiate authentication configuration cleared.");
}
-bool
-Auth::Negotiate::Config::dump(StoreEntry * entry, const char *name, Auth::SchemeConfig * scheme) const
-{
- if (!Auth::SchemeConfig::dump(entry, name, scheme))
- return false;
-
- storeAppendPrintf(entry, "%s negotiate keep_alive %s\n", name, keep_alive ? "on" : "off");
- return true;
-}
-
-Auth::Negotiate::Config::Config() : keep_alive(1)
-{ }
-
-void
-Auth::Negotiate::Config::parse(Auth::SchemeConfig * scheme, int n_configured, char *param_str)
-{
- if (strcmp(param_str, "keep_alive") == 0) {
- parse_onoff(&keep_alive);
- } else
- Auth::SchemeConfig::parse(scheme, n_configured, param_str);
-}
-
const char *
Auth::Negotiate::Config::type() const
{
class Config : public Auth::SchemeConfig
{
public:
- Config();
virtual bool active() const;
virtual bool configured() const;
virtual Auth::UserRequest::Pointer decode(char const *proxy_auth, const char *requestRealm);
virtual void done();
virtual void rotateHelpers();
- virtual bool dump(StoreEntry *, const char *, Auth::SchemeConfig *) const;
virtual void fixHeader(Auth::UserRequest::Pointer, HttpReply *, Http::HdrType, HttpRequest *);
virtual void init(Auth::SchemeConfig *);
- virtual void parse(Auth::SchemeConfig *, int, char *);
virtual void registerWithCacheManager(void);
virtual const char * type() const;
-
-public:
- int keep_alive;
};
} // namespace Negotiate
debugs(29, DBG_IMPORTANT, "Reconfigure: NTLM authentication configuration cleared.");
}
-bool
-Auth::Ntlm::Config::dump(StoreEntry * entry, const char *name, Auth::SchemeConfig * scheme) const
-{
- if (!Auth::SchemeConfig::dump(entry, name, scheme))
- return false;
-
- storeAppendPrintf(entry, "%s ntlm keep_alive %s\n", name, keep_alive ? "on" : "off");
- return true;
-}
-
-Auth::Ntlm::Config::Config() : keep_alive(1)
-{ }
-
-void
-Auth::Ntlm::Config::parse(Auth::SchemeConfig * scheme, int n_configured, char *param_str)
-{
- if (strcmp(param_str, "keep_alive") == 0) {
- parse_onoff(&keep_alive);
- } else
- Auth::SchemeConfig::parse(scheme, n_configured, param_str);
-}
-
const char *
Auth::Ntlm::Config::type() const
{
class Config : public Auth::SchemeConfig
{
public:
- Config();
virtual bool active() const;
virtual bool configured() const;
virtual Auth::UserRequest::Pointer decode(char const *proxy_auth, const char *requestRealm);
virtual void done();
virtual void rotateHelpers();
- virtual bool dump(StoreEntry *, const char *, Auth::SchemeConfig *) const;
virtual void fixHeader(Auth::UserRequest::Pointer, HttpReply *, Http::HdrType, HttpRequest *);
virtual void init(Auth::SchemeConfig *);
- virtual void parse(Auth::SchemeConfig *, int, char *);
virtual void registerWithCacheManager(void);
virtual const char * type() const;
-
-public:
- int keep_alive;
};
} // namespace Ntlm
NOTE: NTLM and Negotiate schemes do not support concurrency
in the Squid code module even though some helpers can.
+ "keep_alive" on|off
+ If you experience problems with PUT/POST requests when using
+ the NTLM or Negotiate schemes then you can try setting this
+ to off. This will cause Squid to forcibly close the connection
+ on the initial request where the browser asks which schemes
+ are supported by the proxy.
-IF HAVE_AUTH_MODULE_BASIC
- === Basic authentication parameters ===
+ For Basic and Digest this parameter is ignored.
"utf8" on|off
HTTP uses iso-latin-1 as character set, while some
set to on Squid will translate the HTTP iso-latin-1 charset to
UTF-8 before sending the username and password to the helper.
+ For NTLM and Negotiate this parameter is ignored.
+
+IF HAVE_AUTH_MODULE_BASIC
+ === Basic authentication parameters ===
+
"credentialsttl" timetolive
Specifies how long squid assumes an externally validated
username:password pair is valid for - in other words how
IF HAVE_AUTH_MODULE_DIGEST
=== Digest authentication parameters ===
- "utf8" on|off
- HTTP uses iso-latin-1 as character set, while some
- authentication backends such as LDAP expects UTF-8. If this is
- set to on Squid will translate the HTTP iso-latin-1 charset to
- UTF-8 before sending the username and password to the helper.
-
"nonce_garbage_interval" timeinterval
Specifies the interval that nonces that have been issued
to client_agent's are checked for validity.
incorrect request digest in POST requests when reusing the
same nonce as acquired earlier on a GET request.
-ENDIF
-IF HAVE_AUTH_MODULE_NEGOTIATE
- === Negotiate authentication parameters ===
-
- "keep_alive" on|off
- If you experience problems with PUT/POST requests when using
- the this authentication scheme then you can try setting this
- to off. This will cause Squid to forcibly close the connection
- on the initial request where the browser asks which schemes
- are supported by the proxy.
-
-ENDIF
-IF HAVE_AUTH_MODULE_NTLM
- === NTLM authentication parameters ===
-
- "keep_alive" on|off
- If you experience problems with PUT/POST requests when using
- the this authentication scheme then you can try setting this
- to off. This will cause Squid to forcibly close the connection
- on the initial request where the browser asks which schemes
- are supported by the proxy.
ENDIF
=== Example Configuration ===
#auth_param negotiate program <uncomment and complete this line to activate>
#auth_param negotiate children 20 startup=0 idle=1
-#auth_param negotiate keep_alive on
#
#auth_param digest program <uncomment and complete this line to activate>
#auth_param digest children 20 startup=0 idle=1
#
#auth_param ntlm program <uncomment and complete this line to activate>
#auth_param ntlm children 20 startup=0 idle=1
-#auth_param ntlm keep_alive on
#
#auth_param basic program <uncomment and complete this line>
#auth_param basic children 5 startup=5 idle=1
-#auth_param basic realm Squid proxy-caching web server
#auth_param basic credentialsttl 2 hours
DOC_END