Fully transparent PASSTHRU option for authentication to peers.
authorAmos Jeffries <squid3@treenet.co.nz>
Tue, 25 Aug 2009 11:31:30 +0000 (23:31 +1200)
committerAmos Jeffries <squid3@treenet.co.nz>
Tue, 25 Aug 2009 11:31:30 +0000 (23:31 +1200)
It turns out both PASS and PROXYPASS have special behaviour depending on
other configuration options. Clarify this in the existing Docs and add a
method for fully transparent relay of credentials from client to upstream.

src/cf.data.pre
src/http.cc

index 964e442116588219c8f1615d3f47f2583d194ae1..382208cc432d9b2341fc751993ede3e576906c4d 100644 (file)
@@ -1788,9 +1788,27 @@ DOC_START
                        Note: The string can include URL escapes (i.e. %20 for
                        spaces). This also means % must be written as %%.
        
+       login=PASSTHRU
+                       Send login details received from client to this peer.
+                       Both Proxy- and WWW-Authorization headers are passed
+                       without alteration to the peer.
+                       Authentication is not required by Squid for this to work.
+                       
+                       Note: This will pass any form of authentication but
+                       only Basic auth will work through a proxy unless the
+                       connection-auth options are also used.
+       
        login=PROXYPASS
                        Send login details received from client to this peer.
-                       Authentication is not required, nor changed.
+                       Only WWW-Authorization headers are passed to the peer.
+                       If the 'originserver' option is also used this will
+                       convert Proxy-Authorization: to WWW-Authorization: before
+                       relaying. The header content is not altered.
+                       
+                       Authentication is not required by Squid for this to work
+                       however it should be noted that without it somewhere down
+                       the proxy chain there may be no Proxy-Authorization:
+                       header to convert.
                        
                        Note: This will pass any form of authentication but
                        only Basic auth will work through a proxy unless the
@@ -1798,6 +1816,7 @@ DOC_START
        
        login=PASS      Send login details received from client to this peer.
                        Authentication is not required by this option.
+                       
                        If there are no client-provided authentication headers
                        to pass on, but username and password are available
                        from either proxy login or an external ACL user= and
index 8eef8db54ca53b7b2d4a305809c248a94c654647..9f51b1ea9b0bf90fccce4a27f8fbe3e4c025eb34 100644 (file)
@@ -1604,6 +1604,8 @@ HttpStateData::httpBuildRequestHeader(HttpRequest * request,
             }
         } else if (strcmp(orig_request->peer_login, "PROXYPASS") == 0) {
             /* Nothing to do */
+        } else if (strcmp(orig_request->peer_login, "PASSTHRU") == 0) {
+            /* Nothing to do (yet) */
         } else {
             httpHeaderPutStrf(hdr_out, HDR_PROXY_AUTHORIZATION, "Basic %s",
                               base64_encode(orig_request->peer_login));
@@ -1615,6 +1617,8 @@ HttpStateData::httpBuildRequestHeader(HttpRequest * request,
             !hdr_out->has(HDR_AUTHORIZATION)) {
         if (strcmp(orig_request->peer_login, "PASS") == 0) {
             /* No credentials to forward.. (should have been done above if available) */
+        } else if (strcmp(orig_request->peer_login, "PASSTHRU") == 0) {
+            /* Nothing to do (yet) */
         } else if (strcmp(orig_request->peer_login, "PROXYPASS") == 0) {
             /* Special mode, convert proxy authentication to WWW authentication
             * (also applies to authentication provided by external acl)
@@ -1723,13 +1727,11 @@ copyOneHeaderFromClientsideRequestToUpstreamRequest(const HttpHeaderEntry *e, co
          * Only pass on proxy authentication to peers for which
          * authentication forwarding is explicitly enabled
          */
-
         if (flags.proxying && orig_request->peer_login &&
                 (strcmp(orig_request->peer_login, "PASS") == 0 ||
-                 strcmp(orig_request->peer_login, "PROXYPASS") == 0)) {
+                 strcmp(orig_request->peer_login, "PASSTHRU") == 0)) {
             hdr_out->addEntry(e->clone());
         }
-
         break;
 
         /** \par RFC 2616 sect 13.5.1 - Hop-by-Hop headers which Squid does not pass on. */
@@ -1754,11 +1756,12 @@ copyOneHeaderFromClientsideRequestToUpstreamRequest(const HttpHeaderEntry *e, co
             hdr_out->addEntry(e->clone());
         } else {
             /** \note In accelerators, only forward authentication if enabled
-             * by login=PASS or login=PROXYPASS
+             * by login=PASS or login=PROXYPASS or login=PASSTHRU
              * (see also below for proxy->server authentication)
              */
             if (orig_request->peer_login &&
                     (strcmp(orig_request->peer_login, "PASS") == 0 ||
+                     strcmp(orig_request->peer_login, "PASSTHRU") == 0 ||
                      strcmp(orig_request->peer_login, "PROXYPASS") == 0)) {
                 hdr_out->addEntry(e->clone());
             }
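Review bot: The comment `/* Nothing to do (yet) */` on the two new PASSTHRU branches in httpBuildRequestHeader (hunks at 1604 and 1617) does not say why the branch is empty, and "(yet)" hints at unfinished work without naming what is pending. The hunk at 1727 shows copyOneHeaderFromClientsideRequestToUpstreamRequest() cloning the client's Proxy-Authorization into hdr_out for PASSTHRU, so the intent appears to be that credentials are relayed verbatim rather than synthesised here; a comment such as `/* PASSTHRU: client's Proxy-Authorization is relayed verbatim by copyOneHeaderFromClientsideRequestToUpstreamRequest(); never synthesise one here */` would state that and also record that Squid does not validate those credentials before relaying them. The accepted-mode sets now differ between the forward-proxy site (PASS, PASSTHRU) and the accelerator site (PASS, PASSTHRU, PROXYPASS), which is presumably deliberate but is encoded only in repeated strcmp chains; a small helper per header kind would keep each set in one place. Both enclosing functions begin and end outside the hunks.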