From: Amos Jeffries
Date: Tue, 25 Aug 2009 11:31:30 +0000 (+1200)
Subject: Fully transparent PASSTHRU option for authentication to peers.
X-Git-Tag: SQUID_3_2_0_1~763
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=11e4c5e5e6023c716b05e0efde3764d32dbba2e7;p=thirdparty%2Fsquid.git

Fully transparent PASSTHRU option for authentication to peers.

It turns out both PASS and PROXYPASS have special behaviour depending other configuration options. Clarify this in the existing Docs and add a method for fully transparent relay of credentials from client to upstream.
---
diff --git a/src/cf.data.pre b/src/cf.data.pre
index 964e442116..382208cc43 100644
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -1788,9 +1788,27 @@ DOC_START
 Note: The string can include URL escapes (i.e. %20 for spaces).
 This also means % must be written as %%.
 
+ login=PASSTHRU
+ Send login details received from client to this peer.
+ Both Proxy- and WWW-Authorization headers are passed
+ without alteration to the peer.
+ Authentication is not required by Squid for this to work.
+
+ Note: This will pass any form of authentication but
+ only Basic auth will work through a proxy unless the
+ connection-auth options are also used.
+
+ login=PROXYPASS
 Send login details received from client to this peer.
- Authentication is not required, nor changed.
+ Only WWW-Authorization headers are passed to the peer.
+ If the 'originserver' option is also used this will
+ convert Proxy-Authorization: to WWW-Authorization: before
+ relaying. The header content is not altered.
+
+ Authentication is not required by Squid for this to work
+ however it should be noted that without it somewhere down
+ the proxy chain there may be no Proxy-Authorization:
+ header to convert.
 
 Note: This will pass any form of authentication but
 only Basic auth will work through a proxy unless the
@@ -1798,6 +1816,7 @@ DOC_START
 login=PASS
 Send login details received from client to this peer.
 Authentication is not required by this option.
+
 If there are no client-provided authentication headers
 to pass on, but username and password are available
 from either proxy login or an external ACL user= and
diff --git a/src/http.cc b/src/http.cc
index 8eef8db54c..9f51b1ea9b 100644
--- a/src/http.cc
+++ b/src/http.cc
@@ -1604,6 +1604,8 @@ HttpStateData::httpBuildRequestHeader(HttpRequest * request,
 }
 } else if (strcmp(orig_request->peer_login, "PROXYPASS") == 0) {
 /* Nothing to do */
+ } else if (strcmp(orig_request->peer_login, "PASSTHRU") == 0) {
+ /* Nothing to do (yet) */
 } else {
 httpHeaderPutStrf(hdr_out, HDR_PROXY_AUTHORIZATION, "Basic %s",
 base64_encode(orig_request->peer_login));
@@ -1615,6 +1617,8 @@ HttpStateData::httpBuildRequestHeader(HttpRequest * request,
 !hdr_out->has(HDR_AUTHORIZATION)) {
 if (strcmp(orig_request->peer_login, "PASS") == 0) {
 /* No credentials to forward.. (should have been done above if available) */
+ } else if (strcmp(orig_request->peer_login, "PASSTHRU") == 0) {
+ /* Nothing to do (yet) */
 } else if (strcmp(orig_request->peer_login, "PROXYPASS") == 0) {
 /* Special mode, convert proxy authentication to WWW authentication
 * (also applies to authentication provided by external acl)
@@ -1723,13 +1727,11 @@ copyOneHeaderFromClientsideRequestToUpstreamRequest(const HttpHeaderEntry *e, co
 * Only pass on proxy authentication to peers for which
 * authentication forwarding is explicitly enabled
 */
- if (flags.proxying && orig_request->peer_login && (strcmp(orig_request->peer_login, "PASS") == 0 ||
- strcmp(orig_request->peer_login, "PROXYPASS") == 0)) {
+ strcmp(orig_request->peer_login, "PASSTHRU") == 0)) {
 hdr_out->addEntry(e->clone());
 }
- break;
 /** \par RFC 2616 sect 13.5.1 - Hop-by-Hop headers which Squid does not pass on. */
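Review bot: The two new `PASSTHRU` branches in httpBuildRequestHeader (the hunk at -1604 and the one at -1615) carry only `/* Nothing to do (yet) */`, which hides why they exist: without the first one a peer configured with login=PASSTHRU would presumably reach the final `else` of the same hunk and have the literal keyword base64-encoded into a `Proxy-Authorization: Basic` header by the `httpHeaderPutStrf` call shown there. A comment such as `/* PASSTHRU: client headers are relayed verbatim by copyOneHeaderFromClientsideRequestToUpstreamRequest(); this branch only keeps the keyword out of the Basic-encoding fallback below */` records that intent for both sites. The "(yet)" also reads as a promise of further behaviour; if none is planned, drop it so the branches are not taken for unfinished work. httpBuildRequestHeader starts and ends outside both hunks, so the rest of the else-chain is not visible here.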
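Review bot: The hunk at -1723 does not reconstruct as shown: the `- if (flags.proxying && orig_request->peer_login && (strcmp(orig_request->peer_login, "PASS") == 0 ||` line is deleted and only `+ strcmp(orig_request->peer_login, "PASSTHRU") == 0)) {` is added, which leaves no `if` in front of `hdr_out->addEntry(e->clone());`, and the header's 13/11 line counts exceed the lines visible here, so part of this hunk was presumably lost in extraction and the Proxy-Authorization: condition should be checked against the full commit. What is visible is the removal of `break;` after that handling, which makes the case run on into whatever follows the RFC 2616 hop-by-hop comment; if the fall-through is intended, a `/* fall through */` comment at that spot keeps the next reader from treating it as a lost `break`. copyOneHeaderFromClientsideRequestToUpstreamRequest starts and ends outside the hunk.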
@@ -1754,11 +1756,12 @@ copyOneHeaderFromClientsideRequestToUpstreamRequest(const HttpHeaderEntry *e, co
 hdr_out->addEntry(e->clone());
 } else {
 /** \note In accelerators, only forward authentication if enabled
- * by login=PASS or login=PROXYPASS
+ * by login=PASS or login=PROXYPASS or login=PASSTHRU
 * (see also below for proxy->server authentication)
 */
 if (orig_request->peer_login &&
 (strcmp(orig_request->peer_login, "PASS") == 0 ||
+ strcmp(orig_request->peer_login, "PASSTHRU") == 0 ||
 strcmp(orig_request->peer_login, "PROXYPASS") == 0)) {
 hdr_out->addEntry(e->clone());
 }
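Review bot: The accelerator Authorization: branch now spells out a three-way `strcmp` on `orig_request->peer_login` inline, the same shape the other hunks of this commit repeat, so every future login= keyword has to be added at several sites and the lists can drift (the Proxy-Authorization: case in this commit already appears to use a different set, which matches the new PROXYPASS documentation). Naming the predicate once keeps the set of keywords that relay the client's own credentials in one place; the condition here would become `if (peerLoginRelaysClientAuth(orig_request->peer_login)) {`. The helper below is a sketch and would need to be defined in http.cc before its first use. copyOneHeaderFromClientsideRequestToUpstreamRequest starts and ends outside the hunk.
```cpp
/// True when the peer's login= mode relays the client's own credentials
/// (login=PASS, login=PASSTHRU or login=PROXYPASS) instead of configured ones.
static bool
peerLoginRelaysClientAuth(const char *peer_login)
{
    return peer_login &&
           (strcmp(peer_login, "PASS") == 0 ||
            strcmp(peer_login, "PASSTHRU") == 0 ||
            strcmp(peer_login, "PROXYPASS") == 0);
}

/* … unchanged: accelerator Authorization: handling up to the forwarding test … */
            if (peerLoginRelaysClientAuth(orig_request->peer_login)) {
                hdr_out->addEntry(e->clone());
            }
```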