[squid-users] Query about login=pass

Sreenath BH bhsreenath at gmail.com
Fri Apr 1 12:40:33 UTC 2016


Hi All,

We have a setup with two squid servers, let's say squid1 and squid2.
Requests land at Squid1 and it sends the request to squid2. Squid2
uses X-User-ID and Authorization headers for authenticating the user,
and on success, fetches data from another webserver and returns the
data. If authentication fails, it returns a 401 response.

What we have observed is that for some reason, squid does not send the
Authorization header to the upstream squid server. However, X-User-ID
header is always sent to upstream.

10.135.81.100 is squid2.

Here is configuration of squid1, where we see the problem.
------------------
acl    test_upload   urlpath_regex   ^/upload
acl    test_nms       urlpath_regex   ^/nms
acl    trash_misc    urlpath_regex   ^/trash

http_port 80 accel defaultsite=sitgateway.qiodrive.com vhost
https_port 443 cert=/etc/squid3/certificates/test.crt key=/etc/squid3/certificates/qiodrivekey.key cafile=/etc/squid3/certificates/gd_bundle-g2-g1.crt accel

cache_peer 10.135.81.100 parent 80 0 no-query login=PASS originserver name=name1
cache_peer_access name1 allow test_upload
cache_peer_access name1 deny all

cache_peer 10.135.81.100 parent 80 0 no-query login=PASS originserver name=name2
cache_peer_access name2 allow test_nms
cache_peer_access name2 deny all

cache_peer 10.135.81.100 parent 80 0 no-query originserver name=name3
cache_peer_access name3 allow trash_misc
cache_peer_access name3 deny all
----------------

As can be seen above, we have associated different names (name1,
name2 and name3) with the same Squid2 server, all listening on the
same port. Is this a correct way of doing it? I ran squid -parse on
the squid.conf file and it did not report any problem.

1. Squid1 listens on both port 80 and the SSL port. If a request comes
in on the SSL port, will it send the Authorization token to a Squid
that is not an SSL Squid?

2. In the source code of squid (http.c) I see the following lines in the function:

void
copyOneHeaderFromClientsideRequestToUpstreamRequest(const HttpHeaderEntry *e,
        const String strConnection, const HttpRequest * request,
        HttpHeader * hdr_out, const int we_do_ranges,
        const HttpStateFlags &flags)

    case HDR_AUTHORIZATION:
        /** \par WWW-Authorization:
         * Pass on WWW authentication */

        if (!flags.originpeer) {
            hdr_out->addEntry(e->clone());
        } else {
            /** \note In accelerators, only forward authentication if enabled
             * (see also httpFixupAuthentication for special cases)
             */
            if (request->peer_login &&
                    (strcmp(request->peer_login, "PASS") == 0 ||
                     strcmp(request->peer_login, "PASSTHRU") == 0 ||
                     strcmp(request->peer_login, "PROXYPASS") == 0)) {
                hdr_out->addEntry(e->clone());
            }
        }

        break;


I don't understand what might prevent squid from sending the
Authorization header.

Any help appreciated,

thanks,
Sreenath
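
The condition in the quoted snippet, applied to the cache_peer lines from the configuration above; this is an added example, not part of the original post and not Squid's own code. It assumes `flags.originpeer` corresponds to the `originserver` option and `request->peer_login` to the `login=` value; the function names are hypothetical.

```python
# Added example: which cache_peer entries pass the quoted HDR_AUTHORIZATION check.
PASS_MODES = {"PASS", "PASSTHRU", "PROXYPASS"}  # exact, case-sensitive strcmp() values

SAMPLE_CONF = """\
acl test_upload urlpath_regex ^/upload
acl test_nms urlpath_regex ^/nms
acl trash_misc urlpath_regex ^/trash
cache_peer 10.135.81.100 parent 80 0 no-query login=PASS originserver name=name1
cache_peer_access name1 allow test_upload
cache_peer_access name1 deny all
cache_peer 10.135.81.100 parent 80 0 no-query login=PASS originserver name=name2
cache_peer_access name2 allow test_nms
cache_peer_access name2 deny all
cache_peer 10.135.81.100 parent 80 0 no-query originserver name=name3
cache_peer_access name3 allow trash_misc
cache_peer_access name3 deny all
"""

def parse(conf_text):
    """Collect cache_peer options, urlpath_regex ACLs and cache_peer_access allow rules."""
    peers, acls, allows = {}, {}, {}
    for raw in conf_text.splitlines():
        tok = raw.split()
        if len(tok) >= 5 and tok[0] == "cache_peer":
            opts = tok[5:]  # everything after host, type, http-port, icp-port
            kv = dict(o.split("=", 1) for o in opts if "=" in o)
            peers[kv.get("name", tok[1])] = ("originserver" in opts, kv.get("login"))
        elif len(tok) >= 4 and tok[0] == "acl" and tok[2] == "urlpath_regex":
            acls[tok[1]] = tok[3:]
        elif len(tok) >= 4 and tok[0] == "cache_peer_access" and tok[2] == "allow":
            allows.setdefault(tok[1], []).extend(tok[3:])
    return peers, acls, allows

def forwards_authorization(originserver, login):
    """Mirror the quoted case: non-origin peers always get the header."""
    if not originserver:           # !flags.originpeer
        return True
    return login in PASS_MODES     # request->peer_login must match exactly

def audit(conf_text):
    """Return {url pattern: (peer name, Authorization forwarded?)}."""
    peers, acls, allows = parse(conf_text)
    report = {}
    for name, acl_names in allows.items():
        for pattern in (p for a in acl_names for p in acls.get(a, [])):
            if name in peers:
                report[pattern] = (name, forwards_authorization(*peers[name]))
    return report

print(audit(SAMPLE_CONF))
```
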

