[squid-users] rejecting CONNECT if Proxy-Authentication header is sent but not required
Ole Craig
olc at macmillan-craig.net
Tue Oct 11 05:31:02 UTC 2022
Background: we are using Squid internally to replicate customer
environments which require proxy transit for most if not all HTTP/REST
comms, in order to facilitate bug replication and dev/test of software
which must operate in those environments.

I would like to configure Squid with a set of allow-listed domains such
that unauthenticated CONNECTs to sites within those domains succeed,
_unless_ the following conditions are met:

* if a client preemptively sends a Proxy-Authenticate header anyway,
  without first receiving a 407
* _and_ that header is invalid (bad username/password, unsupported
  authN method, &c),

...in which case I want the CONNECT to get a standard 407 response.

Is this conditional possible with Squid's ACL structure? I can't see a
way to make it happen in Squid 3.5 running on Amazon Linux, although
I've discovered a couple new ways of generating authentication loops. :/

Thanks for any help/pointers,
Ole
--
Ole Craig | olc at macmillan-craig.net
McQuary was far too generous.