[squid-users] Removing cache credentials

Victor Sudakov sudakov at sibptus.tomsk.ru
Mon Nov 17 08:52:30 UTC 2014



Amos Jeffries wrote:

[dd]

> > 
> > As far as I understood you, there would be a "407 Proxy
> > Authentication Required" and "Proxy-Authorization: Negotiate" pair
> > in each TCP connection between browser and proxy.
> 
> 407 is repeated as many times as necessary until the client starts
> sending valid credentials. Proxy-Authorization is used on every
> request containing any credentials. That is the basic requirement for
> any HTTP auth schemes.

During one TCP session from browser to Squid, I see requests both with
and without the Proxy-Authorization header. The requests without the
Proxy-Authorization header are also satisfied by the proxy. I don't
understand the logic behind this, that's why I am asking.

If there were a Proxy-Authorization header on every request, or only
on the first request in a TCP session, or if every credentialless
request were followed by a 407, I would not be surprised.

> They are not a pair. Since there is no requirement for anything to
> follow the 407. Nor is there even a requirement for the two messages
> to be sent on the same TCP connection (eg "auth_param ... keep_alive
> off"). Statelessness is fun sometimes.
> 
> > 
> > If the connection is used for several requests, only the first
> > HTTP request in the connection would contain authentication info.
> 
> No. Once authentication is accepted on a connection the credentials
> token MUST be sent on all following requests.

However, as I am looking at a single TCP session between squid and browser
(filtered out by Wireshark), I don't see this happening. The 407 reply is sent
only once, and then there are some requests following, some of them
contain the Proxy-Authorization header but most don't.

> 
>  - So far that is basic HTTP auth requirements. Now things get weird...
> 
> Lack of Negotiate credentials on any request is a sign of injection
> attack being performed and the TCP connection must be torn down.

There are plenty of such requests in the packet dump, and they are
happily answered with a "200 OK" and relevant content.

> 
> To do that tear-down Squid can send 407 challenge with
> Connection:close such that the client can resume with
> re-authentication on new TCP connection(s) without waiting for any 407.
> 
> 
> > But each new TCP connection is re-authenticated by HTTP. Is this
> > correct?
> 
> Not really. A TCP connection may be used for multiple requests before
> one needs to authenticate and kicks out a 407.

But each request, you say, must contain the credentials? Well, it does
not seem to be happening.


-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
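As an added example (not code from this thread, from Squid, or from either poster), the script below applies the rule Amos states to a reconstructed sequence of request/response pairs from one client-to-proxy TCP connection, the kind of sequence the original poster filtered out in Wireshark. The HTTP messages, the example.com URLs and the Negotiate token are constructed placeholders, and the "finding" is defined purely from the thread's own statement that a credential-less request after authentication should not be served.

```python
# Added example, not part of the squid-users thread: audit one client->proxy
# TCP connection for the rule stated in the thread (once Negotiate auth has
# been accepted, every later request must carry Proxy-Authorization).

def parse_message(raw: str):
    """Split a raw HTTP request or response (e.g. copied out of a capture)
    into its start line and a lower-cased header dict."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def audit_connection(pairs):
    """pairs: ordered (raw_request, raw_response) from ONE client->proxy TCP
    connection. Returns (number of 407 challenges, list of findings)."""
    authenticated = False
    challenges, findings = 0, []
    for i, (req, resp) in enumerate(pairs, 1):
        req_line, req_h = parse_message(req)
        status = int(parse_message(resp)[0].split()[1])
        scheme = req_h.get("proxy-authorization", "").split(" ")[0]
        if status == 407:
            challenges += 1            # a challenge; nothing has to follow it
        elif scheme == "Negotiate" and 200 <= status < 300:
            authenticated = True       # token accepted on this connection
        elif authenticated and not scheme and 200 <= status < 300:
            # Served without the token after auth was established; per the
            # thread this should instead have ended the TCP connection.
            findings.append(f"request {i} ({req_line}) served without credentials")
    return challenges, findings

# Constructed sample, modelled on what the poster saw in Wireshark.
TOKEN = "Negotiate CONSTRUCTED-PLACEHOLDER-TOKEN"
REQ = "GET http://example.com/{} HTTP/1.1\r\nHost: example.com\r\n{}\r\n\r\n"
SAMPLE = [
    (REQ.format("a", ""), "HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: Negotiate\r\n\r\n"),
    (REQ.format("a", "Proxy-Authorization: " + TOKEN), "HTTP/1.1 200 OK\r\n\r\n"),
    (REQ.format("b", ""), "HTTP/1.1 200 OK\r\n\r\n"),
    (REQ.format("c", "Proxy-Authorization: " + TOKEN), "HTTP/1.1 200 OK\r\n\r\n"),
    (REQ.format("d", ""), "HTTP/1.1 200 OK\r\n\r\n"),
]

if __name__ == "__main__":
    n407, hits = audit_connection(SAMPLE)
    print(f"407 challenges seen: {n407}")
    for hit in hits:
        print(hit)
```

Feeding it real captures means exporting each request/response of a single TCP stream as text (the `Follow TCP Stream` output works with minor splitting) and pairing them in order.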

