[squid-users] suppress sending authentication prompt
Amos Jeffries
squid3 at treenet.co.nz
Wed Jul 22 11:54:51 UTC 2015
On 22/07/2015 3:36 a.m., Berkes, David wrote:
> Thank you.
> From the tcpdump, I see the iphone sending requests to the proxy. Sometimes with credentials and sometimes not. How can I tell squid to not send 407 in response to the header with no credentials? I have tried the following variations with no luck.
>
Think about that for a minute.
If Squid is never allowed to *ask* for credentials. How will it get them?
Do you really want the browser actively broadcasting usernames and
passwords in trivially decrypted format out into the network regardless
of where its connecting to?
You can block Squid actively requesting credentials by adding " all" to
the end of the http_access line(s) that would otherwise end with
ncsa_users ACL check. However, that will only cause the browser to
display an error page. Access Denied, end of transaction, full stop,
dont try again.
Remember that the popup is *not* part of HTTP messaging nor the HTTP
level authentication. It is purely a browser internal mechanism for
locating credentials.
407 is a perfectly normal HTTP operation. A working browser would always
answer Squid 407 queries by sending the MDM configured cerdentials, with
*zero* user involvement.
I suspect that perhapse your MDM system is tying the credentials to an
IPv4 address, and the iPhone using IPv6 on some traffic?
Or maybe the browser really is braindead and forgetting how to lookup
the credentials.
Amos
More information about the squid-users
mailing list