[squid-users] authentication of every GET request from part of URL?

Amos Jeffries squid3 at treenet.co.nz
Fri Nov 6 15:07:16 UTC 2015


On 7/11/2015 1:33 a.m., Sreenath BH wrote:
> Hi
> I am very new to Squid, and think I have a strange requirement.
> We want to serve cached content only if the client has been
> authenticated before.
> Since we don't expect the client software to send any information in
> headers, we embed a token in the URL that we present to the user.
> 

Um, you know how sending username and password in plain-text Basic auth
headers is supposed to be the worst form of security around?

It's not quite. Sending credentials in the URL is worse. Even if it's
just an encoded token.

Why are you avoiding actual HTTP authentication?

Why be so actively hostile to every other cache in existence?


> So when the client s/w uses this URL, we want to extract the token
> from URL and do a small database query to ensure that the token is
> valid.
> 
> This is in accelerator mode.
> Is it possible to use something similar to basic_fake_auth and put my
> code there that does some database query?

The "basic_..._auth" parts of that helper's name mean that it performs
HTTP Basic authentication.

The "fake" part means that it does not perform any kind of validation.

All of the text above has been describing how you want to perform
actions which are the direct opposite of everything basic_fake_auth does.


> If the query fails, we don't return the cached content?

What do you want to be delivered instead?


Amos
