[squid-users] Query about login=pass
Sreenath BH
bhsreenath at gmail.com
Fri Apr 1 12:40:33 UTC 2016
Hi All,
We have a setup with two squid servers lets say, squid1 and squid2.
Requests land at Squid1 and it sends the request to squid2. Squid2
uses X-User-ID and Authorization headers for authenticating the user,
and on success, fetches data from another webserver and returns the
data. If authentication fails, it returns a 401 response.
What we have observed is that for some reason, squid does not send the
Authorization header to the upstream squid server. However, X-User-ID
header is always sent to upstre.
10.135.81.100 is squid2.
Here is configuration of squid1, where we see the problem.
------------------
acl test_upload urlpath_regex ^/upload
acl test_nms urlpath_regex ^/nms
acl trash_misc urlpath_regex ^/trash
http_port 80 accel defaultsite=sitgateway.qiodrive.com vhost
https_port 443 cert=/etc/squid3/certificates/test.crt
key=/etc/squid3/certificates/qiodrivekey.key
cafile=/etc/squid3/certificates/gd_bundle-g2-g1.crt accel
cache_peer 10.135.81.100 parent 80 0 no-query login=PASS originserver name=name1
cache_peer_access name1 allow test_upload
cache_peer_access name1 deny all
cache_peer 10.135.81.100 parent 80 0 no-query login=PASS originserver name=name2
cache_peer_access name2 allow test_nms
cache_peer_access name2 deny all
cache_peer 10.135.81.100 parent 80 0 no-query originserver name=name3
cache_peer_access name3 allow trash_misc
cache_peer_access name3 deny all
----------------
As can be seen above, we have associated different names (name1,
name2 and name3) for the same Squid2 server, all listening at same
port also. Is this a correct way of doing it? I ran squid -parse on
the squid.conf file and it did not report any problem.
1. Squid1 listens on both 80 and SSL port. If request comes on SSL
port, will it send Authorization token to Squid that is not SSL squid?
2. In the source code of squid (http.c) I see following lines in the function:
void
copyOneHeaderFromClientsideRequestToUpstreamRequest(const
HttpHeaderEntry *e, const String strConnection, const HttpRequest *
request, HttpHeader * hdr_out, const int we_do_ranges, const
HttpStateFlags &flags)
case HDR_AUTHORIZATION:
/** \par WWW-Authorization:
* Pass on WWW authentication */
if (!flags.originpeer) {
hdr_out->addEntry(e->clone());
} else {
/** \note In accelerators, only forward authentication if enabled
* (see also httpFixupAuthentication for special cases)
*/
if (request->peer_login &&
(strcmp(request->peer_login, "PASS") == 0 ||
strcmp(request->peer_login, "PASSTHRU") == 0 ||
strcmp(request->peer_login, "PROXYPASS") == 0)) {
hdr_out->addEntry(e->clone());
}
}
break;
I don't understand what might prevent squid from sending the
Authorization header.
Any help appreciated,
thanks,
Sreenath
More information about the squid-users
mailing list