--------------------- PatchSet 945 Date: 2000/12/17 12:09:36 Author: hno Branch: upstreamauth Tag: (none) Log: cache_peer login=PASS option to enable forwarding of proxy authentication. proxy_auth forwarding is now disabled by default, as per RFC2616 (hop-by-hop header), and must be explicitly enabled on a per peer basis. Members: src/acl.c:1.5->1.5.6.1 src/cf.data.pre:1.5->1.5.6.1 src/forward.c:1.5->1.5.6.1 src/http.c:1.5->1.5.12.1 src/ssl.c:1.3->1.3.18.1 src/structs.h:1.8->1.8.6.1 Index: squid/src/acl.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/acl.c,v retrieving revision 1.5 retrieving revision 1.5.6.1 diff -u -r1.5 -r1.5.6.1 --- squid/src/acl.c 12 Dec 2000 23:21:16 -0000 1.5 +++ squid/src/acl.c 17 Dec 2000 12:09:36 -0000 1.5.6.1 @@ -1,6 +1,6 @@ /* - * $Id: acl.c,v 1.5 2000/12/12 23:21:16 adri Exp $ + * $Id: acl.c,v 1.5.6.1 2000/12/17 12:09:36 hno Exp $ * * DEBUG: section 28 Access Control * AUTHOR: Duane Wessels @@ -1475,11 +1475,6 @@ return -1; #endif } - /* - * Register that we used the proxy authentication header so that - * it is not forwarded to the next proxy - */ - r->flags.used_proxy_auth = 1; /* Check the password */ switch (aclMatchProxyAuth(ae->data, header, Index: squid/src/cf.data.pre =================================================================== RCS file: /cvsroot/squid-sf//squid/src/cf.data.pre,v retrieving revision 1.5 retrieving revision 1.5.6.1 diff -u -r1.5 -r1.5.6.1 --- squid/src/cf.data.pre 12 Dec 2000 23:21:17 -0000 1.5 +++ squid/src/cf.data.pre 17 Dec 2000 12:09:36 -0000 1.5.6.1 @@ -1,6 +1,6 @@ # -# $Id: cf.data.pre,v 1.5 2000/12/12 23:21:17 adri Exp $ +# $Id: cf.data.pre,v 1.5.6.1 2000/12/17 12:09:36 hno Exp $ # # # SQUID Internet Object Cache http://squid.nlanr.net/Squid/ @@ -228,7 +228,7 @@ no-digest no-netdb-exchange no-delay - login=user:password + login=user:password|PASS connect-timeout=nn digest-url=url allow-miss 
@@ -280,6 +280,11 @@ use 'login=user:password' if this is a personal/workgroup proxy and your parent requires proxy authentication. + use 'login=PASS' if users must authenticate against + the upstream proxy. Note: To combine this with + proxy_auth both proxies must share the same user + database as HTTP only allows for one proxy login. + use 'connect-timeout=nn' to specify a peer specific connect timeout (also see the peer_connect_timeout directive) Index: squid/src/forward.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/forward.c,v retrieving revision 1.5 retrieving revision 1.5.6.1 diff -u -r1.5 -r1.5.6.1 --- squid/src/forward.c 12 Dec 2000 23:21:18 -0000 1.5 +++ squid/src/forward.c 17 Dec 2000 12:09:36 -0000 1.5.6.1 @@ -1,6 +1,6 @@ /* - * $Id: forward.c,v 1.5 2000/12/12 23:21:18 adri Exp $ + * $Id: forward.c,v 1.5.6.1 2000/12/17 12:09:36 hno Exp $ * * DEBUG: section 17 Request Forwarding * AUTHOR: Duane Wessels @@ -392,6 +392,7 @@ fwdState->request->peer_login = p->login; httpStart(fwdState); } else { + fwdState->request->peer_login = NULL; switch (request->protocol) { case PROTO_HTTP: httpStart(fwdState); Index: squid/src/http.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/http.c,v retrieving revision 1.5 retrieving revision 1.5.12.1 diff -u -r1.5 -r1.5.12.1 --- squid/src/http.c 14 Nov 2000 13:03:47 -0000 1.5 +++ squid/src/http.c 17 Dec 2000 12:09:36 -0000 1.5.12.1 @@ -1,6 +1,6 @@ /* - * $Id: http.c,v 1.5 2000/11/14 13:03:47 adri Exp $ + * $Id: http.c,v 1.5.12.1 2000/12/17 12:09:36 hno Exp $ * * DEBUG: section 11 Hypertext Transfer Protocol (HTTP) * AUTHOR: Harvest Derived 
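Review bot: The NULL reset added in forward.c's direct branch is what makes both http.c checks (`request->flags.proxying && orig_request->peer_login`) short-circuit, but nothing at the assignment says why it is needed; presumably the request can still carry the login of a peer tried earlier, and a one-line comment would let that intent survive later edits, e.g. `/* Going direct: drop any peer login so no Proxy-Authorization is generated or forwarded */`. The matching reset in the ssl.c hunk of this patchset would take the same comment. The enclosing function starts and ends outside the hunk.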
@@ -685,16 +685,26 @@
 continue;
 switch (e->id) {
 case HDR_PROXY_AUTHORIZATION:
- /* If we're not doing proxy auth, then it must be passed on */
- if (!request->flags.used_proxy_auth)
+ /* Only pass on proxy authentication to peers for which
+ * authentication forwarding is explicitly enabled
+ */
+ if (request->flags.proxying && orig_request->peer_login &&
+ strcmp(orig_request->peer_login, "PASS") == 0)
 httpHeaderAddEntry(hdr_out, httpHeaderEntryClone(e));
 break;
 case HDR_AUTHORIZATION:
- /* If we're not doing www auth, then it must be passed on */
- if (!request->flags.accelerated || !request->flags.used_proxy_auth)
- httpHeaderAddEntry(hdr_out, httpHeaderEntryClone(e));
- else
- request->flags.auth = 0; /* We have used the authentication */
+ /* Pass on WWW authentication even if used locally. If this is
+ * not wanted in an accelerator then the header can be removed
+ * using the anonymization functions
+ */
+ httpHeaderAddEntry(hdr_out, httpHeaderEntryClone(e));
+ /* XXX Some accelerators might want to strip the header
+ * and regard the reply as cacheable, but authentication
+ * is not normally enabled for accelerators without reading
+ * the code, so there is not much use in adding logics here
+ * without first defining the concept of having authentication
+ * in the accelerator...
+ */
 break;
 case HDR_HOST:
 /*
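Review bot: The HDR_AUTHORIZATION branch now forwards the client's Authorization header unconditionally, so an accelerator that authenticates users itself hands every user's credentials to the origin server unless the anonymizer is configured to strip the header; the block comment should state that as a configuration requirement rather than an option, e.g. `/* Forwarded unchanged: an accelerator doing its own authentication must strip this header via the anonymizer unless the origin is trusted with the users' credentials */`. The HDR_PROXY_AUTHORIZATION branch has the same property for login=PASS peers, which receive the client's credentials verbatim, and when the client sent no Proxy-Authorization nothing is sent at all (the -782 hunk skips the Basic header for PASS), so the peer's 407 presumably has to be relayed back to the client for authentication to complete — that reply path is not visible from here. The enclosing function starts and ends outside the hunk.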
@@ -782,7 +792,8 @@ } /* append Proxy-Authorization if configured for peer, and proxying */ if (!httpHeaderHas(hdr_out, HDR_PROXY_AUTHORIZATION)) { - if (request->flags.proxying && orig_request->peer_login) { + if (request->flags.proxying && orig_request->peer_login && + strcmp(orig_request->peer_login, "PASS") != 0) { httpHeaderPutStrf(hdr_out, HDR_PROXY_AUTHORIZATION, "Basic %s", base64_encode(orig_request->peer_login)); } Index: squid/src/ssl.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/ssl.c,v retrieving revision 1.3 retrieving revision 1.3.18.1 diff -u -r1.3 -r1.3.18.1 --- squid/src/ssl.c 23 Oct 2000 15:04:22 -0000 1.3 +++ squid/src/ssl.c 17 Dec 2000 12:09:36 -0000 1.3.18.1 @@ -1,6 +1,6 @@ /* - * $Id: ssl.c,v 1.3 2000/10/23 15:04:22 hno Exp $ + * $Id: ssl.c,v 1.3.18.1 2000/12/17 12:09:36 hno Exp $ * * DEBUG: section 26 Secure Sockets Layer Proxy * AUTHOR: Duane Wessels @@ -586,6 +586,7 @@ sslState->request->peer_login = fs->peer->login; sslState->request->flags.proxying = 1; } else { + sslState->request->peer_login = NULL; sslState->request->flags.proxying = 0; } #if DELAY_POOLS Index: squid/src/structs.h =================================================================== RCS file: /cvsroot/squid-sf//squid/src/structs.h,v retrieving revision 1.8 retrieving revision 1.8.6.1 diff -u -r1.8 -r1.8.6.1 --- squid/src/structs.h 12 Dec 2000 23:21:20 -0000 1.8 +++ squid/src/structs.h 17 Dec 2000 12:09:36 -0000 1.8.6.1 @@ -1,6 +1,6 @@ /* - * $Id: structs.h,v 1.8 2000/12/12 23:21:20 adri Exp $ + * $Id: structs.h,v 1.8.6.1 2000/12/17 12:09:36 hno Exp $ * * * SQUID Internet Object Cache http://squid.nlanr.net/Squid/ @@ -1400,7 +1400,6 @@ unsigned int proxy_keepalive:1; unsigned int proxying:1; unsigned int refresh:1; - unsigned int used_proxy_auth:1; unsigned int redirected:1; unsigned int need_validation:1; #if HTTP_VIOLATIONS
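Review bot: The string "PASS" is now tested at two sites with complementary conditions (`!= 0` here, `== 0` in the -685 hunk), so any future login= keyword must be added to both or it is silently neither forwarded nor turned into a Basic header; a single helper such as `static int peerLoginIsPass(const char *login) { return login != NULL && strcmp(login, "PASS") == 0; }` used at both sites keeps them in step and also absorbs the NULL check both repeat. Any value other than the exact keyword is still base64-encoded as user:password, so a case variant like login=pass goes upstream as a literal credential rather than being rejected; validating the keyword where cache_peer is parsed would catch that, though the parser is not part of this patchset. The enclosing function starts and ends outside the hunk.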