--------------------- PatchSet 1138 Date: 2001/01/07 00:37:02 Author: hno Branch: auth_rewrite Tag: (none) Log: Ported changes from upstreamauth Members: src/acl.c:1.1.1.3.12.26.2.21->1.1.1.3.12.26.2.22 src/cache_cf.c:1.1.1.3.4.1.2.9.2.14->1.1.1.3.4.1.2.9.2.15 src/cf.data.pre:1.1.1.3.4.1.2.18.2.13->1.1.1.3.4.1.2.18.2.14 src/forward.c:1.1.1.3.12.6.2.3->1.1.1.3.12.6.2.4 src/http.c:1.1.1.3.4.1.2.10.2.4->1.1.1.3.4.1.2.10.2.5 src/ssl.c:1.1.1.3.12.5.2.1->1.1.1.3.12.5.2.2 src/structs.h:1.1.1.3.4.1.2.26.2.24->1.1.1.3.4.1.2.26.2.25 Index: squid/src/acl.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/acl.c,v retrieving revision 1.1.1.3.12.26.2.21 retrieving revision 1.1.1.3.12.26.2.22 diff -u -r1.1.1.3.12.26.2.21 -r1.1.1.3.12.26.2.22 --- squid/src/acl.c 6 Jan 2001 23:56:27 -0000 1.1.1.3.12.26.2.21 +++ squid/src/acl.c 7 Jan 2001 00:37:02 -0000 1.1.1.3.12.26.2.22 @@ -1,6 +1,6 @@ /* - * $Id: acl.c,v 1.1.1.3.12.26.2.21 2001/01/06 23:56:27 rbcollins Exp $ + * $Id: acl.c,v 1.1.1.3.12.26.2.22 2001/01/07 00:37:02 hno Exp $ * * DEBUG: section 28 Access Control * AUTHOR: Duane Wessels @@ -1643,14 +1643,6 @@ return -1; #endif } -#if 0 - /* we no longer check this here. See http.c - it's now a peer based option */ - /* - * Register that we used the proxy authentication header so that - * it is not forwarded to the next proxy - */ - r->flags.used_proxy_auth = 1; -#endif /* Check the credentials */ switch (aclMatchProxyAuth(ae->data, headertype, checklist->auth_user_request, checklist, ae->type)) { Index: squid/src/cache_cf.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/cache_cf.c,v retrieving revision 1.1.1.3.4.1.2.9.2.14 retrieving revision 1.1.1.3.4.1.2.9.2.15 diff -u -r1.1.1.3.4.1.2.9.2.14 -r1.1.1.3.4.1.2.9.2.15 --- squid/src/cache_cf.c 6 Jan 2001 23:56:28 -0000 1.1.1.3.4.1.2.9.2.14 +++ squid/src/cache_cf.c 7 Jan 2001 00:37:02 -0000 1.1.1.3.4.1.2.9.2.15 
@@ -1,6 +1,6 @@ /* - * $Id: cache_cf.c,v 1.1.1.3.4.1.2.9.2.14 2001/01/06 23:56:28 rbcollins Exp $ + * $Id: cache_cf.c,v 1.1.1.3.4.1.2.9.2.15 2001/01/07 00:37:02 hno Exp $ * * DEBUG: section 3 Configuration File Parsing * AUTHOR: Harvest Derived @@ -1253,8 +1253,6 @@ #endif } else if (!strcasecmp(token, "allow-miss")) { p->options.allow_miss = 1; - } else if (!strcasecmp(token, "pass_on_auth_headers")) { - p->options.pass_on_auth_headers = 1; } else if (!strcasecmp(token, "max-conn=")) { p->max_conn = atoi(token + 9); } else { Index: squid/src/cf.data.pre =================================================================== RCS file: /cvsroot/squid-sf//squid/src/cf.data.pre,v retrieving revision 1.1.1.3.4.1.2.18.2.13 retrieving revision 1.1.1.3.4.1.2.18.2.14 diff -u -r1.1.1.3.4.1.2.18.2.13 -r1.1.1.3.4.1.2.18.2.14 --- squid/src/cf.data.pre 5 Jan 2001 06:12:22 -0000 1.1.1.3.4.1.2.18.2.13 +++ squid/src/cf.data.pre 7 Jan 2001 00:37:02 -0000 1.1.1.3.4.1.2.18.2.14 @@ -1,6 +1,6 @@ # -# $Id: cf.data.pre,v 1.1.1.3.4.1.2.18.2.13 2001/01/05 06:12:22 rbcollins Exp $ +# $Id: cf.data.pre,v 1.1.1.3.4.1.2.18.2.14 2001/01/07 00:37:02 hno Exp $ # # # SQUID Internet Object Cache http://squid.nlanr.net/Squid/ @@ -228,11 +228,10 @@ no-digest no-netdb-exchange no-delay - login=user:password + login=user:password|PASS connect-timeout=nn digest-url=url allow-miss - pass_on_auth_headers use 'proxy-only' to specify that objects fetched from this cache should not be saved locally. 
@@ -281,6 +280,13 @@ use 'login=user:password' if this is a personal/workgroup proxy and your parent requires proxy authentication. + use 'login=PASS' if users must authenticate against + the upstream proxy. Note: To combine this with + proxy_auth both proxies must share the same user + database as HTTP only allows for one proxy login. + Also be warned that this will expose your users proxy + password to the parent. USE WITH CAUTION + use 'connect-timeout=nn' to specify a peer specific connect timeout (also see the peer_connect_timeout directive) @@ -299,12 +305,6 @@ requests from peer by denying cache_peer_access if the source is a peer) - use 'pass_on_auth_headers' to instruct squid to pass authentication - headers (if present) onto the next upstream cache server. They will - not get sent to origin servers. - ****WARNING: use of this option may result in unintended exposure of - your users login details across the internet. USE WITH CAUTION**** - NOTE: non-ICP neighbors must be specified as 'parent'. DOC_END Index: squid/src/forward.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/forward.c,v retrieving revision 1.1.1.3.12.6.2.3 retrieving revision 1.1.1.3.12.6.2.4 diff -u -r1.1.1.3.12.6.2.3 -r1.1.1.3.12.6.2.4 --- squid/src/forward.c 5 Jan 2001 22:45:27 -0000 1.1.1.3.12.6.2.3 +++ squid/src/forward.c 7 Jan 2001 00:37:02 -0000 1.1.1.3.12.6.2.4 @@ -1,6 +1,6 @@ /* - * $Id: forward.c,v 1.1.1.3.12.6.2.3 2001/01/05 22:45:27 rbcollins Exp $ + * $Id: forward.c,v 1.1.1.3.12.6.2.4 2001/01/07 00:37:02 hno Exp $ * * DEBUG: section 17 Request Forwarding * AUTHOR: Duane Wessels 
@@ -391,6 +391,7 @@ fwdState->request->peer_login = p->login; httpStart(fwdState); } else { + fwdState->request->peer_login = NULL; switch (request->protocol) { case PROTO_HTTP: httpStart(fwdState); Index: squid/src/http.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/http.c,v retrieving revision 1.1.1.3.4.1.2.10.2.4 retrieving revision 1.1.1.3.4.1.2.10.2.5 diff -u -r1.1.1.3.4.1.2.10.2.4 -r1.1.1.3.4.1.2.10.2.5 --- squid/src/http.c 5 Jan 2001 22:45:27 -0000 1.1.1.3.4.1.2.10.2.4 +++ squid/src/http.c 7 Jan 2001 00:37:02 -0000 1.1.1.3.4.1.2.10.2.5 @@ -1,6 +1,6 @@ /* - * $Id: http.c,v 1.1.1.3.4.1.2.10.2.4 2001/01/05 22:45:27 rbcollins Exp $ + * $Id: http.c,v 1.1.1.3.4.1.2.10.2.5 2001/01/07 00:37:02 hno Exp $ * * DEBUG: section 11 Hypertext Transfer Protocol (HTTP) * AUTHOR: Harvest Derived 
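Review bot: The added `fwdState->request->peer_login = NULL;` on the direct branch carries no comment, and its purpose is not obvious from this hunk alone: in the http.c part of this patch the request's `peer_login` is what is compared against the literal `"PASS"` to decide whether the client's Proxy-Authorization header is relayed, so a value left over from an earlier peer selection would turn a direct fetch into a credential-forwarding one. Suggest `/* direct fetch: no peer credentials, and never relay the client's Proxy-Authorization */` above the assignment. Whether a stale value can actually persist between forwarding attempts depends on the retry logic, which is not visible here; the enclosing function starts and ends outside the hunk.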
@@ -689,22 +689,27 @@ } switch (e->id) { case HDR_PROXY_AUTHORIZATION: - /* If we're configured to pass proxy auth, then it must be passed on */ -#if 0 - if (!request->flags.used_proxy_auth) -#endif - if (!flags.used_proxy_auth) + /* Only pass on proxy authentication to peers for which + * authentication forwarding is explicitly enabled + */ + if (request->flags.proxying && orig_request->peer_login && + strcmp(orig_request->peer_login, "PASS") == 0) { httpHeaderAddEntry(hdr_out, httpHeaderEntryClone(e)); + } break; case HDR_AUTHORIZATION: - /* If we're not doing www auth, then it must be passed on */ -#if 0 - if (!request->flags.accelerated || !request->flags.used_proxy_auth) -#endif - if (!request->flags.accelerated || !flags.used_proxy_auth) - httpHeaderAddEntry(hdr_out, httpHeaderEntryClone(e)); - else - request->flags.auth = 0; /* We have used the authentication */ + /* Pass on WWW authentication even if used locally. If this is + * not wanted in an accelerator then the header can be removed + * using the anonymization functions + */ + httpHeaderAddEntry(hdr_out, httpHeaderEntryClone(e)); + /* XXX Some accelerators might want to strip the header + * and regard the reply as cacheable, but authentication + * is not normally enabled for accelerators without reading + * the code, so there is not much use in adding logics here + * without first defining the concept of having authentication + * in the accelerator... + */ break; case HDR_HOST: /* @@ -785,7 +790,8 @@ } /* append Proxy-Authorization if configured for peer, and proxying */ if (!httpHeaderHas(hdr_out, HDR_PROXY_AUTHORIZATION)) { - if (request->flags.proxying && orig_request->peer_login) { + if (request->flags.proxying && orig_request->peer_login && + strcmp(orig_request->peer_login, "PASS") != 0) { httpHeaderPutStrf(hdr_out, HDR_PROXY_AUTHORIZATION, "Basic %s", base64_encode(orig_request->peer_login)); } 
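Review bot: The rewritten HDR_AUTHORIZATION case drops the old `request->flags.auth = 0` that was executed after the header had been consumed locally, and neither the new comment nor the XXX note says whether keeping the flag set is intended. I cannot tell from this hunk what `flags.auth` controls downstream (cacheability of the reply is the usual suspect), so the comment should state it explicitly, e.g. `/* flags.auth is deliberately left set: the reply must still be handled as an authenticated one */`, or the flag should be cleared as before if that was relied upon. The Proxy-Authorization case now relays whatever scheme the client used; if connection-bound schemes (NTLM-style) are in scope for this branch, a relayed token will not be valid on the separate peer connection, and a one-line warning in the comment would save the next reader a debugging session. The enclosing function starts and ends outside the hunk.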
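Review bot: The `"PASS"` sentinel is matched by a case-sensitive `strcmp` here and again in the HDR_PROXY_AUTHORIZATION case above, while nothing in this patch validates the `login=` value at parse time, so a misspelling such as `login=pass` is silently base64-encoded and sent to the parent as a Basic credential (`cGFzcw==`, with no `user:password` separator) instead of enabling pass-through. Hoisting the decision into one local near the top of the function, `int pass_client_auth = orig_request->peer_login && strcmp(orig_request->peer_login, "PASS") == 0;`, keeps the two branches consistent, and a parse-time check in cache_cf.c (or a `strcasecmp`) would catch the typo before credentials leave the box. The enclosing function starts and ends outside the hunk.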
@@ -873,15 +879,7 @@ cfd = entry->mem_obj->fd; assert(-1 == cfd || FD_SOCKET == fd_table[cfd].type); if (p != NULL) - { - httpState->flags.proxying = 1; - httpState->flags.used_proxy_auth=p->options.pass_on_auth_headers ? 0:1; - } - else - { - /* direct connection - never send on auth credentials */ - httpState->flags.used_proxy_auth=1; - } + httpState->flags.proxying = (p != NULL); /* * Is keep-alive okay for all request methods? */ Index: squid/src/ssl.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/ssl.c,v retrieving revision 1.1.1.3.12.5.2.1 retrieving revision 1.1.1.3.12.5.2.2 diff -u -r1.1.1.3.12.5.2.1 -r1.1.1.3.12.5.2.2 --- squid/src/ssl.c 5 Jan 2001 22:45:28 -0000 1.1.1.3.12.5.2.1 +++ squid/src/ssl.c 7 Jan 2001 00:37:02 -0000 1.1.1.3.12.5.2.2 @@ -1,6 +1,6 @@ /* - * $Id: ssl.c,v 1.1.1.3.12.5.2.1 2001/01/05 22:45:28 rbcollins Exp $ + * $Id: ssl.c,v 1.1.1.3.12.5.2.2 2001/01/07 00:37:02 hno Exp $ * * DEBUG: section 26 Secure Sockets Layer Proxy * AUTHOR: Duane Wessels @@ -587,6 +587,7 @@ sslState->request->peer_login = fs->peer->login; sslState->request->flags.proxying = 1; } else { + sslState->request->peer_login = NULL; sslState->request->flags.proxying = 0; } #if DELAY_POOLS Index: squid/src/structs.h =================================================================== RCS file: /cvsroot/squid-sf//squid/src/structs.h,v retrieving revision 1.1.1.3.4.1.2.26.2.24 retrieving revision 1.1.1.3.4.1.2.26.2.25 diff -u -r1.1.1.3.4.1.2.26.2.24 -r1.1.1.3.4.1.2.26.2.25 --- squid/src/structs.h 7 Jan 2001 00:24:26 -0000 1.1.1.3.4.1.2.26.2.24 +++ squid/src/structs.h 7 Jan 2001 00:37:02 -0000 1.1.1.3.4.1.2.26.2.25 @@ -1,6 +1,6 @@ /* - * $Id: structs.h,v 1.1.1.3.4.1.2.26.2.24 2001/01/07 00:24:26 rbcollins Exp $ + * $Id: structs.h,v 1.1.1.3.4.1.2.26.2.25 2001/01/07 00:37:02 hno Exp $ * * * SQUID Internet Object Cache http://squid.nlanr.net/Squid/ 
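Review bot: This hunk removes the explicit "direct connection - never send on auth credentials" safeguard together with `used_proxy_auth`, so the only thing now preventing the client's Proxy-Authorization from being relayed on a direct fetch is `peer_login` being NULL, which is set in forward.c rather than here, and the header builder in this same patch tests `request->flags.proxying` rather than the `httpState->flags.proxying` assigned on this line. A comment such as `/* credential relay is decided in httpBuildRequestHeader from request->peer_login ("PASS") */` would record where the decision moved to. Whether `httpState->flags.proxying` and `request->flags.proxying` are always kept in step is not visible in this hunk; the enclosing function starts and ends outside it.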
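Review bot: The ssl.c branch sets `peer_login` and `flags.proxying` for a CONNECT via a peer but nothing in this patch shows the CONNECT request builder honouring the `"PASS"` sentinel, so with `login=PASS` the tunnel path may either send `Basic UEFTUw==` to the parent or send nothing, depending on code outside this hunk — please confirm that path was updated too. The new `sslState->request->peer_login = NULL;` should carry the same rationale as the forward.c change, e.g. `/* direct CONNECT: no peer credentials and nothing to relay */`. The enclosing function starts and ends outside the hunk.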
@@ -889,7 +889,6 @@ unsigned int proxying:1; unsigned int keepalive:1; unsigned int only_if_cached:1; - unsigned int used_proxy_auth:1; }; struct _HttpStateData { @@ -1193,7 +1192,6 @@ unsigned int no_delay:1; #endif unsigned int allow_miss:1; - unsigned int pass_on_auth_headers:1; } options; int weight; struct { @@ -1518,9 +1516,6 @@ unsigned int proxy_keepalive:1; unsigned int proxying:1; unsigned int refresh:1; -#if 0 - unsigned int used_proxy_auth:1; -#endif unsigned int redirected:1; unsigned int need_validation:1; #if HTTP_VIOLATIONS