As I understand from the squid.conf documentation login=PASSTHRU: "Send login details received from client to this peer. Both Proxy- and WWW-Authorization headers are passed without alteration to the peer." But as I mentioned in my previous messages proxy-authenticate headers sent from the proxy are removed before sent to the client (unless login=PASS is configured). Is that how the PASSTHRU should behave? In any case I also set the connection-auth=on for that peer.
On Mon, May 23, 2011 at 4:27 PM, Tsachi <tsachi.ki...@gmail.com> wrote: > Thanks for your replay, > I have tried the PASSTHRU before but it didn’t work for me with NTLM. > It seems that http "proxy-authenticate: XXXXX" headers are removed in > the client replay if the login is configured not to be PASS. > > clientReplyContext::buildReplyHeader() > if ( !(request->peer_login && strcmp(request->peer_login,"PASS") ==0)) > reply->header.delById(HDR_PROXY_AUTHENTICATE); > > Removing this condition seems to overcome this. > > But it seems to be asking for user and password quite occasionally. > > Is the connection pinning is already fully integrated to 3.2? > > > On Mon, May 23, 2011 at 3:13 PM, Amos Jeffries <squ...@treenet.co.nz> wrote: >> On 23/05/11 23:59, Tsachi wrote: >>> >>> Hey I am checkig Squid 3.2.0.5. >>> I have a question regarding some behavior I noticed. >>> Configuring a parent proxy with login=PASS. >>> No user or passwords are configured in ACL. >>> >>> A client makes a normal http request without any authorization header. >>> Squid process the request and sends it to the parent proxy with the >>> header field "proxy-authorization: Basic xxxxx" >>> >>> I guess this is because the httpFixupAuthentication (http.cc) is >>> called and reach the end and set httpHeaderPutStrf(hdr_out, header, >>> "Basic %s",base64_encode(orig_request->peer_login)); >>> >>> Is that how it is suppose to be? >> >> Yes. "login=PASS" *requires* login to be sent and goes to some lengths to >> locate a login for passing on. >> >>> Am I missing here something? >> >> If you need Squid to pass the exact login/non-login state of requests >> through to a peer use "login=PASSTHRU" which was added in 3.2. This will >> make Squid transparent regarding the Proxy-Auth headers. >> >> Amos >> -- >> Please be using >> Current Stable Squid 2.7.STABLE9 or 3.1.12 >> Beta testers wanted for 3.2.0.7 and 3.1.12.1 >> >