Henrik Nordström | 1 May 2010 02:44

Re: Forward Authenticated User

Thu 2010-04-29 at 15:53 -0430, Robert Marcano wrote:
> I am attaching a patch for 3.0.x versions (I will forward port if there 
> is interest and change recommendations). This patch adds a new option to 
> Squid that allows it to forward the current authenticated user to the 
> next proxy (or the HTTP server if that is what is wanted) via an HTTP 
> header.

How does this differ from the already existing login=*:somesecret
cache_peer option? From your description it sounds like that may
actually be preferred as you then do not need to patch DG to support the
new header.

Regards
Henrik

noc | 1 May 2010 04:16

Build failed in Hudson: 3.HEAD-i386-opensolaris-SunStudioCc #203

See <http://build.squid-cache.org/job/3.HEAD-i386-opensolaris-SunStudioCc/203/changes>

Changes:

[Automatic source maintenance <squidadm <at> squid-cache.org>] SourceFormat Enforcement

[Francesco Chemolli <kinkie <at> squid-cache.org>] Fixed more symbol overlapping in ntlm_auth/smb_lm helper


noc | 1 May 2010 05:04

Build failed in Hudson: 3.HEAD-sparc-opensolaris-SunStudioCc #134

See <http://build.squid-cache.org/job/3.HEAD-sparc-opensolaris-SunStudioCc/134/changes>

Changes:

[Automatic source maintenance <squidadm <at> squid-cache.org>] SourceFormat Enforcement

[Francesco Chemolli <kinkie <at> squid-cache.org>] Fixed more symbol overlapping in ntlm_auth/smb_lm helper


Amos Jeffries | 1 May 2010 05:12

Re: Introduction - pre patch submission

Robert Marcano wrote:
> Greetings.
> 
> I am interested in developing features for squid that are currently 
> needed in our installations, related to LDAP and authentication 
> integration and content filtering (ICAP). I have been able to add the 
> feature of forwarding the current authenticated user to the next proxy in the 
> chain, primarily because Squid is doing the Kerberos authentication and 
> the next proxy needs that info to execute other actions (I will follow 
> this introduction with another email with the explanation of the needs and 
> the implementation)

Welcome aboard.

You may already have seen these, but just in case.

Basic Reference on the tools needed to work with Squid code as a 
developer and links to other useful developer information:
  http://wiki.squid-cache.org/DeveloperResources

Documentation on the patch submission process how-to and what to expect:
  http://wiki.squid-cache.org/MergeProcedure

> 
> Another area I want to make a few contributions are:
> 
> - Capability to advertise different auth methods based on the request, 
> for example, restrict to NTLM and Negotiate only to browser and never 
> tell them that basic auth is allowed (IE still tries with basic even 
> when NTLM auth is ok but acl restricted the request), I want to avoid 

Amos Jeffries | 1 May 2010 05:17

Re: Forward Authenticated User

Henrik Nordström wrote:
> Thu 2010-04-29 at 15:53 -0430, Robert Marcano wrote:
>> I am attaching a patch for 3.0.x versions (I will forward port if there 
>> is interest and change recommendations). This patch adds a new option to 
>> Squid that allows it to forward the current authenticated user to the 
>> next proxy (or the HTTP server if that is what is wanted) via an HTTP 
>> header.
> 
> How does this differ from the already existing login=*:somesecret
> cache_peer option? From your description it sounds like that may
> actually be preferred as you then do not need to patch DG to support the
> new header.
> 
> Regards
> Henrik
> 

Additionally:
  3.0 is no longer supported for anything but serious security fixes
  3.1 is feature-frozen for production releases
  3.2 has true Negotiate/Kerberos login to peers already implemented

Amos
-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.1

Alex Rousskov | 1 May 2010 06:03

[PATCH] IpAddress truncates printed port that exceeds 9999

Fixed IpAddress port printing for ports higher than 9999:
snprintf includes zero-terminator in its size limit, so 7
rather than 6 bytes are needed to snprintf a colon followed
by 5 port digits.

Whether the bug has any runtime effects in the current code,
I do not know, but I did waste a few hours following
misleading debugging output.

Alex.
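
The size arithmetic described in the message above, as an added example that is not part of the original post or of Squid's code. `PortText` and `formatPort` are hypothetical names; the block shows a 6-byte limit dropping the last digit of a five-digit port and how snprintf's return value exposes the truncation.

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// Hypothetical helper (not Squid's IpAddress code): formats ":<port>" with the
// given size limit and reports whether snprintf had to truncate.
struct PortText {
    std::string text;   // what ended up in the buffer
    bool truncated;     // true if the full text did not fit
};

PortText formatPort(unsigned short port, size_t bufSize)
{
    char buf[16] = {0};
    if (bufSize > sizeof(buf))
        bufSize = sizeof(buf);
    // snprintf writes at most bufSize-1 characters plus the terminating NUL
    // and returns the length the complete output would have had.
    const int needed = snprintf(buf, bufSize, ":%u", static_cast<unsigned>(port));
    PortText r;
    r.text = buf;
    r.truncated = needed < 0 || static_cast<size_t>(needed) >= bufSize;
    return r;
}

int main()
{
    // Constructed sample ports around the 9999/10000 boundary.
    const unsigned short ports[] = {80, 3128, 9999, 10000, 65535};
    for (unsigned short p : ports) {
        const PortText six = formatPort(p, 6);
        const PortText seven = formatPort(p, 7);
        printf("port %5u  limit 6: %-7s%s  limit 7: %s\n",
               static_cast<unsigned>(p), six.text.c_str(),
               six.truncated ? " (truncated)" : "", seven.text.c_str());
    }
    return 0;
}
```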

Alex Rousskov | 1 May 2010 06:34

IpAddress comparison operators lie

Hello,

    Current IpAddress comparison operators are broken from a logic point
of view. For example, if a and b are IpAddress objects, then

* both (a < b) and (a > b) are true if exactly one address is NoAddr;

* (ip1 == ip2) may be true even if the addresses have different ports

There may be more inconsistencies; I have not checked all possible
combinations.

These bugs make it impossible to reliably sort or compare addresses
using C++ operators. However, I do not know whether some code already
relies on this broken behavior. Does it? In other words, should we just
fix the operators or is there more to it?

Thank you,

Alex.
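
A self-check for the two inconsistencies listed in the message above, as an added example that is not part of the original post or of Squid's code. `Addr`, the `reported*` functions (a model of the described symptom only) and the `addr*`/`endpointEqual` functions are hypothetical; sorting NoAddr before real addresses and keeping a separate port-aware equality are assumptions.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical stand-in for an address class; this is not Squid's IpAddress.
struct Addr {
    bool noAddr;    // models the NoAddr state mentioned in the post
    uint32_t ip;    // IPv4 only, to keep the example short
    uint16_t port;
};

// Model of the reported symptom: both answer "true" if exactly one is NoAddr.
bool reportedLess(const Addr &a, const Addr &b)
{ return a.noAddr != b.noAddr || (!a.noAddr && a.ip < b.ip); }
bool reportedGreater(const Addr &a, const Addr &b)
{ return a.noAddr != b.noAddr || (!a.noAddr && a.ip > b.ip); }

// Assumed ordering: NoAddr sorts before every real address; port is ignored.
bool addrLess(const Addr &a, const Addr &b)
{
    if (a.noAddr != b.noAddr)
        return a.noAddr;
    return !a.noAddr && a.ip < b.ip;
}
// Everything else is derived from addrLess, so the operators cannot disagree.
bool addrGreater(const Addr &a, const Addr &b) { return addrLess(b, a); }
bool addrEqual(const Addr &a, const Addr &b) { return !addrLess(a, b) && !addrLess(b, a); }
// Port-aware equality for the callers that need it.
bool endpointEqual(const Addr &a, const Addr &b) { return addrEqual(a, b) && a.port == b.port; }

typedef bool (*Cmp)(const Addr &, const Addr &);

// Counts ordered pairs for which "less" and "greater" both hold.
int contradictions(const std::vector<Addr> &v, Cmp less, Cmp greater)
{
    int bad = 0;
    for (const Addr &a : v)
        for (const Addr &b : v)
            if (less(a, b) && greater(a, b))
                ++bad;
    return bad;
}

// Constructed sample set: NoAddr, 10.0.0.1:0, 10.0.0.1:3128, 10.0.0.2:80.
std::vector<Addr> samples()
{ return {{true, 0, 0}, {false, 0x0A000001, 0}, {false, 0x0A000001, 3128}, {false, 0x0A000002, 80}}; }

int main()
{
    printf("reported: %d contradictory pairs\n", contradictions(samples(), reportedLess, reportedGreater));
    printf("consistent: %d contradictory pairs\n", contradictions(samples(), addrLess, addrGreater));
    return 0;
}
```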

noc | 1 May 2010 06:51

Hudson build is back to normal: 3.1-amd64-CentOS-5.3 #127

See <http://build.squid-cache.org/job/3.1-amd64-CentOS-5.3/127/changes>

noc | 1 May 2010 06:55

Build failed in Hudson: 3.1-i386-opensolaris #64

See <http://build.squid-cache.org/job/3.1-i386-opensolaris/64/changes>

Changes:

[Amos Jeffries <squid3 <at> treenet.co.nz>] Fix build issue in WCCPv1 handshake port.

[Amos Jeffries <squid3 <at> treenet.co.nz>] Author: Francesco Chemolli <kinkie <at> squid-cache.org>
Portability fix for profiler on CPU/OS combos where it's not supported.

[Amos Jeffries <squid3 <at> treenet.co.nz>] Drop obsolete RADIUS auth makefiles

[Amos Jeffries <squid3 <at> treenet.co.nz>] Bug 2863: pt 1: Some Cygwin compile errors

[Amos Jeffries <amosjeffries <at> squid-cache.org>] Author: Amos Jeffries <squid3 <at> treenet.co.nz>
Author: gkeeling <grm___k <at> hotmail.com>
Bug 2860: WCCPv1 broken in 3.1

[Amos Jeffries <amosjeffries <at> squid-cache.org>] Ensure the PID file directory exists on install.

/var/run may not be the location installed to now and squid -k signals will
not work if the PID file cannot be opened due to missing directories.

[Amos Jeffries <amosjeffries <at> squid-cache.org>] Author: Henrik Nordstrom <henrik <at> henriknordstrom.net>
Bug 2913: fix db_auth warning in new perl version

[Amos Jeffries <amosjeffries <at> squid-cache.org>] Author: Walter <bundestrojaner2 <at> googlemail.com>
Bug 2904: make can create uncomplete files

[Amos Jeffries <squid3 <at> treenet.co.nz>] Real --enable-ipv6 fix


Amos Jeffries | 1 May 2010 08:07

Re: IpAddress comparison operators lie

Alex Rousskov wrote:
> Hello,
> 
>     Current IpAddress comparison operators are broken from a logic point
> of view. For example, if a and b are IpAddress objects, then
> 
> * both (a < b) and (a > b) are true if exactly one address is NoAddr;
> 

Sorry.

  (a > b) looks correct.

  (a < b) should return false on that test instead of true. Or using the 
AnyAddr test like <= operator does.

> * (ip1 == ip2) may be true even if the addresses have different ports
> 

We have to ignore ports in the boolean operators due to all the code 
which does ACL matching on IPs. The squid.conf provided address has a 
zero port.
  If we include port in the comparison we will have to resort to 
duplicating every address being ACL tested and set its port to zero 
before doing each test.
  It's better to check the addr, then check the addr.GetPort() as needed 
for the minority of things which check the port.

> There may be more inconsistencies; I have not checked all possible
> combinations.