[squid-users] Authorization Header not passed to originservers in 2.6 release 7

From: Benno Blumenthal <benno@dont-contact.us>
Date: Tue, 23 Jan 2007 16:46:38 -0500

Hello All,

Well Henrik fixed all my monitorurl problems -- thank you very much.

But now I have a new problem.

If I set up my content servers as origin servers, e.g.

# ingrid service: iridlc5p
cache_peer iridlc5p.ldeo.columbia.edu parent 80 3130 no-query no-digest originserver monitorinterval=30 monitorurl=/expert/ name=ingridc5p round-robin
# ingrid service: iridlc6p
cache_peer iridlc6p.ldeo.columbia.edu parent 80 3130 no-query no-digest originserver monitorinterval=30 monitorurl=/expert/ name=ingridc6p round-robin

And feed the content to them

cache_peer_access ingridc5p deny sesameurl
cache_peer_access ingridc5p deny iridlcgi
cache_peer_access ingridc5p allow iridlingrid
cache_peer_access ingridc5p deny all
cache_peer_access ingridc6p deny sesameurl
cache_peer_access ingridc6p deny iridlcgi
cache_peer_access ingridc6p allow iridlingrid
cache_peer_access ingridc6p deny all

Everything works fine, except that the Authorization: line is never
passed on to the servers, so they always refuse access to restricted
pages (I am using Digest Authentication here, but I have also tried
Basic authentication and it also fails). Note that I am not doing
authorization in squid, I am just trying to pass the authorization
dialog through to the server.

If, however, I transfer the requests to a squid running on the content
servers (i.e.

cache_peer iridlc5p.ldeo.columbia.edu sibling 3128 3130 round-robin weight=50 allow-miss
cache_peer iridlc6p.ldeo.columbia.edu sibling 3128 3130 round-robin weight=50 allow-miss

cache_peer_domain iridlc5p.ldeo.columbia.edu .iridatalibrary
cache_peer_domain iridlc6p.ldeo.columbia.edu .iridatalibrary

and suitable redirector lines so that the pages get rewritten to be for
that domain)

everything works fine. As it happens, both 80 and 3128 on the content
machines are covered by squid there, so things are really similar for
the two paths.

So it seems that squid 2.6v7 will pass on the Authorization line to a
parent proxy, but not to an origin server.

Is this a bug or a messed up configuration?

Benno

Just for reference, here is a log line from the 2.6v7 front cache

1169586990.181 19 129.236.111.138 TCP_MISS/401 553 GET
http://iridl.ldeo.columbia.edu/expert/SOURCES/.CNES/.SPOT/.vegetation/ -
ROUNDROBIN_PARENT/iridlc5p.ldeo.columbia.edu text/html [Host:
iridl.ldeo.columbia.edu\r\nUser-Agent: Mozilla/5.0 (X11; U; Linux i686;
en-US; rv:1.7.7) Gecko/20050414\r\nAccept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\nAccept-Language:
en-us,en;q=0.5\r\nAccept-Encoding: gzip,deflate\r\nAccept-Charset:
ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\nKeep-Alive: 300\r\nConnection:
keep-alive\r\nCookie:
__utmz=249055455.1169493272.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none);
__utma=249055455.127915630.1169493272.1169583456.1169586261.5;
__utmb=249055455; __utmc=249055455\r\nAuthorization: Digest
username="benno", realm="iri.columbia.edu",
nonce="71760f7eb26dc149f017799a78e77751",
uri="/expert/SOURCES/.CNES/.SPOT/.vegetation/",
response="a77a3b49938441b87ae286484818a463",
opaque="5ccc069c403ebaf9f0171e9517f40e41", qop=auth, nc=00000001,
cnonce="0c1c0ce91b5d4d77"\r\n] [HTTP/1.0 401
Unauthorized\r\nCache-Control: public\r\nVary:
Authorization\r\nWWW-Authenticate: Digest realm="iri.columbia.edu",
qop="auth", nonce="71760f7eb26dc149f017799a78e77751",
opaque="5ccc069c403ebaf9f0171e9517f40e41"\r\nContent-Type:
text/html\r\nX-Cache: MISS from
iridlc5p.ldeo.columbia.edu\r\nConnection: close\r\n\r]

And here is the line from the content server (squid listening to 80 and
3128, though 80 is used in this case)

1169586990.173 16 129.236.112.96 TCP_MISS/401 392 GET
http://iridl.iridatalibrary/expert/SOURCES/.CNES/.SPOT/.vegetation/ -
DIRECT/127.0.0.1 text/html [Host:
iridl.ldeo.columbia.edu\r\nUser-Agent: Mozilla/5.0 (X11; U; Linux i686;
en-US; rv:1.7.7) Gecko/20050414\r\nAccept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\nAccept-Language:
en-us,en;q=0.5\r\nAccept-Encoding: gzip,deflate\r\nAccept-Charset:
ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\nCookie:
__utmz=249055455.1169493272.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none);
__utma=249055455.127915630.1169493272.1169583456.1169586261.5;
__utmb=249055455; __utmc=249055455\r\nVia: 1.1
iridl3p.ldeo.columbia.edu:80 (squid/2.6.STABLE7)\r\nX-Forwarded-For:
129.236.111.138\r\nCache-Control: max-age=259200\r\nConnection:
keep-alive\r\n] [HTTP/1.0 401 Unauthorized\nCache-Control:
public\nVary: Authorization\nWWW-Authenticate: Digest
realm="iri.columbia.edu", qop="auth",
nonce="71760f7eb26dc149f017799a78e77751",
opaque="5ccc069c403ebaf9f0171e9517f40e41"\nContent-Type: text/html\n]

Note that the first one is refused despite a password being supplied,
and the second one does not have the Authorization line so that it is
quite rightly refused.

-- 
Dr. M. Benno Blumenthal          benno@iri.columbia.edu
International Research Institute for climate and society
The Earth Institute at Columbia University
Lamont Campus, Palisades NY 10964-8000   (845) 680-4450
Received on Tue Jan 23 2007 - 14:46:43 MST
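
The header comparison made by eye in the message above can be automated; the following Python sketch is an added example, not part of the original post or of Squid. The two sample log lines are constructed and shortened, with placeholder hosts and credentials, and the code assumes each log entry has been rejoined onto one line and that no header value contains the sequence "] [".

```python
import re

# Squid native access.log line with log_mime_hdrs on: ten fields, then the
# request and reply headers in [brackets], with CR/LF written as \r and \n.
LINE = re.compile(
    r'^\S+\s+\d+\s+\S+\s+[^/\s]+/(?P<status>\d{3})\s+\d+\s+\S+\s+\S+'
    r'\s+\S+\s+(?P<hier>\S+)\s+\S+\s+\[(?P<req>.*?)\] \[(?P<rep>.*)\]$')

# Headers a proxy may legitimately consume or rewrite between hops.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authorization",
              "proxy-connection", "te", "trailer", "transfer-encoding",
              "upgrade"}

def parse(line):
    """Return status, hierarchy field and request headers of one log line."""
    m = LINE.match(line.strip())
    if not m:
        raise ValueError("not a log_mime_hdrs access.log line")
    headers = {}
    for field in re.split(r'\\r\\n|\\n', m["req"]):  # literal backslash escapes
        name, sep, value = field.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"status": int(m["status"]), "hier": m["hier"], "req": headers}

def dropped_headers(front_line, origin_line):
    """End-to-end request headers the front cache received but did not forward.

    Only header names are returned, so credential values never reach a report.
    """
    front, origin = parse(front_line)["req"], parse(origin_line)["req"]
    return sorted(set(front) - set(origin) - HOP_BY_HOP)

# Constructed sample lines (placeholder hosts and credentials).
FRONT = (r'1169586990.181 19 192.0.2.10 TCP_MISS/401 553 GET '
         r'http://www.example.org/expert/ - '
         r'ROUNDROBIN_PARENT/origin1.example.org text/html '
         r'[Host: www.example.org\r\nKeep-Alive: 300\r\n'
         r'Connection: keep-alive\r\n'
         r'Authorization: Digest username="u", response="PLACEHOLDER"\r\n] '
         r'[HTTP/1.0 401 Unauthorized\r\nVary: Authorization\r\n\r]')
ORIGIN = (r'1169586990.173 16 192.0.2.20 TCP_MISS/401 392 GET '
          r'http://www.example.org/expert/ - DIRECT/127.0.0.1 text/html '
          r'[Host: www.example.org\r\nVia: 1.1 front.example.org:80 '
          r'(squid/2.6.STABLE7)\r\nX-Forwarded-For: 192.0.2.10\r\n'
          r'Cache-Control: max-age=259200\r\nConnection: keep-alive\r\n] '
          r'[HTTP/1.0 401 Unauthorized\nVary: Authorization\n]')

if __name__ == "__main__":
    print(dropped_headers(FRONT, ORIGIN))
```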
