[Reference:<_A830@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: Double proxy authentication
09 Jun 2000 08:55:20 GMT ysato@etl.go.jp (Yutaka Sato)


On 06/08/00(18:36) you Alex Bel <pbmaabdyi-hugik5vkcbxr.ml@ml.delegate.org> wrote
in <_A830@delegate-en.ML_>
 |I've configuration:
 |    client->delegated:8080->squid:3128->server:80
 |
 |and try to register at www.newmail.ru (logging), server responds error
 |logging.
 |
 |The configurations
 |    client->squid->server
 |    client->delegated->server
 |seems Ok.
 |
 |What have I to do to fix bug?

The HTTP protocol (RFC2616) does not provide a way to do proxy authentication
for multiple proxies in a chain.  So what you should do might be debugging
(modifying) the specification :-p

Since the proxy authentication mechanism of HTTP (Proxy-Authenticate in
the response header and Proxy-Authorization in the request header) uses
hop-by-hop headers, they should not be forwarded to the next hop once a
proxy has consumed them.  If they were, a credential intended to be
confidential to the first proxy could be leaked to upstream proxies
and servers.

By the way, DeleGate has a mechanism to generate Authorization header
by AUTH="authgen:basic:...", thus extending this mechanism to
Proxy-Authorization will be a natural solution for chained proxies
with proxy-authentication.  So I introduced a new parameter like
this:

  AUTH=pauthgen:basic:UserName:PassWord

UserName and PassWord can be arbitrary strings, and "%X" patterns in them
will be substituted as is done for AUTH:authgen and AUTH:log.  Forwarding
the Proxy-Authorization sent from a client can be done like this:

  AUTH="pauthgen:basic:%U:%P"

and it will be used together with other parameters like the following
example.

  delegated -P8080 \
           PROXY=ProxyHost:ProxyPort \
           AUTH=proxy:pauth \
           RELIABLE=UserName@AuthHost \
           AUTH="pauthgen:basic:%U:%P"


The enclosed patch enables AUTH="pauthgen:..." and also fixes the
FTOSV parameter problem that occurs when it is used together with the AUTH parameter.

Cheers,
Yutaka
--
Yutaka Sato <ysato@etl.go.jp> http://www.etl.go.jp/~ysato/   @ @ 
Computer Science Division, Electrotechnical Laboratory      ( - )
1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan            _<   >_


diff -cr 6113/src/access.c ./src/access.c
*** 6113/src/access.c	Tue Jun  6 16:08:28 2000
--- ./src/access.c	Fri Jun  9 17:24:46 2000
***************
*** 51,56 ****
--- 51,57 ----
  #define A_FORWARD	"forward"
  #define A_FROMGEN	"fromgen"
  #define A_AUTHGEN	"authgen"
+ #define A_PAUTHGEN	"pauthgen"
  
  #define AP_SMTP_VERIFY	"smtp-vrfy"
  #define AP_REQ_AUTH	"auth"	/* use auth. info. in request message */
***************
*** 233,239 ****
  	return 1;
  }
  
! makeAuthorization(Conn,genauth)
  	Connection *Conn;
  	char *genauth;
  {	char *fmt,atype[128],*afmt;
--- 234,240 ----
  	return 1;
  }
  
! makeAuthorization(Conn,genauth,proxy)
  	Connection *Conn;
  	char *genauth;
  {	char *fmt,atype[128],*afmt;
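Review bot: The new `proxy` parameter of `makeAuthorization` has no declaration in the K&R parameter list, so it silently takes implicit `int`; adding `int proxy;` after `char *genauth;` makes the type explicit and gives a place to document it, e.g. `/* proxy: nonzero -> build Proxy-Authorization from AUTH=pauthgen, zero -> Authorization from AUTH=authgen */`. The same implicit-int style appears in the new `do_filter` parameter of `connect_to_servX` in service.c. The body of makeAuthorization continues past the end of this hunk.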
***************
*** 241,246 ****
--- 242,251 ----
  	int port;
  	char *dp;
  
+ 	if( proxy ){
+ 	if( (fmt = find_auth(A_PAUTHGEN,NULL)) == NULL )
+ 		return 0;
+ 	}else
  	if( (fmt = find_auth(A_AUTHGEN,NULL)) == NULL )
  		return 0;
  	strcpy(atype,fmt);
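Review bot: The added `if( proxy ){ ... }else` followed by an unbraced `if` at the same indentation as the braces hides which `if` the `else` binds to and leaves the two lookups with duplicated `return 0` paths; selecting the auth name first and then testing once reads unambiguously. Note also that the configured value now reachable through `A_PAUTHGEN` still flows into the pre-existing unbounded `strcpy(atype,fmt)` with `atype[128]`, so a length check or bounded copy would be prudent if that value can exceed the buffer.
```c
	if( proxy )
		fmt = find_auth(A_PAUTHGEN,NULL);
	else	fmt = find_auth(A_AUTHGEN,NULL);
	if( fmt == NULL )
		return 0;
	strcpy(atype,fmt);
	/* … unchanged: rest of makeAuthorization … */
```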
***************
*** 253,261 ****
--- 258,268 ----
  	if( gauth[0] == 0 )
  		return 0;
  
+ 	if( !proxy ){
  	gethostname(host,sizeof(host));
  	strcat(gauth,"/");
  	strcat(gauth,host);
+ 	}
  
  	str_to64(gauth,strlen(gauth),eauth,512,1);
  	if( dp = strpbrk(eauth,"\r\n") )
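Review bot: The new `if( !proxy )` guard skips appending `/` and the local hostname to `gauth` for the proxy credential, but nothing says why the two cases differ; a one-line comment would save the next reader from guessing, e.g. `/* the "/host" suffix is only appended to the Authorization (authgen) credential; the pauthgen credential is sent as formatted */`. The surrounding `strcat` calls into `gauth` are pre-existing and unbounded, so the sizes of `gauth` (declared outside this hunk) and the formatted value should be confirmed if the pauthgen value can be long.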
***************
*** 894,900 ****
  	set_realserver(Conn,proto,host,port);
  	Socketpair(io);
  
! 	svsock = connect_to_serv(Conn,io[0],io[1],0);
  	close(io[0]);
  	close(io[1]);
  	if( svsock < 0 ){
--- 901,907 ----
  	set_realserver(Conn,proto,host,port);
  	Socketpair(io);
  
! 	svsock = connect_to_servX(Conn,io[0],io[1],0,0);
  	close(io[0]);
  	close(io[1]);
  	if( svsock < 0 ){
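Review bot: The switch to `connect_to_servX(Conn,io[0],io[1],0,0)` passes `do_filter` as 0 without stating the reason, and the commit message only says it fixes an FTOSV/AUTH interaction. A comment on that line would make the intent explicit, e.g. `/* do_filter=0: do not insert the FTOSV server filter on this connection (see connect_to_servX) */`. The enclosing function starts and ends outside this hunk.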
diff -cr 6113/src/http.c ./src/http.c
*** 6113/src/http.c	Thu Jun  8 14:23:46 2000
--- ./src/http.c	Fri Jun  9 17:23:24 2000
***************
*** 3514,3523 ****
  		gfp = Sprintf(gfp,"Authorization: %s\r\n",genauth);
  	}else
  	if( withAuth == 0 )
! 	if( makeAuthorization(Conn,genauth) ){
  		HTTP_decompAuth(genauth,atype,sizeof(atype),buf2,sizeof(buf2));
  		sv1log("## GEN Authorization: %s [%s]\n",genauth,buf2);
  		gfp = Sprintf(gfp,"Authorization: %s\r\n",genauth);
  	}
  
  	if( cpath != NULL )
--- 3514,3528 ----
  		gfp = Sprintf(gfp,"Authorization: %s\r\n",genauth);
  	}else
  	if( withAuth == 0 )
! 	if( makeAuthorization(Conn,genauth,0) ){
  		HTTP_decompAuth(genauth,atype,sizeof(atype),buf2,sizeof(buf2));
  		sv1log("## GEN Authorization: %s [%s]\n",genauth,buf2);
  		gfp = Sprintf(gfp,"Authorization: %s\r\n",genauth);
+ 	}
+ 	if( makeAuthorization(Conn,genauth,1) ){
+ 		HTTP_decompAuth(genauth,atype,sizeof(atype),buf2,sizeof(buf2));
+ 		sv1log("## GEN Proxy-Authorization: %s [%s]\n",genauth,buf2);
+ 		gfp = Sprintf(gfp,"Proxy-Authorization: %s\r\n",genauth);
  	}
  
  	if( cpath != NULL )
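Review bot: The added `sv1log("## GEN Proxy-Authorization: %s [%s]\n",genauth,buf2)` writes the generated credential, and what appears to be its decoded form in `buf2` from `HTTP_decompAuth`, into the server log; with the documented `AUTH="pauthgen:basic:%U:%P"` that is the client's proxy password in plaintext. Logging only the scheme, or just that a header was generated, avoids leaving credentials in log files, e.g. `sv1log("## GEN Proxy-Authorization: [%s]\n",atype);` if `atype` holds the scheme as it seems to. The pre-existing Authorization log line two hunks above has the same exposure. The enclosing function continues outside this hunk.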
diff -cr 6113/src/service.c ./src/service.c
*** 6113/src/service.c	Mon May 29 17:14:40 2000
--- ./src/service.c	Fri Jun  9 17:10:24 2000
***************
*** 1844,1850 ****
  /*
   *	DFLT_... should be replaced by DST_...
   */
! connect_to_serv(Conn, fromC,toC, relay_input)
  	Connection *Conn;
  {	int sock;
  
--- 1844,1850 ----
  /*
   *	DFLT_... should be replaced by DST_...
   */
! connect_to_servX(Conn, fromC,toC, relay_input, do_filter)
  	Connection *Conn;
  {	int sock;
  
***************
*** 1868,1875 ****
--- 1868,1881 ----
  		"E-C: Can't connect",shost,sport,"=>",DST_PROTO,server,reason);
  	}
  
+ 	if( do_filter )
  	insert_FSERVER(Conn,fromC);
  	return sock;
+ }
+ connect_to_serv(Conn, fromC,toC, relay_input)
+ 	Connection *Conn;
+ {
+ 	return connect_to_servX(Conn, fromC,toC, relay_input, 1);
  }
  connect_to(proto,host,port)
  	char *proto,*host;
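Review bot: The added `if( do_filter )` guards `insert_FSERVER(Conn,fromC);` but the call keeps the same indentation as the unconditional code around it, so it reads as if it always runs; brace it: `if( do_filter ){` / `insert_FSERVER(Conn,fromC);` / `}`. A short comment above `connect_to_servX` in the previous hunk would also help, e.g. `/* do_filter: nonzero -> attach the server-side filter (insert_FSERVER) after connecting; connect_to_serv() keeps the old always-filter behaviour */`, which is what the new wrapper's `relay_input, 1` call shows.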
