[packages/squid.git] / squid-2.5.STABLE4_auth_param_doc.patch

Index: squid/src/cf.data.pre
diff -c squid/src/cf.data.pre:1.245.2.51 squid/src/cf.data.pre:1.245.2.52
*** squid/src/cf.data.pre:1.245.2.51	Tue Oct 14 14:17:45 2003
--- squid/src/cf.data.pre	Thu Nov  6 07:54:20 2003
***************
*** 1277,1283 ****
  	basic authentication sheme is not used unless a program is specified.
  
  	If you want to use the traditional proxy authentication,
! 	jump over to the ../auth_modules/NCSA directory and
  	type:
  		% make
  		% make install
--- 1277,1283 ----
  	basic authentication sheme is not used unless a program is specified.
  
  	If you want to use the traditional proxy authentication,
! 	jump over to the helpers/basic_auth/NCSA directory and
  	type:
  		% make
  		% make install
***************
*** 1285,1293 ****
  	Then, set this line to something like
  
  	auth_param basic program @DEFAULT_PREFIX@/bin/ncsa_auth @DEFAULT_PREFIX@/etc/passwd
! 
  	"children" numberofchildren
! 	The number of authenticator processes to spawn (no default).
  	If you start too few Squid will have to wait for them to
  	process a backlog of usercode/password verifications, slowing
  	it down. When password verifications are done via a (slow)
--- 1285,1293 ----
  	Then, set this line to something like
  
  	auth_param basic program @DEFAULT_PREFIX@/bin/ncsa_auth @DEFAULT_PREFIX@/etc/passwd
! 	
  	"children" numberofchildren
! 	The number of authenticator processes to spawn.
  	If you start too few Squid will have to wait for them to
  	process a backlog of usercode/password verifications, slowing
  	it down. When password verifications are done via a (slow)
***************
*** 1299,1305 ****
  	Specifies the realm name which is to be reported to the
  	client for the basic proxy authentication scheme (part of
  	the text the user will see when prompted their username and
! 	password). There is no default.
  	auth_param basic realm Squid proxy-caching web server
  
  	"credentialsttl" timetolive
--- 1299,1305 ----
  	Specifies the realm name which is to be reported to the
  	client for the basic proxy authentication scheme (part of
  	the text the user will see when prompted their username and
! 	password).
  	auth_param basic realm Squid proxy-caching web server
  
  	"credentialsttl" timetolive
***************
*** 1312,1317 ****
--- 1312,1318 ----
  	system (such as SecureID).  If you are using such a system,
  	you will be vulnerable to replay attacks unless you also
  	use the max_user_ip ACL in an http_access rule.
+ 	auth_param basic credentialsttl 2 hours
  
  	=== Parameters for the digest scheme follow ===
  
***************
*** 1321,1330 ****
  	replies with the appropriate H(A1) value base64 encoded.
  	See rfc 2616 for the definition of H(A1).  If you use an
  	authenticator, make sure you have 1 acl of type proxy_auth.
! 	By default, authentication is not used.
  
! 	If you want to use build an authenticator,
! 	jump over to the ../digest_auth_modules directory and choose the
  	authenticator to use. It it's directory type
          	% make
  	        % make install
--- 1322,1332 ----
  	replies with the appropriate H(A1) value base64 encoded.
  	See rfc 2616 for the definition of H(A1).  If you use an
  	authenticator, make sure you have 1 acl of type proxy_auth.
! 	By default, the digest authentication scheme is not used
! 	unless a program is specified.
  
! 	If you want to use a digest authenticator, jump over to
! 	the helpers/digest_auth/ directory and choose the
  	authenticator to use. It it's directory type
          	% make
  	        % make install
***************
*** 1346,1382 ****
  	Specifies the realm name which is to be reported to the
  	client for the digest proxy authentication scheme (part of
  	the text the user will see when prompted their username and
! 	password). There is no default.
  	auth_param digest realm Squid proxy-caching web server
  
  	"nonce_garbage_interval" timeinterval
  	Specifies the interval that nonces that have been issued
  	to client_agent's are checked for validity.
  
  	"nonce_max_duration" timeinterval
  	Specifies the maximum length of time a given nonce will be
  	valid for.
  
  	"nonce_max_count" number
  	Specifies the maximum number of times a given nonce can be
  	used.
  
  	"nonce_strictness" on|off
  	Determines if squid requires strict increment-by-1 behaviour
  	for nonce counts, or just incrementing (off - for use when
  	useragents generate nonce counts that occasionally miss 1
! 	(ie, 1,2,4,6)). Default off.
  
  	"check_nonce_count" on|off
  	This directive if set to off can disable the nonce count check
  	completely to work around buggy digest qop implementations in
  	certain mainstream browser versions. Default on to check the
  	nonce count to protect from authentication replay attacks.
  
  	"post_workaround" on|off
  	This is a workaround to certain buggy browsers who sends
  	an incorrect request digest in POST requests when reusing
  	the same nonce as aquired earlier on a GET request.
  
  	=== NTLM scheme options follow ===
  
--- 1348,1390 ----
  	Specifies the realm name which is to be reported to the
  	client for the digest proxy authentication scheme (part of
  	the text the user will see when prompted their username and
! 	password).
  	auth_param digest realm Squid proxy-caching web server
  
  	"nonce_garbage_interval" timeinterval
  	Specifies the interval that nonces that have been issued
  	to client_agent's are checked for validity.
+ 	auth_param digest nonce_garbage_interval 5 minutes
  
  	"nonce_max_duration" timeinterval
  	Specifies the maximum length of time a given nonce will be
  	valid for.
+ 	auth_param digest nonce_max_duration 30 minutes
  
  	"nonce_max_count" number
  	Specifies the maximum number of times a given nonce can be
  	used.
+ 	auth_param digest nonce_max_count 50
  
  	"nonce_strictness" on|off
  	Determines if squid requires strict increment-by-1 behaviour
  	for nonce counts, or just incrementing (off - for use when
  	useragents generate nonce counts that occasionally miss 1
! 	(ie, 1,2,4,6)).
! 	auth_param digest nonce_strictness off
  
  	"check_nonce_count" on|off
  	This directive if set to off can disable the nonce count check
  	completely to work around buggy digest qop implementations in
  	certain mainstream browser versions. Default on to check the
  	nonce count to protect from authentication replay attacks.
+ 	auth_param digest check_nonce_count on
  
  	"post_workaround" on|off
  	This is a workaround to certain buggy browsers who sends
  	an incorrect request digest in POST requests when reusing
  	the same nonce as aquired earlier on a GET request.
+ 	auth_param digest post_workaround off
  
  	=== NTLM scheme options follow ===
  
***************
*** 1386,1393 ****
  	and replies with the ntlm CHALLENGE, then waits for the
  	response and answers with "OK" or "ERR" in an endless loop.
  	If you use an ntlm authenticator, make sure you have 1 acl
! 	of type proxy_auth.  By default, the ntlm authenticator_program
! 	is not used.
  
  	auth_param ntlm program @DEFAULT_PREFIX@/bin/ntlm_auth
  
--- 1394,1401 ----
  	and replies with the ntlm CHALLENGE, then waits for the
  	response and answers with "OK" or "ERR" in an endless loop.
  	If you use an ntlm authenticator, make sure you have 1 acl
! 	of type proxy_auth.  By default, the ntlm authentication scheme
! 	is not used unless a program is specified.
  
  	auth_param ntlm program @DEFAULT_PREFIX@/bin/ntlm_auth
  
Index: squid/src/auth/basic/auth_basic.c
diff -c squid/src/auth/basic/auth_basic.c:1.14.2.3 squid/src/auth/basic/auth_basic.c:1.14.2.4
*** squid/src/auth/basic/auth_basic.c:1.14.2.3	Sun Aug 10 12:53:38 2003
--- squid/src/auth/basic/auth_basic.c	Thu Nov  6 07:54:20 2003
***************
*** 321,326 ****
--- 321,327 ----
  	scheme->scheme_data = xmalloc(sizeof(auth_basic_config));
  	memset(scheme->scheme_data, 0, sizeof(auth_basic_config));
  	basicConfig = scheme->scheme_data;
+ 	basicConfig->basicAuthRealm = xstrdup("Squid proxy-caching web server");
  	basicConfig->authenticateChildren = 5;
  	basicConfig->credentialsTTL = 2 * 60 * 60;	/* two hours */
      }
Index: squid/src/auth/digest/auth_digest.c
diff -c squid/src/auth/digest/auth_digest.c:1.10.2.9 squid/src/auth/digest/auth_digest.c:1.10.2.10
*** squid/src/auth/digest/auth_digest.c:1.10.2.9	Thu Nov  6 07:47:53 2003
--- squid/src/auth/digest/auth_digest.c	Thu Nov  6 07:54:21 2003
***************
*** 960,965 ****
--- 960,966 ----
  	memset(scheme->scheme_data, 0, sizeof(auth_digest_config));
  	digestConfig = scheme->scheme_data;
  	digestConfig->authenticateChildren = 5;
+ 	digestConfig->digestAuthRealm = xstrdup("Squid proxy-caching web server");
  	/* 5 minutes */
  	digestConfig->nonceGCInterval = 5 * 60;
  	/* 30 minutes */
***************
*** 970,975 ****
--- 971,977 ----
  	digestConfig->NonceStrictness = 0;
  	/* Verify nonce count */
  	digestConfig->CheckNonceCount = 1;
+ 	digestConfig->PostWorkaround = 0;
      }
      digestConfig = scheme->scheme_data;
      if (strcasecmp(param_str, "program") == 0) {
Commit	Line	Data
495e7591 AM	1	Index: squid/src/cf.data.pre
	2	diff -c squid/src/cf.data.pre:1.245.2.51 squid/src/cf.data.pre:1.245.2.52
	3	*** squid/src/cf.data.pre:1.245.2.51 Tue Oct 14 14:17:45 2003
	4	--- squid/src/cf.data.pre Thu Nov 6 07:54:20 2003
	5	***************
	6	* 1277,1283 **
	7	basic authentication sheme is not used unless a program is specified.
	8
	9	If you want to use the traditional proxy authentication,
	10	! jump over to the ../auth_modules/NCSA directory and
	11	type:
	12	% make
	13	% make install
	14	--- 1277,1283 ----
	15	basic authentication sheme is not used unless a program is specified.
	16
	17	If you want to use the traditional proxy authentication,
	18	! jump over to the helpers/basic_auth/NCSA directory and
	19	type:
	20	% make
	21	% make install
	22	***************
	23	* 1285,1293 **
	24	Then, set this line to something like
	25
	26	auth_param basic program @DEFAULT_PREFIX@/bin/ncsa_auth @DEFAULT_PREFIX@/etc/passwd
	27	!
	28	"children" numberofchildren
	29	! The number of authenticator processes to spawn (no default).
	30	If you start too few Squid will have to wait for them to
	31	process a backlog of usercode/password verifications, slowing
	32	it down. When password verifications are done via a (slow)
	33	--- 1285,1293 ----
	34	Then, set this line to something like
	35
	36	auth_param basic program @DEFAULT_PREFIX@/bin/ncsa_auth @DEFAULT_PREFIX@/etc/passwd
	37	!
	38	"children" numberofchildren
	39	! The number of authenticator processes to spawn.
	40	If you start too few Squid will have to wait for them to
	41	process a backlog of usercode/password verifications, slowing
	42	it down. When password verifications are done via a (slow)
	43	***************
	44	* 1299,1305 **
	45	Specifies the realm name which is to be reported to the
	46	client for the basic proxy authentication scheme (part of
	47	the text the user will see when prompted their username and
	48	! password). There is no default.
	49	auth_param basic realm Squid proxy-caching web server
	50
	51	"credentialsttl" timetolive
	52	--- 1299,1305 ----
	53	Specifies the realm name which is to be reported to the
	54	client for the basic proxy authentication scheme (part of
	55	the text the user will see when prompted their username and
	56	! password).
	57	auth_param basic realm Squid proxy-caching web server
	58
	59	"credentialsttl" timetolive
	60	***************
	61	* 1312,1317 **
	62	--- 1312,1318 ----
	63	system (such as SecureID). If you are using such a system,
	64	you will be vulnerable to replay attacks unless you also
65	use the max_user_ip ACL in an http_access rule.
66	+ auth_param basic credentialsttl 2 hours
67
68	=== Parameters for the digest scheme follow ===
69
70	***************
71	* 1321,1330 **
72	replies with the appropriate H(A1) value base64 encoded.
73	See rfc 2616 for the definition of H(A1). If you use an
74	authenticator, make sure you have 1 acl of type proxy_auth.
75	! By default, authentication is not used.
76
77	! If you want to use build an authenticator,
78	! jump over to the ../digest_auth_modules directory and choose the
79	authenticator to use. It it's directory type
80	% make
81	% make install
82	--- 1322,1332 ----
83	replies with the appropriate H(A1) value base64 encoded.
84	See rfc 2616 for the definition of H(A1). If you use an
85	authenticator, make sure you have 1 acl of type proxy_auth.
86	! By default, the digest authentication scheme is not used
87	! unless a program is specified.
88
89	! If you want to use a digest authenticator, jump over to
90	! the helpers/digest_auth/ directory and choose the
91	authenticator to use. It it's directory type
92	% make
93	% make install
94	***************
95	* 1346,1382 **
96	Specifies the realm name which is to be reported to the
97	client for the digest proxy authentication scheme (part of
98	the text the user will see when prompted their username and
99	! password). There is no default.
100	auth_param digest realm Squid proxy-caching web server
101
102	"nonce_garbage_interval" timeinterval
103	Specifies the interval that nonces that have been issued
104	to client_agent's are checked for validity.
105
106	"nonce_max_duration" timeinterval
107	Specifies the maximum length of time a given nonce will be
108	valid for.
109
110	"nonce_max_count" number
111	Specifies the maximum number of times a given nonce can be
112	used.
113
114	"nonce_strictness" on\|off
115	Determines if squid requires strict increment-by-1 behaviour
116	for nonce counts, or just incrementing (off - for use when
117	useragents generate nonce counts that occasionally miss 1
118	! (ie, 1,2,4,6)). Default off.
119
120	"check_nonce_count" on\|off
121	This directive if set to off can disable the nonce count check
122	completely to work around buggy digest qop implementations in
123	certain mainstream browser versions. Default on to check the
124	nonce count to protect from authentication replay attacks.
125
126	"post_workaround" on\|off
127	This is a workaround to certain buggy browsers who sends
128	an incorrect request digest in POST requests when reusing
129	the same nonce as aquired earlier on a GET request.
130
131	=== NTLM scheme options follow ===
132
133	--- 1348,1390 ----
134	Specifies the realm name which is to be reported to the
135	client for the digest proxy authentication scheme (part of
136	the text the user will see when prompted their username and
137	! password).
138	auth_param digest realm Squid proxy-caching web server
139
140	"nonce_garbage_interval" timeinterval
141	Specifies the interval that nonces that have been issued
142	to client_agent's are checked for validity.
143	+ auth_param digest nonce_garbage_interval 5 minutes
144
145	"nonce_max_duration" timeinterval
146	Specifies the maximum length of time a given nonce will be
147	valid for.
148	+ auth_param digest nonce_max_duration 30 minutes
149
150	"nonce_max_count" number
151	Specifies the maximum number of times a given nonce can be
152	used.
153	+ auth_param digest nonce_max_count 50
154
155	"nonce_strictness" on\|off
156	Determines if squid requires strict increment-by-1 behaviour
157	for nonce counts, or just incrementing (off - for use when
158	useragents generate nonce counts that occasionally miss 1
159	! (ie, 1,2,4,6)).
160	! auth_param digest nonce_strictness off
161
162	"check_nonce_count" on\|off
163	This directive if set to off can disable the nonce count check
164	completely to work around buggy digest qop implementations in
165	certain mainstream browser versions. Default on to check the
166	nonce count to protect from authentication replay attacks.
167	+ auth_param digest check_nonce_count on
168
169	"post_workaround" on\|off
170	This is a workaround to certain buggy browsers who sends
171	an incorrect request digest in POST requests when reusing
172	the same nonce as aquired earlier on a GET request.
173	+ auth_param digest post_workaround off
174
175	=== NTLM scheme options follow ===
176
177	***************
178	* 1386,1393 **
179	and replies with the ntlm CHALLENGE, then waits for the
180	response and answers with "OK" or "ERR" in an endless loop.
181	If you use an ntlm authenticator, make sure you have 1 acl
182	! of type proxy_auth. By default, the ntlm authenticator_program
183	! is not used.
184
185	auth_param ntlm program @DEFAULT_PREFIX@/bin/ntlm_auth
186
187	--- 1394,1401 ----
188	and replies with the ntlm CHALLENGE, then waits for the
189	response and answers with "OK" or "ERR" in an endless loop.
190	If you use an ntlm authenticator, make sure you have 1 acl
191	! of type proxy_auth. By default, the ntlm authentication scheme
192	! is not used unless a program is specified.
193
194	auth_param ntlm program @DEFAULT_PREFIX@/bin/ntlm_auth
195
196	Index: squid/src/auth/basic/auth_basic.c
197	diff -c squid/src/auth/basic/auth_basic.c:1.14.2.3 squid/src/auth/basic/auth_basic.c:1.14.2.4
198	*** squid/src/auth/basic/auth_basic.c:1.14.2.3 Sun Aug 10 12:53:38 2003
199	--- squid/src/auth/basic/auth_basic.c Thu Nov 6 07:54:20 2003
200	***************
201	* 321,326 **
202	--- 321,327 ----
203	scheme->scheme_data = xmalloc(sizeof(auth_basic_config));
204	memset(scheme->scheme_data, 0, sizeof(auth_basic_config));
205	basicConfig = scheme->scheme_data;
206	+ basicConfig->basicAuthRealm = xstrdup("Squid proxy-caching web server");
207	basicConfig->authenticateChildren = 5;
208	basicConfig->credentialsTTL = 2 * 60 * 60; /* two hours */
209	}
210	Index: squid/src/auth/digest/auth_digest.c
211	diff -c squid/src/auth/digest/auth_digest.c:1.10.2.9 squid/src/auth/digest/auth_digest.c:1.10.2.10
212	*** squid/src/auth/digest/auth_digest.c:1.10.2.9 Thu Nov 6 07:47:53 2003
213	--- squid/src/auth/digest/auth_digest.c Thu Nov 6 07:54:21 2003
214	***************
215	* 960,965 **
216	--- 960,966 ----
217	memset(scheme->scheme_data, 0, sizeof(auth_digest_config));
218	digestConfig = scheme->scheme_data;
219	digestConfig->authenticateChildren = 5;
220	+ digestConfig->digestAuthRealm = xstrdup("Squid proxy-caching web server");
221	/* 5 minutes */
222	digestConfig->nonceGCInterval = 5 * 60;
223	/* 30 minutes */
224	***************
225	* 970,975 **
226	--- 971,977 ----
227	digestConfig->NonceStrictness = 0;
228	/* Verify nonce count */
229	digestConfig->CheckNonceCount = 1;
230	+ digestConfig->PostWorkaround = 0;
231	}
232	digestConfig = scheme->scheme_data;
233	if (strcasecmp(param_str, "program") == 0) {