495e7591 AM |
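--- a/squid/src/cf.data.pre	1.245.2.51 Tue Oct 14 14:17:45 2003
+++ b/squid/src/cf.data.pre	1.245.2.52 Thu Nov 6 07:54:20 2003
@@ -1277,7 +1277,7 @@
 basic authentication sheme is not used unless a program is specified.
 
 If you want to use the traditional proxy authentication,
-jump over to the ../auth_modules/NCSA directory and
+jump over to the helpers/basic_auth/NCSA directory and
 type:
 % make
 % make install
@@ -1285,9 +1285,9 @@
 Then, set this line to something like
 
 auth_param basic program @DEFAULT_PREFIX@/bin/ncsa_auth @DEFAULT_PREFIX@/etc/passwd
-
+
 "children" numberofchildren
-The number of authenticator processes to spawn (no default).
+The number of authenticator processes to spawn.
 If you start too few Squid will have to wait for them to
 process a backlog of usercode/password verifications, slowing
 it down. When password verifications are done via a (slow)
@@ -1299,7 +1299,7 @@
 Specifies the realm name which is to be reported to the
 client for the basic proxy authentication scheme (part of
 the text the user will see when prompted their username and
-password). There is no default.
+password).
 auth_param basic realm Squid proxy-caching web server
 
 "credentialsttl" timetolive
@@ -1312,6 +1312,7 @@
 system (such as SecureID). If you are using such a system,
 you will be vulnerable to replay attacks unless you also
 use the max_user_ip ACL in an http_access rule.
+auth_param basic credentialsttl 2 hours
 
 === Parameters for the digest scheme follow ===
 
@@ -1321,10 +1322,11 @@
 replies with the appropriate H(A1) value base64 encoded.
 See rfc 2616 for the definition of H(A1). If you use an
 authenticator, make sure you have 1 acl of type proxy_auth.
-By default, authentication is not used.
+By default, the digest authentication scheme is not used
+unless a program is specified.
 
-If you want to use build an authenticator,
-jump over to the ../digest_auth_modules directory and choose the
+If you want to use a digest authenticator, jump over to
+the helpers/digest_auth/ directory and choose the
 authenticator to use. It it's directory type
 % make
 % make install
@@ -1346,37 +1348,43 @@
 Specifies the realm name which is to be reported to the
 client for the digest proxy authentication scheme (part of
 the text the user will see when prompted their username and
-password). There is no default.
+password).
 auth_param digest realm Squid proxy-caching web server
 
 "nonce_garbage_interval" timeinterval
 Specifies the interval that nonces that have been issued
 to client_agent's are checked for validity.
+auth_param digest nonce_garbage_interval 5 minutes
 
 "nonce_max_duration" timeinterval
 Specifies the maximum length of time a given nonce will be
 valid for.
+auth_param digest nonce_max_duration 30 minutes
 
 "nonce_max_count" number
 Specifies the maximum number of times a given nonce can be
 used.
+auth_param digest nonce_max_count 50
 
 "nonce_strictness" on|off
 Determines if squid requires strict increment-by-1 behaviour
 for nonce counts, or just incrementing (off - for use when
 useragents generate nonce counts that occasionally miss 1
-(ie, 1,2,4,6)). Default off.
+(ie, 1,2,4,6)).
+auth_param digest nonce_strictness off
 
 "check_nonce_count" on|off
 This directive if set to off can disable the nonce count check
 completely to work around buggy digest qop implementations in
 certain mainstream browser versions. Default on to check the
 nonce count to protect from authentication replay attacks.
+auth_param digest check_nonce_count on
 
 "post_workaround" on|off
 This is a workaround to certain buggy browsers who sends
 an incorrect request digest in POST requests when reusing
 the same nonce as aquired earlier on a GET request.
+auth_param digest post_workaround off
 
 === NTLM scheme options follow ===
 
@@ -1386,8 +1394,8 @@
 and replies with the ntlm CHALLENGE, then waits for the
 response and answers with "OK" or "ERR" in an endless loop.
 If you use an ntlm authenticator, make sure you have 1 acl
-of type proxy_auth. By default, the ntlm authenticator_program
-is not used.
+of type proxy_auth. By default, the ntlm authentication scheme
+is not used unless a program is specified.
 
 auth_param ntlm program @DEFAULT_PREFIX@/bin/ntlm_auth
 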
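--- a/squid/src/auth/basic/auth_basic.c	1.14.2.3 Sun Aug 10 12:53:38 2003
+++ b/squid/src/auth/basic/auth_basic.c	1.14.2.4 Thu Nov 6 07:54:20 2003
@@ -321,6 +321,7 @@
 scheme->scheme_data = xmalloc(sizeof(auth_basic_config));
 memset(scheme->scheme_data, 0, sizeof(auth_basic_config));
 basicConfig = scheme->scheme_data;
+basicConfig->basicAuthRealm = xstrdup("Squid proxy-caching web server");
 basicConfig->authenticateChildren = 5;
 basicConfig->credentialsTTL = 2 * 60 * 60; /* two hours */
 }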
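Review bot: The default realm is now a heap string from xstrdup, so the code that later parses `auth_param basic realm` must release the previous value before storing the parsed one, and the scheme's free/shutdown path must release it too; neither is visible in this hunk, so please confirm, because otherwise the default leaks on every configure and reconfigure. An ownership comment above the new line would make the contract explicit: `/* default realm; heap-owned by basicConfig, replaced (and freed) when "realm" is parsed */`. The same point applies to the `digestAuthRealm` default added in auth_digest.c at line 960. The enclosing function and the `if` this `}` closes start outside the hunk.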
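--- a/squid/src/auth/digest/auth_digest.c	1.10.2.9 Thu Nov 6 07:47:53 2003
+++ b/squid/src/auth/digest/auth_digest.c	1.10.2.10 Thu Nov 6 07:54:21 2003
@@ -960,6 +960,7 @@
 memset(scheme->scheme_data, 0, sizeof(auth_digest_config));
 digestConfig = scheme->scheme_data;
 digestConfig->authenticateChildren = 5;
+digestConfig->digestAuthRealm = xstrdup("Squid proxy-caching web server");
 /* 5 minutes */
 digestConfig->nonceGCInterval = 5 * 60;
 /* 30 minutes */
@@ -970,6 +971,7 @@
 digestConfig->NonceStrictness = 0;
 /* Verify nonce count */
 digestConfig->CheckNonceCount = 1;
+digestConfig->PostWorkaround = 0;
 }
 digestConfig = scheme->scheme_data;
 if (strcasecmp(param_str, "program") == 0) {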
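Review bot: The new `digestConfig->PostWorkaround = 0;` is the only default in this initializer without the one-line comment its neighbours carry (`/* Verify nonce count */` just above), and since `scheme_data` is zeroed by the memset at line 960 the assignment documents intent rather than changing state, so the comment is what gives it value. I would write `/* off: do not accept the wrong POST digest some browsers send when reusing a GET nonce */`, mirroring the `post_workaround` description in cf.data.pre, so the security-relevant meaning of the default is visible next to the code. The `}` that follows closes a block whose opening is outside the hunk.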