1 Index: squid/src/cf.data.pre
2 diff -c squid/src/cf.data.pre:1.245.2.51 squid/src/cf.data.pre:1.245.2.52
3 *** squid/src/cf.data.pre:1.245.2.51 Tue Oct 14 14:17:45 2003
4 --- squid/src/cf.data.pre Thu Nov 6 07:54:20 2003
7 basic authentication sheme is not used unless a program is specified.
9 If you want to use the traditional proxy authentication,
10 ! jump over to the ../auth_modules/NCSA directory and
15 basic authentication sheme is not used unless a program is specified.
17 If you want to use the traditional proxy authentication,
18 ! jump over to the helpers/basic_auth/NCSA directory and
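Review bot: the unchanged first line of this paragraph still reads "basic authentication sheme". Since the patch already rewrites this paragraph to point at helpers/basic_auth/NCSA, correct the spelling to "scheme" in the same change.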
24 Then, set this line to something like
26 auth_param basic program @DEFAULT_PREFIX@/bin/ncsa_auth @DEFAULT_PREFIX@/etc/passwd
28 "children" numberofchildren
29 ! The number of authenticator processes to spawn (no default).
30 If you start too few Squid will have to wait for them to
31 process a backlog of usercode/password verifications, slowing
32 it down. When password verifications are done via a (slow)
34 Then, set this line to something like
36 auth_param basic program @DEFAULT_PREFIX@/bin/ncsa_auth @DEFAULT_PREFIX@/etc/passwd
38 "children" numberofchildren
39 ! The number of authenticator processes to spawn.
40 If you start too few Squid will have to wait for them to
41 process a backlog of usercode/password verifications, slowing
42 it down. When password verifications are done via a (slow)
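Review bot: in the "children" description the patch drops "(no default)" but does not say what the default is. The auth_basic.c context later in this patch shows basicConfig->authenticateChildren = 5, so state that value here, for example with a sample line "auth_param basic children 5" in the same style as the other defaults this patch adds.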
45 Specifies the realm name which is to be reported to the
46 client for the basic proxy authentication scheme (part of
47 the text the user will see when prompted their username and
48 ! password). There is no default.
49 auth_param basic realm Squid proxy-caching web server
51 "credentialsttl" timetolive
53 Specifies the realm name which is to be reported to the
54 client for the basic proxy authentication scheme (part of
55 the text the user will see when prompted their username and
57 auth_param basic realm Squid proxy-caching web server
59 "credentialsttl" timetolive
63 system (such as SecureID). If you are using such a system,
64 you will be vulnerable to replay attacks unless you also
65 use the max_user_ip ACL in an http_access rule.
66 + auth_param basic credentialsttl 2 hours
68 === Parameters for the digest scheme follow ===
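Review bot: the added line "auth_param basic credentialsttl 2 hours" lands directly under the one-time-password replay warning with nothing marking it as the built-in default rather than a recommended value for such systems. Say explicitly that two hours is the default (it matches credentialsTTL = 2 * 60 * 60 in auth_basic.c) and keep the max_user_ip advice visually separate from it. The product name in the context line is also misspelled: "SecureID" should be "SecurID".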
72 replies with the appropriate H(A1) value base64 encoded.
73 See rfc 2616 for the definition of H(A1). If you use an
74 authenticator, make sure you have 1 acl of type proxy_auth.
75 ! By default, authentication is not used.
77 ! If you want to use build an authenticator,
78 ! jump over to the ../digest_auth_modules directory and choose the
79 authenticator to use. It it's directory type
83 replies with the appropriate H(A1) value base64 encoded.
84 See rfc 2616 for the definition of H(A1). If you use an
85 authenticator, make sure you have 1 acl of type proxy_auth.
86 ! By default, the digest authentication scheme is not used
87 ! unless a program is specified.
89 ! If you want to use a digest authenticator, jump over to
90 ! the helpers/digest_auth/ directory and choose the
91 authenticator to use. It it's directory type
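Review bot: the context line "See rfc 2616 for the definition of H(A1)" cites the wrong document. H(A1) is defined in the Digest Access Authentication specification, RFC 2617, and the reference should be corrected while this paragraph is being reworded. The last line of the paragraph, "It it's directory type", is also garbled on both the old and new side and should be fixed in the same pass.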
96 Specifies the realm name which is to be reported to the
97 client for the digest proxy authentication scheme (part of
98 the text the user will see when prompted their username and
99 ! password). There is no default.
100 auth_param digest realm Squid proxy-caching web server
102 "nonce_garbage_interval" timeinterval
103 Specifies the interval that nonces that have been issued
104 to client_agent's are checked for validity.
106 "nonce_max_duration" timeinterval
107 Specifies the maximum length of time a given nonce will be
110 "nonce_max_count" number
111 Specifies the maximum number of times a given nonce can be
114 "nonce_strictness" on|off
115 Determines if squid requires strict increment-by-1 behaviour
116 for nonce counts, or just incrementing (off - for use when
117 useragents generate nonce counts that occasionally miss 1
118 ! (ie, 1,2,4,6)). Default off.
120 "check_nonce_count" on|off
121 This directive if set to off can disable the nonce count check
122 completely to work around buggy digest qop implementations in
123 certain mainstream browser versions. Default on to check the
124 nonce count to protect from authentication replay attacks.
126 "post_workaround" on|off
127 This is a workaround to certain buggy browsers who sends
128 an incorrect request digest in POST requests when reusing
129 the same nonce as aquired earlier on a GET request.
131 === NTLM scheme options follow ===
134 Specifies the realm name which is to be reported to the
135 client for the digest proxy authentication scheme (part of
136 the text the user will see when prompted their username and
138 auth_param digest realm Squid proxy-caching web server
140 "nonce_garbage_interval" timeinterval
141 Specifies the interval that nonces that have been issued
142 to client_agent's are checked for validity.
143 + auth_param digest nonce_garbage_interval 5 minutes
145 "nonce_max_duration" timeinterval
146 Specifies the maximum length of time a given nonce will be
148 + auth_param digest nonce_max_duration 30 minutes
150 "nonce_max_count" number
151 Specifies the maximum number of times a given nonce can be
153 + auth_param digest nonce_max_count 50
155 "nonce_strictness" on|off
156 Determines if squid requires strict increment-by-1 behaviour
157 for nonce counts, or just incrementing (off - for use when
158 useragents generate nonce counts that occasionally miss 1
160 ! auth_param digest nonce_strictness off
162 "check_nonce_count" on|off
163 This directive if set to off can disable the nonce count check
164 completely to work around buggy digest qop implementations in
165 certain mainstream browser versions. Default on to check the
166 nonce count to protect from authentication replay attacks.
167 + auth_param digest check_nonce_count on
169 "post_workaround" on|off
170 This is a workaround to certain buggy browsers who sends
171 an incorrect request digest in POST requests when reusing
172 the same nonce as aquired earlier on a GET request.
173 + auth_param digest post_workaround off
175 === NTLM scheme options follow ===
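Review bot: the "post_workaround" paragraph names the browser bug it targets but not what Squid does differently when the option is on, so an administrator cannot judge what replay protection is relaxed by enabling it. Add a sentence describing the behaviour and state that off is the default, matching digestConfig->PostWorkaround = 0 in auth_digest.c; "who sends" and "aquired" should be corrected at the same time. The defaults are also documented inconsistently after this change: nonce_strictness loses its "Default off." wording in favour of a sample line, while check_nonce_count keeps "Default on" in prose and gains a sample line as well.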
179 and replies with the ntlm CHALLENGE, then waits for the
180 response and answers with "OK" or "ERR" in an endless loop.
181 If you use an ntlm authenticator, make sure you have 1 acl
182 ! of type proxy_auth. By default, the ntlm authenticator_program
185 auth_param ntlm program @DEFAULT_PREFIX@/bin/ntlm_auth
188 and replies with the ntlm CHALLENGE, then waits for the
189 response and answers with "OK" or "ERR" in an endless loop.
190 If you use an ntlm authenticator, make sure you have 1 acl
191 ! of type proxy_auth. By default, the ntlm authentication scheme
192 ! is not used unless a program is specified.
194 auth_param ntlm program @DEFAULT_PREFIX@/bin/ntlm_auth
196 Index: squid/src/auth/basic/auth_basic.c
197 diff -c squid/src/auth/basic/auth_basic.c:1.14.2.3 squid/src/auth/basic/auth_basic.c:1.14.2.4
198 *** squid/src/auth/basic/auth_basic.c:1.14.2.3 Sun Aug 10 12:53:38 2003
199 --- squid/src/auth/basic/auth_basic.c Thu Nov 6 07:54:20 2003
203 scheme->scheme_data = xmalloc(sizeof(auth_basic_config));
204 memset(scheme->scheme_data, 0, sizeof(auth_basic_config));
205 basicConfig = scheme->scheme_data;
206 + basicConfig->basicAuthRealm = xstrdup("Squid proxy-caching web server");
207 basicConfig->authenticateChildren = 5;
208 basicConfig->credentialsTTL = 2 * 60 * 60; /* two hours */
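Review bot: basicAuthRealm is now populated at init with xstrdup(), so the code that handles "auth_param basic realm" has to free this default before storing the configured value, and the scheme's teardown path has to free it too; neither is visible in this hunk. Please confirm both paths, otherwise the default string leaks whenever a realm is configured explicitly.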
210 Index: squid/src/auth/digest/auth_digest.c
211 diff -c squid/src/auth/digest/auth_digest.c:1.10.2.9 squid/src/auth/digest/auth_digest.c:1.10.2.10
212 *** squid/src/auth/digest/auth_digest.c:1.10.2.9 Thu Nov 6 07:47:53 2003
213 --- squid/src/auth/digest/auth_digest.c Thu Nov 6 07:54:21 2003
217 memset(scheme->scheme_data, 0, sizeof(auth_digest_config));
218 digestConfig = scheme->scheme_data;
219 digestConfig->authenticateChildren = 5;
220 + digestConfig->digestAuthRealm = xstrdup("Squid proxy-caching web server");
222 digestConfig->nonceGCInterval = 5 * 60;
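Review bot: the literal "Squid proxy-caching web server" is now hard-coded here, again in auth_basic.c, and again in the cf.data.pre sample lines, with nothing tying the three together. Define the default realm once (a shared macro is enough) and use it in both init functions so the documented default and the compiled one cannot drift apart. The same free-before-overwrite check raised for basicAuthRealm applies to digestAuthRealm.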
227 digestConfig->NonceStrictness = 0;
228 /* Verify nonce count */
229 digestConfig->CheckNonceCount = 1;
230 + digestConfig->PostWorkaround = 0;
232 digestConfig = scheme->scheme_data;
233 if (strcasecmp(param_str, "program") == 0) {