Environment
Novell BorderManager 3.8 Support Pack 5
Novell BorderManager 3.9
Situation
Proxy authentication is not working when the request comes from behind another proxy server.
SSL authentication is enabled on the BorderManager Proxy server. When the browser points directly to the BorderManager Proxy IP address, the user is presented with SSL authentication before the request is allowed to go through. If no valid credentials are entered, authentication fails and no access is granted. This is the default and desired behavior.
When the browser points to another proxy server, for example Squid, and Squid has BorderManager configured as its CERN proxy, BorderManager does not ask for authentication when Squid forwards the browser's request; it lets the request go through, bypassing any access control rules.
Resolution
This has been fixed in:
NBM 3.8: proxy version 5.10.04 and above available in bm38sp5_ir1.exe patch.
NBM 3.9 released code.
Additional Information
This is the default behavior of Novell BorderManager when the
request comes from another proxy and that proxy adds the Via HTTP
header to the request. Because authentication and access control
should be applied at the lower proxy, BorderManager does not ask
for authentication when it detects a Via header, and services the
request. As this functionality has raised serious concerns among
customers, the default behavior has been changed: starting with the
proxy versions mentioned above, BorderManager requires
authentication even if the Via header is present.
For customers who would like the old behavior back, letting BorderManager serve the request without asking for authentication when the Via header is present, a new flag, "SkipAuthForViaHeader", has been created under [Extra Configuration] in the proxy.cfg file.
So, to get the behavior that BM 3.8 and, at present, BM 3.9 have without this change, this flag should be enabled.
If proxy.cfg looks like this:
[Extra Configuration]
SkipAuthForViaHeader=1
then BM won't ask for authentication if the Via header is present.
If this flag is not present in proxy.cfg, or if it is set to 0, BM will
ask for authentication; this is the default behavior since the proxy versions mentioned above.
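To confirm that a given server has not been switched back to the old behavior, a copy of proxy.cfg can be checked for the flag. The script below is an added example, not Novell code; it assumes INI-style parsing with case-insensitive names and ';' or '#' comment lines, and it conservatively reports the bypass if any occurrence of the flag under [Extra Configuration] is set to 1.

```python
import sys

SECTION = "extra configuration"   # section named in this TID
FLAG = "skipauthforviaheader"     # flag named in this TID

# Constructed sample inputs (not taken from a real server).
SAMPLE_BYPASS = "[Extra Configuration]\nSkipAuthForViaHeader=1\n"
SAMPLE_DEFAULT = "[Extra Configuration]\nSkipAuthForViaHeader=0\n"


def find_flag(cfg_text):
    """Return [(line_number, value)] for each SkipAuthForViaHeader entry
    found under [Extra Configuration]."""
    hits, section = [], None
    for lineno, raw in enumerate(cfg_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in ";#":      # assumption: comment syntax
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != SECTION or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() == FLAG:
            hits.append((lineno, value.strip()))
    return hits


def via_auth_bypass_enabled(cfg_text):
    """True if any occurrence of the flag is 1, i.e. requests carrying a
    Via header would be served without authentication."""
    return any(value == "1" for _, value in find_flag(cfg_text))


if __name__ == "__main__":
    # Pass the path to a copy of proxy.cfg; falls back to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="latin-1") as fh:
            text = fh.read()
    else:
        text = SAMPLE_BYPASS
    for lineno, value in find_flag(text):
        print(f"line {lineno}: SkipAuthForViaHeader={value}")
    if via_auth_bypass_enabled(text):
        print("FINDING: authentication is skipped when a Via header is present")
        sys.exit(1)
    print("OK: authentication is required even when a Via header is present")
```

A missing flag and a value of 0 both report OK, matching the default described above.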