Proxy authentication is not working when coming from behind another proxy server

  • 3997214
  • 11-Dec-2007
  • 26-Apr-2012

Environment


Novell BorderManager 3.8 Support Pack 5
Novell BorderManager 3.9

Situation

Proxy authentication is not working when coming from behind another proxy server.
SSL authentication is enabled on the BorderManager Proxy server. When the browser points directly to the BorderManager Proxy IP address, the user is presented with SSL authentication before the request is allowed to go through. If no valid credentials are entered, authentication fails and no access is granted. This is the default and desired behavior.
When the browser points to another proxy server, for example Squid, and Squid has BorderManager configured as its CERN proxy, then when Squid forwards the browser's request to BorderManager, the Proxy does not ask for authentication and lets the request go through, bypassing any access control rules.

Resolution

This has been fixed in:

NBM 3.8: proxy version 5.10.04 and above available in bm38sp5_ir1.exe patch.
NBM 3.9 released code.

Additional Information

This is the default behavior of Novell BorderManager when a request comes from another proxy and that proxy adds the Via HTTP header to the request. Because authentication and access control should be applied at the lower proxy, BorderManager does not ask for authentication when it detects a Via header, and it services the request. As this functionality has raised serious concerns among customers, the default behavior has been changed: since the above-mentioned proxy versions, BorderManager requires authentication even if the Via header is present.
For customers who want the old behavior back, so that BorderManager serves the request without asking for authentication when the Via header is present, a new flag, "SkipAuthForViaHeader", has been created under [Extra Configuration] in the proxy.cfg file.
So, to get the behavior that BM 3.8 and, at present, BM 3.9 have without this change, this flag should be enabled.
If proxy.cfg looks like this:
[Extra Configuration]
SkipAuthForViaHeader=1
then BM won't ask for authentication if the Via header is present.
If this flag is not present in proxy.cfg, or if it is set to 0, BM will ask for authentication; this is the default behavior since the above-mentioned proxy versions.
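
To check a copy of proxy.cfg for this setting during a configuration review, the following added example (not Novell code) classifies the file by the SkipAuthForViaHeader flag described above. It assumes proxy.cfg is an INI-style file as shown in the snippet, that section and key names match case-insensitively, and that lines starting with ';' or '#' are comments; the function name and status labels are hypothetical.

```python
import re

SECTION = "extra configuration"   # section named in this document
FLAG = "skipauthforviaheader"     # flag named in this document


def audit_proxy_cfg(text):
    """Classify proxy.cfg text as 'auth-bypass', 'auth-enforced' or 'review'.

    Returns (status, findings); findings are (line_no, section, value) tuples
    for every occurrence of the flag, wherever it appears in the file.
    """
    section, hits = None, []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Assumption: ';' and '#' introduce comment lines.
        if not line or line[0] in ";#":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == FLAG:
            hits.append((line_no, section, value.strip()))

    in_section = [h for h in hits if h[1] == SECTION]
    # Flag set to 1 in the documented section: Via requests skip authentication.
    if any(h[2] == "1" for h in in_section):
        return "auth-bypass", hits
    # Flag outside the documented section, or a value other than 0/1:
    # the document does not say how this is treated, so a person should look.
    if len(in_section) != len(hits) or any(h[2] != "0" for h in in_section):
        return "review", hits
    # Flag absent or 0: the documented default on builds that include the fix.
    return "auth-enforced", hits


# Constructed sample input, mirroring the snippet in this document.
SAMPLE = "[Extra Configuration]\nSkipAuthForViaHeader=1\n"

if __name__ == "__main__":
    print(audit_proxy_cfg(SAMPLE))
```

An "auth-enforced" result only describes the configuration file; it holds for the proxy versions listed under Resolution, since earlier builds skip authentication for Via requests regardless of this flag.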