In front of our web gateway (v18.104.22.168) we have a squid proxy with digest authentication.
The squid sends the authentication data to the web gateway also ("Proxy-Authorization: Digest username="user1" ,realm="realm1", nonce="xxxxxx"......").
The next step should be that the web gateway checks the LDAP directory for specific attributes to operate with different policies for different user groups.
Because the web gateway is not able to do digest auth to the LDAP itself, it should get the user attributes using only the username transmitted from squid (no authentication, just getting the attributes and working with them).
How can I implement such a policy without authentication (the user should not get a second popup from the web gateway)?
With Basic-Auth at the squid it works with authentication at the web gateway. But I have to use Digest-Auth at the proxy.
How exactly does the squid server send the proxy authorization header?
Is it literally:
Proxy-Authorization: Digest username="user1" ,realm="realm1", nonce="xxxxxx"......
Where "username" is the first value, followed by realm?
There is a ruleset in the library called "Lookup Username From "Proxy-Authorization: Basic" Header" which is similar to what you most likely want.
After I found the small error (the mistake was in my first mail too; there is no space between " and ,realm) it works perfectly.
I cannot test with SSL-Scanner, because we didn't use this option.
But with the normal policies for blocking and coaching it works very fine.
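The username extraction discussed in this thread, as an added Python example that is not part of the original posts or of the gateway's ruleset library: it parses the Digest parameters instead of matching one fixed string, so the space before `,realm` no longer matters, and it escapes the name before it goes into an LDAP filter. The function names and the `uid` attribute are assumptions, and the sketch assumes the header is only ever accepted from the upstream squid, since the gateway does not verify the digest itself.

```python
import re

# One auth-param: name = "quoted-string" or name = token, with optional
# whitespace around "=" and before/after the separating comma.
PARAM = re.compile(r'\s*([A-Za-z][\w-]*)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))\s*')
# RFC 4515 characters that must be escaped inside an LDAP filter value.
LDAP_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def parse_digest_header(value):
    """Return the Digest parameters as a dict, or None if the value is not well-formed."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() != "digest" or not rest.strip():
        return None
    params, pos = {}, 0
    while pos < len(rest):
        m = PARAM.match(rest, pos)
        if m is None:
            return None          # malformed: refuse rather than guess
        name = m.group(1).lower()
        if name in params:
            return None          # duplicate parameter is ambiguous
        if m.group(2) is not None:
            params[name] = re.sub(r"\\(.)", r"\1", m.group(2))  # undo quoted-pairs
        else:
            params[name] = m.group(3)
        pos = m.end()
        if pos < len(rest):
            if rest[pos] != ",":
                return None      # parameters must be comma-separated
            pos += 1
    return params


def digest_username(value):
    """Username from a Proxy-Authorization: Digest value, or None."""
    params = parse_digest_header(value)
    return (params or {}).get("username") or None


def ldap_filter_for(value, attr="uid"):
    """Build an escaped LDAP filter for the username; attr is an assumed attribute name."""
    user = digest_username(value)
    if user is None:
        return None
    return "(%s=%s)" % (attr, "".join(LDAP_ESC.get(c, c) for c in user))


# Constructed sample: the header shape quoted in the thread, space before ",realm" included.
SAMPLE = 'Digest username="user1" ,realm="realm1", nonce="xxxxxx"'
```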