Proxies have become vital applications and/or computing devices (e.g., servers) for organizations. Proxies provide more efficient use and handling of limited network resources. Thus, end-users can experience improved response time for desired content when the content is available in the proxy cache. Moreover, proxies can also be configured to act as firewalls (e.g., by enforcing security policies), routers (e.g., by forwarding network packets to a next address within the network), gateways (e.g., by interfacing disparate network protocols), and/or multi-homing appliances (e.g., by permitting a single network port/address to be used to address a plurality of origin servers and/or origin sites).
One class of proxies is typically installed within close proximity (e.g., Local Area Network (LAN), and the like) to local client computing devices that they serve. These proxies are referred to as forward and/or transparent proxies. Forward and transparent proxies generally handle outbound network traffic originating from the clients that they serve. The forward and transparent proxies provide client access to external origin servers/sites via a Wide Area Network (WAN) connection, such as the Internet.
A forward proxy is known to and configured by each of the clients, before the clients can take advantage of the forward proxy's capabilities. In contrast, a transparent proxy is neither known to nor configured by the clients; rather, the transparent proxy intercepts outgoing client requests to access origin servers/sites and transparently processes the requests on behalf of the clients. Therefore, transparent proxies can be more secure than forward proxies, since the clients do not know about the transparent proxies. Furthermore, transparent proxies can be more easily integrated into a network than forward proxies, since no client configuration is required.
Another class of proxies is reverse proxies that are generally installed in proximity to the origin servers that they serve within the network. Reverse proxies handle inbound network traffic destined for their origin servers. These proxies can also provide multi-homing capabilities to the network, such that requests for content originating at remote locations within the network are redirected to the reverse proxy, and services processing on or in communication with the reverse proxy resolve the correct origin server that is being requested.
A single server or computing device can be used as a forward proxy, a transparent proxy, and a reverse proxy. Alternatively, multiple computing devices can be used to install a forward proxy, a transparent proxy, and a reverse proxy. Moreover, a network configuration need not include each of a forward proxy, a transparent proxy, and a reverse proxy. Therefore, clients can access all three proxies, one of the three proxies, or two of the proxies within a network configuration. Moreover, depending upon the operation being performed by a client, the client can assume the designation of a server, and vice versa.
Conventionally, in network configurations having proxies, the clients are authenticated to the proxies and/or the origin servers and are identified as authenticated by using the IP addresses of the clients. This becomes problematic in systems where a single real IP address is used for multiple clients or where a single IP address is used to send and receive data for all of the clients within the system (e.g., Network Address Translation (NAT)). Thus, as soon as one client authenticates, all the clients within the system of the authenticated client are authenticated. As a result, authentication techniques have moved toward techniques that account for not only the clients being used, but also the users of the clients.
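The failure described above can be reproduced in a few lines. The following is an added example, not code from the original text; the account names, passwords, class names and the shared NAT address are constructed for illustration.

```python
import base64
import hmac

USERS = {"alice": "correct-horse", "bob": "battery-staple"}  # constructed accounts
NAT_IP = "203.0.113.7"  # constructed: the one address every client behind the NAT shares

def basic(user, password):
    """Build a Basic credential header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def verify_basic(header):
    """Return the user name if `header` holds valid Basic credentials, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode()
    except ValueError:  # covers malformed base64 and malformed UTF-8
        return None
    user, _, password = decoded.partition(":")
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return user

class IpKeyedProxy:
    """Conventional scheme: a successful login marks the source address as trusted."""
    def __init__(self):
        self.trusted_ips = set()

    def allow(self, src_ip, auth_header=None):
        if verify_basic(auth_header):
            self.trusted_ips.add(src_ip)
        return src_ip in self.trusted_ips

class UserKeyedProxy:
    """Per-user scheme: the address proves nothing; each request is verified."""
    def allow(self, src_ip, auth_header=None):
        return verify_basic(auth_header) is not None
```

With `IpKeyedProxy`, a request from the NAT address that carries no credentials is allowed once any one user behind that address has logged in; `UserKeyedProxy` rejects the same request.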
One application executed on clients that is omnipresent today is a web browser that is used to access the World-Wide Web (WWW) over the Internet. A variety of commercially available web browsers exist and are well known to one of ordinary skill in the art. These existing web browsers have basic authentication for forward and reverse proxies, but not transparent proxies. Thus, if basic authentication is desired on a transparent proxy for user authentication, a different approach is needed. One approach is to have the transparent proxy engage in interactions with the web browser in order to create a cookie within the web browser that is used for subsequent transactions to the transparent proxy. A cookie is data that is stored by a remote server within a web browser, and used by the web browser when interacting with the remote server. However, since existing browsers are configured to handle authentication for forward and reverse proxies through the use of specialized events referred to as authorization-required errors, specialized web pages are sent by or redirected from the transparent proxy to the client browser in order to initially acquire the information necessary to create the cookie.
A 407-authentication error is used for forward proxy authentication, where the client is authenticating directly to the forward proxy. Accordingly, once a user initially authenticates to the forward proxy, all subsequent requests to the forward proxy include authentication information from the client. A 401-authentication error is used for origin server/reverse proxy authentication, where the client is authenticating directly to a specific site or origin server. Thus, existing web browsers are not equipped to authenticate to transparent proxies that require independent authentication, where the web browsers have no knowledge of the existence of the transparent proxies, and where the transparent proxies are used to authenticate on behalf of the sites and/or origin servers, without having specialized interfaces that are pushed or redirected to the web browsers from the transparent proxies. Therefore, single sign-on with basic authentication that exists within conventional browsers is not available when web browsers use a transparent proxy and desire to use a web browser's existing basic authentication mechanisms.
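The scoping difference between the two challenges can be seen in a small model of a browser's credential cache. This is an added example, not code from the original text: the `Browser` class, the `browse` helper, the host names and the proxy address are hypothetical, and the model is a simplification of real browser behaviour. The third case in the usage note (an intercepting hop that answers every site with 401) is an assumption added to show the per-site scope.

```python
import base64

class Browser:
    """Simplified model of a browser's Basic-auth handling (not a real browser API)."""
    def __init__(self, user, password, configured_proxy=None):
        self.token = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
        self.configured_proxy = configured_proxy
        self.proxy_cred = None   # one credential, replayed on every request via the proxy
        self.origin_creds = {}   # host -> credential, replayed only to that host
        self.prompts = 0         # number of times the user had to enter a password

    def headers_for(self, host):
        """Credential headers the browser attaches to a request for `host`."""
        out = {}
        if self.proxy_cred:
            out["Proxy-Authorization"] = self.proxy_cred
        if host in self.origin_creds:
            out["Authorization"] = self.origin_creds[host]
        return out

    def on_challenge(self, host, status):
        """React to a 401/407 Basic challenge; return True if the request is retried."""
        if status == 407:
            if self.configured_proxy is None:
                return False     # 407 from a proxy the browser does not know about
            self.proxy_cred = self.token
        elif status == 401:
            self.origin_creds[host] = self.token
        else:
            return False
        self.prompts += 1
        return True

def browse(browser, hosts, challenge_status):
    """Visit hosts through a hop that issues `challenge_status` whenever the
    matching credential header is missing. Returns the hosts actually reached."""
    needed = {401: "Authorization", 407: "Proxy-Authorization"}[challenge_status]
    reached = []
    for host in hosts:
        if needed not in browser.headers_for(host):
            if not browser.on_challenge(host, challenge_status):
                continue         # challenge ignored, request fails
        reached.append(host)
    return reached

SITES = ["a.example", "b.example", "c.example"]  # constructed host names
```

A browser with a configured forward proxy reaches all three sites after one prompt under 407; a browser with no configured proxy reaches none under 407, and under 401 it reaches all three only after three separate prompts.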
As is now apparent to one of ordinary skill in the art, there exists a need for improved techniques that permit single sign-on using basic authentication to authenticate through transparent proxies. This need is particularly acute for networks accessing the Internet through transparent proxies that handle outbound traffic destined for a plurality of sites/servers.