Configure Upstream Proxy Authentication in a Proxy Chain Deployment on a ProxySG or ASG Appliance
Last Updated January 05, 2018
Consider a parent/child (downstream/upstream) proxy chaining deployment where authentication is configured on the parent proxy, not on the child proxy. Authentication fails, and the users do not appear in the authenticated user list at https://<proxy-ip>:8082/Auth/User-Logins/Summary/Realm/
This article uses explicit proxy to demonstrate the configuration.
The downstream proxy does not pass HTTP 407 challenges from the upstream proxy back to the client. This is the proxy's default behavior and a security measure to prevent client credentials from being forwarded to a malicious OCS (Origin Content Server). In a proxy chaining deployment, however, the upstream is a legitimate proxy server.
On the downstream proxy, permit 407 challenges by executing the following command in the CLI.
If you need to revert this change, use this command: #(config) http no allow-upstream-407
In addition, the downstream proxy may also strip the Proxy-Authorization header when the credentials are forwarded upstream, as shown in the following packet captures. This is also default proxy behavior: credentials are not forwarded, to avoid leaking them to a third-party OCS.
Child proxy PCAP:
Parent proxy PCAP: The Proxy-Authorization header is not present in the HTTP GET request received on the upstream proxy.
To forward the credentials upstream, the CPL script below can be added to the local policy file on the downstream ProxySG. This example enforces the action only for the domain www.example.com.
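The comparison the two captures illustrate can be scripted. The following is an added example, not part of the original article or of any Symantec tooling: it takes the raw HTTP request seen on the child side and the one received on the parent side and reports which authentication headers were dropped in between, redacting the credential value. Both sample requests and all function names are constructed for illustration.

```python
# Added example: detect auth headers stripped between child and parent proxy.
# CHILD_SIDE and PARENT_SIDE are constructed samples, not the article's captures.

AUTH_HEADERS = ("proxy-authorization", "authorization")

CHILD_SIDE = (
    b"GET http://www.example.com/ HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Proxy-Authorization: Basic Y29uc3RydWN0ZWQ6c2FtcGxl\r\n"
    b"Proxy-Connection: Keep-Alive\r\n\r\n"
)
PARENT_SIDE = (
    b"GET http://www.example.com/ HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)

def parse_headers(raw: bytes) -> dict:
    """Return {lowercased-name: value} for the header block of one HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def redact(value: str) -> str:
    """Keep the auth scheme, hide the credential so the output is safe to share."""
    scheme = value.split(" ", 1)[0]
    return f"{scheme} <redacted>"

def dropped_auth_headers(child_raw: bytes, parent_raw: bytes) -> dict:
    """Auth headers present in the child-side request but absent at the parent."""
    child, parent = parse_headers(child_raw), parse_headers(parent_raw)
    return {h: redact(child[h]) for h in AUTH_HEADERS
            if h in child and h not in parent}

if __name__ == "__main__":
    for name, value in dropped_auth_headers(CHILD_SIDE, PARENT_SIDE).items():
        print(f"stripped between child and parent: {name}: {value}")
```

An empty result after the policy change means the header now reaches the parent proxy.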