Index: acl.c =================================================================== RCS file: /cvsroot/squid/squid/src/acl.c,v retrieving revision 1.1.1.3.12.26.2.7 diff -u -r1.1.1.3.12.26.2.7 acl.c --- acl.c 2000/11/24 00:19:20 1.1.1.3.12.26.2.7 +++ acl.c 2000/12/10 13:55:18 @@ -1656,11 +1634,14 @@ ae->name); return -1; #endif } +#if 0 + /* we no longer check this here. See http.c - it's now a peer based option */ /* * Register that we used the proxy authentication header so that * it is not forwarded to the next proxy */ r->flags.used_proxy_auth = 1; +#endif /* Check the password */ switch (aclMatchProxyAuth(ae->data, headertype, checklist->auth_user, checklist, ae->type)) { Index: cache_cf.c =================================================================== RCS file: /cvsroot/squid/squid/src/cache_cf.c,v retrieving revision 1.1.1.3.4.1.2.9.2.2 diff -u -r1.1.1.3.4.1.2.9.2.2 cache_cf.c --- cache_cf.c 2000/11/30 10:52:01 1.1.1.3.4.1.2.9.2.2 +++ cache_cf.c 2000/12/10 13:55:23 @@ -1119,6 +1119,8 @@ #endif } else if (!strcasecmp(token, "allow-miss")) { p->options.allow_miss = 1; + } else if (!strcasecmp(token, "pass_on_auth_headers")) { + p->options.pass_on_auth_headers = 1; } else { debug(3, 0) ("parse_peer: token='%s'\n", token); self_destruct(); Index: cf.data.pre =================================================================== RCS file: /cvsroot/squid/squid/src/cf.data.pre,v retrieving revision 1.1.1.3.4.1.2.18.2.2 diff -u -r1.1.1.3.4.1.2.18.2.2 cf.data.pre --- cf.data.pre 2000/12/04 12:36:10 1.1.1.3.4.1.2.18.2.2 +++ cf.data.pre 2000/12/10 13:55:34 @@ -232,6 +232,7 @@ connect-timeout=nn digest-url=url allow-miss + pass_on_auth_headers use 'proxy-only' to specify that objects fetched from this cache should not be saved locally. 
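Review bot: The `r->flags.used_proxy_auth = 1;` assignment and its comment are disabled with `#if 0` rather than removed, which leaves a stale explanation ("so that it is not forwarded to the next proxy") sitting next to code that no longer runs. Delete the block and keep a one-line pointer such as `/* Forwarding of auth headers is decided per peer in http.c (pass_on_auth_headers). */`; the revision history already preserves the old code. The same `#if 0` pattern appears in both `case` arms of the first http.c hunk and around the old bit-field in the last structs.h hunk. The enclosing function starts and ends outside this hunk.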
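Review bot: The new token `pass_on_auth_headers` uses underscores, while the neighbouring peer options visible in this hunk and in cf.data.pre are hyphenated (`allow-miss`, `proxy-only`, `digest-url`), and an unrecognised token falls through to `self_destruct()`. For an option that decides whether user credentials leave this proxy, matching the existing convention reduces the chance of a mistyped or wrongly copied configuration: `} else if (!strcasecmp(token, "pass-on-auth-headers")) {`, with cf.data.pre updated to match. As far as this hunk shows, the parser accepts the option for any peer type; if it is meant only for parents, that check belongs here. The enclosing function continues outside the hunk.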
@@ -298,6 +299,12 @@ requests from peer by denying cache_peer_access if the source is a peer) + use 'pass_on_auth_headers' to instruct squid to pass authentication + headers (if present) onto the next upstream cache server. They will + not get sent to origin servers. + ****WARNING: use of this option may result in unintended exposure of + your users login details across the internet. USE WITH CAUTION**** + NOTE: non-ICP neighbors must be specified as 'parent'. DOC_END Index: http.c =================================================================== RCS file: /cvsroot/squid/squid/src/http.c,v retrieving revision 1.1.1.3.4.1.2.10 diff -u -r1.1.1.3.4.1.2.10 http.c --- http.c 2000/11/16 11:47:00 1.1.1.3.4.1.2.10 +++ http.c 2000/12/10 13:55:39 @@ -684,13 +684,19 @@ continue; switch (e->id) { case HDR_PROXY_AUTHORIZATION: - /* If we're not doing proxy auth, then it must be passed on */ + /* If we're configured to pass proxy auth, then it must be passed on */ +#if 0 if (!request->flags.used_proxy_auth) +#endif + if (!flags.used_proxy_auth) httpHeaderAddEntry(hdr_out, httpHeaderEntryClone(e)); break; case HDR_AUTHORIZATION: /* If we're not doing www auth, then it must be passed on */ +#if 0 if (!request->flags.accelerated || !request->flags.used_proxy_auth) +#endif + if (!request->flags.accelerated || !flags.used_proxy_auth) httpHeaderAddEntry(hdr_out, httpHeaderEntryClone(e)); else request->flags.auth = 0; /* We have used the authentication */ 
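Review bot: In the `HDR_AUTHORIZATION` arm, the test `!request->flags.accelerated || !flags.used_proxy_auth` now ties the origin-style `Authorization` header to the per-peer setting instead of to whether Squid itself consumed the credentials. With the values assigned in the next http.c hunk, an accelerated request that goes direct always has `flags.used_proxy_auth` set, so `Authorization` is dropped and `request->flags.auth = 0` runs even when no local authentication took place; through a peer with `pass_on_auth_headers`, credentials that Squid did check are forwarded. If the option is meant to cover only `Proxy-Authorization`, keep this arm on a request-level "credentials were consumed" flag, and in either case update the now stale comment `/* If we're not doing www auth, then it must be passed on */`. `flags` is not declared in the hunk, so this assumes it is the `http_state_flags` value handed to the function, whose body starts and ends outside the hunk.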
@@ -867,7 +873,15 @@ cfd = entry->mem_obj->fd; assert(-1 == cfd || FD_SOCKET == fd_table[cfd].type); if (p != NULL) + { httpState->flags.proxying = 1; + httpState->flags.used_proxy_auth=p->options.pass_on_auth_headers ? 0:1; + } + else + { + /* direct connection - never send on auth credentials */ + httpState->flags.used_proxy_auth=1; + } /* * Is keep-alive okay for all request methods? */ Index: structs.h =================================================================== RCS file: /cvsroot/squid/squid/src/structs.h,v retrieving revision 1.1.1.3.4.1.2.26.2.9 diff -u -r1.1.1.3.4.1.2.26.2.9 structs.h --- structs.h 2000/12/07 10:46:58 1.1.1.3.4.1.2.26.2.9 +++ structs.h 2000/12/10 13:55:42 @@ -870,6 +870,7 @@ unsigned int proxying:1; unsigned int keepalive:1; unsigned int only_if_cached:1; + unsigned int used_proxy_auth:1; }; struct _HttpStateData { @@ -1175,6 +1176,7 @@ unsigned int no_delay:1; #endif unsigned int allow_miss:1; + unsigned int pass_on_auth_headers:1; } options; int weight; struct { @@ -1495,7 +1497,9 @@ unsigned int proxy_keepalive:1; unsigned int proxying:1; unsigned int refresh:1; +#if 0 unsigned int used_proxy_auth:1; +#endif unsigned int redirected:1; unsigned int need_validation:1; #if HTTP_VIOLATIONS
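Review bot: `httpState->flags.used_proxy_auth` no longer records that proxy authentication was used; the added lines set it to 1 for every direct connection and to the inverse of `p->options.pass_on_auth_headers` for peers, so the name now reads opposite to what it controls. A positively named bit such as `pass_auth_headers`, set with `httpState->flags.pass_auth_headers = p->options.pass_on_auth_headers;` and explicitly 0 on the direct path, would make the fail-closed default visible at the header filter in the first http.c hunk and in structs.h. A peer without the option now never receives `Proxy-Authorization`, whereas the old check forwarded it whenever Squid had not authenticated the request itself; that default is safer but changes behaviour for existing hierarchies and deserves a line in the option's documentation. The added brace placement and the unspaced `=` differ from the `if (...) {` style seen elsewhere in the patch. The function body continues outside the hunk.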