Re: [squid-users] Custom header based authentication module

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 25 Sep 2008 05:09:29 +1200

Christoph Rabel wrote:
> Amos Jeffries wrote:
>> Christoph Rabel wrote:
>>> To condense my question: Is it possible to specify which header
>>> information is given to the auth module? And to specify that no 407 but
>>> a redirect is sent?
>>
>> Not for auth modules. They only use the regular Proxy-Authentication:
>> headers. Maybe WWW-Authentication: header in accelerators.
>>
>> For checking custom headers you need to make your authenticator an
>> external_acl_type helper. And pass it the custom request header by name.
> Ok, just looked that up in the manual, looks doable ;-)
>
>>> Another thing that bothers me are SSL requests. What happens when the
>>> proxy encounters a request for a https site? Can it access the cookie
>>> anyway?
>> Depends on how Squid receives the HTTPS request.
>> a) as a plain URL for squid to handle. Okay, squid has access to all
>> the headers etc.
>>
>> b) as a CONNECT tunnel setup request. Squid has access to destination
>> hostname and port. very little else. The sslbump feature coming in 3.1
>> has been designed to get around those limits but has its own issues
>> with privacy doing a man-in-middle attack on your users.
> Hmm, hmm...
>
> Because authentication by the proxy is done plain text, security
> department requests that we find another solution. It should not be
> possible to simply sniff out all passwords. So we thought that we could
> use the sso cookie we already have, but I fear that it is not possible
> to do this.

Squid can handle digest authentication for proxy auth.
However the proxy-auth is not being done when you use your custom
headers. They should not include the password plain-text anyway in case
they leak.

>
> Let me rephrase my question:
>
> How do other people handle the need for secure proxy authentication? Is
> there some kind of trick or browser extension or whatever? We have to
> support IE 7.

Most don't care and use basic auth. It only occurs between squid and the
client anyway (usually internal network stuff).

Those who do care use digest auth (encrypted hash of the passwords),
or HTTPS (TLS) between client and squid. Or both for the very paranoid.

Amos

-- 
Please use Squid 2.7.STABLE4 or 3.0.STABLE9
Received on Wed Sep 24 2008 - 17:09:51 MDT

This archive was generated by hypermail 2.2.0 : Wed Sep 24 2008 - 12:00:03 MDT