RE: [squid-users] Squid auth methods that work without direct app support? Wrappers or "helper" apps for clients to auth to Squid?

From: McKenzie, David <damckenzie_at_csu.edu.au>
Date: Mon, 20 Sep 2010 08:34:13 +1000

> -----Original Message-----
> From: Bucci, David G [mailto:david.g.bucci_at_lmco.com]
> Sent: Saturday, 18 September 2010 3:45 AM
> To: squid-users_at_squid-cache.org
> Subject: [squid-users] Squid auth methods that work without direct app
> support? Wrappers or "helper" apps for clients to auth to Squid?
>
> Hi, all -- we have a situation where we would benefit (or are at least
> exploring) turning on authentication in Squid. But we have several
> apps that use HTTP (REST, basically) for their communication, and don't
> have built-in support for basic auth, Kerberos, etc.
>
> So, a basic question. Is anyone aware of any approaches to leveraging
> proxy authentication with custom-coded applications in such situations?
> Are there any auth methods that can be configured to work from Windows
> clients "automagically", via built-in support at the network stack
> level, invisibly or independent of the custom application issuing the
> HTTP calls that are being proxied? Or, alternatively, are there
> "wrapper" approaches that can be used to enable proxy authentication
> for the apps?
>
> The client and server environments are both Windows, btw. And we have
> flexibility to run Squid on the client as well as the servers, if it
> makes approaches possible (this indirectly relates to the chains a
> month ago about using Squid on both a client and server to create a
> poor-man's SSL VPN - which we ended up not doing, because of the
> instability of the SSL support in the Squid install from Acme,
> unfortunately, we instead leveraged Squid only on the server, and are
> sending proxy calls through Stunnel).
>
> This might sound like an arcane situation (or maybe not, not sure) -
> but we're forced to secure 3rd party applications for which we aren't
> allowed to touch the code <sigh>.
>
> Tia!
>
>
> ----
> David G. Bucci
>
> Chuck Norris can kick through all 6 degrees of separation,
> hitting anyone, anywhere, in the face, at any time.
> -- ChuckNorrisFacts.com

Over here we added exceptions for URLs that are required by applications with no support for proxy. I'd be interested to see if anyone has a "cleaner" solution.

-Dave

YOU MUST READ THIS NOTICE

This email has been sent by Charles Sturt University (CSU) (ABN 83 878 708 551, CRICOS 00005F). This email (and any attachment) is confidential and is intended for the use of the addressee(s) only. If you are not the intended recipient of this email, you must not copy, distribute, take any action in reliance on it or disclose it to anyone. Any confidentiality is not waived or lost by reason of mistaken delivery. The views expressed in this email are not necessarily those of CSU. Email should be checked for viruses and defects before opening. CSU does not accept liability for viruses or any consequence which arise as a result of this email transmission. Email communications with CSU may be subject to automated email filtering, which could result in the delay or deletion of a legitimate email before it is read at CSU. The Commonwealth Register of Institutions and Courses for Overseas Students (CRICOS) Provider Number for Charles Sturt University is 00005F (NSW) and 01947G (VIC) and 02960B (ACT).
Received on Sun Sep 19 2010 - 22:34:29 MDT

This archive was generated by hypermail 2.2.0 : Mon Sep 20 2010 - 12:00:03 MDT