Re: [squid-users] Question about NTLM and transparent proxy.

From: Joe Cooper <joe@dont-contact.us>
Date: Mon, 22 Jul 2002 03:07:55 -0500

Michael wrote:
>
> Joe Cooper wrote:
>
>> Michael wrote:
>>> Hi there, I have a problem getting squid to run as a transparent
>>> proxy and an NTLM authentication server.
>>
>> From the FAQ:
>>
>> 17.15 Can I use proxy_auth with interception?
>>
>> No, you cannot. With interception proxying, the client thinks it is
>> talking to an origin server and would never send the
>> Proxy-authorization request header.
>>
>> I don't see how it could be any clearer than that. squid.conf also
>> has the helpful words:
>>
>> # WARNING: proxy_auth can't be used in a transparent proxy. It
>> # collides with any authentication done by origin servers. It may
>> # seem like it works at first, but it doesn't.
>>
>> What more does it need to say on the subject to be convincing?
>
>
> Ok, thx... that was what I found myself. And the logfile was telling
> me the same. The question was just asked to find out if there exists
> a workaround. Next time I won't waste your time, sorry. I always
> read the FAQ and I also read the squid.conf.

And yet you still asked the question because you didn't like the answer
the FAQ, documentation, and log file gave you. ;-)

For future reference: When the FAQ says "no", the configuration file
documentation says "no" /and/ "WARNING", and the log file says "no"
after you've tried to do it anyway against the advice of the FAQ and the
conf file docs, the odds are very /very/ good that you are barking up
the wrong tree. This is the proper time to look for alternative
solutions to your problem.

>> That isn't strictly accurate. If you are operating an accelerator
>> (which also uses the httpd_accel options), it would be possible to
>> authenticate users at the Squid machine. But not a transparent
>> proxy.
>
> My problem is I need a transparent proxy with authentication. Is
> there another way to make one? Maybe I add a proxy after the
> transparent proxy and make the auth there???

That /is/ a problem. Because it cannot be done.

> Idea: cache_peer IP *foo*
>
> ntlm_auth@IP ???
>
> could that work ???

No. You're asking the same question (actually, an even more complicated
question), and just don't realize it. If you have another proxy, there
still needs to be room in the protocol for the authentication to happen
on a per-client basis, and adding another proxy to the equation doesn't
give you room to add the authentication.

You're missing the point here... This isn't a limitation of Squid, nor is
it a bug or misfeature. It is a behavior (note that I don't call it a
limitation) of the HTTP protocol. You cannot transparently proxy, and
use proxy authentication. Interception proxying, or 'transparent
proxying', is a hack of the networking layer that takes advantage of the
faith the browser puts in having an 'end-to-end' connection. When doing
interception proxying, you are fooling the browser client into thinking
it is talking to the origin server, when in fact it is talking to the
proxy. Why on earth would the browser send proxy authentication
credentials to every random website on the planet? When a browser is
configured to use the proxy, there is a place in the request for these
credentials, and they are stripped off of the request before it goes out
to the web. This is just the way it is.

> Other idea: can I get the user data into a perl script (from
> squid_redirect) to say pass thru the proxy or deny? How can I realize
> for windoof a (transparent, was my idea to make it) proxy without
> changing any settings in the internet exploder? I know it is hell, but
> it is a stupid policy taking effect so the users should not see that
> they are surfing thru a proxy..... and people which are not
> complaining to the company should not access the internet
> without contacting the helpdesk and getting a temp user. Installing
> additional software @ the clients is also not possible (ident etc.).
> Everything is welcome, mic

There was a discussion not two weeks ago about how to implement an
authentication scheme via a redirector and a cgi login page (no code,
just directions for how to begin such a project--you'll still need to
write the code yourself or hire someone to do it). But that
isn't what you're asking for. You want transparent logins /and/ an
interception proxy, correct? It just can't happen with HTTP 1.0/1.1.
There is no room in the protocol for it to happen.

Besides, is it legal in your part of the world for you to know the user
and where he browses, without the user knowing you know him? (I
understand the reasons for wanting to log this data...but I don't see
any legitimate reason why the user shouldn't know that the administrator
is logging this data.)

Why not do a little more research, and come back to us with questions
about WPAD and proxy .pac files? I bet you'll find a good solution is
looking you right in the face while you're busy arguing with the HTTP
RFC about what should be possible, but is not. ;-)

-- 
Joe Cooper <joe@swelltech.com>
Web caching appliances and support.
http://www.swelltech.com
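As an added example that is not part of the original thread or of Squid itself, here is a proxy auto-config (PAC) script of the kind Joe's closing suggestion points at: once a browser loads it (via WPAD or a configured URL) it sends proxy-form requests, so Squid can answer 407 and the browser can supply Proxy-Authorization credentials without the user changing any settings by hand. The proxy host name, the internal domain and the 10.0.0.0/8 range are assumptions.

```javascript
// Added example: PAC script routing all external web traffic through an
// authenticating proxy. Proxy name, domain and address range are assumed.
var PROXY = "PROXY proxy.corp.example:3128";

// The browser's PAC runtime provides isPlainHostName, dnsDomainIs and
// isInNet. The fallbacks below are constructed only so the script can be
// run offline (e.g. under node); in a browser the real functions are kept.
var isPlainHostName = typeof isPlainHostName === "function" ? isPlainHostName :
  function (host) { return host.indexOf(".") === -1; };

var dnsDomainIs = typeof dnsDomainIs === "function" ? dnsDomainIs :
  function (host, domain) {
    return host.length >= domain.length &&
      host.substring(host.length - domain.length) === domain;
  };

var isInNet = typeof isInNet === "function" ? isInNet :
  function (host, pattern, mask) {
    // Offline fallback: masked compare of a dotted-quad, no DNS lookup.
    var h = host.split("."), p = pattern.split("."), m = mask.split(".");
    if (h.length !== 4) return false;
    for (var i = 0; i < 4; i++) {
      if ((Number(h[i]) & Number(m[i])) !== (Number(p[i]) & Number(m[i]))) {
        return false;
      }
    }
    return true;
  };

function FindProxyForURL(url, host) {
  // Intranet names and addresses go direct: the proxy should not be
  // challenging users for internal services.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".corp.example") ||
      isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Everything else goes via the proxy. Deliberately no "; DIRECT"
  // fallback: together with a firewall rule blocking direct outbound HTTP
  // from clients, this keeps the proxy (and its login) mandatory.
  return PROXY;
}
```

The script enforces nothing by itself; the proxy_auth ACLs on Squid and a firewall rule blocking clients' direct outbound HTTP are what make the login unavoidable.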
Received on Mon Jul 22 2002 - 02:10:09 MDT