[squid-users] the perennial question of transparent proxy authentication...

From: Graham Toal <gtoal@dont-contact.us>
Date: Thu, 8 May 2003 00:07:50 -0500

Hello folks - long time no see, to some of you! (I haven't been a squid
hacker since '97 I'm afraid - a bit out of touch... but I see a few
of the same old faces around... Hi Henrik)

I want to set up an authenticating gateway. I've looked at the
free captive portals which do tricks with firewall rules (such as
"nocat") and they all have one problem or another that has made
them impractical to use here.

I realised yesterday that for my current users, they don't need a
full transparent NAT gateway and in fact having them on a non-routable
subnet whose only access to the net was via a transparent web proxy
was actually better for us security wise than the more complex systems
we'd looked at and failed to get working well.

So... I set up a test system tonight with "smoothwall" - 10 minutes
work to create a proper firewall (how times have changed...) and
configured it to run squid in transparent proxy mode. Then I turned
on auth... and learned what everyone here already knew, which is that
web-based authorization is fundamentally incompatible with transparent
proxying.

However undaunted I've read the archives and see that there are two possible
workarounds...

1) ip redirection first to a web page which does the authorization and
which modifies the ip redirection after it has done so (pretty much
the same mechanism as captive portals)

[Richard Stagg wrote in '99 that he had written code like this but
his email address is no longer valid]

2) use squids dynamic redirectors to redirect *urls* until authenticated
and then stop redirecting them afterwards.

I've looked on the web site at the redirectors and authenticators
and the most promising one appears to be squidguard but it looks
rather complicated for what I want.

Has anyone else already used squid to create an authenticating
gateway? (it has to be transparent - my users would never cope
with manually configuring a proxy, and since they're coming in
over wireless (it's a library) even if they did, they'd have to
undo it as soon as they went elsewhere... too much hassle - transparent
is clearly the way to go...)

I'm not too fussy about the details of the authenticator code as
long as I can write it myself (either the squid plugin or even
a cgi page)

If there isn't such a system yet, got any tips if I try to write
one myself using redirectors?

I can see how a redirector could dynamically decide to block or pass
depending on whether someone had authenticated or not, and I know
that an external cgi can tweak the iptables or ipchains, but I'm
not at all sure how one might tweak squid acls dynamically after
someone has authenticated externally - would you have to rewrite the
squid.conf file and send squid a HUP signal (or restart it?), or is
there a better way of communicating acl changes to squid dynamically?

thanks

Graham
Received on Wed May 07 2003 - 23:00:25 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:16:21 MST