[squid-users] ssl'ing squid traffic

From: Sergey Shepshelevich <sergey@dont-contact.us>
Date: Tue, 15 Mar 2005 16:45:08 +0300

        Hello,

I have a little task regarding integration of a secure user authorization scheme at our
proxy server.

As far as I know there are two possible ways to achieve this goal:

1. squid + digest_pw_auth. In this case we have to use HTTP digest, but at the moment
we are storing users' passwords in the openldap directory as the _crypted_ attribute "userPassword".
At the same time, to use digest authorization we have to store
MD5(username:realm:password), but that's difficult in our environment.
Storing clear passwords in the openldap directory is also not an option.

Does anyone know if there are any working schemas utilizing openldap + HTTP digest auth?
Unfortunately, I only found ideas for implementing such schemas in the list archives.

2. HTTPS connection between the proxy server and the end-user's browser. This way we encrypt all
traffic with no differences for HTTP/FTP/HTTPS. The user's password is also encrypted because
it's transferred after the secure channel has been initiated.

It's also better than variant (1) because all content is encrypted and we can avoid man in the middle attacks.

http://www.squid-cache.org/Doc/FAQ/FAQ-1.htm#ss1.12 says that

"..As of version 2.5, Squid can terminate SSL connections.
This is perhaps only useful in a surrogate (http accelerator) configuration.
You must run configure with --enable-ssl. See https_port in squid.conf
for more information."

Thank you for your suggestions.

-- 
Sergey Shepshelevich,
Ulyanovsk State Technical University
NOC, System administrator
Received on Tue Mar 15 2005 - 06:45:41 MST
