Re: [squid-users] username and password in TRANSPARENT mode

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Thu, 09 Aug 2007 12:12:22 +0200

On Mon, 2007-08-06 at 16:57 +0800, Adrian Chadd wrote:

> I don't know why this isn't better documented

Not sure how it can be better documented. It's both in squid.conf and
the FAQ, and additionally Squid emits a quite clear warning in cache.log
if you try to use it.

But yes, it probably could be placed better in the squid.conf comments.
Currently in the proxy_auth acl, should be in auth_params.

> alas. No, transparent
> interception doesn't function with proxy authentication. It's a shortcoming
> of the HTTP RFC spec.

I wouldn't say it's a shortcoming. It's a very reasonable security
restriction to not allow random web servers to fish for proxy
authentication credentials, and only allow proxy authentication to known
proxies.

> I hear rumours about commercial products supporting
> cookie-type hacks to do authentication but I've never seen it live.

Done it for Squid earlier. Requires a web server which maintains logins and
tracks the cookie sessions (any cookie-based server will do fine) and an
external_acl helper which can query the same server to check if a cookie
is valid. No modifications to Squid itself required.

But it's worth noting that cookie-based authentication can never work
very well. There will always be cases where the proxy either has to
allow access or break communication (non-GET methods without a valid
cookie).

Another possibility is to abuse NTLM authentication. As NTLM is
connection-oriented it kind of works to authenticate to multiple hops.
Never done this with Squid, and it will require a few modifications
to make it work.

> Use WPAD+proxy.pac to autodiscover proxy services for a LAN.

Yes.

Regards
Henrik

Received on Thu Aug 09 2007 - 04:12:37 MDT
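The cookie-session scheme Henrik describes above, as an added example that is not code from the thread or from the Squid project: a small external_acl helper that Squid feeds the request method and the "session" member of the Cookie header, and that answers OK (with the user name) or ERR. The session table is an in-memory stand-in for the login server's session store (the tokens and users in it are invented for the example); the squid.conf lines in the docstring, the helper path, the cookie name "session" and the login URL are assumptions.

```python
#!/usr/bin/env python3
"""Cookie-session external_acl helper for Squid (added example, not from the
thread).  Assumed squid.conf fragment (external_acl_type format tokens as
documented for Squid 2.6/3.x; path and login URL are placeholders):

  external_acl_type cookie_session ttl=60 negative_ttl=5 \
      %METHOD %{Cookie:;session} /usr/local/bin/cookie_acl.py
  acl logged_in external cookie_session
  http_access allow logged_in
  deny_info http://login.example.net/ logged_in
  http_access deny all

Squid writes one line per lookup, "<method> <session-cookie-value>", using
"-" when the Cookie header or its "session" member is absent, and expects one
reply line starting with OK or ERR (optionally followed by key=value pairs
such as user=...).  Without concurrency= there is no channel-id prefix.
"""
import sys
import time

# Constructed stand-in for the login server's session table.  A real helper
# would query that server (HTTP, database, ...) instead; these entries are
# invented for the example.
SESSIONS = {
    "5f1a9c": {"user": "alice", "expires": time.time() + 3600},
    "deadbe": {"user": "bob",   "expires": time.time() - 1},  # already expired
}


def lookup_session(token, sessions=SESSIONS, now=None):
    """Return the user name for a valid, unexpired session token, else None."""
    now = time.time() if now is None else now
    entry = sessions.get(token)
    if entry is None or entry["expires"] <= now:
        return None
    return entry["user"]


def evaluate(line, sessions=SESSIONS, now=None):
    """Turn one request line from Squid into the helper's reply line.

    ERR makes the logged_in acl fail, so http_access falls through to the
    deny_info redirect.  That redirect is exactly the case Henrik flags: for
    a POST (or any non-GET) without a valid cookie the body is lost, so the
    helper cannot do better than deny; the caveat is inherent, not fixable
    here.
    """
    fields = line.strip().split()
    if len(fields) != 2:
        return "ERR message=malformed_helper_input"
    method, token = fields
    if token == "-":
        return "ERR message=no_session_cookie"
    # Defensive: tolerate a "session=" prefix in case the member is passed
    # whole rather than as its bare value (assumption, not Squid-documented).
    if token.startswith("session="):
        token = token[len("session="):]
    user = lookup_session(token, sessions, now)
    if user is None:
        return "ERR message=invalid_or_expired_session"
    # user= makes the name show up in access.log and in %LOGIN-style acls.
    return "OK user=%s" % user


def main():
    # Squid talks to the helper line by line over a pipe: every reply must be
    # flushed immediately, or the lookup hangs until the buffer fills.
    for line in sys.stdin:
        sys.stdout.write(evaluate(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Run it by hand with `printf 'GET 5f1a9c\nPOST deadbe\nGET -\n' | ./cookie_acl.py` to see one reply per line. The negative_ttl keeps a rejected cookie from hitting the session server on every request, and ttl bounds how long a logout takes to propagate to the proxy.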
