Re: [squid-users] Authenticating users with a webpage form

From: Amos Jeffries <squid3@dont-contact.us>
Date: Mon, 3 Dec 2007 11:37:09 +1300 (NZDT)

> Is there no way to do this securely and in such a way that squid is able
> to log the IP address of the user? I mean, all I really want to do is
> ask the same questions of the user, just in a slightly different way. It
> seems hard to believe that this is so difficult in squid, every coffee
> shop and airport in the U.S. has something similar to this in their wifi
> hotspots. I am willing to accept that I may not know how it works, so I
> will explain what I believe to be the proper authentication steps:

You misunderstand the basic HTTP/HTTPS authentication behaviour of web
browsers, over which you have absolutely no control.

>
> 1) User connects to proxy server
> 2) Squid sends an authentication request to the user with a method
> similar to .htaccess in Apache (I am using basic ncsa_auth at the
> moment, I realize that in digest and NTLM this is different and more secure)

*nix that. Squid must check the source of 'logged-in' users, redirecting any
not found to the web server for 'authentication'.

> 3) User submits his information

** to the 'authenticating' web server via the page POST,
which gets handled by an out-of-band script,
which on success then redirects the user back to the originally requested page.

> 4) Squid uses ncsa_auth to compare the user's data with a password list
> somewhere on the proxy server

* nix this too. The proxy CANNOT use HTTP authentication for this, remember?
Browsers provide the login box.

> 5) If the user is authorized, his IP address is added to a list of
> authorized users. If no, he is rejected.

** by the 'authenticating' web server via the POST.

The proxy MUST scan the source of 'logged-in' users again... repeat ad infinitum
until success or failure blocks the user's loop.

>
> If I am right about that, then all I really want to do can be done by
> slightly modifying step 2, and send a complete webpage to the user.
> Since I am using basic authentication, I realize that the user's
> credentials are sent in plain text, so is it possible to use SSL in this
> scenario? The data is only being sent to the proxy server, so there
> shouldn't be a problem with any men-in-the-middle.

Nope, the browser's behaviour on seeing a browser-level credential request is
to send credentials or show the box. There is no way you can use any of
the *_auth and not have the box.

In a way, out-of-band authentication is much more secure for the proxy
interaction part of the cycle and for all traffic once a user is
authorized.
But the authentication web server takes on all the usual security holes
any other clear-text password mechanism has.

Thus, I give away secure code for the risky bit free, with advice
available on it, while charging for the config part.

Amos

>
>
> Adrian Chadd wrote:
>> You misunderstand how it works.
>>
>> The browser pops up that box to gather authentication credentials it
>> then uses for all subsequent connections to the proxy server.
>>
>> Using a login page won't magically place authentication credentials
>> in the web browser for it to then use for subsequent connections.
>> The proxy has to track which IP addresses have had users log in
>> and then pass them through.
>>
>> This has security implications which no one really seems to care about...
>>
>>
>>
>> Adrian
>>
>> On Sun, Dec 02, 2007, Taylor Jones wrote:
>>> Thanks for the offer, but I'm not looking for a way to login, I'm
>>> looking for a way to change the way in which squid lets users log in.
>>> As you know, the user authenticates himself via a little pop-up box in
>>> his browser. This is fine for most people, but like I said, I'm
>>> slightly obsessive, and I would like to design my own webpage through
>>> which the users log in. I could write the actual login script myself
>>> and implement it with LDAP or MySQL or something like that, but I
>>> can't figure out how to make squid show a login page instead of a
>>> login box.
>>>
>>>
>>>> On Dec 1, 2007 10:08 PM, Amos Jeffries <squid3@treenet.co.nz> wrote:
>>>>> Taylor Jones wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I read the guidelines for this mailing list, and I really do hope I'm
>>>>>> not asking a question you've all heard a million times. If I am, feel
>>>>>> free to berate me, I probably deserve it.
>>>>>>
>>>>>> I am looking for a way to use a webpage with a GET/POST form to get
>>>>>> the user's name and password for authentication instead of the pop-up
>>>>>> that the user receives by default. I realize that this is just an
>>>>>> aesthetic kind of thing, but I'm nothing if not obsessive, and I hate
>>>>>> that I can't tell a user where he is and what he needs to do to gain
>>>>>> access to our proxy server. Honestly, this shouldn't be that hard to
>>>>>> implement, I just don't really know where I should start. Any help you
>>>>>> guys could give me would be much appreciated!
>>>>> I'm happy to supply a system.
>>>>> http://treenet.co.nz/projects/
>>>>>
>>>>> The web login code is freeware. The server and proxy integration is not.
>>>>> If you are interested get in touch off-list and we can discuss the price
>>>>> for that part.
>>>>>
>>>>> Amos Jeffries
>>>>> --
>>>>> amos@treenet.co.nz
>>>>> Treehouse Networks Ltd.
>>>>> +64 21 293 4049
>>>>>
>>
>
>
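The flow Amos describes (proxy checks the client's source address against a list of logged-in users, redirects everyone else to a login page, the page's POST handler verifies the password and records the IP, the proxy re-checks on the next request) can be built with Squid's external ACL helper interface. The following is an added example written for this page; it is not code from the thread, from Squid, or from Treehouse Networks. It assumes Squid passes the client IP as the only helper token (%SRC), that the login page's POST handler and the helper share one session table (an in-memory dict here; a real deployment would share a file or database), that sessions are bound to the client IP and expire after a fixed TTL, and the squid.conf fragment shown in the comments, none of which the thread states.

```python
"""Captive-portal style proxy authorization: login-page POST handler logic
plus a Squid external_acl_type helper that answers OK/ERR per client IP.

Added example; not from the thread, Squid, or Treehouse Networks.
Assumed (not stated in the thread): Squid passes the client IP as the only
token (%SRC), helper and login page share this session table, sessions are
IP-bound with a fixed TTL.
"""
import hashlib
import hmac
import ipaddress
import os
import sys
import time

SESSION_TTL = 3600  # seconds an IP stays "logged in" after a successful POST

# Assumed squid.conf fragment tying this together (illustrative, not from the thread):
#
#   external_acl_type portal ttl=60 negative_ttl=5 %SRC /usr/local/bin/portal_check.py
#   acl portal_user external portal
#   acl login_server dst 192.0.2.10        # the 'authenticating' web server
#   http_access allow login_server         # unauthenticated users may reach it
#   deny_info http://login.example.net/login?url=%s portal_user
#   http_access deny !portal_user          # everyone else is sent to the form
#   http_access allow all


class PortalSessions:
    """Session table used by both the login POST handler and the helper."""

    def __init__(self, users, ttl=SESSION_TTL):
        self.users = users        # username -> (salt, pbkdf2 digest)
        self.ttl = ttl
        self.sessions = {}        # client IP -> (username, expiry timestamp)

    @staticmethod
    def hash_password(password, salt=None):
        """Salted PBKDF2; returns (salt, digest) for storage in the user table."""
        salt = salt if salt is not None else os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return salt, digest

    def login(self, ip, user, password, now=None):
        """The web server's POST handler step: verify, then record the IP.
        Returns True on success; the handler would then redirect the browser
        back to the originally requested URL."""
        now = time.time() if now is None else now
        try:
            ip = str(ipaddress.ip_address(ip))
        except ValueError:
            return False
        record = self.users.get(user)
        # Hash even for unknown users so timing does not reveal valid usernames.
        salt, expected = record if record else (b"\x00" * 16, b"\x00" * 32)
        _, got = self.hash_password(password, salt)
        if record is None or not hmac.compare_digest(got, expected):
            return False
        self.sessions[ip] = (user, now + self.ttl)
        return True

    def is_authorized(self, ip, now=None):
        """Logged-in user for this IP, or None; expired entries are dropped."""
        now = time.time() if now is None else now
        entry = self.sessions.get(ip)
        if entry is None:
            return None
        user, expiry = entry
        if now >= expiry:
            del self.sessions[ip]
            return None
        return user

    def helper_reply(self, line, now=None):
        """One round of the external ACL helper protocol: IP line in, OK/ERR out.
        The IP is all Squid knows here: anyone sharing that address (NAT, a
        second user on the same host) inherits the session. That is the
        'security implication' of IP-bound logins; the TTL only bounds it."""
        parts = line.split()
        if not parts:
            return "ERR"
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            return "ERR"
        return "OK" if self.is_authorized(ip, now) else "ERR"


def main():
    # Constructed demo credential; a deployment loads the same store the
    # login page writes to.
    sessions = PortalSessions({"alice": PortalSessions.hash_password("s3cret")})
    for line in sys.stdin:               # Squid writes one request per line
        sys.stdout.write(sessions.helper_reply(line) + "\n")
        sys.stdout.flush()               # replies must not sit in a buffer


if __name__ == "__main__":
    main()
```

Squid caches helper answers for the `ttl=` / `negative_ttl=` it is given, so a fresh login is honoured within a few seconds and an expired session is cut off within a minute; the password check itself never passes through the proxy, which is the split Amos describes between the out-of-band login page and the proxy's IP scan.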
Received on Sun Dec 02 2007 - 15:37:12 MST