Re: [squid-users] Authenticating users with a webpage form

From: Taylor Jones <monitorjbl@dont-contact.us>
Date: Sun, 02 Dec 2007 17:58:08 -0500

I see. So I guess I need to use Hamidi's method: set up some webserver
that unauthenticated users are redirected to, have the user submit his
data to it, have some script on the webserver check against the password
list (in my case LDAP), if the user was valid add the user's IP address
to the proxy server's ACL list, then redirect the user to some other
page so that the proxy accepts the newly authenticated user and allows
him through. I guess I'll need some manner of measuring how long a
user has been logged in so I can give him a certain amount of access
time. It just seems...kludgy somehow. Maybe it's just me. It would be
nice if this were more supported natively by squid, but I guess that's
how guys like Amos make their money! Thanks for all your help guys!

Amos Jeffries wrote:
>> Is there no way to do this securely and in such a way that squid is able
>> to log the IP address of the user? I mean, all I really want to do is
>> ask the same questions of the user, just in a slightly different way. It
>> seems hard to believe that this is so difficult in squid, every coffee
>> shop and airport in the U.S. has something similar to this in their wifi
>> hotspots. I am willing to accept that I may not know how it works, so I
>> will explain what I believe to be the proper authentication steps:
>
> You misunderstand the basic HTTP/HTTPS authentication behaviour of web
> browsers, over which you have absolutely no control.
>
>> 1) User connects to proxy server
>> 2) Squid sends an authentication request to the user with a method
>> similar to .htaccess in Apache (I am using basic ncsa_auth at the
>> moment, I realize that in digest and NTLM, this different and more secure)
>
> *nix that. Squid must check source of 'logged-in' users, redirecting any
> not found to the web server for 'authentication'.
>
>> 3) User submits his information
>
> ** to the 'authenticating' web server via the page POST.
> which gets handled by an out-of-band script
> which on success then redirects user back to original requested page.
>
>> 4) Squid uses ncsa_auth to compare the user's data with a password list
>> somewhere on the proxy server
>
> * nix this too. proxy CANNOT use HTTP authentication for this remember?
> browsers provide the login box.
>
>> 5) If the user is authorized, his IP address is added to a list of
>> authorized users. If no, he is rejected.
>
> ** by the 'authenticating' web server via the POST.
>
> Proxy MUST scan source of 'logged-in' users again.. repeat ad infinitum
> until success or failure blocks the users loop.
>
>> If I am right about that, then all I really want to do can be done by
>> slightly modifying step 2, and send a complete webpage to the user.
>> Since I am using basic authentication, I realize that the user's
>> credentials are sent in plain text, so is it possible to use SSL in this
>> scenario? The data is only being sent to the proxy server, so there
>> shouldn't be a problem with any men-in-the-middle.
>
> Nope, the browser's behaviour on seeing a browser-level credential request is
> to send credentials or show the box. There is no way you can use any of
> the *_auth and not have the box.
>
> In a way out-of-band authentication is much more secure for the proxy
> interaction part of the cycle and for all traffic once a user is
> authorized.
> But the authentication web server takes up all the usual security holes
> any other clear-text password mechanism has.
>
> Thus, I give away a secure code for the risky bit free, with advice
> available on it. While charging for the config part.
>
> Amos
>
>>
>> Adrian Chadd wrote:
>>> You misunderstand how it works.
>>>
>>> The browser pops up that box to gather authentication credentials it
>>> then uses for all subsequent connections to the proxy server.
>>>
>>> Using a login page won't magically place authentication credentials
>>> in the web browser for it to then use for subsequent connections.
>>> The proxy has to track which IP addresses have had users log
>>> and then pass them through.
>>>
>>> This has security implications which no one really seems to care about...
>>>
>>>
>>>
>>> Adrian
>>>
>>> On Sun, Dec 02, 2007, Taylor Jones wrote:
>>>> Thanks for the offer, but I'm not looking for a way to log in, I'm
>>>> looking for a way to change the way in which squid lets users log in.
>>>> As you know, the user authenticates himself via a little pop-up box in
>>>> his browser. This is fine for most people, but like I said, I'm
>>>> slightly obsessive, and I would like to design my own webpage through
>>>> which the users log in. I could write the actual login script myself
>>>> and implement it with LDAP or MySQL or something like that, but I
>>>> can't figure out how to make squid show a login page instead of a
>>>> login box.
>>>>
>>>>
>>>>> On Dec 1, 2007 10:08 PM, Amos Jeffries <squid3@treenet.co.nz> wrote:
>>>>>> Taylor Jones wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> I read the guidelines for this mailing list, and I really do hope I'm
>>>>>>> not asking a question you've all heard a million times. If I am, feel
>>>>>>> free to berate me, I probably deserve it.
>>>>>>>
>>>>>>> I am looking for a way to use a webpage with a GET/POST form to get
>>>>>>> the user's name and password for authentication instead of the pop-up
>>>>>>> that the user receives by default. I realize that this is just an
>>>>>>> aesthetic kind of thing, but I'm nothing if not obsessive, and I hate
>>>>>>> that I can't tell a user where he is and what he needs to do to gain
>>>>>>> access to our proxy server. Honestly, this shouldn't be that hard to
>>>>>>> implement, I just don't really know where I should start. Any help you
>>>>>>> guys could give me would be much appreciated!
>>>>>> I'm happy to supply a system.
>>>>>> http://treenet.co.nz/projects/
>>>>>>
>>>>>> The web login code is freeware. The server and proxy integration is not.
>>>>>> If you are interested get in touch off-list and we can discuss the price
>>>>>> for that part.
>>>>>>
>>>>>> Amos Jeffries
>>>>>> --
>>>>>> amos@treenet.co.nz
>>>>>> Treehouse Networks Ltd.
>>>>>> +64 21 293 4049
>>>>>>
>>
>
>
Received on Sun Dec 02 2007 - 15:57:56 MST

This archive was generated by hypermail pre-2.1.9 : Tue Jan 01 2008 - 12:00:01 MST
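The scheme sketched in the thread (Squid checks whether the source IP is "logged in", redirects anyone not found to the login web server, and the session is time-limited) can be wired up with a Squid external ACL helper. This is an added example, not code from the thread or from the Squid project; the helper path, session file path, login URL and sample session lines are assumptions.

```python
"""Squid external ACL helper for the 'logged-in IP' scheme in the thread.
Added example, not code from the thread or the Squid project. Assumed
squid.conf wiring (real directives; helper path and login URL are placeholders):
  external_acl_type webauth ttl=10 negative_ttl=5 %SRC /usr/local/bin/ip_acl.py
  acl loggedin external webauth
  http_access allow loggedin
  deny_info https://login.example.net/?url=%s loggedin
  http_access deny all
Squid sends one line per check (the client IP); the helper answers OK for an
IP with an unexpired session, ERR otherwise (Squid then redirects to the login
page). The login server (not shown) appends 'ip expiry' after a good LDAP bind.
"""
import sys
import time

SESSION_FILE = "/var/lib/webauth/sessions"  # assumed path
# Constructed sample of the session file format: client ip, unix expiry time.
SAMPLE_LINES = ["10.0.0.5 1700000000", "garbage", "10.0.0.5 1700003600"]

def load_sessions(lines):
    """Parse 'ip expiry' lines; the last entry for an IP wins."""
    sessions = {}
    for raw in lines:
        parts = raw.split()
        if len(parts) != 2:
            continue  # skip malformed lines rather than failing open
        try:
            sessions[parts[0]] = int(parts[1])
        except ValueError:
            continue
    return sessions

def decide(ip, sessions, now):
    """OK only if the IP has a session that has not expired (fail closed)."""
    expiry = sessions.get(ip)
    return "OK" if expiry is not None and now < expiry else "ERR"

def main():
    for line in sys.stdin:  # one lookup per line, answered in order
        ip = (line.split() or [""])[0]
        try:
            with open(SESSION_FILE) as fh:
                sessions = load_sessions(fh)
        except OSError:
            sessions = {}  # missing file means nobody is logged in
        sys.stdout.write(decide(ip, sessions, int(time.time())) + "\n")
        sys.stdout.flush()

if __name__ == "__main__":
    main()
```

Because the helper re-reads the file on every uncached lookup, the `ttl=` option keeps Squid from hammering it, and expired or unknown IPs fall through to `deny_info`, which sends the browser to the login page with the original URL.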