Re: [squid-users] Authenticating users with a webpage form

From: Amos Jeffries <squid3@dont-contact.us>
Date: Mon, 3 Dec 2007 15:20:55 +1300 (NZDT)

> I see. So I guess I need to use Hamidi's method: set up some webserver
> that unauthenticated users are redirected to, have the user submit his
> data to it, have some script on the webserver check against the password
> list (in my case LDAP), if the user was valid add the user's IP address
> to the proxy server's ACL list, then redirect the user to some other
> page so that the proxy accepts the newly authenticated user and allows
> him through. I guess I'll need some manner of measuring how long a
> user has been logged in so I can give him a certain amount of access
> time. It just seems...kludgy somehow. Maybe it's just me. It would be
> nice if this were more supported natively by squid, but I guess that's
> how guys like Amos make their money! Thanks for all your help guys!

You mean turn squid into a fully-fledged webserver that can process POSTs?
Or making it easy for admin to open a major security hole in their systems?

Without some care the web-form login can be attacked and broken. On top of
that a network where NAT is in use (read most places in IPv4 where users
come from) users are able to piggy-back on each others authorised sessions
relatively easily unless specific protection is added, which kludged
protection is even easier to break open than the web-form itself.

The box is provided in HTTP to give the best (medium-secure)
authentication the protocol is capable of, bypassing it with a home-brew
is not a good thing in most cases. You will note that I provide help for
people wanting it, but choose to use the HTTP login box on my own proxy
when it can be used.

Amos

>
> Amos Jeffries wrote:
>>> Is there no way to do this securely and in such a way that squid is
>>> able to log the IP address of the user? I mean, all I really want to
>>> do is ask the same questions of the user, just in a slightly different
>>> way. It seems hard to believe that this is so difficult in squid, every
>>> coffee shop and airport in the U.S. has something similar to this in
>>> their wifi hotspots. I am willing to accept that I may not know how it
>>> works, so I will explain what I believe to be the proper authentication
>>> steps:
>>
>> You misunderstand the basic HTTP/HTTPS authentication behaviour of web
>> browsers. Over which you have absolutely no control.
>>
>>> 1) User connects to proxy server
>>> 2) Squid sends an authentication request to the user with a method
>>> similar to .htaccess in Apache (I am using basic ncsa_auth at the
>>> moment, I realize that in digest and NTLM, this different and more
>>> secure)
>>
>> *nix that. Squid must check source of 'logged-in' users, redirecting any
>> not found to the web server for 'authentication'.
>>
>>> 3) User submits his information
>>
>> ** to the 'authenticating' web server via the page POST.
>> which gets handled by an out-of-band script
>> which on success then redirects user back to original requested page.
>>
>>> 4) Squid uses ncsa_auth to compare the user's data with a password list
>>> somewhere on the proxy server
>>
>> * nix this too. proxy CANNOT use HTTP authentication for this remember?
>> browsers provide the login box.
>>
>>> 5) If the user is authorized, his IP address is added to a list of
>>> authorized users. If no, he is rejected.
>>
>> ** by the 'authenticating' web server via the POST.
>>
>> Proxy MUST scan source of 'logged-in' users again.. repeat ad infinitum
>> until success or failure blocks the users loop.
>>
>>> If I am right about that, then all I really want to do can be done by
>>> slightly modifying step 2, and send a complete webpage to the user.
>>> Since I am using basic authentication, I realize that the user's
>>> credentials are sent in plain text, so is it possible to use SSL in
>>> this scenario? The data is only being sent to the proxy server, so
>>> there shouldn't be a problem with any men-in-the-middle.
>>
>> Nope, the browser's behaviour on seeing a browser-level credential
>> request is to send credentials or show the box. There is no way you can
>> use any of the *_auth and not have the box.
>>
>> In a way out-of-band authentication is much more secure for the proxy
>> interaction part of the cycle and for all traffic once a user is
>> authorized.
>> But the authentication web server takes up all the usual security holes
>> any other clear-text password mechanism has.
>>
>> Thus, I give away a secure code for the risky bit free, with advice
>> available on it. While charging for the config part.
>>
>> Amos
>>
>>>
>>> Adrian Chadd wrote:
>>>> You misunderstand how it works.
>>>>
>>>> The browser pops up that box to gather authentication credentials it
>>>> then uses for all subsequent connections to the proxy server.
>>>>
>>>> Using a login page won't magically place authentication credentials
>>>> in the web browser for it to then use for subsequent connections.
>>>> The proxy has to track which IP addresses have had users log in
>>>> and then pass them through.
>>>>
>>>> This has security implications which no one really seems to care
>>>> about...
>>>>
>>>>
>>>>
>>>> Adrian
>>>>
>>>> On Sun, Dec 02, 2007, Taylor Jones wrote:
>>>>> Thanks for the offer, but I'm not looking for a way to login, I'm
>>>>> looking for a way to change the way in which squid lets users log in.
>>>>> As you know, the user authenticates himself via a little pop-up box
>>>>> in his browser. This is fine for most people, but like I said, I'm
>>>>> slightly obsessive, and I would like to design my own webpage through
>>>>> which the users log in. I could write the actual login script myself
>>>>> and implement it with LDAP or MySQL or something like that, but I
>>>>> can't figure out how to make squid show a login page instead of a
>>>>> login box.
>>>>>
>>>>>
>>>>>> On Dec 1, 2007 10:08 PM, Amos Jeffries <squid3@treenet.co.nz> wrote:
>>>>>>> Taylor Jones wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I read the guidelines for this mailing list, and I really do hope
>>>>>>>> I'm not asking a question you've all heard a million times. If I
>>>>>>>> am, feel free to berate me, I probably deserve it.
>>>>>>>>
>>>>>>>> I am looking for a way to use a webpage with a GET/POST form to
>>>>>>>> get the user's name and password for authentication instead of the
>>>>>>>> pop-up that the user receives by default. I realize that this is
>>>>>>>> just an aesthetic kind of thing, but I'm nothing if not obsessive,
>>>>>>>> and I hate that I can't tell a user where he is and what he needs
>>>>>>>> to do to gain access to our proxy server. Honestly, this shouldn't
>>>>>>>> be that hard to implement, I just don't really know where I should
>>>>>>>> start. Any help you guys could give me would be much appreciated!
>>>>>>> I'm happy to supply a system.
>>>>>>> http://treenet.co.nz/projects/
>>>>>>>
>>>>>>> The web login code is freeware. The server and proxy integration is
>>>>>>> not. If you are interested get in touch off-list and we can discuss
>>>>>>> the price for that part.
>>>>>>>
>>>>>>> Amos Jeffries
>>>>>>> --
>>>>>>> amos@treenet.co.nz
>>>>>>> Treehouse Networks Ltd.
>>>>>>> +64 21 293 4049
>>>>>>>
>>>
>>
>>
>
>
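The flow Amos and Adrian describe above (Squid checks the source IP against a list of logged-in users, the web form's out-of-band script adds the IP after the LDAP check succeeds, and access lasts a fixed time), written up as an added example in Python; it is not code from this thread or from the treenet.co.nz project. The squid.conf lines in the docstring, the session file path, the hostname and the 30-minute window are assumptions, and the comments call out the NAT piggy-backing weakness Amos warns about.

```python
"""Squid external_acl_type helper implementing the 'logged-in IP list' flow.

Assumed squid.conf wiring (constructed for this example, not from the thread):
  external_acl_type webform ttl=60 negative_ttl=5 %SRC /usr/local/bin/webform_acl.py
  acl loggedin external webform
  http_access allow loggedin
  deny_info http://login.example.invalid/ loggedin
  http_access deny all
"""
import json
import sys
import time

SESSION_FILE = "/var/run/squid/webform_sessions.json"  # assumed path
SESSION_SECONDS = 30 * 60                              # assumed access window

def load_sessions(path=SESSION_FILE):
    """Return {ip: expiry_epoch}; a missing or corrupt file means nobody is logged in."""
    try:
        with open(path) as fh:
            return {ip: float(exp) for ip, exp in json.load(fh).items()}
    except (OSError, ValueError):
        return {}

def save_sessions(sessions, path=SESSION_FILE):
    with open(path, "w") as fh:
        json.dump(sessions, fh)

def grant(sessions, ip, now=None, duration=SESSION_SECONDS):
    """Login-script side: after the LDAP check passed, open a timed window for ip.
    Keying on the client address is exactly what lets every host behind one NAT
    address piggy-back on the session; the helper cannot tell them apart."""
    now = time.time() if now is None else now
    sessions[ip] = now + duration
    return sessions

def check(sessions, ip, now=None):
    """Proxy side: OK while the window is open, else ERR (which triggers deny_info)."""
    now = time.time() if now is None else now
    return "OK" if sessions.get(ip, 0) > now else "ERR"

def serve(lines, out=sys.stdout, loader=load_sessions):
    """Helper main loop: each line Squid writes is the %SRC field; one answer per line."""
    answers = []
    for line in lines:
        ip = line.strip().split(" ", 1)[0]
        answers.append(check(loader(), ip))
        if out is not None:
            out.write(answers[-1] + "\n")
            out.flush()
    return answers

if __name__ == "__main__":
    serve(sys.stdin)
```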
Received on Sun Dec 02 2007 - 19:20:58 MST
