Re: [squid-users] Remote access acls

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 14 Jun 2008 02:46:29 +1200

ffredrixson_at_comcast.net wrote:
> -------------- Original message ----------------------
> From: Amos Jeffries <squid3_at_treenet.co.nz>
>> ffredrixson_at_comcast.net wrote:
>>> I'm trying to provide an externally available proxy to our employees. This way they can have the same basic protection when traveling that they get when they're inside our corporate walls.
>>> What acls or rules do I need to be looking at?
>>>
>>> I'm a newbie and just trying to keep my job.
>>>
>>> Thank you in advance.
>> Safest ones are auth IMO. They can use any net connection, and link in
>> through the proxy to get anywhere.
>> After the local accepts and before the global external denial.
>>
>> Amos
>> --
>> Please use Squid 2.7.STABLE2 or 3.0.STABLE6
>
> Thank you for your quick reply.
>
> What auth would you recommend? The powers above decided it shouldn't be Active Directory. What other auth is recommended? Is there any based on a cert installed on the laptops? Or could it be cookie based? (I know it sounds like a dumb question but I know I'll be asked) Anything to avoid login and password would be great.
>
> Thank you again.

Well, the thing about login/password is that it's built into HTTP and
gets through almost any intermediate systems. You could implement some
fancy side-band setups, but they are more risky and prone to errors.

There are plenty of back ends to Basic Auth, it's simple and users do
understand it. If it's a problem with security there is digest auth with
encrypted name/password nonce.

Amos

-- 
Please use Squid 2.7.STABLE2 or 3.0.STABLE6
Received on Fri Jun 13 2008 - 14:46:27 MDT
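
A squid.conf sketch of the rule placement and the two auth schemes discussed in this thread, added here as an illustration and not taken from any poster's configuration. The helper paths, password file locations, realm text, `localnet` range and the ACL name `remote_users` are assumptions; adjust them to the installed Squid package.

```conf
# Added example (not from the thread). Paths, realm, network range and
# the ACL name "remote_users" are assumptions for illustration.

# --- Option A: Basic auth -------------------------------------------
# Simple and widely supported, but the name/password pair is only
# base64-encoded in each request, so it is readable on the wire.
#auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
#auth_param basic children 5
#auth_param basic realm Company proxy
#auth_param basic credentialsttl 2 hours

# --- Option B: Digest auth ------------------------------------------
# The client answers a server nonce with a hash, so the password
# itself is never sent.
auth_param digest program /usr/lib/squid/digest_pw_auth /etc/squid/digest_passwd
auth_param digest children 5
auth_param digest realm Company proxy
auth_param digest nonce_max_duration 30 minutes
auth_param digest nonce_max_count 50

# --- ACLs -------------------------------------------------------------
# Internal clients (assumed range).
acl localnet src 10.0.0.0/8
# Any client that presents valid credentials for the scheme above.
acl remote_users proxy_auth REQUIRED

# --- Rule order -------------------------------------------------------
# http_access is evaluated top to bottom and the first match wins, so
# the auth rule sits after the local accepts and before the global
# external denial.
http_access allow localnet
http_access allow remote_users
# "all" is defined in the stock squid.conf of these releases.
http_access deny all
```

After editing, `squid -k parse` checks the file for syntax errors before a reload. An externally reachable proxy whose `http_access` list ends in anything other than a deny is usable by anyone who finds it, so confirm from an outside address that an unauthenticated request gets a 407 response.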
