Re: [squid-users] NTLM with a fall back to anonymous

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 05 Feb 2012 01:02:10 +1300

On 5/02/2012 12:30 a.m., Jason Fitzpatrick wrote:
> Morning all..
>
> I have a requirement to have my squid servers authenticate users
> before forwarding requests to an upstream server which does content
> filtering based on the X-Forwarded headers in the requests and all
> seems to be working quite well so far, (internal traffic is routed via
> the squids without the need to authenticate)
>
> I do have one issue though, clients that are unable to authenticate
> (windows update / Java updates etc) and want to set up the system so
> that it will attempt to authenticate the user, and if the
> authentication fails the request is routed regardless
>
> Is such a thing possible? I have tried all sorts of configurations but
> the logic to the rules still escapes me!

This is a side case of security which seems to boggle many an admins
mind. The core of the problem is that missing credentials is only one
*sub-set* of all failed authentications. You cannot simply take "failed
auth" and assume its one of the "good" software which is failing. These
days it will quite frequently be someone malicious, possibly even
forging the "good" software user-agent header to get access.

In particular missing credentials is a type of failure indistinguishable
from an HTTP request which has not yet even been challenged for
credentials. HTTP is stateless so there is no way to identify two
clients sharing a downstream proxy and one client re-trying without
credentials. You must hard-code that distinction for the specific cases
you know of, thus all the well published config hacks.

Amos
Received on Sat Feb 04 2012 - 12:02:15 MST

This archive was generated by hypermail 2.2.0 : Sat Feb 04 2012 - 12:00:02 MST