Re: [squid-users] Encrypted (Basic) Authentication

From: Christoph Mitasch <cmitasch_at_thomas-krenn.com>
Date: Wed, 25 Apr 2012 11:29:43 +0200

Hi Amos,

thanks for your response.

On 04/20/2012 04:22 PM, Amos Jeffries wrote:
>> I found the following solution, but I'm not sure if that's a good way
>> to go.
>> http://www.mikealeonetti.com/wiki/index.php/Squid_LDAP_transparent_proxy_authentication_script
>>
>
> Not relevant. That is for session-based authorization on intercepted traffic.
> It is not authentication despite the author's use of the term.
> Basic auth protocol with its clear-text credentials is more secure.

Commercial solutions seem to offer similar solutions with a web-based form.
http://demo04.astaro.com/help/en_US/Content/ASG/websec/HTTPs_Profiles-Proxy_Profiles.html

Isn't there a way to build something like that with squid?

>> What can you recommend?
>
> What is the backend you are using LDAP protocol to access capable of?

We are using OpenLDAP directly, there is no other backend.

> Kerberos is the best you can get in the way of secure authentication these days.
> Despite the limits it imposes on HTTP performance.

That would mean clients would have to be configured for Kerberos usage
correctly. Firefox for example would then authenticate via GSS-API Negotiation
Mechanism (SPNEGO).

I would love to see a solution that is more flexible without the need to
integrate clients with Kerberos.

> Alternatively you can try using a TLS connection to secure the transport
> between the web clients and Squid.
> http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection

I think that would be the best solution for us. Are there other browsers that
support TLS secured connections too?

Thank you,
Christoph
Received on Wed Apr 25 2012 - 09:30:05 MDT