Re: Introducing myself

From: Henrik Nordstrom <hno@dont-contact.us>
Date: 05 Nov 2002 17:44:50 +0100

On Tue 2002-11-05 at 16:13, Josef.Irnberger wrote:
> Hi Squid-developers,

Hi and welcome to squid-dev.

> Currently, I use Squid/3.0-DEVEL-20021021 and Simon Loaders ldap_auth program to
> achieve this. Ldap_auth currently uses ldap_simple_bind_s and I would like to
> write a program that is capable of authenticating users with SSL/TLS/DIGEST-MD5,
> but this doesn't make much sense at the moment, as SQUID uses
> plaintext/BASE64-encoding to transmit the username/password. Therefore I wanted
> to ask, if there is any possibility to extend this to some secure method.

The biggest problem in this area is how Squid is to receive the user
credentials from the browser. There are only three known browser
authentication methods:

 * Basic HTTP authentication (login:password base64 encoded)
 * Digest HTTP authentication (See RFC2617)
 * MS NTLM over HTTP authentication (see devel.squid-cache.org for some
   references). Note that this is NOT HTTP compliant and only supported by
   MSIE, apart from being quite restricted to MS environments.

The only one of these that maps easily to LDAP is Basic HTTP
authentication, but in theory an LDAP server could be used to store the
password hashes used by Digest HTTP authentication instead of using a
text "password" file but that is another story.

The standard squid_ldap_auth Basic auth helper shipped with Squid does
support SSL/TLS encrypted simple bind operation if your LDAP library is
compiled with support for SSL/TLS connections. But this only applies to
the communication between the helper and your LDAP server, not between
the browser and Squid.

There is also an external_acl helper shipped with Squid for LDAP group
integration.

I am not very familiar with the ldap_auth program by Simon Loaders, but
from what it looks like this is a very old LDAP helper for Squid-1.X. You
should probably use the one shipped with Squid instead of this one for a
considerably richer set of features.

Squid also supports SSL/TLS connections, and I have patches extending
this to support browser certificates for authentication, but this only
applies to reverse proxy scenarios as there are no browsers supporting the
use of SSL/TLS to connect to an HTTP proxy (i.e. Squid) for general
Internet HTTP proxying.

Apart from the above HTTP authentication methods it is also possible to
build other authentication methods whereby the client IP address is
connected to a username. If you have a system whereby you can reliably
identify the user by the IP address seen by the Squid proxy then the
external_acl scheme in Squid can be used to forward this information to
Squid. Note that such schemes are usually quite weak in nature.

Another option is to use the IDENT protocol. Also supported by Squid,
but of all alternatives this is perhaps the weakest one.

Regards
Henrik Nordström
Squid Developer
Received on Tue Nov 05 2002 - 09:44:27 MST
