Greetings / cookie auth for transparent mode

Greetings all Squid developers,

First off, thanks for all your hard work - Squid is a great proxy and a
credit to the open source community.

I use Squid at work, and hope to contribute back to the Squid project
and add some functionality for my employer at the same time.

In particular, I'm interested in adding an authentication mechanism that
can be used in transparent proxying mode. I've seen this idea used in
at least one commercial proxy; the basic idea is to redirect all
unauthenticated traffic to HTTPS on a local web server (Apache), which
allows the user to sign in, and sets a cookie in the client browser that
will last for the life of the browser (or possibly have a time limit,
e.g. 24 hours).

The process would go like this:
1) Client opens browser which attempts to go to some homepage, e.g.
google
2) Squid intercepts the request in transparent mode, checks for its
authentication cookie, and not finding it, redirects the browser to a
local Apache server.
3) The local Apache server presents a login form, and once the user has
successfully authenticated, assigns a cookie. The
cookie/username/IP/timelimit/etc would be stored in either a MySQL or
Berkeley database.
4) Squid intercepts any subsequent requests, finds the authentication
cookie, and passes this info to an authentication helper program. The
helper program checks the MySQL/Berkeley DB, finds the user is
authenticated, and returns a successful result to Squid, which fulfills
the request.

This approach would provide some advantages:
a) Authentication in transparent mode (this is the main motivation)
b) Won't break connections that rely on basic authentication

I haven't delved too deeply into the Squid code yet, but I imagine it
would require the following modifications:
1) Intercepting the cookie (suggestions for where to do this or what
functions may be useful are welcome!)
2) If the cookie is not present, serving the page from the local Apache
server (hopefully not too difficult)
3) Passing the cookie to Squid's internal authentication code
(suggestions for where in the code this belongs are welcome!)
4) Calling the helper program (hopefully the existing auth_type/helper
program system can be reused)
 

Has anyone attempted something like this, or can anyone suggest possible
pitfalls with my approach? Advice is much appreciated.

Mark Bouldin
Director of Product Development
Securiant, Inc.
Received on Wed Jun 22 2005 - 13:27:42 MDT