RE: [SQU] source IP restriction problem

From: Robert Collins <robert.collins@dont-contact.us>
Date: Wed, 15 Nov 2000 15:27:54 +1100

The problem with doing what you are asking is that the source IP is used
as the destination for reply packets. So to use squid you need your
routers and switches to 'know' that the reply is destined for squid even
though the source address is not squid.

I would suggest discussing the requirement with the service provider,
and point out your concerns. IP based security is not _that_ secure.
Anyone on the route can potentially fake traffic from one of the
licenced addresses.

I suggest that they use some other authentication method - say digest
authentication or cookie based tokens combined with SSL to validate the
password.

Or perhaps they can allow the squid servers direct access as well, and
trust you to restrict access by user at your squid boxen.

Rob
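Rob's last suggestion (let the provider whitelist the proxy's own address and restrict by user at the proxy) worked out as a squid.conf fragment. This is an added example, not from the thread or the Squid project; it uses directives from Squid 2.5 and later, and the helper path, realm, destination domain and outgoing address are placeholders.

```conf
# Added example: restrict access by authenticated user at the Squid box.
# Directives are Squid 2.5+/3.x (the 2.2/2.3 releases of 2000 used
# authenticate_program instead). Paths, realm, domain and IP are placeholders.

# Digest authentication: the password itself never crosses the wire,
# which addresses the "validate the password" part of the suggestion.
auth_param digest program /usr/lib/squid/digest_file_auth -c /etc/squid/digest_passwd
auth_param digest realm Library Proxy
auth_param digest children 5
auth_param digest nonce_garbage_interval 5 minutes
auth_param digest nonce_max_duration 30 minutes

# The licensed service (placeholder domain) and the requirement that the
# requesting user has authenticated.
acl licensed_db dstdomain .library.example.edu
acl authed proxy_auth REQUIRED

# Only authenticated users may reach the licensed service through the
# proxy; everything else is refused. The provider's source-IP check on
# the proxy address therefore becomes a per-user check at this end.
http_access allow licensed_db authed
http_access deny all

# Requests always leave from one fixed address (placeholder), which is
# what the provider whitelists instead of the whole client range.
tcp_outgoing_address 192.0.2.10
```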

> -----Original Message-----
> From: Carl Li [mailto:zmli@cernet.edu.cn]
> Sent: Wednesday, 15 November 2000 3:08 PM
> To: squid-users@ircache.net
> Subject: Fw: [SQU] source IP restriction problem
>
>
> Is there anyone who can help me? Can Squid forward a client's
> request with the client's original IP?
>
> thanks!
>
> Carl
>
>
> ----- Original Message -----
> From: "Jens-S. Voeckler" <voeckler@rvs.uni-hannover.de>
> To: "Carl Li" <zmli@cernet.edu.cn>
> Sent: Tuesday, November 14, 2000 6:26 PM
> Subject: Re: [SQU] source IP restriction problem
>
>
> > On Tue, 14 Nov 2000, Carl Li wrote:
> >
> > ]Thank you sir. You know, we have bought some web database service from
> > ]a foreign university's library which uses source-IP for authentication. If
> > ]we use Squid as a proxy and Squid's IP cannot be authenticated by the
> > ]web server, then we will not get the service we bought. It's a critical
> > ]problem. So, we want Squid to just forward the client's request to the web
> > ]server without any change to the request's IP address. Can Squid do it
> > ]in this way?
> >
> > This is the n-th time I have heard that some university libraries use IP
> > based authentication. Probably some lib thought it is a great idea and
> > every other lib followed the Lemmings. IP based authentication is as much a
> > quick hack as it is *not* secure. So if everyone pressures their
> > respective library services to use a *decent* scheme, supposedly based on
> > some secure authentication protocol which is independent of the transport
> > protocol, hopefully the issue will die out some day soon.
> >
> > Your question, though, can better be answered by someone who actually does
> > "transparent" things with Squid.
> >
> > Sigh,
> > Dipl.-Ing. Jens-S. Vöckler (voeckler@rvs.uni-hannover.de)
> > Institute for Computer Networks and Distributed Systems (RVS)
> > University of Hanover, Germany; ++49 511 762 4726
>
> --
> To unsubscribe, see http://www.squid-cache.org/mailing-lists.html

Received on Tue Nov 14 2000 - 21:32:22 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:56:22 MST