RE: [squid-users] squid 2.5, ldap and ssl

From: Barns,R <R.Barns@dont-contact.us>
Date: Fri, 5 Mar 2004 10:57:39 -0000

Many thanks for your help and advice.

        Rick Barns

-----Original Message-----
From: Henrik Nordstrom [mailto:hno@squid-cache.org]
Sent: 04 March 2004 20:50
To: Barns,R
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] squid 2.5, ldap and ssl

On Thu, 4 Mar 2004, Barns,R wrote:

> I have squid 2.5 working with ldap authentication in a test environment.
> If I understand correctly what I have read in FAQ 23.1 when the
> username/password pair is passed from the user's browser to squid it is
> unencrypted and hence at risk of interception.

Correct.

> To protect against this we are considering using SSL. My question about
> this is: Am I right in thinking that there is no way to encrypt just the
> username/password pair and that we will have to encrypt all traffic to
> squid to prevent the password details being read.

Correct.

And further, very few browsers support SSL encryption of proxy
connections, so for now the SSL support in Squid is mostly of interest for
reverse proxies providing an SSL frontend to your web server.

It is rumored that the very latest Mozilla versions do support SSL-encrypted
proxy connections, but I have not yet verified this claim.

But this is not the end of the story. There are other options. You could
consider using Digest or NTLM authentication; both use one-time hashes on
the network, and the user's password is protected from sniffing. The drawback
is the backend database integration capabilities, as the proxy never sees the
actual password (NTLM requires an NT Domain compatible backend, Digest
requires a plain-text or Digest-specific password file), but MARA Systems
is working on a Digest LDAP integration which could prove interesting
depending on your environment.

Regards
Henrik
Received on Fri Mar 05 2004 - 03:57:45 MST
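The two points made in the thread, that Basic proxy authentication is readable by anyone on the path and that Digest sends a one-time hash instead (so the proxy only needs a stored HA1, the "Digest-specific password file" Henrik mentions), in working code. This is an added example, not code from the thread, from Squid, or from its auth helpers; the credentials, nonce and URI are constructed sample values, the Digest computation follows RFC 2617 with qop=auth only, and the proxy-side verifier keeps its nonce bookkeeping in an in-memory set for illustration.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample values (not taken from the thread or from any real proxy).
USER, REALM, PASSWORD = "rbarns", "Squid proxy", "s3cret-pw"
METHOD, URI = "GET", "http://www.example.com/"
NONCE, NC, CNONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"


def md5_hex(text):
    """RFC 2617 Digest uses MD5, lowercase hex encoded."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def basic_proxy_header(user, password):
    """What a browser sends for Basic: base64(user:password). No secrecy at all."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def sniff_basic(header_value):
    """On-path attacker: recover the plaintext pair from a captured Proxy-Authorization header."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def digest_ha1(user, realm, password):
    """HA1 is the only password-derived value the proxy has to store (a Digest password file)."""
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response with qop=auth. nonce, nc and cnonce make it single-use on the wire."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_proxy_header(user, realm, password, method, uri, nonce, nc, cnonce):
    """Client side: build the Proxy-Authorization value. The password itself never leaves the browser."""
    response = digest_response(digest_ha1(user, realm, password), method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')


_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_digest_header(header_value):
    """Split 'Digest k="v", k=v, ...' into a dict (quoted and unquoted values)."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(params)}


def verify_digest(header_value, method, ha1_table, used_nonces):
    """Proxy side: check the response using only the stored HA1, and refuse a replayed (nonce, nc).

    ha1_table maps (username, realm) -> HA1; used_nonces is a set the caller keeps across requests.
    """
    try:
        p = parse_digest_header(header_value)
        if p.get("qop") != "auth":  # this illustration supports qop=auth only
            return False
        ha1 = ha1_table.get((p["username"], p["realm"]))
        if ha1 is None:
            return False
        expected = digest_response(ha1, method, p["uri"], p["nonce"], p["nc"], p["cnonce"], p["qop"])
        if not hmac.compare_digest(expected, p["response"]):
            return False
        key = (p["nonce"], p["nc"])
    except (KeyError, ValueError):
        return False
    if key in used_nonces:
        return False  # a captured header is useless to a sniffer the second time
    used_nonces.add(key)
    return True


if __name__ == "__main__":
    basic = basic_proxy_header(USER, PASSWORD)
    print("Basic on the wire :", basic, "-> sniffed:", sniff_basic(basic))
    digest = digest_proxy_header(USER, REALM, PASSWORD, METHOD, URI, NONCE, NC, CNONCE)
    print("Digest on the wire:", digest)
    print("password visible?  ", PASSWORD in digest)
    table = {(USER, REALM): digest_ha1(USER, REALM, PASSWORD)}
    seen = set()
    print("proxy accepts      ", verify_digest(digest, METHOD, table, seen))
    print("replay accepted?   ", verify_digest(digest, METHOD, table, seen))
```

Note that the Digest verifier still needs a password-equivalent (HA1) per user, which is exactly why an LDAP backend that only offers a bind check cannot be plugged in directly; with Basic, by contrast, the proxy can bind to LDAP with the cleartext password, at the cost of that password being decodable by anyone who captures the header.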

This archive was generated by hypermail pre-2.1.9 : Thu Apr 01 2004 - 12:00:01 MST