Re: [squid-users] Transparent Authentication

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Mon, 30 Apr 2007 16:25:02 +0200

Mon 2007-04-30 at 15:28 +0200, Ian wrote:

> Please excuse my ignorance on this one, but I can't seem to get this
> working correctly. What I'm trying to do is run an LDAP authenticator
> for anyone that isn't part of the local network (i.e. remote cache from
> home or something).

ok

> I am also transparently redirecting all traffic
> inbound on an interface to the cache.

Ok, except that you can't use authentication for users transparently
intercepted without browser proxy settings.

> Okay. So the first problem is in cache.log i have the following:
> 2007/04/30 13:16:40| strtokFile: /usr/cache/lists/allowip.list not found
> 2007/04/30 13:16:40| aclParseAclLine: WARNING: empty ACL: acl ALLOWIP
> src "/usr/cache/lists/allowip.list"
>
> Now that file exists fine:
> [root@my] ~ # ls -l /usr/cache/lists/allowip.list
> -rwxrwxrwx 1 root www 44 Apr 30 12:57 /usr/cache/lists/allowip.list
> [root@my] ~ #

Also check the permissions on the directory.

> Then the second problem is that for the LDAP auth I am getting this in
> the cache.log when someone is transparently redirected and their IP
> isn't in the ACL:
>
> aclAuthenticated: authentication not applicable on transparently
> intercepted requests.

Correct.

> Now, I have done transparent auth using LDAP before and it's only since
> I upgraded to 2.6 from 2.5 that this started.

It has never worked. In some versions Squid has not complained, but you
then
a) hijack the web server's possibility to ask for login, making it
impossible for users to log in to the web server;
b) leak out your users' login details.

> The transparent cache works fine if I don't have any authenticators
> running or if I point to it. I am running squid 2.6 Stable 10. The
> authenticators work fine if I point to the cache so it's just the
> combination of the two that's causing the problem.

You can't combine proxy authentication and transparent interception for
the same user. Protocol security limitation where the browser is
required to be aware it's speaking to a proxy to perform proxy
authentication, not a limitation of Squid.

Regards
Henrik

Received on Mon Apr 30 2007 - 08:25:09 MDT
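A squid.conf sketch of the split Henrik describes, added here as an illustration and not taken from the thread or from the Squid documentation: browsers that are configured to use the proxy arrive on one port and get an LDAP challenge when they are outside the trusted ranges; intercepted traffic arrives on a second port and is never handed to a proxy_auth ACL, so the "authentication not applicable on transparently intercepted requests" warning cannot fire. The port numbers, the 192.168.0.0/16 range, the helper path, the LDAP host and the base DN are assumptions; the ALLOWIP list path is the one from Ian's message.

```conf
# Added example (not from the thread). Squid 2.6 syntax; values marked
# "assumed" are placeholders to adapt.

# Explicit proxy port: browsers with proxy settings pointing here.
http_port 3128
# Interception port: traffic the firewall redirects lands here.
# "transparent" is the 2.6 keyword; Squid 3.1 and later use "intercept".
http_port 3129 transparent

# LDAP basic-auth helper (squid_ldap_auth in 2.6; basic_ldap_auth in 3.x).
# Helper path, base DN and LDAP host are assumed.
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=example,dc=com" -f "uid=%s" -h ldap.example.com
auth_param basic children 5
auth_param basic realm Proxy

acl localnet src 192.168.0.0/16                      # assumed local range
acl ALLOWIP src "/usr/cache/lists/allowip.list"      # list file from the thread
acl intercepted myport 3129                          # arrived via interception
acl ldap_auth proxy_auth REQUIRED

# Intercepted requests: decide on source address only and stop. The
# "deny intercepted" line is what keeps them away from ldap_auth below.
http_access allow intercepted localnet
http_access allow intercepted ALLOWIP
http_access deny intercepted

# Explicit-proxy requests: trusted ranges pass, everyone else must
# present LDAP credentials (the browser knows it talks to a proxy here).
http_access allow localnet
http_access allow ALLOWIP
http_access allow ldap_auth
http_access deny all
```

For the strtokFile error on the ACL list: the file mode Ian shows is irrelevant if the Squid effective user (cache_effective_user, often "squid" or "proxy") lacks search permission on a directory in the path, so check `ls -ld /usr/cache /usr/cache/lists` as well as the file itself, and re-run `squid -k parse` after fixing permissions to confirm the ACL is no longer reported as empty.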
