Re: [squid-users] Authenticating users with a webpage form

From: Taylor Jones <monitorjbl@dont-contact.us>
Date: Sun, 02 Dec 2007 13:15:25 -0500

Is there no way to do this securely and in such a way that squid is able
to log the IP address of the user? I mean, all I really want to do is
ask the same questions of the user, just in a slightly different way. It
seems hard to believe that this is so difficult in squid, every coffee
shop and airport in the U.S. has something similar to this in their wifi
hotspots. I am willing to accept that I may not know how it works, so I
will explain what I believe to be the proper authentication steps:

1) User connects to proxy server
2) Squid sends an authentication request to the user with a method
similar to .htaccess in Apache (I am using basic ncsa_auth at the
moment, I realize that in digest and NTLM, this is different and more secure)
3) User submits his information
4) Squid uses ncsa_auth to compare the user's data with a password list
somewhere on the proxy server
5) If the user is authorized, his IP address is added to a list of
authorized users. If not, he is rejected.

If I am right about that, then all I really want to do can be done by
slightly modifying step 2, and send a complete webpage to the user.
Since I am using basic authentication, I realize that the user's
credentials are sent in plain text, so is it possible to use SSL in this
scenario? The data is only being sent to the proxy server, so there
shouldn't be a problem with any men-in-the-middle.

Adrian Chadd wrote:
> You misunderstand how it works.
>
> The browser pops up that box to gather authentication credentials it
> then uses for all subsequent connections to the proxy server.
>
> Using a login page won't magically place authentication credentials
> in the web browser for it to then use for subsequent connections.
> The proxy has to track which IP addresses have had users log in
> and then pass them through.
>
> This has security implications which no one really seems to care about...
>
> Adrian
>
> On Sun, Dec 02, 2007, Taylor Jones wrote:
>> Thanks for the offer, but I'm not looking for a way to login, I'm
>> looking for a way to change the way in which squid lets users log in.
>> As you know, the user authenticates himself via a little pop-up box in
>> his browser. This is fine for most people, but like I said, I'm
>> slightly obsessive, and I would like to design my own webpage through
>> which the users log in. I could write the actual login script myself
>> and implement it with LDAP or MySQL or something like that, but I
>> can't figure out how to make squid show a login page instead of a
>> login box.
>>
>>
>>> On Dec 1, 2007 10:08 PM, Amos Jeffries <squid3@treenet.co.nz> wrote:
>>>> Taylor Jones wrote:
>>>>> Hello,
>>>>>
>>>>> I read the guidelines for this mailing list, and I really do hope I'm
>>>>> not asking a question you've all heard a million times. If I am, feel
>>>>> free to berate me, I probably deserve it.
>>>>>
>>>>> I am looking for a way to use a webpage with a GET/POST form to get
>>>>> the user's name and password for authentication instead of the pop-up
>>>>> that the user receives by default. I realize that this is just an
>>>>> aesthetic kind of thing, but I'm nothing if not obsessive, and I hate
>>>>> that I can't tell a user where he is and what he needs to do to gain
>>>>> access to our proxy server. Honestly, this shouldn't be that hard to
>>>>> implement, I just don't really know where I should start. Any help you
>>>>> guys could give me would be much appreciated!
>>>> I'm happy to supply a system.
>>>> http://treenet.co.nz/projects/
>>>>
>>>> The web login code is freeware. The server and proxy integration is not.
>>>> If you are interested get in touch off-list and we can discuss the price
>>>> for that part.
>>>>
>>>> Amos Jeffries
>>>> --
>>>> amos@treenet.co.nz
>>>> Treehouse Networks Ltd.
>>>> +64 21 293 4049
>>>>
>
Received on Sun Dec 02 2007 - 11:15:14 MST
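
Added example, not part of the original messages and not Squid's own code: a sketch of the IP-tracking approach described in the thread, in the shape of a Squid external ACL helper that is handed the client IP (`%SRC`) and answers `OK` or `ERR`. The class name, TTL and addresses are assumptions made for illustration; the demo also shows one consequence of keying on IP alone, which is that every client sharing an address is passed once one user has logged in from it.

```python
import time

SESSION_TTL = 900  # seconds; constructed value, not from the thread


class IpSessionTable:
    """Maps client IP -> (username, expiry). Hypothetical helper state."""

    def __init__(self, ttl=SESSION_TTL, clock=time.time):
        self.ttl = ttl
        self.clock = clock
        self.sessions = {}

    def login(self, ip, username):
        # Called by the web login page after it has verified the password.
        self.sessions[ip] = (username, self.clock() + self.ttl)

    def lookup(self, ip):
        entry = self.sessions.get(ip)
        if entry is None:
            return None
        username, expiry = entry
        if self.clock() >= expiry:
            del self.sessions[ip]  # expired: force a fresh login
            return None
        return username

    def answer(self, line):
        """Answer one helper request line holding the client IP (%SRC)."""
        fields = line.split()
        user = self.lookup(fields[0]) if fields else None
        # External ACL helpers reply OK or ERR; user= sets the logged name.
        return f"OK user={user}" if user else "ERR"


def demo():
    now = [1000.0]
    table = IpSessionTable(ttl=900, clock=lambda: now[0])
    nat_ip = "192.0.2.10"  # constructed address shared by two people behind NAT
    before = table.answer(nat_ip)
    table.login(nat_ip, "alice")
    # Any later request from that address passes, whoever actually sent it.
    during = table.answer(nat_ip + "\n")
    now[0] += 901  # move past the session expiry
    after = table.answer(nat_ip)
    return before, during, after


if __name__ == "__main__":
    print(demo())
```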