Amos Jeffries wrote:
> Christoph Rabel wrote:
>> To condense my question: Is it possible to specify which header
>> information is given to the auth module? And to specify that no 407 but
>> a redirect is sent?
>
> Not for auth modules. They only use the regular Proxy-Authentication:
> headers. Maybe WWW-Authentication: header in accelerators.
>
> For checking custom headers you need to make your authenticator an
> external_acl_type helper. And pass it the custom request header by name.
Ok, just looked that up in the manual, looks doable ;-)
>> Another thing that bothers me are SSL requests. What happens when the
>> proxy encounters a request for a https site? Can it access the cookie
>> anyway?
> Depends on how Squid receives the HTTPS request.
> a) as a plain URL for squid to handle. Okay, squid has access to all
> the headers etc.
>
> b) as a CONNECT tunnel setup request. Squid has access to destination
> hostname and port. very little else. The sslbump feature coming in 3.1
> has been designed to get around those limits but has its own issues
> with privacy doing a man-in-middle attack on your users.
Hmm, hmm...
Because authentication by the proxy is done plain text, security
department requests that we find another solution. It should not be
possible to simply sniff out all passwords. So we thought that we could
use the sso cookie we already have, but I fear that it is not possible
to do this.
Let me rephrase my question:
How do other people handle the need for secure proxy authentication? Is
there some kind of trick or browser extension or whatever? We have to
support IE 7.
Thanks, Christoph
Received on Wed Sep 24 2008 - 13:49:40 MDT
This archive was generated by hypermail 2.2.0 : Wed Sep 24 2008 - 12:00:03 MDT