Re: [squid-users] secured authentication

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 30 Sep 2009 18:10:45 +1300

David Boyer wrote:
> I've been using squid_ldap_auth (Squid 2.7, SLES 11) for basic
> authentication, and it wasn't terribly difficult to set up. What
> concerns me is the passing of credentials from the browser to Squid
> in plain text. When we use basic authentication anywhere else, the
> web site usually requires HTTPS. I'm not seeing an easy way to do
> that with Squid.

Digest is the secure authentication designed to work across the web with
HTTP. Failing that, HTTPS as a wrapper protocol is used by websites.

Most webmasters and server admins understand that the NTLM family of
protocols will die horribly on many occasions when such auth is required
of external visitors, so they don't use it. Only IIS admins seem to
sometimes ask for it, then their users wonder why they can't access the website.

>
> We have a full Active Directory environment, and everyone using Squid
> has a domain account. Our users use a combination of Firefox 3.x, IE,
> and Safari.
>
> What options are there for using authentication with Squid while also
> ensuring the credentials passed between the browser and Squid are
> encrypted? The stunnel approach would not be an option for us.
>

For proxy-browser authentication:

The preferred option is Kerberos / Negotiate authentication. I'm not
sure of the Safari support level. IE needs to be version 7 or newer.

Second best is NTLM. They should all support that. Squid has some
helpers to authenticate through winbind to the AD.

http://wiki.squid-cache.org/ConfigExamples#Authentication

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
   Current Beta Squid 3.1.0.14
Received on Wed Sep 30 2009 - 05:10:52 MDT
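
The difference between Basic and Digest raised in this message, as an added example that is not part of the original post or of Squid's code: it builds the Proxy-Authorization value for Basic, shows that it decodes straight back to the password, and computes the RFC 2617 Digest response (MD5, qop=auth) that is sent instead. The account name, password, realm and nonces are constructed sample values.

```python
import base64
import hashlib


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def basic_header(user, password):
    """Proxy-Authorization value for Basic: base64 of 'user:password'."""
    raw = "{}:{}".format(user, password).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def recover_from_basic(header_value):
    """Base64 is an encoding, not encryption: decoding yields the password."""
    scheme, token = header_value.split(" ", 1)
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token).decode("utf-8")
    user, _, password = decoded.partition(":")  # user names cannot contain ':'
    return user, password


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce,
                    qop="auth"):
    """RFC 2617 response: a hash bound to the server nonce, not the password."""
    ha1 = md5_hex("{}:{}:{}".format(user, realm, password))
    ha2 = md5_hex("{}:{}".format(method, uri))
    return md5_hex(":".join([ha1, nonce, nc, cnonce, qop, ha2]))


if __name__ == "__main__":
    # Constructed sample account, not taken from the thread.
    user, password = "alice", "Example-Passw0rd"
    header = basic_header(user, password)
    print("Proxy-Authorization:", header)
    print("readable on the wire as:", recover_from_basic(header))

    # Same account with Digest: each server nonce yields a different
    # response, so a captured value does not authenticate a later challenge.
    for nonce in ("constructed-nonce-1", "constructed-nonce-2"):
        print(nonce, digest_response(user, "proxy", password, "GET",
                                     "http://example.com/", nonce,
                                     "00000001", "0a4f113b"))
```

Digest protects only the credential exchange; the requests and responses themselves still travel in the clear unless HTTPS wraps them.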
