Re: [squid-users] Trying to authenticate a user only once per working day

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 20 Dec 2009 23:41:14 +1300

Rodrigo Castanheira wrote:
> Hi,
>
> I wish to authenticate (NTLM) our users only once per working day:
>
> authenticate_ip_shortcircuit_ttl 8 hours
>
> When the user browses for the first time, he will be authenticated and his
> IP will be cached so that, for the next 8 hours, Squid believes that
> requests coming from this IP belong to that user. Now comes the tricky part:
> if that user logs off and somebody else logs in before those 8 hours expire,
> Squid would mistakenly associate the same IP with the previous identity.

This is the downside of IP-based authorization. (NOTE: this is NOT
authentication).

> As
> our IE browsers are pre-configured with a standard home page, and the new
> user couldn't avoid opening it before being able to go elsewhere, I tried
> enforcing (re)authentication for the home page:
>
> acl HOME_PAGE url_regex -i homepage.intranet
> authenticate_ip_shortcircuit_access deny HOME_PAGE
>
> It didn't work.
> Does authenticate_ip_shortcircuit_access accept only IP acl's ?
>

One of the benefits of NTLM is that Windows can be configured to do it
without generating the authentication popups ("single sign-on"). That is
the best way to configure what you want. If you set it up that way the
IP-based bypass does not need to be long.

The short-circuit setting is a very risky bypass to reduce load on slow
or overloaded auth servers. As you have seen, it allows people to
trivially access resources under some other persons accounts. The longer
its set to the more security risk you face.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
   Current Beta Squid 3.1.0.15
Received on Sun Dec 20 2009 - 10:41:25 MST

This archive was generated by hypermail 2.2.0 : Sun Dec 20 2009 - 12:00:02 MST