Re: [squid-users] Transparent, Authentication proxy + addons

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 19 Oct 2010 02:11:36 +1300

On 19/10/10 01:31, ayman bs wrote:
> Hi,
>
> Suppose I have a wireless network, with different AP linked to a
> router-modem (same device). I decided that, internet access should be
> granted to only clients with logins. I don't want them to exchange
> logins (so 1 MAC to 1 login).
>
> I thought about installing squid as an Authentication proxy and the
> idea of the transparent mode is really tempting me, although I found
> many people denying its possibility... So what about the IP tables
> prerouting technique, I didn't test it but what do you think about it?
> I read about https issues too, any guidance?

Yes "transparent mode", or correctly named *NAT* interception has many
limits.
  Security or interception: pick one.

Sadly a lot of people seem to think it *is* a type of security.

>
> Anyway, so I'll need to generate logins, and choose an expiry
> duration... So my question is, if squid accepted a client for valid
> logins, after how long will it recheck whether they're still
> valid? Is it with every HTTP request? (I need to know when expired
> logins will stop working)

The browser is required to send them in every HTTP request. How often Squid
re-checks with the backend for changes to the "account" depends on the
authentication protocol and the auth_param settings in squid.conf.
  Credentials stop working at most TTL seconds after you make them
invalid, except NTLM and Kerberos credentials, which are valid for the
lifetime of the TCP connection they sign.

>
> Besides, could you suggest an implementation of this system, how will
> expired accounts get deleted? And how will I implement 1 MAC <=> 1
> account, without asking the client for his MAC address beforehand?
>
> I know you hate lazy people, so I'll give you my modest approach:
> I believe Auth helper could be functioning with Mysql database so I'll
> add mac@ field and it gets populated in the first authentication, and
> from that step a valid account will be correct user+password+mac@.
> Will the proxy receive the MAC of the client with each request?
>
> Then, I'll make a thread that will keep checking for expired accounts
> and deletes them from the MySql DB.
>
> I would be pleased with any of your suggestions and advice, I'm sure
> there's always a more efficient way to do it!

Similar to what's popular in captive portals. db_auth or squid_session
helpers can help with that design. The squid-3.2 EUI stuff was added to
help portals play with EUI-48 (aka MAC) addresses like that. Although
slightly incomplete.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.8
   Beta testers wanted for 3.2.0.2
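As an added illustration of the "1 MAC <=> 1 account" binding discussed in this thread (example code, not Squid's own helper and not from either poster): an external ACL helper that records the EUI-48 address a login is first seen from and refuses that login from any other address, and refuses to bind a MAC to more than one login. It assumes a squid-3.2 line such as `external_acl_type macbind %SRCEUI48 %LOGIN /usr/local/bin/macbind.py` with `acl macbound external macbind`, and uses SQLite as a stand-in for the poster's MySQL table; the helper protocol itself (one request line in, `OK` or `ERR` out) is Squid's.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: bind each login to the first MAC it is seen from.

Squid writes one request per line containing the external_acl_type format
tokens (assumed here: "%SRCEUI48 %LOGIN") and reads back "OK" or "ERR".
"""
import sqlite3
import sys


def open_db(path=":memory:"):
    # Both columns unique: one login per MAC and one MAC per login.
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS macbind "
               "(login TEXT PRIMARY KEY, mac TEXT NOT NULL UNIQUE)")
    return db


def check(db, mac, login):
    """True if login may be used from mac, binding the pair on first sight."""
    # Squid substitutes "-" for a token it cannot determine, e.g. no EUI-48
    # because the client sits behind a router. Refuse rather than bind to "-".
    if mac in ("", "-") or login in ("", "-"):
        return False
    mac = mac.lower()
    row = db.execute("SELECT mac FROM macbind WHERE login = ?",
                     (login,)).fetchone()
    if row is not None:
        return row[0] == mac
    try:
        db.execute("INSERT INTO macbind (login, mac) VALUES (?, ?)",
                   (login, mac))
        db.commit()
        return True
    except sqlite3.IntegrityError:  # mac already bound to another login
        return False


def handle_line(db, line):
    """Parse one helper request line and build the reply Squid expects."""
    fields = line.strip().split()
    if len(fields) != 2:
        return "ERR"
    mac, login = fields
    return "OK" if check(db, mac, login) else "ERR"


def main():
    db = open_db("/var/lib/squid/macbind.db")  # assumed path
    for line in sys.stdin:
        sys.stdout.write(handle_line(db, line) + "\n")
        sys.stdout.flush()  # Squid waits for each reply; never leave it buffered


if __name__ == "__main__":
    main()
```

Because the helper only sees an EUI-48 for clients on the same layer-2 segment as the proxy, clients reached through a router arrive as "-" and are denied here; expiry of the account itself is better left to the authentication helper (db_auth) than to this ACL.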
Received on Mon Oct 18 2010 - 13:11:42 MDT
