On Tue, 18 Oct 2011 13:53:18 +0200, E.S. Rosenberg wrote:
> Hi all,
> We currently have a setup with proxies that use NTLM authentication
> (we hope to upgrade to kerberos in the future) and based on the
> username send the user to one of several parent proxies, to improve
> caching we would like to instead route all traffic through one proxy
> that is heavily optimized for caching (has it's own large storage
> etc.).
>
> I saw in the documentation that it is possible to pass the
> authentication to the parent, as far as I can tell I can 'tell' the
> parent in several ways how to route the client:
> - I can pass the username to the parent
Yes via the login= parameter. It is sent as Basic auth (and a dummy or
fake password is best there). So you can use it safely for logging
purposes, but not reliable security.
> - I can 'NAT' the users connection as it leaves the child proxy (src
> ip rewrite rules) and have source IP based rules on the parent.
Hmm? never heard of this one before. Any details you can point me at
for my education?
> - I could setup multiple instances of the same parent with different
> login details and 'route' based on username to each of said 'parents'
>
> It seems to me that the second option would result in better
> performance on the one hand but on the other hand it would add more
> obfuscation, however performance is more important to me.
>
> Am I correct in my analysis? Is passing the username to parent a lot
> slower, would it require another ntlm-auth binary running on the
> parent or can the username just pass cleartext between the proxies
> and therefor the whole 'authentication' is a lot faster....
Username as such is okay as clear-text. NTLM does not let squid know
the password, so there is no security leak by adding a fake one of your
own.
NTLM on the parent has a major flaw that will bite you if you try to do
NTLM there. Namely that NTLM (and Kerberos) do not authenticate the HTTP
request particularly, they authenticate the TCP connection. So all they
can guarantee is that the connection came from the child proxy. Squid
2.7 and 3.1+ add a bit more surety in that they "pinn" the connections,
preventing multiple clients using the TCP connection to the parent. This
is nasty for performance and resource usage, but the only way to get
NTLM and Kerberos to work without regular popups.
On the whole, I think reconsider carefully your need for auth
credentials to get to the backend. Whether you need full auth, or just
the username for example. You can add in SSL, IP, and/or MAC checks to
harden the surety that parent proxy traffic is coming from the child
proxy.
Amos
Received on Tue Oct 18 2011 - 23:38:54 MDT
This archive was generated by hypermail 2.2.0 : Thu Oct 20 2011 - 12:00:03 MDT