Re: [squid-users] NTLM with a fall back to anonymous

From: Jason Fitzpatrick <jayfitzpatrick_at_gmail.com>
Date: Sat, 4 Feb 2012 13:23:31 +0000

Hi Amos,

Yet again thanks for a very complete reply!

Our problem is that the upstream system is the one with all the
content filtering on it, and I have started creating a whitelist for
the known destinations but it is quickly going to become unmanageable.

I was hoping that if a client failed to authenticate then it would be
forwarded to the upstream and fall under whatever the default
(unauthorized) ruleset is; known risky sites etc. would be getting
filtered there.

Jay

On 4 February 2012 12:02, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 5/02/2012 12:30 a.m., Jason Fitzpatrick wrote:
>>
>> Morning all..
>>
>> I have a requirement to have my squid servers authenticate users
>> before forwarding requests to an upstream server which does content
>> filtering based on the X-Forwarded headers in the requests, and all
>> seems to be working quite well so far (internal traffic is routed via
>> the squids without the need to authenticate).
>>
>> I do have one issue though: clients that are unable to authenticate
>> (Windows Update / Java updates etc.), and I want to set up the system so
>> that it will attempt to authenticate the user, and if the
>> authentication fails the request is routed regardless.
>>
>> Is such a thing possible? I have tried all sorts of configurations but
>> the logic to the rules still escapes me!
>
>
> This is a side case of security which seems to boggle many an admin's mind.
> The core of the problem is that missing credentials is only one *sub-set* of
> all failed authentications. You cannot simply take "failed auth" and assume
> its one of the "good" software which is failing. These days it will quite
> frequently be someone malicious, possibly even forging the "good" software
> user-agent header to get access.
>
> In particular missing credentials is a type of failure indistinguishable
> from an HTTP request which has not yet even been challenged for credentials.
> HTTP is stateless so there is no way to identify two clients sharing a
> downstream proxy and one client re-trying without credentials. You must
> hard-code that distinction for the specific cases you know of, thus all the
> well published config hacks.
>
> Amos

--
"The only difference between saints and sinners is that every saint
has a past while every sinner has a future. "
— Oscar Wilde
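A squid.conf fragment, added here as an example and not from either poster, showing the "hard-code the distinction" approach Amos describes: the known non-authenticating destinations bypass the NTLM challenge by destination, everything else must authenticate, and nothing is ever allowed on the basis of a failed auth. The helper path, domain lists and upstream hostname are assumptions to adjust to your own environment.

```conf
# Added example, not from the thread. Squid 3.x syntax.
# NTLM via Samba's ntlm_auth helper (path is an assumption).
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on

# Destinations fetched by agents that cannot do NTLM. Matched on destination,
# not on User-Agent, because the User-Agent header is trivially forged.
# Domain lists are placeholders: take them from what your access.log shows.
acl update_dst dstdomain .windowsupdate.com .update.microsoft.com
acl update_dst dstdomain .java-updates.example

# Internal traffic that never needs to authenticate (placeholder domain).
acl internal_dst dstdomain .corp.example

# Everyone else must present valid credentials.
acl authenticated proxy_auth REQUIRED

# Order matters: allow the hard-coded exceptions first, then require auth.
# There is deliberately no rule that allows a request because auth *failed*;
# a request with no credentials is simply challenged by the proxy_auth ACL.
http_access allow internal_dst
http_access allow update_dst
http_access allow authenticated
http_access deny all

# Forward everything to the filtering upstream (hostname is a placeholder)
# and pass the client address along in X-Forwarded-For.
forwarded_for on
cache_peer upstream.example parent 3128 0 no-query default
never_direct allow all
```

Each new exception is one more `acl update_dst dstdomain` line, which is the manageability cost Jay describes; the alternative of allowing on failed auth would let any unauthenticated client through to the upstream's default ruleset.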
Received on Sat Feb 04 2012 - 13:23:38 MST

This archive was generated by hypermail 2.2.0 : Sun Feb 05 2012 - 12:00:02 MST