Re: [squid-users] Can squid catch authentication info between end user and real web server?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 20 Jul 2012 23:04:30 +1200

On 20/07/2012 3:20 p.m., Tian You wrote:
> Hi Guys,
>
> I'd like to do a scenario like this:
>
> The squid works as a reverse proxy, and itself does not do
> authentication to end user, the real web server will do this.
> But I want squid to catch that authentication info between them, like
> who is going to log in to the web server, and whether he/she logged in
> successfully.
>
> Does squid support this kind of feature? Or any suggestion about how
> to reach the goal?

Er. Only if the authentication is VERY insecure (i.e. Basic auth).

The key part of your situation being that your Squid "does not do
authentication to end user". Authentication is required to get access to
all the details you are trying to record.

Squid has access to the HTTP headers content. Basic auth is just base-64
encoded credentials and so can be decoded by an external_acl helper. All
other authentication schemes are opaque blobs of data. There is no way
to identify successful login without validating that login (aka
authenticating the credentials data).

What Squid does support is doing the authentication in the front-end
proxy and passing the user credentials to the backend as well. This is
better security overall, in that the proxy can perform proper security
control when user login fails. Attack attempts do not make it to the
backend server and waste proxy->server bandwidth/connections.

Amos
Received on Fri Jul 20 2012 - 11:04:42 MDT
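
The external_acl helper approach mentioned in the reply above, as an added example that is not part of the original post or of Squid itself: a helper that extracts the claimed user name from a Basic Authorization header and discards the password. The `squid.conf` line in the docstring, the helper path and the function names are assumptions; as the reply says, the helper cannot tell whether the backend accepted the login.

```python
#!/usr/bin/env python3
"""Squid external_acl helper sketch: report the user name claimed in a
Basic Authorization header. Assumed squid.conf wiring (not from the post):
  external_acl_type authlog %>{Authorization} /usr/local/bin/authlog.py
"""
import base64
import binascii
import sys
from urllib.parse import quote, unquote


def claimed_user(field):
    """Return the user name from a Basic header value, or None.

    The field is URL-unescaped first, since Squid escapes helper input.
    A missing header (placeholder such as "-") or any other scheme
    (Digest, NTLM, Negotiate) is an opaque blob here and yields None.
    """
    value = unquote(field.strip())
    scheme, _, blob = value.partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None  # malformed base64: treat as no usable credentials
    user, sep, _password = decoded.partition(b":")  # password is discarded
    if not sep or not user:
        return None
    return user.decode("utf-8", errors="replace")


def reply_for(line):
    """Build the helper reply for one request line from Squid."""
    user = claimed_user(line)
    if user is None:
        return "ERR"
    # Only the *claimed* name is known; the backend decides if login succeeds.
    return "OK user=" + quote(user)


if __name__ == "__main__":
    for request in sys.stdin:
        sys.stdout.write(reply_for(request) + "\n")
        sys.stdout.flush()  # Squid waits on each reply, so never buffer
```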
