RE: [squid-users] auth for system services

From: James Harper <james.harper_at_bendigoit.com.au>
Date: Sat, 16 Feb 2013 04:21:53 +0000

>
> On 16/02/2013 3:23 p.m., James Harper wrote:
> > On a Windows desktop there are often a bunch of system services that
> > make http connections, either running as a system account or running as a
> > user but that don't know how to authenticate. The list of these exceptions is
> > tedious to maintain so it would be good to be able to authorise the user's IP
> > address once they have successfully authenticated to squid, sort of like the
> > old style 'pop before smtp' auth used to work.
>
> Tedious to maintain? What exactly are you listing?
> I list services by approving and whitelisting destination domains.
> That is not much work, as the listing only needs adapting the first
> time you encounter a service. A second, third... thousandth client
> system using that service does not make any difference.
>

That's what I thought originally, but things like CRLs (every CA seems to use a new one - I've 'fixed' java 5 times in the past week) and skydrive (breaks every month or so as Microsoft change things) require continual maintenance and don't fail nicely.

> Some Warnings first:
>
> * Be careful with this. It is not very safe to trust an IP just because
> you saw credentials from it earlier on a completely different connection.

Credentials will time out.

> * Clients are able to run proxy software and share their internet
> connection with the world very easily these days.

That's true of the existing username/password authentication anyway. But the site is small enough that we'd notice.

> * You lose all tracking of any infections or malicious software they
> may be infected with.

How so? Username is first logged against IP address, then IP address is logged. Tracking is easy.

> * You lose the ability for users to share machines. User A can shut
> down the machine, user B restart it and if they are fast enough the
> proxy shares the session started by user A.

I thought about that. Firstly, the above scenario doesn't happen, and if it did the login records are present on the PC anyway.

> * The above means you lose the ability to identify which user is doing
> what actions (once the IP-based session is active the credentials are
> not used or logged).

But the IP address is, so the problem becomes a reporting problem.

>
> Anyways....
>
> What you want to look at is the session helper, with its active mode (-a
> command line parameter).
> http://www.squid-cache.org/Versions/v3/3.2/manuals/ext_session_acl.html
>

Thanks for taking the time to write all of this. Now I know that what I want to do is possible I can consider whether it is the best road forward.

Have you ever considered integrating a SOCKS style proxy into squid? It requires a smart client of course but I can do that much under Windows.

James
Received on Sat Feb 16 2013 - 04:22:00 MST
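For readers following the thread: the squid.conf fragment below is an added illustration of the 'pop before smtp' style flow discussed above, written for this archive page. It is not configuration from either poster or from the Squid project, and the helper path, database path, the 3600-second session lifetime, and the ACL names are assumptions; the `-a`, `-T` and `-b` options are taken from the ext_session_acl manual linked in the message, so check them against the manual for the Squid version actually deployed. The idea is that a request carrying valid proxy credentials opens an IP-keyed session (the LOGIN path), and later requests from that IP, including ones from system services that cannot authenticate, are allowed while the session is alive. The username is still logged on the request that opened the session, which is the record that ties an IP to a user for the reporting point raised above; the timeout bounds how long a shared or re-used IP inherits that session.

```conf
# Normal proxy authentication (any auth_param scheme already in use works here)
acl authenticated proxy_auth REQUIRED

# ext_session_acl in active mode (-a): sessions are only created when an ACL
# explicitly sends LOGIN, and expire after -T seconds of inactivity.
# Keyed on the client IP (%SRC). Paths and timeout are assumptions.
external_acl_type ip_session ttl=60 negative_ttl=10 %SRC \
    /usr/lib/squid/ext_session_acl -a -T 3600 -b /var/lib/squid/ip_sessions.db

# Passing "LOGIN" as the extra token tells the helper to start a session for %SRC
acl session_login  external ip_session LOGIN
# With no extra token the helper only reports whether a session is active
acl session_active external ip_session

# 1. An already-open IP session is allowed without credentials
#    (this is what lets unauthenticated system services through).
http_access allow session_active

# 2. Otherwise require credentials; if they are good, open the IP session.
#    The username on this request appears in access.log next to the IP.
http_access allow authenticated session_login

# 3. Everything else is denied (and, being last, triggers the auth challenge
#    because 'authenticated' is the failing proxy_auth ACL above).
http_access deny all
```

Note that the `ttl=60` on the external_acl_type caches the helper's answer, so a session that has just expired may still be honoured for up to that many seconds; keep it short relative to `-T`.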
