Say I have a squid reverse proxy with https enabled on it at https://apps.example.com. This serves a number of apps including:
/owa - outlook web access
/rpc - ms terminal server gateway
/intranet
/bugtracker
/svn - svn anon browser access
/procedures
These are spread across a bunch of completely different servers (some linux, some windows) and works really really well. It has been decided that some of the individual applications are not secure enough. /owa, /rpc, and /bugtracker are fine, while /intranet, /procedures, and /svn are not. I have set up acls to deny external access to the insecure apps but now want to put some front end security on them such that when a user first tries to access one with a browser they are redirected and required to sign in to a web forms based page. The idea I have for this is:
. create an sqlite database in /var/run or some other throwaway location
. redirect users using deny_info to the sign in page (php)
. on successful authentication, set a cookie (some random string eg md5 hash of username, password, and time) and create a corresponding entry in the database then redirect user to original page (only possible with squid 3.2.x I believe...)
. create an external acl helper that is passed in the request header corresponding to the cookie, decodes the cookie value from the header, and looks up the entry in the database (and maybe timestamp last access). If present, report OK
. create a cron job nightly (or hourly or whatever) to delete stale records from the database to keep the size reasonable
The cookie here only serves as a lookup into the database, and I believe will be supplied by the browser on any user request.
The number of users is under 100 and of those the number actually using external access is likely to only be around 10-20 at this time, so I'm not too worried about scalability but I guess if I'm making any mistakes now is the time to correct them.
Any comments before I write too much code would be greatly appreciated!
Thanks
James
Received on Mon Mar 18 2013 - 11:57:31 MDT
This archive was generated by hypermail 2.2.0 : Tue Mar 19 2013 - 12:00:06 MDT