
[squid-users] ssl'ing squid traffic

Hello,

I have a little task regarding integration of a secure user authorization scheme on our
proxy server.

As far as I know there are two possible ways to achieve this goal:

1. squid + digest_pw_auth. In this case we have to use HTTP digest, but at the moment
we are storing users' passwords in the openldap directory as the _crypted_ attribute "userPassword".
At the same time, to use digest authorization we have to store
MD5(username:realm:password), but that is difficult in our environment.
Storing clear passwords in the openldap directory is also not an option.

Does anyone know if there are any working schemes utilizing openldap + HTTP digest auth?
Unfortunately, I only found ideas for implementing such schemes in the list archives.

2. HTTPS connection between the proxy server and the end user's browser. This way we encrypt all
traffic, with no difference between HTTP/FTP/HTTPS. The user's password is also encrypted because
it is transferred after the secure channel has been initiated.

It's also better than variant (1) because all content is encrypted and we can avoid man-in-the-middle attacks.

http://www.squid-cache.org/Doc/FAQ/FAQ-1.htm#ss1.12 says that

"..As of version 2.5, Squid can terminate SSL connections.
This is perhaps only useful in a surrogate (http accelerator) configuration.
You must run configure with --enable-ssl. See https_port in squid.conf
for more information."

Thank you for your suggestions.
-- 
Sergey Shepshelevich,
Ulyanovsk State Technical University
NOC, System administrator

