On 6/16/05, Emilio Salgari <mustyc@xxxxxxxxxxx> wrote:
> I have squid perfectly running on a linux server.
> Till now, since this server has only a private IP address I have put no
> authentication for my clients (inside lan) using squid.
> In the next days I will give a public static IP address to this machine but
> I want that only MY clients can access my proxy (my clients will have public
> dynamic IP addresses, since they will connect from outside lan).
> My clients are on a win2000 or winxp box.

If your clients are members of a Windows domain, you might look at Winbind:
http://www.squid-cache.org/Doc/FAQ/FAQ.html#toc23.5

Another option would be to have your clients bring up a Windows VPN tunnel to your squid server, and use strong authentication on the tunnel; this way the "outside" users look the same to squid as "inside" users.

Or you could use SSH, either by taking advantage of the port forwarding features of SSH, or by using something akin to OpenBSD's "authpf" so that when your customers bring up an SSH session from the Internet, packet filter rules are updated on the server which permit their source IP to access the proxy server so long as their SSH session is up.

> What kind of strong authentication method should I use?
> Is there something stronger than simple username-password?

1) Something your users and your squid server can deal with.

2) Stronger methods include SSL certificates, Challenge-Response, and one time passwords (OTP) such as OPIE (S/Key), SecurID, etc.

It can be difficult to get Squid to support a strong authentication scheme directly. The core of the problem is that when using an authenticated non-transparent proxy, "The browser authenticates on behalf of the user on every request sent to Squid." This requires the browser to cache and reuse credentials, but the whole point of OTP is that the passcodes are not reusable.

Kevin Kadow
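The SSH port-forwarding variant described in the reply above, as an added configuration example that is not part of Kevin's message or of any Squid project file. Squid listens on loopback and on the LAN interface only, so from the Internet the proxy is reachable solely through an SSH tunnel that terminates on the server itself; tunnelled users then arrive from 127.0.0.1 and are treated like "inside" users. The LAN range, the interface address, the host name, the account name and the port number are assumptions.

```conf
# Added example squid.conf fragment (not from the original thread).
# Listen only where trusted traffic can originate: the loopback
# interface (far end of each user's SSH tunnel) and the inside LAN.
# 192.168.1.1 and 192.168.1.0/24 are assumed values.
http_port 127.0.0.1:3128
http_port 192.168.1.1:3128

acl localhost src 127.0.0.1/32
acl lan       src 192.168.1.0/24

# Keep the stock Safe_ports / CONNECT rules above this point; these
# lines only decide *who* may use the proxy, not *what* they may fetch.
http_access allow localhost
http_access allow lan
http_access deny  all

# Client side (assumed host name and account), one tunnel per user:
#   ssh -N -L 3128:127.0.0.1:3128 alice@proxy.example.com
# then set the browser's proxy to 127.0.0.1 port 3128. The proxy is
# usable only while that SSH session is up, and SSH, not Squid, carries
# the strong authentication (for example a client key with a passphrase).
```

Because "allow localhost" trusts anything that reaches Squid over loopback, the SSH accounts become the access control: every user who can log in to the box can use the proxy, so restrict those accounts (sshd's AllowUsers, or a forced command with port forwarding only) rather than relying on Squid to tell tunnelled users apart. Squid's access log will show 127.0.0.1 for all tunnelled clients; correlate with sshd's login records if you need to attribute requests to a person.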