On 7/25/05, Corey Tyndall <CTyndall@xxxxxxxx> wrote:
> I am looking at implementing squid proxy for internet authentication
> purposes. We will not be utilizing the cache just the authentication
> piece.

If all you really need is authentication, Squid may not be the best solution, as Squid does a lot of extra work and rewriting of requests, necessary for caching but not really useful for just user authentication.

Personally, I would instead consider something like the Cisco PIX or any other hardware or software product which can provide a "Single Sign On" approach to authenticating users for outbound (and/or inbound) access.

If you do want to proceed with Squid, may I inquire as to what type of authentication you will be using? Will the credential store be local on the box running Squid, or will the authentication requests be forwarded using a network protocol to a remote host? If so, what protocol will be used for the network authentication?

> We will have hundreds of users authenticating at any given time.

Squid will cache the password for a successful authentication for one hour by default:
http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.3

So for each unique user who successfully authenticates, the Squid server will only need to contact the "authentication helper" at most once per hour.

Kevin Kadow

(P.S. Squid caches local authentication usernames and passwords in memory in cleartext, so you may wish to look into encrypting swap.)
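
An added example, not part of the original message: a squid.conf fragment for the authentication-only setup discussed in this thread, with caching disabled and the credential cache lifetime set explicitly to the one hour mentioned above. The helper path, password file, helper count and realm text are assumptions for illustration.

```conf
# Added example; helper path, password file, helper count and realm are assumptions.

# Basic authentication checked by an external helper process.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd

# Number of helper processes kept running to serve concurrent lookups.
auth_param basic children 10

# Realm text shown in the browser's login prompt.
auth_param basic realm Internet access

# How long a successful username/password check is reused from Squid's
# in-memory cache before the helper is asked again.
auth_param basic credentialsttl 1 hour

# Require a valid login for every request; refuse everything else.
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all

# Authentication only: do not store responses in the cache.
cache deny all
```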