On Mon, 2007-08-06 at 16:57 +0800, Adrian Chadd wrote:

> I don't know why this isn't better documented

Not sure how it can be better documented. It's both in squid.conf and the FAQ, and additionally Squid emits a quite clear warning in cache.log if you try to use it.

But yes, it probably could be placed better in the squid.conf comments. Currently in the proxy_auth acl, should be in auth_params.

> alas. No, transparent
> interception doesn't function with proxy authentication. It's a shortcoming
> of the HTTP RFC spec.

I wouldn't say it's a shortcoming. It's a very reasonable security restriction to not allow random web servers to fish for proxy authentication credentials, and only allow proxy authentication to known proxies.

> I hear rumours about commercial products supporting
> cookie-type hacks to do authentication but I've never seen it live.

Done it for Squid earlier. Requires a web server which maintains logins and tracks the cookie sessions (any cookie based server will do fine) and an external_acl helper which can query the same server to check if a cookie is valid. No modifications to Squid itself required.

But it's worth noting that cookie based authentication can never work very well. There will always be cases where the proxy either has to allow access, or break communication. (non-GET methods without a valid cookie).

Another possibility is to abuse NTLM authentication. As NTLM is connection oriented it kind of works to authenticate to multiple hops. Never done this with Squid, and it will require a bit of modifications to make it work.

> Use WPAD+proxy.pac to autodiscover proxy services for a LAN.

Yes.

Regards
Henrik
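The external_acl helper described in the message above, sketched as an added example that is not part of the original email and is not Henrik's or the Squid project's code. Assumptions: the cookie name `PROXYSESSION`, the helper path, the ACL names, and an in-memory session table standing in for the query to the login web server; Squid is assumed to pass the Cookie header URL-escaped, one request per line, with `-` when the header is absent.

```python
import sys
from urllib.parse import unquote

# Assumed squid.conf wiring (helper name and path are hypothetical):
#   external_acl_type cookie_session ttl=60 %{Cookie} /usr/local/bin/cookie_helper.py
#   acl has_session external cookie_session
#   http_access allow has_session

COOKIE_NAME = "PROXYSESSION"  # hypothetical cookie set by the login web server

# Constructed sample data; a real helper would ask the login server instead.
SAMPLE_SESSIONS = {"9f2c1a": "alice"}


def session_token(cookie_header):
    """Extract the session token from a raw Cookie header, or None."""
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name == COOKIE_NAME:
            return value
    return None


def decide(line, sessions):
    """Return the reply line for one lookup request; fail closed on anything odd."""
    raw = unquote(line.strip())
    if not raw or raw == "-":
        return "ERR"  # no Cookie header on this request
    token = session_token(raw)
    if token is None:
        return "ERR"  # cookies present, but not ours
    user = sessions.get(token)
    # Refuse names that could smuggle extra key=value pairs into the reply.
    if user is None or not user.isalnum():
        return "ERR"
    return "OK user=" + user


def main(sessions):
    for line in sys.stdin:
        sys.stdout.write(decide(line, sessions) + "\n")
        sys.stdout.flush()  # Squid blocks on each reply, so never buffer


if __name__ == "__main__":
    main(SAMPLE_SESSIONS)
```

An `ERR` on a GET can be turned into a redirect to the login page in squid.conf, but a request with a body has nowhere safe to be redirected, which is the non-GET limitation the message points out.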