Is there no way to do this securely and in such a way that squid is able
to log the IP address of the user? I mean, all I really want to do is
ask the same questions of the user, just in a slightly different way. It
seems hard to believe that this is so difficult in squid, every coffee
shop and airport in the U.S. has something similar to this in their wifi
hotspots. I am willing to accept that I may not know how it works, so I
will explain what I believe to be the proper authentication steps:
1) User connects to proxy server
2) Squid sends an authentication request to the user with a method
similar to .htaccess in Apache (I am using basic ncsa_auth at the
moment, I realize that in digest and NTLM, this is different and more secure)
3) User submits his information
4) Squid uses ncsa_auth to compare the user's data with a password list
somewhere on the proxy server
5) If the user is authorized, his IP address is added to a list of
authorized users. If no, he is rejected.
If I am right about that, then all I really want to do can be done by
slightly modifying step 2, and send a complete webpage to the user.
Since I am using basic authentication, I realize that the user's
credentials are sent in plain text, so is it possible to use SSL in this
scenario? The data is only being sent to the proxy server, so there
shouldn't be a problem with any men-in-the-middle.
Adrian Chadd wrote:
You misunderstand how it works.
The browser pops up that box to gather authentication credentials it
then uses for all subsequent connections to the proxy server.
Using a login page won't magically place authentication credentials
in the web browser for it to then use for subsequent connections.
The proxy has to track which IP addresses have had users log in
and then pass them through.
This has security implications which no one really seems to care about...
Adrian
On Sun, Dec 02, 2007, Taylor Jones wrote:
Thanks for the offer, but I'm not looking for a way to login, I'm
looking for a way to change the way in which squid lets users log in.
As you know, the user authenticates himself via a little pop-up box in
his browser. This is fine for most people, but like I said, I'm
slightly obsessive, and I would like to design my own webpage through
which the users log in. I could write the actual login script myself
and implement it with LDAP or MySQL or something like that, but I
can't figure out how to make squid show a login page instead of a
login box.
On Dec 1, 2007 10:08 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
Taylor Jones wrote:
Hello,
I read the guidelines for this mailing list, and I really do hope I'm
not asking a question you've all heard a million times. If I am, feel
free to berate me, I probably deserve it.
I am looking for a way to use a webpage with a GET/POST form to get
the user's name and password for authentication instead of the pop-up
that the user receives by default. I realize that this is just an
aesthetic kind of thing, but I'm nothing if not obsessive, and I hate
that I can't tell a user where he is and what he needs to do to gain
access to our proxy server. Honestly, this shouldn't be that hard to
implement, I just don't really know where I should start. Any help you
guys could give me would be much appreciated!
I'm happy to supply a system.
http://treenet.co.nz/projects/
The web login code is freeware. The server and proxy integration is not.
If you are interested get in touch off-list and we can discuss the price
for that part.
Amos Jeffries
--
amos@xxxxxxxxxxxxx
Treehouse Networks Ltd.
+64 21 293 4049
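
Added example, not part of any message in this thread and not Squid's or Treehouse Networks' code: the per-IP login tracking Adrian Chadd describes, written as a Squid external ACL helper in Python, with idle and absolute timeouts because every client behind an authorized address is passed through. The helper path, database path, login URL and timeout values are assumptions, and the login page that calls `login()` after checking the password is hypothetical.

```python
# Added example. Assumed squid.conf wiring (paths and login URL are made up):
#   external_acl_type websession ttl=60 negative_ttl=0 %SRC /usr/local/bin/session_helper.py /var/lib/squid/sessions.db
#   acl logged_in external websession
#   http_access deny !logged_in
#   deny_info https://login.example.net/ logged_in
import sqlite3
import sys
import time

IDLE_TIMEOUT = 15 * 60      # assumed policy: 15 idle minutes ends the session
MAX_LIFETIME = 8 * 60 * 60  # assumed policy: re-login after 8 hours regardless

class SessionTable:
    """IP -> (user, started, last_seen), shared with the login page via SQLite."""
    def __init__(self, path):
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS sessions "
                        "(ip TEXT PRIMARY KEY, user TEXT, started REAL, last_seen REAL)")

    def login(self, ip, user, now):
        if not user or any(c.isspace() for c in user):
            raise ValueError("user name would break the helper reply line")
        with self.db:
            self.db.execute("INSERT OR REPLACE INTO sessions VALUES (?, ?, ?, ?)",
                            (ip, user, now, now))

    def check(self, ip, now):
        row = self.db.execute("SELECT user, started, last_seen FROM sessions "
                              "WHERE ip = ?", (ip,)).fetchone()
        if row is None:
            return None
        user, started, last_seen = row
        expired = now - last_seen > IDLE_TIMEOUT or now - started > MAX_LIFETIME
        with self.db:  # commit either the expiry or the refreshed idle timer
            if expired:
                self.db.execute("DELETE FROM sessions WHERE ip = ?", (ip,))
            else:
                self.db.execute("UPDATE sessions SET last_seen = ? WHERE ip = ?", (now, ip))
        return None if expired else user

def answer(line, table, now):
    # One request line from Squid (the %SRC value) -> one reply line.
    fields = line.split()
    user = table.check(fields[0], now) if fields else None
    return "OK user=" + user if user else "ERR"

if __name__ == "__main__":
    table = SessionTable(sys.argv[1])
    for request in sys.stdin:
        print(answer(request, table, time.time()), flush=True)  # Squid waits per line
```

Squid caches each `OK` for the `ttl` given on the `external_acl_type` line, so an expired session can still be passed for up to that many seconds.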