> Is there no way to do this securely and in such a way that squid is able
> to log the IP address of the user? I mean, all I really want to do is
> ask the same questions of the user, just in a slightly different way. It
> seems hard to believe that this is so difficult in squid; every coffee
> shop and airport in the U.S. has something similar to this in their wifi
> hotspots. I am willing to accept that I may not know how it works, so I
> will explain what I believe to be the proper authentication steps:

You misunderstand the basic HTTP/HTTPS authentication behaviour of web
browsers, over which you have absolutely no control.

>
> 1) User connects to proxy server
> 2) Squid sends an authentication request to the user with a method
> similar to .htaccess in Apache (I am using basic ncsa_auth at the
> moment, I realize that in digest and NTLM this is different and more secure)

*nix that. Squid must check the source of 'logged-in' users, redirecting any
not found to the web server for 'authentication'.

> 3) User submits his information

** to the 'authenticating' web server via the page POST, which gets handled
by an out-of-band script which on success then redirects the user back to
the originally requested page.

> 4) Squid uses ncsa_auth to compare the user's data with a password list
> somewhere on the proxy server

* nix this too. The proxy CANNOT use HTTP authentication for this, remember?
Browsers provide the login box.

> 5) If the user is authorized, his IP address is added to a list of
> authorized users. If no, he is rejected.

** by the 'authenticating' web server via the POST. The proxy MUST scan the
source of 'logged-in' users again.. repeat ad infinitum until success or
failure blocks the user's loop.

>
> If I am right about that, then all I really want to do can be done by
> slightly modifying step 2, and send a complete webpage to the user.

> Since I am using basic authentication, I realize that the user's
> credentials are sent in plain text, so is it possible to use SSL in this
> scenario? The data is only being sent to the proxy server, so there
> shouldn't be a problem with any men-in-the-middle.

Nope, the browser's behaviour on seeing a browser-level credential request is
to send credentials or show the box. There is no way you can use any of the
*_auth and not have the box.

In a way, out-of-band authentication is much more secure for the proxy
interaction part of the cycle and for all traffic once a user is authorized.
But the authentication web server takes on all the usual security holes any
other clear-text password mechanism has.

Thus, I give away secure code for the risky bit free, with advice available
on it, while charging for the config part.

Amos

>
>
> Adrian Chadd wrote:
>> You misunderstand how it works.
>>
>> The browser pops up that box to gather authentication credentials it
>> then uses for all subsequent connections to the proxy server.
>>
>> Using a login page won't magically place authentication credentials
>> in the web browser for it to then use for subsequent connections.
>> The proxy has to track which IP addresses have had users log in
>> and then pass them through.
>>
>> This has security implications which no one really seems to care about...
>>
>>
>>
>> Adrian
>>
>> On Sun, Dec 02, 2007, Taylor Jones wrote:
>>> Thanks for the offer, but I'm not looking for a way to login, I'm
>>> looking for a way to change the way in which squid lets users log in.
>>> As you know, the user authenticates himself via a little pop-up box in
>>> his browser. This is fine for most people, but like I said, I'm
>>> slightly obsessive, and I would like to design my own webpage through
>>> which the users log in. I could write the actual login script myself
>>> and implement it with LDAP or MySQL or something like that, but I
>>> can't figure out how to make squid show a login page instead of a
>>> login box.
>>>
>>>
>>>> On Dec 1, 2007 10:08 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>>>> Taylor Jones wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I read the guidelines for this mailing list, and I really do hope I'm
>>>>>> not asking a question you've all heard a million times. If I am, feel
>>>>>> free to berate me, I probably deserve it.
>>>>>>
>>>>>> I am looking for a way to use a webpage with a GET/POST form to get
>>>>>> the user's name and password for authentication instead of the pop-up
>>>>>> that the user receives by default. I realize that this is just an
>>>>>> aesthetic kind of thing, but I'm nothing if not obsessive, and I hate
>>>>>> that I can't tell a user where he is and what he needs to do to gain
>>>>>> access to our proxy server. Honestly, this shouldn't be that hard to
>>>>>> implement, I just don't really know where I should start. Any help you
>>>>>> guys could give me would be much appreciated!
>>>>> I'm happy to supply a system.
>>>>> http://treenet.co.nz/projects/
>>>>>
>>>>> The web login code is freeware. The server and proxy integration is not.
>>>>> If you are interested get in touch off-list and we can discuss the price
>>>>> for that part.
>>>>>
>>>>> Amos Jeffries
>>>>> --
>>>>> amos@xxxxxxxxxxxxx
>>>>> Treehouse Networks Ltd.
>>>>> +64 21 293 4049
>>>>>
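The flow Amos outlines above (the proxy checks each client's source IP against a list that an out-of-band login page maintains, and bounces anyone not on it to that page) is the captive-portal pattern, and in Squid it is normally wired up with an external ACL rather than any of the *_auth helpers. The following is an added example written for this thread; it is not code from the thread, from Squid, or from the treenet.co.nz project. The squid.conf fragment in the docstring, the helper path, login.example.net, the session-file location and its one-line-per-session format are all assumptions; the portal's POST handler that writes the session file is not shown.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: answer "is this client IP logged in?"

Assumed squid.conf fragment (squid 3.2+ deny_info syntax; on 2.6/3.0
drop the "302:" prefix). The helper receives one line per lookup
containing the %SRC token (the client IP) and must answer OK or ERR:

    external_acl_type loggedin ttl=30 negative_ttl=5 %SRC /usr/local/bin/ip_auth_helper.py
    acl loggedin external loggedin
    acl portal dstdomain login.example.net
    http_access allow portal        # the login page itself must be reachable
    deny_info 302:http://login.example.net/login?url=%u loggedin
    http_access deny !loggedin      # everyone else is bounced to the portal
    http_access allow localnet

Assumed session file, appended by the portal's POST handler on success:
    <client-ip> <expiry-unix-time> <username>
"""
import ipaddress
import sys
import time

SESSION_FILE = "/var/lib/squid/portal_sessions"   # assumed path


def load_sessions(text, now):
    """Parse the session file; return {ip: user} for entries not yet expired.

    Malformed or unparseable lines are skipped rather than treated as a
    login, so a corrupt file fails closed.
    """
    active = {}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) != 3:
            continue
        ip, expiry, user = parts
        try:
            ipaddress.ip_address(ip)          # reject junk before it reaches squid
            if int(expiry) > now:
                active[ip] = user
        except ValueError:
            continue
    return active


def helper_reply(request_line, sessions):
    """Build the reply for one lookup line (the %SRC token) from squid."""
    ip = request_line.strip()
    user = sessions.get(ip)
    if user is None:
        return "ERR"
    # "user=" in an OK reply lets squid record the name in access.log,
    # which is what the original poster wanted alongside the IP.
    return "OK user=%s" % user


def main():
    for line in sys.stdin:
        now = int(time.time())
        try:
            with open(SESSION_FILE) as f:
                sessions = load_sessions(f.read(), now)
        except OSError:
            sessions = {}                     # no file: nobody is logged in
        sys.stdout.write(helper_reply(line, sessions) + "\n")
        sys.stdout.flush()                    # squid blocks on each reply; never buffer


if __name__ == "__main__":
    main()
```

Two practical points. The `ttl=` on the external_acl_type means a client stays authorised for up to that many seconds after its session line expires or is removed, so keep it short if logout must be prompt. And this carries exactly the implication Adrian raises: the proxy is authorising an IP address, not a person, so anything sharing that address (a NAT gateway, a multi-user host, or a client that can spoof the source on the local segment) inherits the login for as long as the session lasts.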