Is there no way to do this securely and in such a way that squid is able
to log the IP address of the user? I mean, all I really want to do is
ask the same questions of the user, just in a slightly different way. It
seems hard to believe that this is so difficult in squid, every coffee
shop and airport in the U.S. has something similar to this in their wifi
hotspots. I am willing to accept that I may not know how it works, so I
will explain what I believe to be the proper authentication steps:
You misunderstand the basic HTTP/HTTPS authentication behaviour of web
browsers, over which you have absolutely no control.
1) User connects to proxy server
2) Squid sends an authentication request to the user with a method
similar to .htaccess in Apache (I am using basic ncsa_auth at the
moment; I realize that in digest and NTLM this is different and more secure)
*nix that. Squid must check source of 'logged-in' users, redirecting any
not found to the web server for 'authentication'.
3) User submits his information
** to the 'authenticating' web server via the page POST,
which gets handled by an out-of-band script,
which on success then redirects the user back to the originally requested page.
4) Squid uses ncsa_auth to compare the user's data with a password list
somewhere on the proxy server
* nix this too. proxy CANNOT use HTTP authentication for this remember?
browsers provide the login box.
5) If the user is authorized, his IP address is added to a list of
authorized users. If no, he is rejected.
** by the 'authenticating' web server via the POST.
Proxy MUST scan source of 'logged-in' users again... repeat ad infinitum
until success or failure blocks the user's loop.
If I am right about that, then all I really want to do can be done by
slightly modifying step 2, and send a complete webpage to the user.
Since I am using basic authentication, I realize that the user's
credentials are sent in plain text, so is it possible to use SSL in this
scenario? The data is only being sent to the proxy server, so there
shouldn't be a problem with any men-in-the-middle.
Nope, the browser's behaviour on seeing a browser-level credential request is
to send credentials or show the box. There is no way you can use any of
the *_auth helpers and not have the box.
In a way out-of-band authentication is much more secure for the proxy
interaction part of the cycle and for all traffic once a user is
authorized.
But the authentication web server takes up all the usual security holes
any other clear-text password mechanism has.
Thus, I give away secure code for the risky bit for free, with advice
available on it, while charging for the config part.
Amos
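As an added illustration of the "proxy scans the source of logged-in users" step Amos describes above (example code written for this thread, not squid's own code nor the treenet.co.nz system), here is a minimal external ACL helper squid can consult on every request; the squid.conf wiring, the helper path and the login URL are assumptions.

```python
"""Squid external ACL helper: reply OK when the request's source IP has an
unexpired login session, ERR otherwise (added example, not squid's own code)."""
import sys
import time

# Assumed squid.conf wiring (squid 2.6/3.x syntax, an assumption):
#   external_acl_type loggedin ttl=60 negative_ttl=5 %SRC /usr/local/bin/loggedin_check.py
#   acl loggedin external loggedin
#   deny_info http://login.example.net/login.cgi?url=%s loggedin
#   http_access allow loggedin
#   http_access deny all

# Constructed sample store (source IP -> expiry, epoch seconds); in production
# the out-of-band login script writes this to a file or DB after a good POST.
SESSIONS = {
    "192.0.2.10": time.time() + 600,  # logged in, 10 minutes left
    "192.0.2.11": time.time() - 5,    # session already expired
}

def check_src(src_ip, sessions, now=None):
    """Return 'OK' if src_ip has an unexpired session, else 'ERR'.
    Expired entries are purged so a later holder of the IP is not let through."""
    now = time.time() if now is None else now
    expiry = sessions.get(src_ip)
    if expiry is None:
        return "ERR"
    if expiry <= now:
        del sessions[src_ip]
        return "ERR"
    return "OK"

def handle_line(line, sessions, now=None):
    """Reply for one '%SRC' line from squid; with concurrency=N squid
    prefixes a channel id that must be echoed back on the reply."""
    fields = line.split()
    if not fields:
        return "ERR"
    if len(fields) == 2:  # "<channel-id> <src-ip>"
        return f"{fields[0]} {check_src(fields[1], sessions, now)}"
    return check_src(fields[0], sessions, now)

def main():
    # squid keeps the helper alive and feeds one request per line on stdin.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line, SESSIONS) + "\n")
        sys.stdout.flush()

if __name__ == "__main__":
    main()
```

Keying the session on the source IP inherits the weakness Adrian points out further down: anyone sharing that address (NAT, a reused DHCP lease) rides on the login, so the TTL and the purge on expiry are what limit the exposure.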
Adrian Chadd wrote:
You misunderstand how it works.
The browser pops up that box to gather authentication credentials it
then uses for all subsequent connections to the proxy server.
Using a login page won't magically place authentication credentials
in the web browser for it to then use for subsequent connections.
The proxy has to track which IP addresses have had users log in
and then pass them through.
This has security implications which no one really seems to care about...
Adrian
On Sun, Dec 02, 2007, Taylor Jones wrote:
Thanks for the offer, but I'm not looking for a way to login, I'm
looking for a way to change the way in which squid lets users log in.
As you know, the user authenticates himself via a little pop-up box in
his browser. This is fine for most people, but like I said, I'm
slightly obsessive, and I would like to design my own webpage through
which the users log in. I could write the actual login script myself
and implement it with LDAP or MySQL or something like that, but I
can't figure out how to make squid show a login page instead of a
login box.
On Dec 1, 2007 10:08 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
Taylor Jones wrote:
Hello,
I read the guidelines for this mailing list, and I really do hope I'm
not asking a question you've all heard a million times. If I am, feel
free to berate me, I probably deserve it.
I am looking for a way to use a webpage with a GET/POST form to get
the user's name and password for authentication instead of the pop-up
that the user receives by default. I realize that this is just an
aesthetic kind of thing, but I'm nothing if not obsessive, and I hate
that I can't tell a user where he is and what he needs to do to gain
access to our proxy server. Honestly, this shouldn't be that hard to
implement, I just don't really know where I should start. Any help you
guys could give me would be much appreciated!
I'm happy to supply a system.
http://treenet.co.nz/projects/
The web login code is freeware. The server and proxy integration is
not.
If you are interested get in touch off-list and we can discuss the price
for that part.
Amos Jeffries
--
amos@xxxxxxxxxxxxx
Treehouse Networks Ltd.
+64 21 293 4049