> I see. So I guess I need to use Hamidi's method: set up some webserver
> that unauthenticated users are redirected to, have the user submit his
> data to it, have some script on the webserver check against the password
> list (in my case LDAP), if the user was valid add the user's IP address
> to the proxy server's ACL list, then redirect the user to some other
> page so that the proxy accepts the newly authenticated user and allows
> him through. I guess I'll need some manner of measuring how long a
> user has been logged in so I can give him a certain amount of access
> time. It just seems... kludgy somehow. Maybe it's just me. It would be
> nice if this were more supported natively by squid, but I guess that's
> how guys like Amos make their money! Thanks for all your help guys!

You mean turn squid into a fully-fledged webserver that can process POSTs?
Or making it easy for admin to open a major security hole in their systems?

Without some care the web-form login can be attacked and broken. On top of
that, on a network where NAT is in use (read: most places in IPv4 where users
come from) users are able to piggy-back on each other's authorised sessions
relatively easily unless specific protection is added, which kludged
protection is even easier to break open than the web-form itself.

The box is provided in HTTP to give the best (medium-secure) authentication
the protocol is capable of; bypassing it with a home-brew is not a good thing
in most cases.

You will note that I provide help for people wanting it, but choose to use
the HTTP login box on my own proxy when it can be used.

Amos

>
> Amos Jeffries wrote:
>>> Is there no way to do this securely and in such a way that squid is
>>> able to log the IP address of the user? I mean, all I really want to
>>> do is ask the same questions of the user, just in a slightly different
>>> way. It seems hard to believe that this is so difficult in squid, every
>>> coffee shop and airport in the U.S. has something similar to this in
>>> their wifi hotspots. I am willing to accept that I may not know how it
>>> works, so I will explain what I believe to be the proper
>>> authentication steps:
>>
>> You misunderstand the basic HTTP/HTTPS authentication behaviour of web
>> browsers. Over which you have absolutely no control.
>>
>>> 1) User connects to proxy server
>>> 2) Squid sends an authentication request to the user with a method
>>> similar to .htaccess in Apache (I am using basic ncsa_auth at the
>>> moment, I realize that in digest and NTLM, this is different and more
>>> secure)
>>
>> *nix that. Squid must check source of 'logged-in' users, redirecting any
>> not found to the web server for 'authentication'.
>>
>>> 3) User submits his information
>>
>> ** to the 'authenticating' web server via the page POST,
>> which gets handled by an out-of-band script,
>> which on success then redirects user back to original requested page.
>>
>>> 4) Squid uses ncsa_auth to compare the user's data with a password list
>>> somewhere on the proxy server
>>
>> * nix this too. Proxy CANNOT use HTTP authentication for this, remember?
>> Browsers provide the login box.
>>
>>> 5) If the user is authorized, his IP address is added to a list of
>>> authorized users. If no, he is rejected.
>>
>> ** by the 'authenticating' web server via the POST.
>>
>> Proxy MUST scan source of 'logged-in' users again... repeat ad infinitum
>> until success or failure blocks the user's loop.
>>
>>> If I am right about that, then all I really want to do can be done by
>>> slightly modifying step 2, and send a complete webpage to the user.
>>> Since I am using basic authentication, I realize that the user's
>>> credentials are sent in plain text, so is it possible to use SSL in
>>> this scenario? The data is only being sent to the proxy server, so
>>> there shouldn't be a problem with any men-in-the-middle.
>>
>> Nope, the browser's behaviour on seeing a browser-level credential
>> request is to send credentials or show the box. There is no way you can
>> use any of the *_auth and not have the box.
>>
>> In a way out-of-band authentication is much more secure for the proxy
>> interaction part of the cycle and for all traffic once a user is
>> authorized. But the authentication web server takes up all the usual
>> security holes any other clear-text password mechanism has.
>>
>> Thus, I give away a secure code for the risky bit free, with advice
>> available on it. While charging for the config part.
>>
>> Amos
>>
>>> Adrian Chadd wrote:
>>>> You misunderstand how it works.
>>>>
>>>> The browser pops up that box to gather authentication credentials it
>>>> then uses for all subsequent connections to the proxy server.
>>>>
>>>> Using a login page won't magically place authentication credentials
>>>> in the web browser for it to then use for subsequent connections.
>>>> The proxy has to track which IP addresses have had users log
>>>> and then pass them through.
>>>>
>>>> This has security implications which no one really seems to care
>>>> about...
>>>>
>>>> Adrian
>>>>
>>>> On Sun, Dec 02, 2007, Taylor Jones wrote:
>>>>> Thanks for the offer, but I'm not looking for a way to login, I'm
>>>>> looking for a way to change the way in which squid lets users log in.
>>>>> As you know, the user authenticates himself via a little pop-up box
>>>>> in his browser. This is fine for most people, but like I said, I'm
>>>>> slightly obsessive, and I would like to design my own webpage through
>>>>> which the users log in. I could write the actual login script myself
>>>>> and implement it with LDAP or MySQL or something like that, but I
>>>>> can't figure out how to make squid show a login page instead of a
>>>>> login box.
>>>>>
>>>>>> On Dec 1, 2007 10:08 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>>>>>> Taylor Jones wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I read the guidelines for this mailing list, and I really do hope
>>>>>>>> I'm not asking a question you've all heard a million times. If I
>>>>>>>> am, feel free to berate me, I probably deserve it.
>>>>>>>>
>>>>>>>> I am looking for a way to use a webpage with a GET/POST form to
>>>>>>>> get the user's name and password for authentication instead of the
>>>>>>>> pop-up that the user receives by default. I realize that this is
>>>>>>>> just an aesthetic kind of thing, but I'm nothing if not obsessive,
>>>>>>>> and I hate that I can't tell a user where he is and what he needs
>>>>>>>> to do to gain access to our proxy server. Honestly, this shouldn't
>>>>>>>> be that hard to implement, I just don't really know where I should
>>>>>>>> start. Any help you guys could give me would be much appreciated!
>>>>>>>
>>>>>>> I'm happy to supply a system.
>>>>>>> http://treenet.co.nz/projects/
>>>>>>>
>>>>>>> The web login code is freeware. The server and proxy integration is
>>>>>>> not. If you are interested get in touch off-list and we can discuss
>>>>>>> the price for that part.
>>>>>>>
>>>>>>> Amos Jeffries
>>>>>>> --
>>>>>>> amos@xxxxxxxxxxxxx
>>>>>>> Treehouse Networks Ltd.
>>>>>>> +64 21 293 4049
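As an added illustration of the "check source of 'logged-in' users" step Amos describes (example code written for this page, not the treenet.co.nz system or anything from the thread): a time-limited session table keyed by client IP, exposed in the shape of a squid external ACL helper that answers OK or ERR per query line. The `%SRC`-per-line input format, the `grant`/`is_authorised`/`decide` names and the 30-minute default are assumptions for the example; the IP-keyed design is also exactly why the NAT piggy-backing warning applies, since every client behind one NAT address shares one entry.

```python
"""Session table for the 'logged-in source IP' check discussed in the thread.

Hypothetical helper (added example). The login web server calls grant() after
it has verified the POSTed credentials (against LDAP, for instance); squid asks
is_authorised() about each request's source address. Because the key is the
client IP, everyone sharing a NAT address shares the session: this table alone
does not protect against the piggy-backing Amos describes.
"""
import sys
import time

# Constructed in-memory store: client IP -> (username, expiry in epoch seconds).
SESSIONS = {}

DEFAULT_TTL = 30 * 60  # seconds of proxy access granted per successful login (assumed)


def grant(ip, user, ttl=DEFAULT_TTL, now=None):
    """Record that `user` authenticated from `ip`; return the session expiry."""
    now = time.time() if now is None else now
    expiry = now + ttl
    SESSIONS[ip] = (user, expiry)
    return expiry


def is_authorised(ip, now=None):
    """True while `ip` holds an unexpired session; expired entries are purged."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(ip)
    if entry is None:
        return False
    if entry[1] <= now:
        del SESSIONS[ip]  # access time used up; squid sends the client back to the login page
        return False
    return True


def decide(line, now=None):
    """Answer one external ACL query line (assumed format: the %SRC address first).

    Squid's external ACL helpers reply OK or ERR per input line; the ERR case is
    what an http_access deny plus deny_info rule turns into the redirect.
    """
    fields = line.split()
    ip = fields[0] if fields else ""
    return "OK" if ip and is_authorised(ip, now) else "ERR"


if __name__ == "__main__":
    # Run as a squid external_acl helper: one query per stdin line, one verdict per line out.
    for query in sys.stdin:
        print(decide(query), flush=True)
```

The web-form server would call `grant()` only after its own credential check succeeds; squid never sees the password, which is the "out-of-band" split Amos refers to.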