Search squid archive

Re: ssl_bump + ldap authentication problem

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 06 Sep 2011 15:15:08 +0200, Łukasz Makowski wrote:
W dniu 2011-09-06 08:08, Amos Jeffries pisze:
On 05/09/11 22:03, Łukasz Makowski wrote:
Hello everyone,

I'm using Squid and ldap_authentication, and recently decided do deploy
ssl_bump feature.

I have made tests for ssl_bump and everything works just fine, but when
combined with ldap authentication,
it appeared to have one big disadvantage.

For every site user try to visit, squid pops with its authentication
window.
I see that for regular, http traffic message looks like this : "Server
My_Squid_Server needs authentication blablabla".
But when ssl_bump triggers during visiting https web page, it states :
"Server Https_Site_Domain needs authentication blablabla".

I know that this behaviour can be caused by a way that ssl_bump works.
Please tell me is there any possible method to overcome this ?

Thanks for help.

Lukasz

I suspect you have the recommended "deny !authedUsers" or similar.

Bumped traffic should match "acl HTTPS proto HTTPS". So you should be able to bypass the auth using that ACL.

Amos

Thanks for your reply.

My auth acl looks like this:
acl password proxy_auth REQUIRED

and rules for traffic:

http_access allow password
ssl_bump allow all

I also tried following, when experimenting with ssl_bump :
acl https_traffic method CONNECT
ssl_bump allow https_traffic

but it works the same for me.

My point when trying to implement ssl_bump was to log https urls and
users accesing them, as I am doing it for http.
I'm concerned about part of your statement "So you should be able to
bypass the auth using that ACL".
Did I understand you correctlly ? Is there no possibility to force
squid to auth my users when accesing https?

The original CONNECT request still passes through the http_access controls before it gets bumped. So auth will happen on that request. Which unfortunately is not logged yet, but still happens.

Once the bump occurs the unwrapped requests cannot be individually authenticated due to the same reasons the other forms of intercepted traffic cannot. The browser believes it is talking down a secure tunnel to the host the CONNECT specified and will not send proxy credentials to MITM agents. This is why you got the error pages showing to the browser instead of an auth handshake.

NP: I believe we can bind the CONNECT credentials to the unwrapped requests using the NTLM connection-auth mechanisms. But so far nobody has worked on that yet.

Amos


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux