Secure user authentication on a web proxy


Hello,

I am setting up Squid to enable users to use it as a web proxy server.

My problem is how to enable encrypted user authentication.

On the back-end we are using an LDAP Server (openldap) for user account management and authentication. Squid works fine with LDAP, but browser-level encryption is not supported (so the password is sent in clear text) unless using DIGEST auth, which is not possible in our case, because passwords are stored encrypted in LDAP (DIGEST authentication requires that passwords are stored in clear-text).

I was thinking of a scenario using client certificates: Client browsers (to be authenticated) would have their own certificates (with their own private key) and the proxy server (Squid) would authenticate them against LDAP where the public keys of the user certs are stored.

So: Is this solution feasible and does it really offer a safe authentication (at the browser level), without using TLS/SSL (which I know is not available during proxy authentication since browsers do not support it)? I understand that when using this kind of auth (with certificates), no password exchange is needed: Authentication is done using the certs only.

If the answer is yes, can you please direct me to some web page or other manual detailing how to configure Squid to operate with this kind of authentication?

Finally, any other ideas for secure authentication at the browser level? (I have also evaluated NTLM - in which case we would use Samba to create a DC - but my understanding is that NTLM is bound to particular LANs where clients are expected to be on, whereas we want to be able to authenticate clients - without using a VPN - on any network they might be.)

Thanks in advance,
Nick
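
As an added illustration (not part of the original post and not Squid code), this Python sketch contrasts the two schemes discussed above: a captured Basic header yields the password directly, a Digest response can only be checked by a server that holds the password or the realm-specific hash HA1, and a salted `{SSHA}` LDAP value can verify a submitted password but supplies neither. The user name, realm, password, nonce, URI and salt are constructed sample values.

```python
import base64
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def basic_header(user, password):
    # Basic auth: base64 is an encoding, not encryption.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def recover_from_basic(header):
    # What anyone who captures the Proxy-Authorization header can read.
    decoded = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = decoded.partition(":")
    return user, password

def digest_ha1(user, realm, password):
    # The verifier must hold the password or this realm-specific hash.
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1, nonce, method, uri):
    # RFC 2617 response without qop: MD5(HA1:nonce:MD5(method:uri)).
    return md5_hex(f"{ha1}:{nonce}:{md5_hex(f'{method}:{uri}')}")

def ssha(password, salt):
    # OpenLDAP-style {SSHA}: base64(SHA1(password + salt) + salt).
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(stored, candidate):
    # Works only when the candidate password itself is submitted.
    salt = base64.b64decode(stored[len("{SSHA}"):])[20:]  # SHA-1 is 20 bytes
    return hmac.compare_digest(ssha(candidate, salt), stored)

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    user, realm, pw = "nick", "proxy.example", "s3cret-sample"
    print("Basic leaks:", recover_from_basic(basic_header(user, pw)))
    ha1 = digest_ha1(user, realm, pw)
    resp = digest_response(ha1, "constructed-nonce", "GET", "http://example.org/")
    print("Digest response on the wire:", resp)
    stored = ssha(pw, b"\x01\x02\x03\x04")
    print("LDAP value:", stored, "verifies:", ssha_verify(stored, pw))
```
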
