On Tue, 18 Oct 2011 13:53:18 +0200, E.S. Rosenberg wrote:
Hi all, We currently have a setup with proxies that use NTLM authentication (we hope to upgrade to kerberos in the future) and based on the username send the user to one of several parent proxies, to improve caching we would like to instead route all traffic through one proxy that is heavily optimized for caching (has it's own large storage etc.). I saw in the documentation that it is possible to pass the authentication to the parent, as far as I can tell I can 'tell' the parent in several ways how to route the client: - I can pass the username to the parent
Yes via the login= parameter. It is sent as Basic auth (and a dummy or fake password is best there). So you can use it safely for logging purposes, but not reliable security.
- I can 'NAT' the users connection as it leaves the child proxy (src ip rewrite rules) and have source IP based rules on the parent.
Hmm? never heard of this one before. Any details you can point me at for my education?
- I could setup multiple instances of the same parent with different login details and 'route' based on username to each of said 'parents' It seems to me that the second option would result in better performance on the one hand but on the other hand it would add more obfuscation, however performance is more important to me. Am I correct in my analysis? Is passing the username to parent a lot slower, would it require another ntlm-auth binary running on the parent or can the username just pass cleartext between the proxies and therefor the whole 'authentication' is a lot faster....
Username as such is okay as clear-text. NTLM does not let squid know the password, so there is no security leak by adding a fake one of your own.
NTLM on the parent has a major flaw that will bite you if you try to do NTLM there. Namely that NTLM (and Kerberos) do not authenticate the HTTP request particularly, they authenticate the TCP connection. So all they can guarantee is that the connection came from the child proxy. Squid 2.7 and 3.1+ add a bit more surety in that they "pinn" the connections, preventing multiple clients using the TCP connection to the parent. This is nasty for performance and resource usage, but the only way to get NTLM and Kerberos to work without regular popups.
On the whole, I think reconsider carefully your need for auth credentials to get to the backend. Whether you need full auth, or just the username for example. You can add in SSL, IP, and/or MAC checks to harden the surety that parent proxy traffic is coming from the child proxy.
Amos
