Re: Re: authenticate_ip_shortcircuit_ttl

On 26/01/2012 9:31 p.m., botner@xxxxxxxxxxxxx wrote:
Does anybody know if it's possible to set up something similar to
authenticate_ip_shortcircuit in squid 3?
Thinking... yes it should be possible to implement
authenticate_ip_shortcircuit as an external acl for most purposes,
working similar to squid_session but remembering the user name.
Are there plans to port the "authenticate_ip_shortcircuit" feature to
squid3?

Not at this point. It risks opening a huge security hole on the assumption that all requests from an IP are the same client. In the age of NAT, cloud services and IP address randomisation (for "privacy") the risk is getting far too high to be reasonable. Basic auth itself (the only one where this works) is also losing popularity behind more secure authentication systems which can't be cached easily like that option does. Modern browsers' password manager integration and e-wallet systems can handle the login requirements of SSO and automated sign-in a lot better than this option can hope to achieve at its best. We felt the time was ripe to deprecate.

I will accept patch submissions for 3.HEAD/trunk if anyone feels a strong need to port it. But I don't plan to do the portage myself.

Is this http://devel.squid-cache.org/projects.html#ntlm_ip_cache still
useful?
As a basis for understanding how that option works only. The squid-3 overall auth logic is similar but function names and locations are very different.

How would an equivalent configuration with external ACLs look like?

# assumed: the "auth" ACL referenced below needs a definition such as this
acl auth proxy_auth REQUIRED
external_acl_type authBypassT negative_ttl=1 ttl=300 %SRC %{Proxy-Authorization} /some/path
acl authBypass external authBypassT
http_access allow authBypass
http_access deny !auth

With the helper checking that the header's login details validate, if given.
If the login does validate it needs to store the IP+login and return OK.
If just the IP is given and it is already known with any login, just return OK.
Return ERR if there are any problems or no known cached result is found.
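The helper logic described in the four points above, written out as an added example (this is not code from the squid project or from the post). It assumes squid hands the helper a line of the form `<src-ip> <Proxy-Authorization header or ->` (so the header is the request's Proxy-Authorization, with the value double-quoted by squid when it contains spaces), that only Basic credentials can be checked by the helper itself (NTLM/Negotiate tokens are opaque to it, as the post says), and it uses a constructed in-memory credential table and a constructed TTL in place of a real backend. The IP-to-user cache is the part that carries the shared-IP risk discussed above, so the cache expiry is kept short and a failed login from a known IP is answered ERR rather than served from the cache.

```python
#!/usr/bin/env python3
"""Added example of the external ACL helper sketched in the post (not the
squid project's code). Reads "<src-ip> <Proxy-Authorization>" lines from
squid on stdin, answers OK/ERR, and remembers IP -> user for a short time."""
import base64
import hmac
import shlex
import sys
import time

# Constructed credential store for the example only; a real helper would
# consult the same backend the proxy's Basic auth helper uses.
CREDENTIALS = {"alice": "s3cret", "bob": "hunter2"}

# Constructed TTL: how long an IP stays "known" after a successful login.
# Every request from that IP is trusted for this window, which is exactly
# the NAT / shared-address risk the post warns about, so keep it short.
CACHE_TTL = 300


def parse_line(line):
    """Split one helper request into (src_ip, proxy_authorization_or_None).
    squid sends '-' for an absent header and double-quotes values with spaces."""
    fields = shlex.split(line.strip())
    if not fields:
        return None, None
    src_ip = fields[0]
    header = fields[1] if len(fields) > 1 else "-"
    return src_ip, (None if header == "-" else header)


def validate_basic(header, credentials=CREDENTIALS):
    """Return the user name if header is a valid Basic login, else None."""
    try:
        scheme, _, token = header.partition(" ")
        if scheme.lower() != "basic":
            return None  # NTLM/Negotiate tokens cannot be checked this way
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
        user, _, password = decoded.partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = credentials.get(user)
    if expected is None or not hmac.compare_digest(password, expected):
        return None
    return user


def decide(line, cache, now=None, credentials=CREDENTIALS, ttl=CACHE_TTL):
    """Apply the post's rules: valid login -> remember IP+user and OK;
    bad login -> ERR; no login but IP known and unexpired -> OK; else ERR.
    Returns the helper reply line (without the newline)."""
    now = time.time() if now is None else now
    src_ip, header = parse_line(line)
    if src_ip is None:
        return "ERR"
    if header is not None:
        user = validate_basic(header, credentials)
        if user is None:
            return "ERR"  # credentials were offered but do not validate
        cache[src_ip] = (user, now + ttl)
        return "OK user=" + user
    entry = cache.get(src_ip)
    if entry is not None:
        user, expires = entry
        if now < expires:
            return "OK user=" + user
        del cache[src_ip]  # stale entry: require a fresh login
    return "ERR"


def main():
    """Standard squid external ACL helper loop: one request line in, one
    OK/ERR line out, flushed immediately so squid is not left waiting."""
    cache = {}
    for line in sys.stdin:
        sys.stdout.write(decide(line, cache) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Because the cache lives in the helper process, the result is only as consistent as the number of helper children you run (each child has its own table); the `ttl=300` on the external_acl_type line in the config above adds a second, squid-side cache on top of this one, so the effective trust window for an IP is the sum of the two and both should be sized with the shared-IP risk in mind.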


I have experienced some stability issues with winbind in a samba domain
and a ntlm squid authentication. The "authenticate_ip_shortcircuit" feature
was a kind of workaround for that.

Squid-3 has better persistent connection and HTTP/1.1 abilities than squid-2 did. You may find that the instability is gone now when these features are used.

Negotiate/Kerberos is also the better way forward. It halves the overhead load that NTLM imposes on setting up connections.

Amos

