Hi Amos,

thanks for your response.

On 04/20/2012 04:22 PM, Amos Jeffries wrote:
>> I found the following solution, but I'm not sure if that's a good way
>> to go.
>> http://www.mikealeonetti.com/wiki/index.php/Squid_LDAP_transparent_proxy_authentication_script
>>
>
> Not relevant. That is for session-based authorization on intercepted traffic.
> It is not authentication despite the author's use of the term.
> Basic auth protocol with its clear-text credentials is more secure.

Commercial solutions seem to offer similar solutions with a web-based form.
http://demo04.astaro.com/help/en_US/Content/ASG/websec/HTTPs_Profiles-Proxy_Profiles.html

Isn't there a way to build something like that with squid?

>> What can you recommend?
>
> What is the backend you are using LDAP protocol to access capable of?

We are using OpenLDAP directly, there is no other backend.

> Kerberos is the best you can get in the way of secure authentication these days.
> Despite the limits it imposes on HTTP performance.

That would mean clients would have to be configured for Kerberos usage correctly. Firefox for example would then authenticate via GSS-API Negotiation Mechanism (SPNEGO). I would love to see a solution that is more flexible without the need to integrate clients with Kerberos.

> Alternatively you can try using a TLS connection to secure the transport
> between the web clients and Squid.
> http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection

I think that would be the best solution for us. Are there other browsers that support TLS-secured connections too?

Thank you,
Christoph