Re: Transparent Proxy

On 8/08/2013 11:38 p.m., Alfredo Rezinovsky wrote:
> On 07/08/13 16:02, Roman Gelfand wrote:
>> Is there a way I could control access to various sites based on user
>> regardless of workstation they are on?  All in transparent proxy.
>>
>> Thanks in advance
>
> I did this a long time ago.
>
> I had a terminal server, so all the users came from the same IP.
> I did an ident authentication.

Rant warning...

Sigh. "IDENT" is an abbreviation of "Identification Protocol". That is what it does and all it does.

There is no such thing as "ident authentication". In fact "ident" and "authentication" in the same sentence is almost a contradiction. Username with AND without verification.

\rant over


> ident is a simple (and very old) protocol.
> 1. A client with clientIP connects from sourcePort to ProxyIP/ProxyPort
> 2. Ident helper in squid asks clientIP who was the user connecting from sourcePort to ProxyPort
> 3. ident daemon (or service in windows) replies with the username in plain text.
>
> Problems:
> * Some antivirus in the clients can see the ident service as a security threat
> * Because ident is a very old and insecure protocol, you need to be the only admin in the clients so you can trust the ident answer.
> * There are a lot of fake ident services for windows. They always answer with the same username. You need a real ident.
> * When using transparent proxy there's some NAT involved so the client doesn't really connect to proxyIP/ProxyPort. You need an ident NAT handler in your server.
> * Because of the nat handling, the nat and the proxy should be in the same server (usually the default gateway for the clients)
> * I did this a long time ago, so I don't remember how to work around the NAT problem. All I remember is that it is possible.

AFAIK the IDENT does not care who is querying the username. So it should not matter that Squid is asking instead of the real origin server. It is designed for things like firewalls and proxies in the middle to easily access the user's name without complex authentication or security being needed. BUT, the NAT must be done on the Squid box for the accurate TCP level details to be available to Squid. For this and many other reasons, most of which are security related - this is a *MUST* requirement for 3.2 and later.


> If the clients are windows logged in a domain I think you can also try ntlm

No. Any form of HTTP *authentication* requires that the user has credentials specific to the website or service they are requesting access to. Browsers (and such) *will not* send proxy-auth credentials to an origin server. This is browser security, nothing to do with Squid. Otherwise any old attacker could simply send the user a proxy-auth challenge and get told what credentials to use for accessing their ISP or corporate proxy.

Amos
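The three-step ident exchange Alfredo describes, simulated in Python as an added example (not code from this thread or from Squid): a genuine identd answering from a constructed connection table, a canned "fake ident" service, and the proxy-side query. Port numbers and usernames are constructed; the remote-address check a real identd also performs is left out.

```python
import re

# Constructed table of the client host's own TCP connections, as its identd
# sees them: (local port, remote port) -> logged-in user. A real identd also
# matches the remote address; that check is omitted here for brevity.
CLIENT_CONNECTIONS = {
    (49152, 80): "alfredo",   # intercepted: browser believes it talks to origin:80
    (49153, 3128): "roman",   # explicit proxy setting: browser connects to proxy:3128
}

QUERY_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*$")
REPLY_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.+?)\s*$")


def identd_reply(query: str) -> str:
    """Genuine identd on the client host answering one RFC 1413 query.
    The query is '<port on client host>, <port on querying host>'."""
    m = QUERY_RE.match(query)
    if not m:
        return "0, 0 : ERROR : INVALID-PORT\r\n"
    local_port, remote_port = int(m.group(1)), int(m.group(2))
    user = CLIENT_CONNECTIONS.get((local_port, remote_port))
    if user is None:
        return f"{local_port}, {remote_port} : ERROR : NO-USER\r\n"
    return f"{local_port}, {remote_port} : USERID : UNIX : {user}\r\n"


def fake_identd_reply(query: str) -> str:
    """A canned 'fake ident service': every query gets the same name back."""
    m = QUERY_RE.match(query)
    ports = f"{m.group(1)}, {m.group(2)}" if m else "0, 0"
    return f"{ports} : USERID : OTHER : administrator\r\n"


def ident_lookup(client_port: int, proxy_port: int, ask=identd_reply):
    """Proxy side: query the client host for one accepted connection and parse
    the reply. Returns the username (unverified plain text) or None."""
    reply = ask(f"{client_port}, {proxy_port}\r\n")
    m = REPLY_RE.match(reply)
    if not m or m.group(3) != "USERID":
        return None
    if (int(m.group(1)), int(m.group(2))) != (client_port, proxy_port):
        return None  # reply does not echo the port pair we asked about
    _opsys, _, user = m.group(4).partition(":")
    return user.strip() or None
```

Querying the intercepted connection with the proxy's own port (3128) gets NO-USER, because the client's TCP stack only knows a connection to port 80; only the pre-NAT port pair resolves, which is the NAT handling Alfredo mentions. The fake identd answers any query, which is why the returned name carries no proof of identity.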
