On 8/08/2013 11:38 p.m., Alfredo Rezinovsky wrote:
On 07/08/13 16:02, Roman Gelfand wrote:
Is there a way I could control access to various sites based on user
regardless of the workstation they are on? All in transparent proxy.
Thanks in advance
I did this a long time ago.
I had a terminal server, so all the users came from the same IP.
I did an ident authentication.
Rant warning...
Sigh. "IDENT" is an abbreviation of "Identification Protocol". That is
what it does and all it does.
There is no such thing as "ident authentication". In fact "ident" and
"authentication" in the same sentence is almost a contradiction.
Username with AND without verification.
\rant over
ident is a simple (and very old) protocol.
1. A client with clientIP connects from sourcePort to ProxyIP/ProxyPort
2. Ident helper in squid asks clientIP who was the user connecting
from sourcePort to ProxyPort
3. ident daemon (or service in windows) replies with the username in
plain text.
Problems:
* Some antivirus software on the clients can see the ident service as a
security threat
* Because ident is a very old and insecure protocol, you need to be
the only admin in the clients so you can trust the ident answer.
* There are a lot of fake ident services for windows. They always answer
with the same username. You need a real ident.
* When using transparent proxy there's some NAT involved so the client
doesn't really connect to proxyIP/ProxyPort. You need an ident NAT
handler in your server.
* Because of the NAT handling, the NAT and the proxy should be in the
same server (usually the default gateway for the clients)
* I did this a long time ago, so I don't remember how to work around
the NAT problem. All I remember is that it is possible.
AFAIK the IDENT does not care who is querying the username. So it should
not matter that Squid is asking instead of the real origin server. It is
designed for things like firewalls and proxies in the middle to easily
access the users name without complex authentication or security being
needed.
BUT, the NAT must be done on the Squid box for the accurate TCP level
details to be available to Squid. For this and many other reasons, most
of which are security related - this is a *MUST* requirement for 3.2 and
later.
If the clients are Windows machines logged in to a domain, I think you can also try
NTLM
No. Any form of HTTP *authentication* requires that the user has
credentials specific to the website or service they are requesting
access to. Browsers (and such) *will not* send proxy-auth credentials to
an origin server. This is browser security, nothing to do with Squid.
Otherwise any old attacker could simply send the user a proxy-auth
challenge and get told what credentials to use for accessing their ISP
or corporate proxy.
Amos
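As an added illustration, not part of the thread and not code from Squid or any identd: a small in-process model of the RFC 1413 ident exchange Alfredo outlines, of the "fake ident" problem he warns about, and of the NAT problem Amos raises. All hosts, ports, usernames and connection tables below are constructed; the Identd/FakeIdentd classes and the ident_lookup, looks_fake and nat_scenario helpers are hypothetical names for this example only.

```python
"""
Model of the ident (RFC 1413) exchange between a proxy and a client host.

Request  (proxy -> client:113):  "<port-on-server> , <port-on-client>\r\n"
    port-on-server = the port on the host running identd (the client's
                     source port), port-on-client = the port it connected to.
Reply    (client -> proxy):      "<sp> , <cp> : USERID : <opsys> : <user>\r\n"
                             or  "<sp> , <cp> : ERROR : <error-type>\r\n"
Everything is in-process; no sockets, no real identd, no real Squid.
"""
import re

REQUEST_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*$")


class Identd:
    """Minimal model of a genuine ident daemon on a user's workstation.

    conn_table maps (local_port, remote_port) of the workstation's own TCP
    connections to the username owning them. A real identd reads this from
    the kernel; here it is a constructed dict.
    """

    def __init__(self, conn_table, opsys="UNIX"):
        self.conn_table = conn_table
        self.opsys = opsys

    def respond(self, request_line):
        m = REQUEST_RE.match(request_line.strip())
        if not m:
            return "0 , 0 : ERROR : INVALID-PORT\r\n"
        local_port, remote_port = int(m.group(1)), int(m.group(2))
        if not (1 <= local_port <= 65535 and 1 <= remote_port <= 65535):
            return f"{local_port} , {remote_port} : ERROR : INVALID-PORT\r\n"
        user = self.conn_table.get((local_port, remote_port))
        if user is None:
            return f"{local_port} , {remote_port} : ERROR : NO-USER\r\n"
        # Plain text, no signature, no proof: whatever identd says is taken on trust.
        return f"{local_port} , {remote_port} : USERID : {self.opsys} : {user}\r\n"


class FakeIdentd:
    """The 'fake ident' case from the thread: one fixed username for any port pair."""

    def __init__(self, user):
        self.user = user

    def respond(self, request_line):
        m = REQUEST_RE.match(request_line.strip())
        a, b = (m.group(1), m.group(2)) if m else ("0", "0")
        return f"{a} , {b} : USERID : OTHER : {self.user}\r\n"


def parse_reply(reply):
    """Return the username from a USERID reply, or None for any ERROR/garbage."""
    parts = [p.strip() for p in reply.strip().split(":", 3)]
    if len(parts) >= 4 and parts[1] == "USERID":
        return parts[3]
    return None


def ident_lookup(identd, source_port, dest_port):
    """What an ident helper does: ask the client host who owns the connection
    from source_port (on the client) to dest_port (on the proxy side)."""
    return parse_reply(identd.respond(f"{source_port} , {dest_port}\r\n"))


def looks_fake(identd, probe=(65000, 65001)):
    """Sanity check for the 'fake ident' problem: a genuine identd cannot own a
    connection that does not exist, so a USERID answer for a made-up port
    pair is a red flag (constructed probe ports, assumed unused)."""
    return ident_lookup(identd, *probe) is not None


def nat_scenario():
    """The NAT problem from the thread, with constructed values.

    The workstation (user alice) opened local port 51234 to an origin server on
    port 80, so its identd knows only the tuple (51234, 80).
    """
    workstation = Identd({(51234, 80): "alice"})
    # Interception on a separate NAT box: Squid sees the flow arrive with a
    # rewritten source port (40001) on its own listening port (3128) and asks
    # the workstation about a connection the workstation never made.
    separate_box = ident_lookup(workstation, 40001, 3128)   # None (NO-USER)
    # NAT on the Squid box: Squid can recover the client's original tuple
    # (assumed here; this is the "accurate TCP level details" Amos refers to)
    # and asks the question the workstation can actually answer.
    same_box = ident_lookup(workstation, 51234, 80)         # "alice"
    return separate_box, same_box


if __name__ == "__main__":
    print("NAT elsewhere vs. NAT on the Squid box:", nat_scenario())
    print("fake identd detected:", looks_fake(FakeIdentd("bob")))
    print("real identd flagged:", looks_fake(Identd({(51234, 80): "alice"})))
```

The two results of nat_scenario() are the whole point of Amos's "MUST" remark: the ident query only makes sense when the proxy can name the connection exactly as the client's kernel sees it, which is only guaranteed when the NAT state lives on the Squid box. The looks_fake() probe is a cheap admin-side check, not a security control; it catches the trivial always-the-same-user responders but, as the thread says, nothing in ident lets the proxy verify the answer.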