Re: handling Proxy-Authorization field

On 19/08/2013 10:20 p.m., Attila Gömbös wrote:
> Hi guys!
>
> I have the following setup:
>
> LAN -> UTM firewall with transparent proxy -> Squid -> WAN
>
> The UTM is taking care of user authentication (SSO).

Meaning it is not transparent. Transparent proxies *cannot* do authentication.
The reason is very simple:
http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Why_can.27t_I_use_authentication_together_with_interception_proxying.3F

At most a transparent proxy can do two things:
1) IP-based *authorization*, which may also be based on request fingerprint details other than the IP address, such as custom headers, Cookies, User-Agent, etc. But notice that none of this involves user credentials being validated by the proxy.

2) spying on credentials delivered to other software.
But notice that it prohibits being able to challenge for one when they are absent, and requires the proxy to be *able* to decrypt any credentials token delivered. Schemes such as Digest, NTLM or Kerberos (and some forms of OAuth) are designed to protect credentials against such interception.

> I need to pass the user ID to Squid. We need to have AD-group based rules on Squid as
> well.
>
> But the UTM is able to add only this field to the HTTP request:
>
> Proxy-Authorization: Basic YmlnYm9zczptYW5hZ2VtZW50
>
> So there is only username and group membership in the header.

There should be no group membership in there. It is supposed to be username:password with a simple, easily decrypted encoding. The purpose of that is to have Squid validate that user "bigboss" knows their password is "management" and is probably who they claim to be. Once that is confirmed, the group check is a simple lookup in your local account database for extra data about "bigboss".

> How can I make Squid trust and handle this properly?

Since your Squid is not the proxy doing interception, you can use any of the proxy authentication features of Squid. auth_param helpers can validate the credentials delivered by the UTM, and the external ACL helpers doing group checks should all work for finding the groups associated with those credentials.

Amos
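The flow Amos describes, as an added example that is not part of the thread and not Squid's own code: decode the `Proxy-Authorization: Basic` header into `username:password`, have a helper validate the password against a local account store (the job of an `auth_param` helper), then look the user up in a group directory (the job of an external ACL helper). The account table, the group table, the `authorize` function and the one-line OK/ERR helper protocol shown here are constructed stand-ins; real Squid helper versions differ in how they escape the fields they pass on stdin.

```python
import base64
import binascii
import hashlib
import hmac
import os


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Salted password hash for the constructed account store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def _new_account(password: str):
    salt = os.urandom(16)
    return salt, _pbkdf2(password, salt)


# Constructed local account database (hypothetical): username -> (salt, hash).
# Squid keeps nothing like this itself; it asks an auth_param helper.
ACCOUNTS = {"bigboss": _new_account("management")}
# Constructed group directory (hypothetical): stand-in for an AD group lookup.
GROUPS = {"bigboss": {"managers", "staff"}}
# Dummy entry so unknown users cost the same hash work as known ones.
_DUMMY_SALT, _DUMMY_HASH = _new_account("placeholder")


def parse_basic_header(value: str):
    """Return (user, password) from 'Basic <base64(user:pass)>', or None if malformed."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id may not contain ':'; the password may, so split once.
    user, sep, password = text.partition(":")
    if not sep or not user:
        return None
    return user, password


def verify_credentials(user: str, password: str) -> bool:
    """Constant-time password check against the constructed account store."""
    salt, expected = ACCOUNTS.get(user, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(_pbkdf2(password, salt), expected)
    return matches and user in ACCOUNTS


def basic_auth_helper_line(line: str) -> str:
    """One round of the OK/ERR line protocol a basic auth helper speaks.
    Assumption: 'user password' on one line, plain space separated."""
    user, sep, password = line.rstrip("\n").partition(" ")
    if not sep:
        return "ERR"
    return "OK" if verify_credentials(user, password) else "ERR"


def user_in_group(user: str, group: str) -> bool:
    """What an external ACL group helper answers: is this user in that group?"""
    return group in GROUPS.get(user, set())


def authorize(proxy_auth_header: str, required_group: str) -> str:
    """Decode header -> validate password -> group check.
    'challenge' maps to a 407 (ask for credentials), 'forbidden' to a 403."""
    creds = parse_basic_header(proxy_auth_header)
    if creds is None:
        return "challenge"
    user, password = creds
    if not verify_credentials(user, password):
        return "challenge"
    if not user_in_group(user, required_group):
        return "forbidden"
    return "allow"


if __name__ == "__main__":
    header = "Basic YmlnYm9zczptYW5hZ2VtZW50"   # the value from the thread
    print(parse_basic_header(header), authorize(header, "managers"))
```

Note that the group decision only happens after the password has been validated: the header carries no group data at all, and the proxy must not trust a bare username without the password check that Basic exists to deliver.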
