On 7/29/2015 5:20 PM, Amos Jeffries wrote:
Found this post asking the same question:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Ldap-Authen-AD-how-to-make-authentication-persistent-td3604487.html
and it
There were two suggestions that stood out:
There used to be a "authenticate_ip_shortcircuit_ttl" option in squid
2.7 that when authenticated successfully, it would remember the users
IP for X amount of time and would let you avoid logging in every time
you reopen your browser. They removed that in later versions
unfortunately, I guess because someone could take over your IP and
would be able to authenticate as you (which is not a concern to me, at
all).
It should.
There's this thing called NAT you see, which places multiple users behind
a single IP. The first one to login with IP-based auth. Since IPv4 ran
out back in 2003 a number of networks have started using one layer.
Since 2010 when IPv4 stopped being readily available it's become more and
more popular to use 2 and even 3 layers of NAT between any two machines.
Just so they can talk.
Then there is this thing called DHCP. I guess this is what you mean by
one user taking over another's IP. Since the DHCP service allocates any
available IP to user devices on request, if a device goes away its IP
can get re-used immediately by another device. It's quite difficult to get
Squid to be aware of any of those changes and update its auth information.
Then there is the thing called "privacy addressing". In IPv6 it's
built-in; with IPv4 it's done using DHCP short dynamic assignments. It
means the IP address assigned to user devices is guaranteed to change
frequently and randomly.
Now, if your network can operate without NAT or DHCP, or IPv6, you are
one of the very rare lucky people for whom IP-shortcut based auth
*might* work. But only until you have a malicious user contact the
network and start spoofing users' IPs.
IP address based authentication is, well. Dead.
Okay, well I know how NAT and DHCP work, so I guess I am one of those
rare cases you talk about. We have no NATs; I am only trying to use
squid on a small section of our network which has statically assigned IP
addresses and they have no admin rights to change it. They are open 24/7
so some stranger walking in, plugging his laptop on our network and
trying to figure out which IP is already authenticated is very unlikely
since everybody knows each other and it would be noticed/reported. That's why
this does not concern me. I was also only planning to have it remember
the IP for maybe 1 hour.
On the other hand, having users re-authenticate every time they close
their browser would irritate them and possibly cause confusion as most
of them are not very technical (it might just be something they will need
to adjust to after all).
So in my case, either I figure out a way to go about this (I saw your
suggestions below and am going to do some reading) or I might have to
not implement any authentication at all, which I think is worse.
The other suggestion would be to use an external ACL helper but they
did not include one or any example in the post.
Would anyone happen to have an example of a helper that does this or
some other way I can go about pulling this off?
"Windows Integrated Authentication" is what IE uses so it does not have to
ask the user for credentials. Some credentials were given when they logged
into the machine, and are used by the browser to send to Squid as needed
(and only as needed). Sometimes called Single-Sign-On or Federated
authentication.
I hear the other browsers need some config to use it. But can't recall
right now what that is.
I will look around for this config option and check out SSO/Federated
authentication, I appreciate the hint.
If I can't figure out a way to get this going I will speak to management
to see if this is an acceptable tradeoff. I am just exploring my options
before I do.
For Squid it should work with Basic auth. Don't believe the myths that
say Windows auth == NTLM.
Whether *a* popup is seen also depends on whether the browser password
manager is in use. One always needs to unlock that manually when opening
a browser. The actual Squid credentials are fetched from there after it's
opened. And no, that popup is *not* part of HTTP auth.
Thanks for clearing that up and your responses, much appreciated.
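The thread asks for an external ACL helper that remembers a source IP for an hour after a successful login, and Amos explains why that is risky. The following is an added example written for this page, not code from the thread, from Squid, or from either poster: a Python helper speaking Squid's external_acl_type line protocol (one request per line, `OK`/`ERR`/`BH` replies, an echoed channel id when `concurrency=` is set) with a TTL-bound IP table. The squid.conf stanza in the docstring, the helper path, the `IPCACHE_FILE` environment variable and the `--concurrent` flag are all assumptions of this example; the `%SRC`/`%LOGIN` format tokens should be checked against the Squid version in use. The lookup deliberately treats "same IP" as "same user", which is exactly the property Amos warns about: any host that holds that address during the TTL, whether through NAT, DHCP reassignment or spoofing, is let through under the remembered username.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper that remembers a source IP for a fixed TTL
after a successful proxy login (example, not from the squid-users thread).

Assumed squid.conf stanza (illustrative; verify tokens for your Squid version):

  external_acl_type ip_known ttl=0 negative_ttl=0 %SRC /usr/local/bin/ipcache_helper.py check
  external_acl_type ip_learn ttl=0 negative_ttl=0 %SRC %LOGIN /usr/local/bin/ipcache_helper.py record
  acl from_known_ip external ip_known
  acl auth proxy_auth REQUIRED
  acl learn external ip_learn
  http_access allow from_known_ip
  http_access allow auth learn
  http_access deny all
"""
import json
import os
import sys
import time

TTL_SECONDS = 3600  # the "maybe 1 hour" mentioned in the thread


class TtlIpCache:
    """Maps source IP -> [username, expiry]. Optionally persisted to a JSON
    file so that Squid's separate helper processes share one table."""

    def __init__(self, path=None, ttl=TTL_SECONDS):
        self.path = path  # None keeps the table in memory (used by the test)
        self.ttl = ttl
        self.entries = {}

    def _load(self):
        if self.path and os.path.exists(self.path):
            with open(self.path) as fh:
                self.entries = json.load(fh)

    def _save(self):
        if self.path:
            tmp = self.path + ".tmp"
            with open(tmp, "w") as fh:
                json.dump(self.entries, fh)
            os.replace(tmp, self.path)  # atomic swap so readers never see a partial file

    def record(self, ip, user, now):
        self._load()
        self.entries[ip] = [user, now + self.ttl]
        self._save()

    def lookup(self, ip, now):
        """Return the remembered user for ip, or None if unknown or expired.
        Note the weakness: whoever holds this IP right now is treated as that user."""
        self._load()
        entry = self.entries.get(ip)
        if entry is None:
            return None
        user, expiry = entry
        if now >= expiry:
            del self.entries[ip]  # drop it so a reassigned IP does not inherit the login forever
            self._save()
            return None
        return user


def handle_line(cache, mode, line, now, concurrent=False):
    """Turn one request line from Squid into one reply line.
    mode 'check':  line is '<ip>'        -> 'OK user=<name>' or 'ERR'
    mode 'record': line is '<ip> <user>' -> 'OK' after storing the pair
    With concurrency=N each line starts with a channel id that must be echoed."""
    fields = line.strip().split()
    prefix = ""
    if concurrent:
        if not fields:
            return "BH"  # BH = helper could not process the request
        prefix = fields.pop(0) + " "
    if mode == "check":
        if len(fields) != 1:
            return prefix + "BH"
        user = cache.lookup(fields[0], now)
        return prefix + ("OK user=%s" % user if user else "ERR")
    if mode == "record":
        # Squid sends '-' for %LOGIN when no user is authenticated: never cache that
        if len(fields) != 2 or fields[1] == "-":
            return prefix + "ERR"
        cache.record(fields[0], fields[1], now)
        return prefix + "OK"
    return prefix + "BH"


def main(argv):
    mode = argv[1] if len(argv) > 1 else "check"
    concurrent = "--concurrent" in argv
    # IPCACHE_FILE and the default path are assumptions of this example
    cache = TtlIpCache(path=os.environ.get("IPCACHE_FILE", "/var/run/squid/ipcache.json"))
    # Squid keeps the helper running and writes one request per line; each
    # reply must be flushed immediately or Squid waits for it indefinitely.
    for line in sys.stdin:
        sys.stdout.write(handle_line(cache, mode, line, time.time(), concurrent) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main(sys.argv)
```

Two helper types are needed because a format containing `%LOGIN` makes Squid demand authentication before the helper is called, so the "learn" helper can only run after a successful login, while the "check" helper runs on the bare source address and is what lets a fresh browser session through. Both helper processes share state only through the JSON file, and `ttl=0` keeps Squid from caching the helper's answers on top of the helper's own expiry.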
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users