Here's a question: if I use SSL or TLS encryption between squid and browser, would even the basic auth login be encrypted?
I'm thinking that instead of trying to use the proxy to SSH through, I could use something like shellinabox over the proxy if the link is encrypted. This would be much easier and serve the purpose.
According to this link, it seems pretty straightforward to get Firefox or Chrome to do it: wiki.squid-cache.org/Features/HTTPS#Chrome
Would the default config located at wiki.squid-cache.org/SquidFaq/ConfiguringSquid#Squid-3.5_default_config allow this?
From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Sent: Monday, May 1, 2017 7:06 PM
Subject: Re: Tutorial for better authentication than basic
On 02/05/17 09:04, j m wrote:
> Wow, I didn't find that one. Not super secure, but better than clear
> text and I'm not too worried about someone sniffing my packets.
>
The security level with Digest depends on the nonce lifetime and reuse
counter, both of which you can tune to your liking. The shorter those
are the more secure, up to the point where it is a purely one-time
token. That said, some clients (most often browsers) have big trouble
managing nonces in correct order and with dozens of connections open to
the proxy - and then there are Squid bugs. So tuning those is not as
easy as it should be.
NTLM does not work over the Internet. Kerberos might, but not very well.
They are connection-oriented authentication schemes designed for use in
LAN environments. So for your described situation they are not useful
even if you were willing to open the ports.
Amos
_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users
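As an added example that is not from this thread or the Squid project: a squid.conf fragment (Squid 3.5 syntax assumed; the certificate paths, password file, helper path and port number are placeholders) that covers both points raised above. An https_port terminates the browser's TLS session on the proxy, so the Proxy-Authorization header, Basic or Digest, is carried inside TLS rather than in clear text, and the Digest nonce lifetime and reuse counter Amos mentions are set explicitly.

```conf
# Added example, not part of the thread. Squid 3.5 syntax assumed;
# paths, realm and port are placeholders.

# "Secure proxy" listener: browsers (Firefox/Chrome configured with an
# HTTPS proxy) talk TLS to this port, so credentials in the
# Proxy-Authorization header are never visible on the wire.
https_port 3129 cert=/etc/squid/proxy.pem key=/etc/squid/proxy.key

# Digest authentication. The helper reads HA1 hashes (-c) from a file.
auth_param digest program /usr/lib/squid/digest_file_auth -c /etc/squid/digest_passwd
auth_param digest children 5 startup=1 idle=1
auth_param digest realm proxy

# Nonce lifetime: a nonce is valid for 5 minutes (Squid default is 30).
auth_param digest nonce_max_duration 5 minutes
# Reuse counter: at most 10 requests per nonce (Squid default is 50).
# Setting this to 1 gives a one-time token, but browsers with many
# parallel connections will then be re-challenged (407) constantly.
auth_param digest nonce_max_count 10
# Reject nonce-count values that repeat or go backwards.
auth_param digest check_nonce_count on
auth_param digest nonce_strictness on
# Expire old nonces every minute (Squid default is 5 minutes).
auth_param digest nonce_garbage_interval 1 minute

# Require a valid login for every request.
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
```

Create the password file with htdigest (or equivalent) using the same realm string, since the stored HA1 hash includes the realm.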