
Re: Tutorial for better authentication than basic


 



This is in response to:

"There is another option if you don't have any issue to allow a certain public IP address access to your network you can use some kind of portal which will allow based on an SSL (even with self signed certificate) the "session" access to the service."

I didn't receive the email so couldn't reply directly.  

I'm pretty happy with digest auth as I think that is likely secure enough.  The proxy is working, mostly.  However, I'm having trouble with two things:

1. I'm not able to figure out what goes into squid.conf to allow SSH through proxy.  My SSH server is on a non-standard port above 1024, and as I understand, squid.conf has to account for this.  I have references to (ssh_port) and have the CONNECT method enabled (I believe) but I'm not sure if this is correct.  I'm certainly not able to SSH thru it:


auth_param digest program /usr/lib/squid/digest_file_auth -c /etc/squid/passwd
auth_param digest realm the_zone
auth_param digest children 2
acl auth_users proxy_auth REQUIRED
acl SSL_ports port (ssh_port)
acl Safe_ports port (ssh_port)
acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow auth_users
http_access allow all
http_port (proxy_port)
cache deny all
access_log none



2. I am no longer able to start squid in Ubuntu by using "service squid start".  This used to work, but it gives no error; it appears to immediately execute, but it's not running as a process.    However, if I run "squid -N -d 1 -D", it runs with no complaints.





From: Eliezer Croitoru <eliezer@xxxxxxxxxxxx>
To: 'j m' <acctforjunk@xxxxxxxxx>; squid-users@xxxxxxxxxxxxxxxxxxxxx
Sent: Monday, May 1, 2017 3:30 PM
Subject: RE: Tutorial for better authentication than basic

And what about digest authentication?

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx


From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of j m
Sent: Monday, May 1, 2017 4:18 PM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Tutorial for better authentication than basic

I'm using Ubuntu 16.04 Server in the home and would like to set up a proxy server for use from over the Internet.  The main purpose for this is to easily access a few web-devices on my LAN without using VPN, and at times to route web traffic from a remote location through my home ISP.  I do not need nor want any caching or filtering.

I previously used Tinyproxy and that did the job, but it had no authentication whatsoever.  I have basic authentication working on squid 3.5, where it asks for the username and password, but I believe this login is sent in clear text.  I've done some research and found squid supports various better methods, such as kerberos, ntlm, smb, etc.  However, while I'm able to install Linux and set up various things, I'm struggling with this authentication aspect.  I have a suspicion some of these methods will not work well because they rely on other services (such as SMB) and may require opening more ports on my router, something I'm not crazy about.

Amos previously suggested client cert auth, but I'm not sure how to set this up.  Are there any other secure auth methods that would work well over the Internet and are fairly simple to configure?

In any case, can anyone point me to an online tutorial somewhere (for an authentication newbie) that outlines how this is done?


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
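
Added example, not part of the original thread and not Squid's own parser: a small static check over the http_access rules posted above, listing the ports CONNECT may reach and every allow rule that names no proxy_auth ACL. Port 2222 is a constructed stand-in for the (ssh_port) placeholder, and the parser assumes one directive per line with no include files.

```python
# Added example: static review of a squid.conf access policy (simplified parser).
SAMPLE_CONF = """\
acl auth_users proxy_auth REQUIRED
acl SSL_ports port 2222        # constructed stand-in for (ssh_port)
acl SSL_ports port 443
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow auth_users
http_access allow all
"""

def parse(conf):
    """Return (acls, rules): acls maps name -> (type, [args]); rules keeps file order."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()   # drop trailing comments
        if len(tok) >= 3 and tok[0] == "acl":
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def connect_ports(acls, rules):
    """Ports CONNECT may reach: the port ACL negated in a 'deny CONNECT !X' rule."""
    ports = []
    for action, names in rules:
        if action == "deny" and "CONNECT" in names:
            for n in names:
                if n.startswith("!") and acls.get(n[1:], ("",))[0] == "port":
                    ports.extend(acls[n[1:]][1])
    return ports

def audit(conf):
    """Return (connect_ports, findings) for the given squid.conf text."""
    acls, rules = parse(conf)
    auth = {n for n, (t, _) in acls.items() if t == "proxy_auth"}
    findings = []
    for i, (action, names) in enumerate(rules, 1):
        if action == "allow" and not auth.intersection(names):
            findings.append(f"rule {i}: allow {' '.join(names)} has no proxy_auth ACL")
    if rules and rules[-1] == ("allow", ["all"]):
        findings.append("final rule is 'allow all'; the stock squid.conf ends with 'deny all'")
    return connect_ports(acls, rules), findings

if __name__ == "__main__":
    ports, findings = audit(SAMPLE_CONF)
    print("CONNECT ports:", ports, *findings, sep="\n")
```

Run against a copy of the live file, the same check reports nothing once the last rule reads `http_access deny all`.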
