Re: Secure basic authentication on Squid

To reiterate Alex, "yes you can".

Squid supports "proxy over TLS" as well as the old/default "proxy over TCP" - you use the https_port option

...but getting browsers to support it is challenging. The best way would be to create a WPAD file that tells browsers to use "HTTPS" instead of "PROXY". Then you can just use Proxy-Authentication using Basic and you'd be all set. BTW, Basic has MAJOR performance benefits over any other form of authentication IMHO. Basic over TLS is the way to go...


e.g. something like this:

---------------- wpad.dat ----------

function FindProxyForURL(url, host)
{
  // see how I used 443? If you're going to run a TLS-encrypted proxy, make it totally appear as an HTTPS server and run it on port 443...

  if (isPlainHostName(host) || dnsDomainIs(host, "localhost.localdomain")) {
    // unqualified names and the local host: no proxy
    return "DIRECT";
  } else if (isInNet(host, "127.0.0.0", "255.0.0.0") ||
             isInNet(host, "10.0.0.0", "255.0.0.0") ||
             isInNet(host, "172.16.0.0", "255.240.0.0") ||
             isInNet(host, "192.168.0.0", "255.255.0.0")) {
    // loopback and RFC 1918 private ranges: no proxy
    return "DIRECT";
  } else {
    // everything else goes through the TLS-encrypted proxy
    return "HTTPS secure-squid.com:443";
  }
}


On Tue, Dec 5, 2017 at 5:13 AM, Colle Christophe <christophe.colle@xxxxxxxxxxxxxxxx> wrote:
Hi Anthony,

Thank you for your answer.

This only secures the traffic Squid<->LDAP server, not browsers<->Squid.

Is there a solution to secure communication between the browser and the proxy?


Chris.

On 04/12/17 16:49, Antony Stone <Antony.Stone@xxxxxxxxxx.source.it> wrote:
On Monday 04 December 2017 at 16:42:30, Colle Christophe wrote:

> Is there a solution to secure the "basic" authentication of squid? (with an
> SSL certificate for example).

https://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap section
"SSL/TLS_adjustments"?


Antony.

--
"Linux is going to be part of the future. It's going to be like Unix was."

 - Peter Moore, Asia-Pacific general manager, Microsoft

                                                   Please reply to the list;
                                                         please *don't* CC me.
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users




--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
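
Added example, not part of the original messages: a small JavaScript harness that runs the wpad.dat above against constructed hosts and reports any route that is neither DIRECT nor HTTPS, since a "PROXY" route is where Basic credentials would reach the proxy in cleartext. The resolver table, the sample hosts, the WEAK_PAC variant and the simplified helper stand-ins are assumptions made for the example.

```javascript
// Added example (not from the original post): offline audit of PAC routing.
// POST_PAC is the wpad.dat from the message above, embedded as a string.
const POST_PAC = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, "localhost.localdomain")) {
    return "DIRECT";
  } else if (isInNet(host, "127.0.0.0", "255.0.0.0") ||
             isInNet(host, "10.0.0.0", "255.0.0.0") ||
             isInNet(host, "172.16.0.0", "255.240.0.0") ||
             isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  } else {
    return "HTTPS secure-squid.com:443";
  }
}`;
// Constructed weak variant: same rules, but the proxy is reached over plain TCP.
const WEAK_PAC = POST_PAC.replace('"HTTPS ', '"PROXY ');
// Constructed resolver table standing in for DNS, and constructed test hosts.
const DNS = { "intranet.example.com": "10.1.2.3", "www.example.org": "93.184.216.34" };
const SAMPLE_HOSTS = ["fileserver", "127.0.0.1", "10.9.8.7", "intranet.example.com",
                      "172.20.1.1", "192.168.1.10", "www.example.org", "8.8.8.8"];

const ipToInt = (ip) => ip.split(".").reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
const masked = (ip, mask) => (ipToInt(ip) & ipToInt(mask)) >>> 0;

// Simplified stand-ins for the three PAC helpers the file calls.
const helpers = {
  isPlainHostName: (host) => !host.includes("."),
  dnsDomainIs: (host, domain) => host.endsWith(domain),
  isInNet: (host, net, mask) => {
    const ip = /^\d+(\.\d+){3}$/.test(host) ? host : DNS[host];
    return ip !== undefined && masked(ip, mask) === masked(net, mask);
  },
};

// Lists every route that is neither DIRECT nor an HTTPS (TLS) proxy; a PROXY
// entry here means Basic credentials cross the network in cleartext.
function auditPac(source, hosts) {
  const names = Object.keys(helpers);
  const find = new Function(...names, `${source}\nreturn FindProxyForURL;`)(
    ...names.map((n) => helpers[n]));
  const findings = [];
  for (const host of hosts) {
    for (const entry of find(`http://${host}/`, host).split(";").map((s) => s.trim())) {
      if (entry && entry !== "DIRECT" && !entry.startsWith("HTTPS ")) findings.push({ host, entry });
    }
  }
  return findings;
}
```

auditPac(POST_PAC, SAMPLE_HOSTS) returns an empty list, while auditPac(WEAK_PAC, SAMPLE_HOSTS) flags the two external hosts.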