>LDAP is a database type, it is not specifically tied to the type of
>credentials used either. For example, have you looked into using
>Kerberos authentication? This over clear-text is similar or sometimes
>more secure than TLS.
Unfortunately, the administrators of LDAP can only provide the basic authentication scheme, so I am stuck with a TLS proxy. Plus, there are 16 Squid boxes that a layer 7 load balancer routes the traffic to depending on the hash of the URL, so I think even if the administrators of OpenLDAP could provide me with Kerberos or NTLM authentication, I could not load balance the traffic based on URL.
On Sat, Apr 21, 2018 at 12:19 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 21/04/18 06:55, Panagiotis Bariamis wrote:
>>"credentials" does not necessarily mean passwords.
>
>>TLS also sends credentials in clear. It just happens those credentials
>>are called certificates. Likewise all auth schemes in HTTP (except
>>Basic) send security tokens of various types - not passwords.
>
> When referring to credentials I mean basic ldap authentication for squid
> servers.
> Those are sent in plain text (well base64) in every request. So my
> concern is the client to proxy encryption so as to protect those
> credentials.
>
LDAP is a database type, it is not specifically tied to the type of
credentials used either. For example, have you looked into using
Kerberos authentication? This over clear-text is similar or sometimes
more secure than TLS.
<http://www.squid-cache.org/Versions/v3/3.5/manuals/negotiate_kerberos_auth.html>
<http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_kerberos_ldap_group_acl.html>
That is the recommended Best Practice form of authentication with MSIE
and avoids the need for TLS solely to secure the credentials. Other
reasons for TLS remain, but are less important.
Amos
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
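
The two setups discussed in this thread, side by side as an added squid.conf example (not configuration from either poster or from the Squid project): Basic authentication against LDAP with TLS on the client-to-proxy hop, and the Negotiate/Kerberos alternative. Host names, file paths, the port, the base DN, the search filter and the Kerberos principal are assumptions; helper install paths vary by distribution.

```conf
# Constructed example for Squid 3.5. All names, paths and ports are placeholders.

# --- Option A: Basic auth backed by LDAP, protected by TLS --------------------
# Basic credentials are base64(user:password) and are repeated in every
# request, so the client-to-proxy listener itself is TLS.
https_port 3129 cert=/etc/squid/proxy.example.com.pem key=/etc/squid/proxy.example.com.key

# -v 3 -ZZ: LDAPv3 with StartTLS, so the password is also protected on the
# proxy-to-LDAP hop and not only between client and proxy.
auth_param basic program /usr/lib/squid/basic_ldap_auth -v 3 -ZZ -b "dc=example,dc=com" -f "uid=%s" -h ldap.example.com
auth_param basic children 20
auth_param basic realm Proxy
auth_param basic credentialsttl 2 hours

# --- Option B: Negotiate/Kerberos (the helper linked in the thread) -----------
# The client sends a Kerberos service ticket, not a password, so a plain
# http_port does not expose a reusable secret. The helper needs a keytab
# for the service principal (location assumed to be set via KRB5_KTNAME).
#http_port 3128
#auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.com@EXAMPLE.COM
#auth_param negotiate children 20
#auth_param negotiate keep_alive on

# --- Common access rules -------------------------------------------------------
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
```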