Re: 2FA with Google Authenticator and squid login

What I was talking about is using both the auth helper and the external ACL helper.
The password is static but the authorization itself is done via some push or another TOTP method that will authorize the login for a specific amount of time.
And indeed it will kind of degrade the connection to 1FA for a period of time, but it will protect against a couple of specific attacks.
So, if the proxy connection is encrypted inside a tunnel then it's ok.

As for a directly accessible proxy over plain http, it will be vulnerable to many auth attacks.

Thanks,
Eliezer 

On Mon, Feb 3, 2025, 7:10, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 3/02/25 00:43, NgTech LTD wrote:
> What would make a 2FA in squid case?
>


When receiving a new login attempt the authentication (auth_param)
helper should initiate whatever side-channel token delivery is needed.
Then return "ERR" to Squid as usual.


Replace the login challenge error message with a login page to receive
that token and deliver it to a server that marks the client as logged
in. (Both ERR_ACCESS_DENIED and ERR_CACHE_ACCESS_DENIED. Either new
templates or a deny_info 401/407 - I'm not sure which will work best)


Somewhat like how the SQL_session helper works in "active mode" session,
but through the auth_param helpers instead of external ACL sessions.


HTH
Amos


> Thanks,
> Eliezer
>
> On Sun, Feb 2, 2025, 13:22, Amos Jeffries
> <squid3@xxxxxxxxxxxxx <mailto:squid3@xxxxxxxxxxxxx>> wrote:
>
>     On 2/02/25 07:43, ngtech1ltd wrote:
>      > Hey,
>      >
>      > I was wondering if anyone has implemented any 2FA with squid.
>      >
>      > IE a simple forward proxy that implements an external ACL helper
>     that
>
>     Ah, that would not be "authentication".
>
>
>     2FA is done through Squid auth_param and authentication helpers same as
>     "normal" (1FA) authentication. It is just a slightly different bunch of
>     steps the auth system performs in the background outside of Squid.
>
>
>     Cheers
>     Amos
>
>     _______________________________________________
>     squid-users mailing list
>     squid-users@xxxxxxxxxxxxxxxxxxxxx <mailto:squid-users@lists.squid-
>     cache.org>
>     https://lists.squid-cache.org/listinfo/squid-users <https://
>     lists.squid-cache.org/listinfo/squid-users>
>
>

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
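
A sketch of the flow discussed in this thread, added as an example and not code from Squid or from either poster: a basic auth_param helper that answers ERR until a TOTP code has been confirmed out of band, then OK for a limited window. The sample account, the 900-second window, the in-memory session table and the names `confirm_token` and `check_login` are assumptions made for the illustration.

```python
import base64, hashlib, hmac, struct, sys, time
from urllib.parse import unquote

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample account (assumption for the demo, not from the thread).
USERS = {"alice": {"salt": b"demo-salt", "pw": pw_hash("s3cret", b"demo-salt"),
                   "totp_key": base64.b32decode("JBSWY3DPEHPK3PXP")}}
SESSION_TTL = 900   # seconds a confirmed second factor keeps the login valid
sessions = {}       # user -> expiry (epoch seconds); a real setup needs a shared store

def totp(key, now, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, the scheme Google Authenticator uses."""
    mac = hmac.new(key, struct.pack(">Q", int(now) // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def confirm_token(user, code, now):
    """Called by the hypothetical login-page server when the user submits a code."""
    rec = USERS.get(user)
    if rec is None:
        return False
    # Accept the current and the previous time step to tolerate clock drift.
    ok = any(hmac.compare_digest(totp(rec["totp_key"], now - d).encode(), code.encode())
             for d in (0, 30))
    if ok:
        sessions[user] = now + SESSION_TTL
    return ok

def check_login(line, now):
    """One basic auth_param helper request, 'user password' -> 'OK' or 'ERR'."""
    parts = line.split()
    if len(parts) != 2:
        return "ERR"
    user, password = (unquote(p) for p in parts)   # Squid URL-encodes both fields
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["pw"], pw_hash(password, rec["salt"])):
        return "ERR"
    # Correct password but no live second-factor session: Squid still gets ERR,
    # and the login page (error template or deny_info) takes over from there.
    return "OK" if sessions.get(user, 0) > now else "ERR"

if __name__ == "__main__":
    for request in sys.stdin:   # Squid writes one request per line
        print(check_login(request, time.time()), flush=True)
```

Between a confirmation and its expiry the static password alone is enough, which is the temporary drop to 1FA mentioned above.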