[squid-users] Is this doable?

From: Jaime Nebrera <jnebrera_at_eneotecnologia.com>
Date: Thu, 17 Mar 2011 13:08:10 +0100

   Hi again,

   After some nice discussion with Amos we have been able to clarify
what we are seeking. Now, I don't know if this is already available
or not. If not, I would like to get in contact (in private) with
companies or professionals interested in doing this development. BTW, if
I should have used the dev list for this, please tell me so and I will
move the discussion to that one.

   Our goal is to be able to auth a user based on a digital certificate
as do some proprietary tools like BlueCoat (see previous post). Thanks
to Amos, we were able to separate the initial problem in two, and this
is the one that we want to focus on first.

   The process would be:

   1) Let users configure their browser to use a squid proxy (thus no
transparent need)

   2) The user will ask for any website they desire

   3) If the user has not been authenticated yet it will be redirected
instead to an "auth" site running in a specific webserver within the
proxy machine, or even, if possible, do this directly in squid

   4) This special site would be SSL secured. A server certificate will
be sent from the proxy to the user

   5) The user will verify the certificate and be prompted to select a
digital certificate of its own to auth to the site

   6) This digital certificate would be verified by the web app (again,
either a real webserver or a squid helper itself) and if valid, it will
extract some user information from the certificate using standard fields

   7) This information would allow squid to check if the user exists in
an LDAP directory and the group it belongs to (as if the info was provided
by other means). Actually it could be another backend too, but I guess this is
irrelevant

   8) If ok, the user will be considered a member of a particular group and
specific ACLs or whatever would be applied (again, as if other standard
auth means were used)

   9) The website would redirect the user to the original requested webpage

   10) As the user is already authenticated, it would go on (if not
forbidden by an ACL or whatever, of course)

   In essence, a captive portal system within squid itself and using a
digital certificate as the way to auth the user

   Again, if this is already done (no matter which specific squid version), I
would really appreciate any info; if not, those interested in
coding this, please contact me privately

   If afterwards making this code available to the community helps
getting better pricing we would for sure do so

   Very thankful in advance. Regards

-- 
Jaime Nebrera - jnebrera_at_eneotecnologia.com
Consultor TI - ENEO Tecnologia SL
C/ Manufactura 2, Edificio Euro, Oficina 3N
Mairena del Aljarafe - 41927 - Sevilla
Telf.- 955 60 11 60 / 619 04 55 18
Received on Thu Mar 17 2011 - 12:08:18 MDT
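The Squid side of the flow described in the post (steps 6 to 10) can be hooked in through an external_acl_type helper. The sketch below is an added example, not code from the poster or from the Squid project: it assumes the portal records a verified session keyed by client IP in a store shared with the helper (here a constructed in-memory dict), that Squid passes only the %SRC field on each query, and that the default helper protocol (URL-encoded values) is in use.

```python
"""Squid external_acl_type helper sketch for a client-certificate captive portal.
Constructed example: the portal verifies the client certificate, looks the user up
in the directory and records a session for the client IP; Squid asks this helper."""
import sys
import time
from urllib.parse import quote, unquote

SESSION_TTL = 3600  # seconds a verified session stays valid (assumed value)
sessions = {}       # client IP -> (user, group, expiry); constructed in-memory store

def identity_from_subject(subject):
    """Login name from an X.509 subject DN like 'CN=Jaime Nebrera,emailAddress=j@x.org':
    prefer emailAddress, fall back to CN, None if neither is present."""
    fields = {}
    for rdn in subject.split(","):
        if "=" in rdn:
            key, value = rdn.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields.get("emailAddress") or fields.get("CN")

def register_session(client_ip, subject, group, now=None):
    """Portal side: record the session once the chain verified and LDAP returned the group."""
    user = identity_from_subject(subject)
    if not user:
        return None
    expiry = (now if now is not None else time.time()) + SESSION_TTL
    sessions[client_ip] = (user, group, expiry)
    return user

def check(client_ip, now=None):
    """Squid side: one answer line per query. Values are URL-encoded because the
    default helper protocol (protocol=3.0) escapes each value that way."""
    entry = sessions.get(client_ip)
    if entry is None:
        return "ERR"
    user, group, expiry = entry
    if (now if now is not None else time.time()) > expiry:
        del sessions[client_ip]  # expired: back through the portal
        return "ERR"
    return f"OK user={quote(user)} tag={quote(group)}"

def main():
    # Squid sends one line per request carrying the %SRC field (no concurrency channel-id assumed).
    for line in sys.stdin:
        tokens = line.split()
        sys.stdout.write((check(unquote(tokens[0])) if tokens else "ERR") + "\n")
        sys.stdout.flush()

if __name__ == "__main__":
    main()
```

The `tag=` value is what an `acl ... tag` rule in squid.conf can match on to apply the group-specific ACLs mentioned in step 8.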