Re: [squid-users] handling Proxy-Authorization field

From: Attila Gömbös <attila.gombos_at_gmail.com>
Date: Mon, 19 Aug 2013 21:01:06 +0200

Thanks Amos!
Since the firewall in the middle uses an agent for SSO, the firewall
itself is not even aware of the user's password. That's why it doesn't
send it.

I found the basic_fake_auth in 3.3:

auth_param basic program /usr/lib/squid3/basic_fake_auth

This way the username submitted by the firewall gets authenticated,
and I can see the username in the logs. (Unfortunately it's not
totally secure, although users are not able to communicate directly with
the squid.)

Hopefully the Symantec Messagelabs edition of Squid will also be able
to process the authenticated user; I will need it at a customer.

Best regards,
Attila

On Mon, Aug 19, 2013 at 2:20 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 19/08/2013 10:20 p.m., Attila Gömbös wrote:
>>
>> Hi guys!
>>
>> I have the following setup:
>>
>> LAN -> UTM firewall with transparent proxy -> Squid -> WAN
>>
>> The UTM is taking care of user authentication (SSO).
>
>
> Meaning it is not transparent. Transparent proxies *cannot* do
> authentication.
> The reason is very simple:
> http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Why_can.27t_I_use_authentication_together_with_interception_proxying.3F
>
> At most a transparent proxy can do two things:
> 1) IP-based *authorization*. Which may also be based on request fingerprint
> details other than IP address, such as custom headers, Cookies, User-Agent,
> etc.
> But notice that none of this involves user credentials being validated by
> the proxy.
>
> 2) spying on credentials delivered to other software.
> But notice that it prohibits being able to challenge for one when they are
> absent, and requires the proxy to be *able* to decrypt any credentials token
> delivered. Schemes such as Digest, NTLM or Kerberos (and some forms of
> OAuth) are designed to protect credentials against such interception.
>
>
>> I need to pass
>> the user ID to Squid. We need to have AD-group based rules on Squid as
>> well.
>>
>> But the UTM is able to add only this field to the HTTP request:
>>
>> Proxy-Authorization: Basic YmlnYm9zczptYW5hZ2VtZW50
>>
>> So there is only username and group membership in the header.
>
>
> There should be no group membership in there. It is supposed to be
> username:password with a simple easily decrypted encoding.
> The purpose of that is to have the Squid validate that user "bigboss" knows
> their password is "management" and probably who they claim to be. Once that
> is confirmed the group check is a simple lookup in your local account
> database for extra data about "bigboss".
>
>
>> How can I make the squid trust and handle this properly?
>
>
> Since your Squid is not the proxy doing interception you can use any of the
> proxy authentication features of Squid. auth_param helpers can validate the
> credentials delivered by UTM, and the external ACL helpers doing group
> checks should all work for finding the groups associated with those
> credentials.
>
> Amos
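As an added illustration of the two points made in this thread (that Basic is only an encoding, so the password in the header is readable by everyone in the path, and that basic_fake_auth accepts any username without checking a password), here is a small Python script that is not from the thread or from the Squid project. It decodes the header quoted above, contrasts a fake-auth decision with a validating helper, simulates the basic helper's line protocol and a group check in the style of an external ACL helper. The account table is constructed sample data, and the "username password" line format with rfc1738 URL-encoded fields is assumed to follow the Squid 3.x basic helper protocol.

```python
"""Added example (not from the thread or from Squid): decode a
Proxy-Authorization: Basic header, contrast basic_fake_auth-style acceptance
with a validating helper, and do an external-ACL-style group lookup.

Assumptions: helper input is one "username password" line per request with
rfc1738 URL-encoded fields (Squid 3.x basic helper protocol); the account
table below is constructed sample data, not a real directory.
"""
import base64
import binascii
import hmac
from urllib.parse import unquote

# Constructed sample account store: username -> (password, set of groups).
SAMPLE_ACCOUNTS = {
    "bigboss": ("management", {"managers", "staff"}),
    "alice": ("hunter2", {"staff"}),
}


def parse_basic_proxy_authorization(header_value):
    """Return (username, password) from a "Basic <base64>" value, or None.

    Basic is an encoding, not encryption: every hop that sees the header
    (the UTM, Squid, a log file) can recover the cleartext password.
    """
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1].strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def fake_auth(username, password):
    """basic_fake_auth behaviour: any non-empty username is accepted and the
    password is never checked, so a client that can reach Squid directly can
    claim any identity (the weakness noted in the thread)."""
    return bool(username)


def validating_auth(username, password, accounts=SAMPLE_ACCOUNTS):
    """Check the password against the account store in constant time."""
    entry = accounts.get(username)
    if entry is None:
        return False
    return hmac.compare_digest(entry[0].encode(), password.encode())


def run_basic_helper(lines, validator):
    """Simulate the basic auth helper loop: one "user password" line in,
    one "OK" or "ERR" line out (field URL-decoding assumed, see docstring)."""
    replies = []
    for line in lines:
        fields = line.rstrip("\n").split(" ", 1)
        if len(fields) != 2:
            replies.append("ERR")  # malformed line: never accept it
            continue
        user, pw = (unquote(f) for f in fields)
        replies.append("OK" if validator(user, pw) else "ERR")
    return replies


def group_acl_check(username, wanted_groups, accounts=SAMPLE_ACCOUNTS):
    """External ACL-style group check: "OK" if the authenticated user belongs
    to any group named on the ACL line, "ERR" otherwise."""
    entry = accounts.get(username)
    if entry is None:
        return "ERR"
    return "OK" if entry[1] & set(wanted_groups) else "ERR"


if __name__ == "__main__":
    header = "Basic YmlnYm9zczptYW5hZ2VtZW50"  # the value quoted in the thread
    print("decoded:", parse_basic_proxy_authorization(header))
    probes = ["bigboss management", "bigboss wrong", "garbage"]
    print("fake_auth      :", run_basic_helper(probes, fake_auth))
    print("validating_auth:", run_basic_helper(probes, validating_auth))
    print("bigboss in managers:", group_acl_check("bigboss", ["managers"]))
```

The fake-auth run shows the trade-off Attila describes: the wrong password is accepted just as readily as the right one, so the username in the logs is only as trustworthy as the network path between the UTM and Squid. The validating helper and the group check together are the shape of the auth_param plus external_acl_type arrangement Amos recommends.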
Received on Mon Aug 19 2013 - 19:01:53 MDT

This archive was generated by hypermail 2.2.0 : Tue Aug 20 2013 - 12:00:05 MDT