Re: [squid-users] Is there a way to allow connection according to user certificate?

2016-05-05 Thread Amos Jeffries
On 6/05/2016 4:07 a.m., Ser de Bronce wrote:
> Yuri,
> 
>> But this is the default behaviour for proxy with auth
> 
> I didn't know that.
> Initially I tested on iPhone using a wi-fi connection and as I said earlier
> there are wi-fi proxy settings on iPhone so the user types them only once
> and then each browser and app works without asking for login/pass.

Well, Yuri is only half-right there. It is and it isn't.

The browser's initial request may or may not have credentials (secure clients
do not send any up front, insecure clients do). If it doesn't, the proxy
responds with a 407 requesting them.

The browser is then expected to find some. How it does so is left up to the
browser, but the expectation is that it will try the APN-assigned credentials
and/or its own credentials store *before* bothering the user with a popup.



> 
>> I still do not understand the purpose for which authentication is
>> required?
> 
> This proxy will be available from anywhere, but I need to prevent usage of
> this proxy by anyone, except my clients. This is the main purpose.
> I had a plan to give login and password to each client, but as I said
> earlier this is not possible because of user experience reasons.


That is a device/browser bug. The sequence described above should be
happening, but apparently isn't. Since it is the browser's part of the
auth which is falling down there, there is very little Squid can do.
The few things Squid can do require all this to happen over a LAN
environment and do not work across WAN / Internet connections.

Sounds like you are stuck between a rock and a hard place. I'm a bit
puzzled about how you expect APN settings to be pushed to devices
connected via another service provider across the Internet.


> Also I can't rely on MAC, IP or other indirect attributes.
> 
> So I am trying to find other ways to check whether the user connecting to the
> proxy is my client or not.
> Right now I see only two ways here:
> 1) authentication by the proxy server using certificates
> 2) authentication by some other server which accepts certificates and then
> redirects connections to the proxy.
> 
> As I said I'm a novice and didn't use a proxy earlier. Maybe you know a better
> solution.

No, those are your choices.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Is there a way to allow connection according to user certificate?

2016-05-05 Thread Yuri Voinov

05.05.16 22:07, Ser de Bronce wrote:
> Yuri,
>
> > But this is the default behaviour for proxy with auth
>
> I didn't know that.
> Initially I tested on iPhone using a wi-fi connection and as I said
> earlier there are wi-fi proxy settings on iPhone so the user types
> them only once and then each browser and app works without asking for
> login/pass.
>
>> I still do not understand the purpose for which authentication is
>> required?
>
> This proxy will be available from anywhere, but I need to prevent
> usage of this proxy by anyone except my clients. This is the main purpose.
> I had a plan to give a login and password to each client, but as I said
> earlier this is not possible because of user experience reasons.
> Also I can't rely on MAC, IP or other indirect attributes.
Now I understand. I see no better solution than an external auth helper.
The only thing: there is no ready-to-use one in Squid right now; it
contains only a template.

>
> So I am trying to find other ways to check whether the user connecting to
> the proxy is my client or not.
> Right now I see only two ways here:
> 1) authentication by the proxy server using certificates
> 2) authentication by some other server which accepts certificates and
> then redirects connections to the proxy.
Yep, something like OpenLDAP, OpenVPN or a combination.
>
> As I said I'm a novice and didn't use a proxy earlier. Maybe you know a
> better solution.
Hm. Consider this:
http://wiki.squid-cache.org/ConfigExamples#Captive_Portal_features
>
> Best regards,
> Sergey



Re: [squid-users] Is there a way to allow connection according to user certificate?

2016-05-05 Thread Ser de Bronce
Yuri,

> But this is the default behaviour for proxy with auth

I didn't know that.
Initially I tested on iPhone using a wi-fi connection and as I said earlier
there are wi-fi proxy settings on iPhone so the user types them only once
and then each browser and app works without asking for login/pass.

> I still do not understand the purpose for which authentication is
required?

This proxy will be available from anywhere, but I need to prevent usage of
this proxy by anyone except my clients. This is the main purpose.
I had a plan to give a login and password to each client, but as I said
earlier this is not possible because of user experience reasons.
Also I can't rely on MAC, IP or other indirect attributes.

So I am trying to find other ways to check whether the user connecting to the
proxy is my client or not.
Right now I see only two ways here:
1) authentication by the proxy server using certificates
2) authentication by some other server which accepts certificates and then
redirects connections to the proxy.

As I said I'm a novice and didn't use a proxy earlier. Maybe you know a better
solution.

Best regards,
Sergey


Re: [squid-users] Is there a way to allow connection according to user certificate?

2016-05-05 Thread Yuri Voinov

05.05.16 19:19, Amos Jeffries wrote:
> On 6/05/2016 1:06 a.m., Ser de Bronce wrote:
>> Dear Amos and Yuri, thanks a lot for your answers.
>>
>> Sorry for the mess, I'm a novice here.
>> As it turned out my proxy is not transparent...
>>
>> By "some reasons" I meant clients' experience reasons, let me explain.
>>
>> I use an explicit proxy and my clients connect to the proxy using iPhones only.
>> I installed a self-signed certificate on every iPhone and set up login/pass
>> authentication.
>> It works perfectly for wi-fi connection, because in this case iPhone gives a
>> possibility to specify proxy domain, port, login and password.
>> However to make them connect to the proxy using mobile internet I had to
>> install an APN profile on each iPhone. Inside the APN profile I can specify
>> domain and port, but not login and pass (APN doesn't have such settings). So
>> when the client opens a browser using mobile internet he is asked for
>> login/pass every time. This situation is not appropriate for me so I can't
>> use login/pass.
>>
>> I'm thinking that maybe it's possible to replace login/pass authentication
>> with certificate authentication.
>> I want to authenticate users using a digital certificate they already have
>> on their iPhone.
>>
>> I found some articles about certificate authentication for reverse proxy,
>> but can't find anything about an explicit one.
>> Is it possible?
>
> Squid can listen on an https_port for connections. The TLS settings to
> challenge for client cert are the same for explicit proxy as you would
> find for reverse-proxy.
>
> What you will also find however is that browsers do not do TLS to
> proxies, or if they do, not without jumping through some other hoops
> which are browser dependent.
>
> IIRC:
> * Chrome requires that it is started with certain command line options,
> AND that a PAC file is used with an https:// URI for the proxy detail.
>
> * Firefox requires that a PAC file is used with an https:// URI for the
> proxy detail AND limits the protocol spoken to that proxy to HTTP/2.
In my personal opinion, this is the crazy idea of pushing HTTPS everywhere,
where it is necessary and where it is not. If you have a hammer,
everything looks like a nail.
>
>
> * Safari and IE - seem not to support TLS proxy at all yet AFAIK.
>
> Amos
>


Re: [squid-users] Is there a way to allow connection according to user certificate?

2016-05-05 Thread Amos Jeffries
On 6/05/2016 1:06 a.m., Ser de Bronce wrote:
> Dear Amos and Yuri, thanks a lot for your answers.
> 
> Sorry for the mess, I'm a novice here.
> As it turned out my proxy is not transparent...
> 
> By "some reasons" I meant clients' experience reasons, let me explain.
> 
> I use an explicit proxy and my clients connect to the proxy using iPhones only.
> I installed a self-signed certificate on every iPhone and set up login/pass
> authentication.
> It works perfectly for wi-fi connection, because in this case iPhone gives a
> possibility to specify proxy domain, port, login and password.
> However to make them connect to the proxy using mobile internet I had to
> install an APN profile on each iPhone. Inside the APN profile I can specify
> domain and port, but not login and pass (APN doesn't have such settings). So
> when the client opens a browser using mobile internet he is asked for
> login/pass every time. This situation is not appropriate for me so I can't
> use login/pass.
> 
> I'm thinking that maybe it's possible to replace login/pass authentication
> with certificate authentication.
> I want to authenticate users using a digital certificate they already have
> on their iPhone.
> 
> I found some articles about certificate authentication for reverse proxy,
> but can't find anything about an explicit one.
> Is it possible?

Squid can listen on an https_port for connections. The TLS settings to
challenge for client cert are the same for explicit proxy as you would
find for reverse-proxy.

What you will also find however is that browsers do not do TLS to
proxies, or if they do, not without jumping through some other hoops
which are browser dependent.

IIRC:
* Chrome requires that it is started with certain command line options,
AND that a PAC file is used with an https:// URI for the proxy detail.

* Firefox requires that a PAC file is used with an https:// URI for the
proxy detail AND limits the protocol spoken to that proxy to HTTP/2.

* Safari and IE - seem not to support TLS proxy at all yet AFAIK.

Amos



Re: [squid-users] Is there a way to allow connection according to user certificate?

2016-05-05 Thread Yuri Voinov

05.05.16 19:06, Ser de Bronce wrote:
> Dear Amos and Yuri, thanks a lot for your answers.
>
> Sorry for the mess, I'm a novice here.
> As it turned out my proxy is not transparent...
>
> By "some reasons" I meant clients' experience reasons, let me explain.
>
> I use an explicit proxy and my clients connect to the proxy using iPhones only.
> I installed a self-signed certificate on every iPhone and set up
> login/pass authentication.
> It works perfectly for wi-fi connection, because in this case iPhone
> gives a possibility to specify proxy domain, port, login and password.
> However to make them connect to the proxy using mobile internet I had to
> install an APN profile on each iPhone. Inside the APN profile I can specify
> domain and port, but not login and pass (APN doesn't have such
> settings). So when the client opens a browser using mobile internet he is
> asked for login/pass every time. This situation is not appropriate for
> me so I can't use login/pass.
But this is the default behaviour for a proxy with auth.

I still do not understand the purpose for which authentication is required?
>
> I'm thinking that maybe it's possible to replace login/pass
> authentication with certificate authentication.
> I want to authenticate users using a digital certificate they already
> have on their iPhone.
>
> I found some articles about certificate authentication for reverse
> proxy, but can't find anything about an explicit one.

A reverse proxy is a different thing from a forwarding/transparent proxy.

AFAIK there is no solution for what you asked.

But you can be the first.

I see this:

1. You can write an external auth helper, in Perl/Python/etc., for
authentication.
2. You can set up DHCP with option 252 to push proxy.pac to your clients.
3. You can tell us about your success ;)


> Is it possible?
In theory, everything is possible, which does not contradict the laws of
physics. :)
>
> Best Regards,
> Sergey
>



Re: [squid-users] Is there a way to allow connection according to user certificate?

2016-05-05 Thread Ser de Bronce
Dear Amos and Yuri, thanks a lot for your answers.

Sorry for the mess, I'm a novice here.
As it turned out my proxy is not transparent...

By "some reasons" I meant clients' experience reasons, let me explain.

I use an explicit proxy and my clients connect to the proxy using iPhones only.
I installed a self-signed certificate on every iPhone and set up login/pass
authentication.
It works perfectly for wi-fi connection, because in this case iPhone gives a
possibility to specify proxy domain, port, login and password.
However to make them connect to the proxy using mobile internet I had to
install an APN profile on each iPhone. Inside the APN profile I can specify
domain and port, but not login and pass (APN doesn't have such settings). So
when the client opens a browser using mobile internet he is asked for
login/pass every time. This situation is not appropriate for me so I can't
use login/pass.

I'm thinking that maybe it's possible to replace login/pass authentication
with certificate authentication.
I want to authenticate users using a digital certificate they already have
on their iPhone.

I found some articles about certificate authentication for reverse proxy,
but can't find anything about an explicit one.
Is it possible?

Best Regards,
Sergey


Re: [squid-users] Is there a way to allow connection according to user certificate?

2016-05-04 Thread Yuri Voinov



04.05.16 18:05, Amos Jeffries wrote:
> On 4/05/2016 11:20 p.m., Ser de Bronce wrote:
>> Hi there,
>>
>> Maybe someone already knows any solution:
>>
>> I have a transparent proxy and for some reasons I can't use
>> login/password authentication. However I still need to control who can
>> access my proxy.
>>
>> I can install certificates for my users. Is it possible to allow connection
>> only if a user has a certificate issued by my CA?
>
> You seem not to quite understand what the "some reasons" actually are.
> If you did you would not have to ask.
>
> Firstly, there is only one reason behind it all.
>
> The reason is that the client thinks it's talking to some service that
> is *not your proxy*. That is very important.
>
> Secondly, there is one criterion that determines what works and what fails.
>
> That criterion is "authentication". Specifically in-band authentication.
> Any type of in-band authentication WILL fail. Any type. Not just passwords.
>
> TLS client certificate is just another type of in-band authentication.
>   * Which answers your question: No. It won't work the way you want.
>
> If you can install certificates that easily, then surely you can just as
> easily assign explicit proxy settings. Doing that would avoid all the
> issues with interception.
>
> Also, think about all the passive details / metadata you get from the
> client traffic and how you can use it to authorize access without
> actively engaging the client across the intercepted connection.
>
> There are quite a lot of things you can do. Methods like RADIUS- or
> DHCP-assigned IP addresses, static IPs, or MAC address registrations that a
> proxy external ACL helper can look up to identify the client account.
Just in addition: DHCP with infinite lease, or static binding, or IDENT
;) Or, yes, RADIUS.
>
> Amos



Re: [squid-users] Is there a way to allow connection according to user certificate?

2016-05-04 Thread Amos Jeffries
On 4/05/2016 11:20 p.m., Ser de Bronce wrote:
> Hi there,
> 
> 
> Maybe someone already knows any solution:
> 
> 
> I have a transparent proxy and for some reasons I can't use
> login/password authentication. However I still need to control who can
> access my proxy.
> 
> 
> I can install certificates for my users. Is it possible to allow connection
> only if a user has a certificate issued by my CA?

You seem not to quite understand what the "some reasons" actually are.
If you did you would not have to ask.


Firstly, there is only one reason behind it all.

The reason is that the client thinks it's talking to some service that
is *not your proxy*. That is very important.


Secondly, there is one criterion that determines what works and what fails.

That criterion is "authentication". Specifically in-band authentication.
Any type of in-band authentication WILL fail. Any type. Not just passwords.

TLS client certificate is just another type of in-band authentication.
 * Which answers your question: No. It won't work the way you want.


If you can install certificates that easily, then surely you can just as
easily assign explicit proxy settings. Doing that would avoid all the
issues with interception.


Also, think about all the passive details / metadata you get from the
client traffic and how you can use it to authorize access without
actively engaging the client across the intercepted connection.

There are quite a lot of things you can do. Methods like RADIUS- or
DHCP-assigned IP addresses, static IPs, or MAC address registrations that a
proxy external ACL helper can look up to identify the client account.

Amos

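Amos's suggestion above of an external ACL helper that looks up a passive client attribute (and Yuri's remark earlier in the thread that Squid ships only a helper template) can be illustrated with the following Python helper. It is an added example, not code from the thread or from the Squid project; it assumes Squid's external_acl_type line protocol with `%SRC` as the only format field, a constructed registry of client networks, and an example helper path and ACL names.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: allow only registered client source addresses.

Squid writes one request per line, "[channel-id] <format fields...>", and
expects one reply line each: "[channel-id] OK [key=value ...]" or
"[channel-id] ERR" ("BH" = helper failure). The channel-id prefix exists only
when concurrency= is set. Example squid.conf wiring (helper path and ACL
names are assumptions for this example):
  external_acl_type registered ttl=60 concurrency=10 %SRC /usr/local/bin/registered_src.py --concurrent
  acl registered_client external registered
  http_access allow registered_client
  http_access deny all
"""
import ipaddress
import sys

# Constructed sample registry: account name -> networks it may connect from.
REGISTRY = {"alice": ["203.0.113.10/32"], "bob": ["198.51.100.0/29"]}


def build_index(registry):
    """Parse the registry once into (network, account) pairs."""
    return [(ipaddress.ip_network(net), user)
            for user, nets in registry.items() for net in nets]


def lookup(index, src):
    """Return the account registered for src, or None if unknown/malformed."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return None
    for net, user in index:
        if addr in net:
            return user
    return None


def handle_line(index, line, concurrent=False):
    """Map one Squid request line to one reply line (newline not included)."""
    fields = line.split()
    channel = ""
    if concurrent:
        if not fields:
            return "BH message=empty_request"
        channel, fields = fields[0] + " ", fields[1:]
    if not fields:
        return channel + "BH message=missing_src"
    user = lookup(index, fields[0])
    if user is None:
        return channel + "ERR"          # unregistered source: deny
    return channel + "OK user=" + user  # tag the account for logs/ACLs


def main():
    concurrent = "--concurrent" in sys.argv[1:]
    index = build_index(REGISTRY)
    for line in sys.stdin:  # replies must be flushed or Squid stalls
        sys.stdout.write(handle_line(index, line, concurrent) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

As Amos notes in the same message, such a lookup only identifies the client as well as the address assignment behind it, so it fits LAN/RADIUS/DHCP-controlled networks rather than arbitrary Internet clients.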