Re: [squid-users] Squid as Kerberos client?

2018-03-28 Thread Eliezer Croitoru
I have yet to fully understand the scenario, but I might have some ready-to-use
services for some of these options.

Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il



-Original Message-
From: squid-users  On Behalf Of Amos 
Jeffries
Sent: Saturday, March 17, 2018 15:48
To: Patrick Nick 
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid as Kerberos client?

On 17/03/18 06:41, Patrick Nick wrote:
> Thank you. It doesn't seem that the "originserver" makes a difference to
> my case though.
> 
> I was able to resolve my issue after I understood that I forgot to pay
> attention to cookies. The API expects the client to use cookies, which I
> didn't do until now, which resulted in a continuous "401 Unauthorized" loop.
> 

Ah, Cookies. The bane of the Internet. They can be dealt with, but you
are not going to like the difficulty level.

Your choices AFAIK (in order of easiest to seriously tricky) are to
write an eCAP module, ICAP service, or custom external ACL helper(s)
with fairly complex squid.conf settings to use the latter.

Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users



Re: [squid-users] Squid as Kerberos client?

2018-03-17 Thread Amos Jeffries
On 17/03/18 06:41, Patrick Nick wrote:
> Thank you. It doesn't seem that the "originserver" makes a difference to
> my case though.
> 
> I was able to resolve my issue after I understood that I forgot to pay
> attention to cookies. The API expects the client to use cookies, which I
> didn't do until now, which resulted in a continuous "401 Unauthorized" loop.
> 

Ah, Cookies. The bane of the Internet. They can be dealt with, but you
are not going to like the difficulty level.

Your choices AFAIK (in order of easiest to seriously tricky) are to
write an eCAP module, ICAP service, or custom external ACL helper(s)
with fairly complex squid.conf settings to use the latter.

Amos


Re: [squid-users] Squid as Kerberos client?

2018-03-16 Thread Patrick Nick
Thank you. It doesn't seem that the "originserver" makes a difference to
my case though.

I was able to resolve my issue after I understood that I forgot to pay
attention to cookies. The API expects the client to use cookies, which I
didn't do until now, which resulted in a continuous "401 Unauthorized" loop.

I have more problems but will start a separate question for that.

On Thu, Mar 15, 2018 at 12:53 PM, Amos Jeffries 
wrote:

> On 15/03/18 23:52, Patrick Nick wrote:
> > Thanks Amos, this sounded promising. Unfortunately the behavior I
> > observe is not what I expect.
> > So I added the following config:
> >
> > cache_peer my.company.webserver.net 
> > parent 8081 0 no-query login=NEGOTIATE:myPrincipal
> >
>
> Since this is an origin server and not a proxy it requires the
> "originserver" option as well.
>
>
> Amos
>


Re: [squid-users] Squid as Kerberos client?

2018-03-15 Thread Amos Jeffries
On 15/03/18 23:52, Patrick Nick wrote:
> Thanks Amos, this sounded promising. Unfortunately the behavior I
> observe is not what I expect.
> So I added the following config:
> 
> cache_peer my.company.webserver.net 
> parent 8081 0 no-query login=NEGOTIATE:myPrincipal
> 

Since this is an origin server and not a proxy it requires the
"originserver" option as well.


Amos


Re: [squid-users] Squid as Kerberos client?

2018-03-15 Thread Patrick Nick
Thanks Amos, this sounded promising. Unfortunately the behavior I observe
is not what I expect.
So I added the following config:

cache_peer my.company.webserver.net parent 8081 0 no-query
login=NEGOTIATE:myPrincipal

But now squid still does not do the SPNEGO negotiation. I can see in the
logs that it connects to the specified "parent" cache_peer, which returns
"401 Unauthorized" as expected. But then squid just returns that to the
client instead of sending another request with the Kerberos ticket to
complete the negotiation.
Am I misunderstanding what's supposed to happen?
Or am I not configuring it right? (The keytab is readable by the squid user)

On Thu, Mar 15, 2018 at 9:44 AM, Amos Jeffries  wrote:

> On 15/03/18 11:01, Patrick Nick wrote:
> > It consumes the data for its graphs from a REST API via HTTP, on ports
> > in the 8000-9000 range.
> >
>
> Then you can use cache_peer from the proxy to the origin server. See the
> "AUTHENTICATION OPTIONS" section for how to send various types of
> credentials to that peer.
> 
>
> Amos


Re: [squid-users] Squid as Kerberos client?

2018-03-15 Thread Amos Jeffries
On 15/03/18 11:01, Patrick Nick wrote:
> It consumes the data for its graphs from a REST API via HTTP, on ports
> in the 8000-9000 range.
> 

Then you can use cache_peer from the proxy to the origin server. See the
"AUTHENTICATION OPTIONS" section for how to send various types of
credentials to that peer.


Amos


Re: [squid-users] Squid as Kerberos client?

2018-03-14 Thread Patrick Nick
It consumes the data for its graphs from a REST API via HTTP, on ports in
the 8000-9000 range.

On Wed, Mar 14, 2018 at 8:43 PM, Enrico Heine 
wrote:

> Which protocols and ports is that GUI tool using for what it's doing with
> its remote endpoint that requires Kerberos authentication?
>
> On 14 March 2018 19:27:48 CET, Patrick Nick wrote:
>>
>> Hi Enrico,
>>
>> You write
>>
>>> But squid cannot authenticate those requests on the destination server
>>> if it needs authentication as well.
>>
>>
>> So how do I make it NOT need authentication?
>> I want it to authenticate the request on behalf of the client, so that my
>> client app does not need to authenticate.
>> Squid can use the keytab that I give it for that.
>>
>>
>> On Wed, Mar 14, 2018 at 7:22 PM, Enrico Heine 
>> wrote:
>>
>>> Hi,
>>>
>>> Easy going, you can allow traffic from a specific source or traffic to a
>>> specific destination before you require authentication on the proxy. You
>>> can also restrict it to both, src and destination and additionally specific
>>> ports. But squid cannot authenticate those requests on the destination
>>> server if it needs authentication as well.
>>>
>>> Best regards,
>>> Enrico
>>>
>>>
>>> On 14 March 2018 18:58:54 CET, Patrick Nick <peedee.n...@gmail.com> wrote:

 Hello list,

 We are in the process of Kerberizing our Big Data operation, but we
 have a GUI tool in use that is not capable of Kerberos authentication. I'm
 looking for a way to keep using it, which means that it needs to read data
 from a Kerberos-protected service.

 To be clear, I'm looking for a proxy that will take care of the
 authentication so that our GUI tool does not need to know. It should
 "enrich" the client's "dumb" request to an authenticated request. This
 lowers security of course, but I will use other means to make sure that
 only that app can talk to the proxy on the network.

 I looked into nginx but didn't find a way to do what I want.

 Can squid do this?
 I've been trying some configs according to
 https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos, but
 it seems that it always wants to pass the "negotiate" request to the
 client, which I'm trying to avoid.

>>>
>>> --
>>> This message was sent from my Android device with K-9 Mail.
>>>
>>
>>
> --
> This message was sent from my Android device with K-9 Mail.
>


Re: [squid-users] Squid as Kerberos client?

2018-03-14 Thread Enrico Heine
Which protocols and ports is that GUI tool using for what it's doing with its
remote endpoint that requires Kerberos authentication?

On 14 March 2018 19:27:48 CET, Patrick Nick wrote:
>Hi Enrico,
>
>You write
>
>> But squid cannot authenticate those requests on the destination
>server if
>> it needs authentication as well.
>
>
>So how do I make it NOT need authentication?
>I want it to authenticate the request on behalf of the client, so that
>my
>client app does not need to authenticate.
>Squid can use the keytab that I give it for that.
>
>
>On Wed, Mar 14, 2018 at 7:22 PM, Enrico Heine 
>wrote:
>
>> Hi,
>>
>> Easy going, you can allow traffic from a specific source or traffic
>to a
>> specific destination before you require authentication on the proxy.
>You
>> can also restrict it to both, src and destination and additionally
>specific
>> ports. But squid cannot authenticate those requests on the
>destination
>> server if it needs authentication as well.
>>
>> Best regards,
>> Enrico
>>
>>
>> On 14 March 2018 18:58:54 CET, Patrick Nick wrote:
>>>
>>> Hello list,
>>>
>>> We are in the process of Kerberizing our Big Data operation, but we
>have
>>> a GUI tool in use that is not capable of Kerberos authentication.
>I'm
>>> looking for a way to keep using it, which means that it needs to
>read data
>>> from a Kerberos-protected service.
>>>
>>> To be clear, I'm looking for a proxy that will take care of the
>>> authentication so that our GUI tool does not need to know. It should
>>> "enrich" the client's "dumb" request to an authenticated request.
>This
>>> lowers security of course, but I will use other means to make sure
>that
>>> only that app can talk to the proxy on the network.
>>>
>>> I looked into nginx but didn't find a way to do what I want.
>>>
>>> Can squid do this?
>>> I've been trying some configs according to
>https://wiki.squid-cache.org/
>>> ConfigExamples/Authenticate/Kerberos, but it seems that it always
>wants
>>> to pass the "negotiate" request to the client, which I'm trying to
>avoid.
>>>
>>
>> --
>> This message was sent from my Android device with K-9 Mail.
>>

-- 
This message was sent from my Android device with K-9 Mail.


Re: [squid-users] Squid as Kerberos client?

2018-03-14 Thread Patrick Nick
Hi Enrico,

You write

> But squid cannot authenticate those requests on the destination server if
> it needs authentication as well.


So how do I make it NOT need authentication?
I want it to authenticate the request on behalf of the client, so that my
client app does not need to authenticate.
Squid can use the keytab that I give it for that.


On Wed, Mar 14, 2018 at 7:22 PM, Enrico Heine 
wrote:

> Hi,
>
> Easy going, you can allow traffic from a specific source or traffic to a
> specific destination before you require authentication on the proxy. You
> can also restrict it to both, src and destination and additionally specific
> ports. But squid cannot authenticate those requests on the destination
> server if it needs authentication as well.
>
> Best regards,
> Enrico
>
>
> On 14 March 2018 18:58:54 CET, Patrick Nick wrote:
>>
>> Hello list,
>>
>> We are in the process of Kerberizing our Big Data operation, but we have
>> a GUI tool in use that is not capable of Kerberos authentication. I'm
>> looking for a way to keep using it, which means that it needs to read data
>> from a Kerberos-protected service.
>>
>> To be clear, I'm looking for a proxy that will take care of the
>> authentication so that our GUI tool does not need to know. It should
>> "enrich" the client's "dumb" request to an authenticated request. This
>> lowers security of course, but I will use other means to make sure that
>> only that app can talk to the proxy on the network.
>>
>> I looked into nginx but didn't find a way to do what I want.
>>
>> Can squid do this?
>> I've been trying some configs according to https://wiki.squid-cache.org/
>> ConfigExamples/Authenticate/Kerberos, but it seems that it always wants
>> to pass the "negotiate" request to the client, which I'm trying to avoid.
>>
>
> --
> This message was sent from my Android device with K-9 Mail.
>


Re: [squid-users] Squid as Kerberos client?

2018-03-14 Thread Enrico Heine
Hi,

Easy going, you can allow traffic from a specific source or traffic to a 
specific destination before you require authentication on the proxy. You can 
also restrict it to both, src and destination and additionally specific ports. 
But squid cannot authenticate those requests on the destination server if it 
needs authentication as well.

Best regards,
Enrico

On 14 March 2018 18:58:54 CET, Patrick Nick wrote:
>Hello list,
>
>We are in the process of Kerberizing our Big Data operation, but we
>have a
>GUI tool in use that is not capable of Kerberos authentication. I'm
>looking
>for a way to keep using it, which means that it needs to read data from
>a
>Kerberos-protected service.
>
>To be clear, I'm looking for a proxy that will take care of the
>authentication so that our GUI tool does not need to know. It should
>"enrich" the client's "dumb" request to an authenticated request. This
>lowers security of course, but I will use other means to make sure that
>only that app can talk to the proxy on the network.
>
>I looked into nginx but didn't find a way to do what I want.
>
>Can squid do this?
>I've been trying some configs according to
>https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos, but
>it
>seems that it always wants to pass the "negotiate" request to the
>client,
>which I'm trying to avoid.

-- 
This message was sent from my Android device with K-9 Mail.
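Putting Amos's "originserver" correction and Enrico's advice about restricting the unauthenticated path by source, destination and port together, here is a squid.conf fragment added as an illustration; it is not from the thread or from the Squid project's own documentation. It assumes a GUI client address of 10.0.0.42, the host and port from Patrick's cache_peer line, and keeps myPrincipal as a placeholder for the keytab principal.

```conf
# Added example (not from the thread). Assumed values: the GUI host
# 10.0.0.42, the API host/port from Patrick's cache_peer line, and
# "myPrincipal" as a placeholder for the principal in Squid's keytab.

# The only client allowed to reach the API without authenticating to Squid.
acl gui_client src 10.0.0.42/32
# The Kerberos-protected REST API and its port range (8000-9000 per the thread).
acl api_host dstdomain my.company.webserver.net
acl api_ports port 8000-9000

# Scope the unauthenticated path to that one source, destination and port set;
# everything else is denied before any peer or authentication logic runs.
http_access allow gui_client api_host api_ports
http_access deny all

# The API is an origin server, not another proxy, so "originserver" is required;
# without it Squid sends proxy-style credentials the origin ignores and its 401
# is passed straight back to the client. login=NEGOTIATE:<principal> makes Squid
# obtain a Kerberos service ticket for that principal from its keytab (the file
# named by KRB5_KTNAME in Squid's environment) and attach the Negotiate token in
# an Authorization header on requests it sends to this peer.
cache_peer my.company.webserver.net parent 8081 0 no-query originserver login=NEGOTIATE:myPrincipal name=kerb_api

# Send only matching requests via that peer, and never let them go direct.
# Squid's documentation warns that one peer connection may carry requests from
# several clients, all authenticated as this single principal, which is why the
# http_access rules above keep the scope to the GUI host alone.
cache_peer_access kerb_api allow api_host api_ports
cache_peer_access kerb_api deny all
never_direct allow api_host api_ports
```

The "401 Unauthorized" loop Patrick hit after the originserver fix was a cookie issue (the API expects the client to keep cookies), which this fragment does not address; the eCAP, ICAP or external ACL helper routes Amos lists are what that would take.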


[squid-users] Squid as Kerberos client?

2018-03-14 Thread Patrick Nick
Hello list,

We are in the process of Kerberizing our Big Data operation, but we have a
GUI tool in use that is not capable of Kerberos authentication. I'm looking
for a way to keep using it, which means that it needs to read data from a
Kerberos-protected service.

To be clear, I'm looking for a proxy that will take care of the
authentication so that our GUI tool does not need to know. It should
"enrich" the client's "dumb" request to an authenticated request. This
lowers security of course, but I will use other means to make sure that
only that app can talk to the proxy on the network.

I looked into nginx but didn't find a way to do what I want.

Can squid do this?
I've been trying some configs according to
https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos, but it
seems that it always wants to pass the "negotiate" request to the client,
which I'm trying to avoid.