Re: [squid-users] Authentication Question

2010-01-09 Thread Amos Jeffries

michael_gra...@cadc.uscourts.gov wrote:

> I set up two reverse proxy sites with LDAP authentication. Authentication
> works fine when I access either site. The problem I'm having is after I
> authenticate to either site, I try and access a URL on the other site and
> I'm prompted to authenticate again. How can I tell squid to check the
> authenticated user and stop prompting me for another login?


I guess that depends on your auth_param settings or LDAP configuration, 
which you omitted.

It's not part of the domain routing config you show below.



> Below is my squid.conf setup of both sites. Thanks
>
> acl ldap-auth proxy_auth REQUIRED
> http_access allow ldap-auth
>
> http_port x.x.x.x:80 accel defaultsite=intranet.cadc.circdc.dcn
> cache_peer x.x.x.x parent 80 0 no-query originserver name=intranet1 round-robin
> cache_peer x.x.x.x parent 80 0 no-query originserver name=intranet2 round-robin
> acl sites_intranet dstdomain intranet.cadc.circdc.dcn
> http_access allow sites_intranet
> cache_peer_access intranet1 allow sites_intranet
> cache_peer_access intranet2 allow sites_intranet
>
> http_port x.x.x.x:80 accel defaultsite=www.cadc.circdc.dcn
> cache_peer x.x.x.x parent 80 0 no-query originserver name=iis
> acl sites_iis dstdomain www.cadc.circdc.dcn
> http_access allow sites_iis
> cache_peer_access iis allow sites_iis
>
> http_access deny all



Just a note, personally I'd add the ldap-auth ACL to the end of each of 
the http_access allow sitesX lines instead of globally at the top.
That would prevent wasting auth resources on people requesting 
unacceptable domains.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE21
  Current Beta Squid 3.1.0.15


[squid-users] Authentication Question

2010-01-02 Thread Michael_Grasso

I set up two reverse proxy sites with LDAP authentication. Authentication
works fine when I access either site. The problem I'm having is after I
authenticate to either site, I try and access a URL on the other site and
I'm prompted to authenticate again. How can I tell squid to check the
authenticated user and stop prompting me for another login?

Below is my squid.conf setup of both sites. Thanks

acl ldap-auth proxy_auth REQUIRED
http_access allow ldap-auth

http_port x.x.x.x:80 accel defaultsite=intranet.cadc.circdc.dcn
cache_peer x.x.x.x parent 80 0 no-query originserver name=intranet1 round-robin
cache_peer x.x.x.x parent 80 0 no-query originserver name=intranet2 round-robin
acl sites_intranet dstdomain intranet.cadc.circdc.dcn
http_access allow sites_intranet
cache_peer_access intranet1 allow sites_intranet
cache_peer_access intranet2 allow sites_intranet

http_port x.x.x.x:80 accel defaultsite=www.cadc.circdc.dcn
cache_peer x.x.x.x parent 80 0 no-query originserver name=iis
acl sites_iis dstdomain www.cadc.circdc.dcn
http_access allow sites_iis
cache_peer_access iis allow sites_iis

http_access deny all


Mike Grasso
DC Circuit Court of Appeals



Re: [squid-users] Authentication question

2007-12-17 Thread Amos Jeffries

Monah Baki wrote:

> Hi All,
>
> If users require authentication in squid before browsing, is there a way
> for example to tell squid since user has authenticated in IE, if the
> user plans on using firefox while IE is still running, do not authenticate.




Most web-things are possible.
Try automatic NTLM auth, see if you can get it authenticating in the 
background without either IE or Firefox needing to show the login box.


There are other ways, but, they open MAJOR security holes you REALLY do 
not want to open.


FWIW: if you have Firefox installed why do you even let the users see IE
as present on the PC? It's only needed for WindowsUpdate and then
marginally. Removing IE from under temptation's fingers closes a lot of
security holes in Windows (94% of the current SANS list) with one action.


Amos



[squid-users] Authentication question

2007-12-16 Thread Monah Baki

Hi All,

If users require authentication in squid before browsing, is there a
way for example to tell squid since user has authenticated in IE, if
the user plans on using firefox while IE is still running, do not
authenticate.



Thanks


BSD Networking, Microsoft Notworking





Re: [squid-users] Authentication Question

2006-01-13 Thread Henrik Nordstrom

On Thu, 12 Jan 2006, Gendel, David wrote:


> What authentication schemes are available to use for web applications
> running on the IIS?
>
> - Basic

Yes.

> - Forms Based

Yes.

> - Digest

Yes, but needs to be enabled both in IIS and the ADS domain/account
policy if you want integration with the domain.

> - Advanced Digest

Not sure what this refers to.

> - NTLM (I already know this will not work based on protocol design)
> - Windows Integrated (I already know this will not work based on
> protocol design)

No additional comment.

Regards
Henrik


[squid-users] Authentication Question

2006-01-12 Thread Gendel, David
This is a question of how to properly implement or use web server
authentication through squid 2.X. This is not a question about
authentication to the Squid server itself.

The scenario is:

Users --  Squid 2.5 -- IIS6

This is all internal and there is no authentication to the Squid server
itself.

What authentication schemes are available to use for web applications
running on the IIS?

- Basic
- Forms Based
- Digest
- Advanced Digest
- NTLM (I already know this will not work based on protocol design)
- Windows Integrated (I already know this will not work based on
protocol design)

Any suggestions, examples, or documentation would be greatly
appreciated


-- David



[squid-users] authentication question

2004-09-30 Thread Costas Zacharopoulos

Is it possible to have any password encrypted authentication scheme with 
squid, without having a passwd file on disk?

Can I mix digest authentication with an external helper program? 
How could I combine a helper program with digest?



Re: [squid-users] authentication question

2004-09-30 Thread Henrik Nordstrom

On Thu, 30 Sep 2004, Costas Zacharopoulos wrote:
> Is it possible to have any password encrypted authentication scheme with
> squid, without having a passwd file on disk?

ntlm

> Can I mix digest authentication with an external helper program?

Please elaborate on what kind of external helper. There are many different
kinds of external helpers to Squid.

but generally yes.

Regards
Henrik


[squid-users] authentication question

2004-09-29 Thread Costas Zacharopoulos

Can I have an external authorization scheme based on ip addresses and 
hostnames?

Which authentication mechanism shall I use? 

Is it possible to use digest authentication?



Re: [squid-users] authentication question

2004-09-29 Thread Henrik Nordstrom
On Wed, 29 Sep 2004, Costas Zacharopoulos wrote:
> Can I have an external authorization scheme based on ip addresses and
> hostnames?

Provided you have a method to find the hostname from the IP address, yes.
How to find the hostname depends on your type of network and how the
stations register their hostnames with your network.

> Which authentication mechanism shall I use?

The above is not authentication, only authorization of stations.

Regards
Henrik


[squid-users] authentication question

2004-09-28 Thread Costas Zacharopoulos

Are the external authentication mechanisms based on already working
authentication schemes?

I mean, are they independent or are they based on NTLM authentication, for
example, or any other authentication method?



Re: [squid-users] authentication question

2004-09-28 Thread tech
Check out this link and devel.squid-cache.org faq.

http://www.geekbunker.org/rodrigo/ip_user.html



> Are the external authentication mechanisms based on already working
> authentication schemes?
>
> I mean, are they independent or are they based on NTLM authentication, for
> example, or any other authentication method?





[squid-users] Authentication Question

2003-10-02 Thread OTR Comm
Hello,

I have my squid configuration set to require authentication.

Does anyone know how squid physically puts the box up requesting the
username and password?  I know squid passes the information put into
this box to the selected authentication program (like ncsa_auth), but
how does squid make the box display in the first place?

I would like to know this down at code level if possible.  That is, what
routine displays the login box and sends the information to the
authentication program.

I am using ncsa_auth, and when I run the binary that compiled with squid
from the command line with my passwordfile as an argument, i.e.,

./ncsa_auth /usr/local/squid/etc/passwd

it waits for me to enter a username/password pair separated by a space.
If the username authenticates, ncsa_auth comes back with OK.

Now I assume that squid slurps in the username/password pair and calls
ncsa_auth with the passwordfile and then passes the username/password
pair and waits for the response.  I just need to know where squid is
doing all of this.

Thank you,
Murrah Boswell

-- 
*Before I criticize a man, I walk a mile in his shoes.
 That way, if he gets angry, he's a mile away and barefoot.
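
The helper exchange described in the post above (one "username password" line in, one verdict line out), as an added example that is not part of the original message and is not Squid's or ncsa_auth's own code. Assumptions: both fields arrive URL-escaped, a failed check is answered with ERR, and the user store is a constructed in-memory stand-in for the password file.

```python
import hashlib
import hmac
import sys
from urllib.parse import unquote

# Constructed sample store (hypothetical users). ncsa_auth reads a password
# file given on its command line; this sketch swaps in salted PBKDF2 records.
def _record(password: str, salt: bytes) -> tuple[bytes, bytes]:
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

USERS = {
    "alice": _record("correct horse", b"constructed-salt-1"),
    "bob": _record("s3cret", b"constructed-salt-2"),
}

def check_line(line: str, users=USERS) -> str:
    """Answer one helper request line ("username password") with OK or ERR."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return "ERR"                      # malformed request: fail closed
    # Assumption: the proxy URL-escapes both fields, so a space inside a
    # password arrives as %20 and the single separator stays unambiguous.
    user, password = unquote(parts[0]), unquote(parts[1])
    record = users.get(user)
    if record is None:
        return "ERR"                      # unknown user
    salt, expected = record
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    # Constant-time comparison avoids leaking how much of the hash matched.
    return "OK" if hmac.compare_digest(actual, expected) else "ERR"

def serve(stdin=sys.stdin, stdout=sys.stdout) -> None:
    """Helper main loop: one reply per request line, flushed immediately."""
    for line in stdin:
        stdout.write(check_line(line) + "\n")
        stdout.flush()                    # the caller blocks on each reply

if __name__ == "__main__":
    serve()
```

Run by hand it behaves like the ncsa_auth session in the post: type a pair, read the verdict.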