[squid-users] Custom header based authentication module

2008-09-24 Thread Christoph Rabel

Hi!

I am rather new to squid and I hope my question is fine here.

We have a single sign on service in our company, which essentially sets
a custom header after authentication.
Now, we would like to use this header for squid authentication too.

So, a request which has a valid ssoheader should be considered
authenticated and allowed to access the internet. A user without such a
header (or an invalid one) should be redirected to the login page.

I understand from the documentation that I have to implement a custom auth
module, which checks the credentials, but it says
also (http://wiki.squid-cache.org/SquidFaq/ProxyAuthentication) that the
/Authorization/ request header is given to this module. And if the
header is not present, 407 is sent.

To condense my question: Is it possible to specify which header
information is given to the auth module? And to specify that no 407 but
a redirect is sent?

Another thing that bothers me are SSL requests. What happens when the
proxy encounters a request for a https site? Can it access the cookie
anyway?

Thanks, Christoph




Re: [squid-users] Custom header based authentication module

2008-09-24 Thread Amos Jeffries

Christoph Rabel wrote:

Hi!

I am rather new to squid and I hope my question is fine here.

We have a single sign on service in our company, which essentially sets
a custom header after authentication.
Now, we would like to use this header for squid authentication too.

So, a request which has a valid ssoheader should be considered
authenticated and allowed to access the internet. A user without such a
header (or an invalid one) should be redirected to the login page.

I understand from the documentation that I have to implement a custom auth
module, which checks the credentials, but it says
also (http://wiki.squid-cache.org/SquidFaq/ProxyAuthentication) that the
/Authorization/ request header is given to this module. And if the
header is not present, 407 is sent.

To condense my question: Is it possible to specify which header
information is given to the auth module? And to specify that no 407 but
a redirect is sent?


Not for auth modules. They only use the regular Proxy-Authentication: 
headers. Maybe WWW-Authentication: header in accelerators.


For checking custom headers you need to make your authenticator an 
external_acl_type helper. And pass it the custom request header by name.




Another thing that bothers me are SSL requests. What happens when the
proxy encounters a request for a https site? Can it access the cookie
anyway?


Depends on how Squid receives the HTTPS request.
a) as a plain URL for squid to handle. Okay, squid has access to all the 
headers etc.


b) as a CONNECT tunnel setup request. Squid has access to destination
hostname and port. Very little else. The sslbump feature coming in 3.1
has been designed to get around those limits but has its own issues with
privacy doing a man-in-the-middle attack on your users.



Amos
--
Please use Squid 2.7.STABLE4 or 3.0.STABLE9
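The external_acl_type route Amos describes above can be illustrated with a small helper. The following is an added example, not code from the thread or from the Squid project: a Python helper that Squid hands the value of a custom request header to, one lookup per line on stdin, and that answers OK or ERR per line. The header name (X-SSO-Token), the token format (user:expiry:HMAC), the helper path and the login URL are all assumptions made for the example; the squid.conf fragment in the docstring shows how such a helper would be wired up, with deny_info turning the denial into a redirect to the login page instead of a 407.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper that validates an SSO request header.

Assumed squid.conf wiring (header name, path and URL are hypothetical):

  external_acl_type sso_check ttl=60 %{X-SSO-Token} /usr/local/bin/sso_helper.py
  acl sso external sso_check
  http_access allow sso
  deny_info https://login.example.internal/?next=%u sso
  http_access deny all

Squid writes one line per lookup to stdin containing the %{...} values
(a missing header arrives as "-", and values are URL-encoded); the helper
replies "OK" (optionally with user=name for the access log) or "ERR".
"""
import hashlib
import hmac
import sys
import time
from urllib.parse import unquote

# Constructed shared secret for the example; a real deployment would load
# the key the SSO service signs with from a root-only file.
SECRET = b"replace-with-the-sso-service-signing-key"


def make_token(user, expires, secret=SECRET):
    """Build a token of the constructed form user:expires:hexmac."""
    payload = f"{user}:{expires}".encode()
    mac = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return f"{user}:{expires}:{mac}"


def verify_token(token, now=None, secret=SECRET):
    """Return the user name if the token is well-formed, unexpired and
    carries a valid HMAC over user:expires; otherwise return None."""
    if now is None:
        now = int(time.time())
    parts = token.split(":")
    if len(parts) != 3:
        return None
    user, expires, mac = parts
    if not user or not expires.isdigit() or int(expires) < now:
        return None
    expected = hmac.new(secret, f"{user}:{expires}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the MAC byte by byte.
    if not hmac.compare_digest(expected, mac):
        return None
    return user


def handle_line(line, now=None):
    """Map one helper request line to Squid's OK/ERR reply line."""
    value = unquote(line.strip())
    if value in ("", "-"):          # header absent: not authenticated
        return "ERR"
    user = verify_token(value, now)
    return f"OK user={user}" if user else "ERR"


def main():
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()          # Squid blocks until the reply arrives


if __name__ == "__main__":
    main()
```

Two points worth keeping in mind with this design: the helper only ever sees the header value, never the password, which is the property Amos asks for later in the thread; and the token still crosses the wire in the clear on plain HTTP requests, so anyone who can sniff it can replay it until it expires, which is why the expiry is bound into the signed payload and kept short.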


Re: [squid-users] Custom header based authentication module

2008-09-24 Thread Christoph Rabel

Amos Jeffries wrote:

Christoph Rabel wrote:

To condense my question: Is it possible to specify which header
information is given to the auth module? And to specify that no 407 but
a redirect is sent?


Not for auth modules. They only use the regular Proxy-Authentication: 
headers. Maybe WWW-Authentication: header in accelerators.


For checking custom headers you need to make your authenticator an 
external_acl_type helper. And pass it the custom request header by name.

Ok, just looked that up in the manual, looks doable ;-)


Another thing that bothers me are SSL requests. What happens when the
proxy encounters a request for a https site? Can it access the cookie
anyway?

Depends on how Squid receives the HTTPS request.
a) as a plain URL for squid to handle. Okay, squid has access to all 
the headers etc.


b) as a CONNECT tunnel setup request. Squid has access to destination
hostname and port. Very little else. The sslbump feature coming in 3.1
has been designed to get around those limits but has its own issues
with privacy doing a man-in-the-middle attack on your users.

Hmm, hmm...

Because authentication by the proxy is done in plain text, the security
department requests that we find another solution. It should not be
possible to simply sniff out all passwords. So we thought that we could
use the sso cookie we already have, but I fear that it is not possible
to do this.


Let me rephrase my question:

How do other people handle the need for secure proxy authentication? Is 
there some kind of trick or browser extension or whatever? We have to 
support IE 7.


Thanks, Christoph


Re: [squid-users] Custom header based authentication module

2008-09-24 Thread Amos Jeffries

Christoph Rabel wrote:

Amos Jeffries wrote:

Christoph Rabel wrote:

To condense my question: Is it possible to specify which header
information is given to the auth module? And to specify that no 407 but
a redirect is sent?


Not for auth modules. They only use the regular Proxy-Authentication: 
headers. Maybe WWW-Authentication: header in accelerators.


For checking custom headers you need to make your authenticator an 
external_acl_type helper. And pass it the custom request header by name.

Ok, just looked that up in the manual, looks doable ;-)


Another thing that bothers me are SSL requests. What happens when the
proxy encounters a request for a https site? Can it access the cookie
anyway?

Depends on how Squid receives the HTTPS request.
a) as a plain URL for squid to handle. Okay, squid has access to all 
the headers etc.


b) as a CONNECT tunnel setup request. Squid has access to destination
hostname and port. Very little else. The sslbump feature coming in 3.1
has been designed to get around those limits but has its own issues
with privacy doing a man-in-the-middle attack on your users.

Hmm, hmm...

Because authentication by the proxy is done in plain text, the security
department requests that we find another solution. It should not be
possible to simply sniff out all passwords. So we thought that we could
use the sso cookie we already have, but I fear that it is not possible
to do this.


Squid can handle digest authentication for proxy auth.
However the proxy-auth is not being done when you use your custom 
headers. They should not include the password plain-text anyway in case 
they leak.




Let me rephrase my question:

How do other people handle the need for secure proxy authentication? Is 
there some kind of trick or browser extension or whatever? We have to 
support IE 7.


Most don't care and use basic auth. It only occurs between squid and the 
client anyway (usually internal network stuff).


Those who do care use digest auth (encrypted hash of the passwords),
or HTTPS (TLS) between client and squid. Or both for the very paranoid.

Amos
--
Please use Squid 2.7.STABLE4 or 3.0.STABLE9
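Amos's point that digest auth sends a hash rather than the password is easiest to see by working the RFC 2617 computation through. The following is an added example, not code from the thread or from Squid: it builds the client's Proxy-Authorization digest response from a challenge and verifies it the way a proxy can, using only the stored HA1 hash. The helper names and the parser are mine; the username, realm, password, nonce and expected response values used in the comments are the worked example from RFC 2617 section 3.5.

```python
import hashlib
import hmac
import re
import secrets


def md5hex(text):
    """RFC 2617 digest is defined over MD5; hex digest of a string."""
    return hashlib.md5(text.encode()).hexdigest()


def ha1(username, realm, password):
    """HA1 = MD5(user:realm:password). This is all the proxy needs to
    store; the clear-text password never has to be kept or sent."""
    return md5hex(f"{username}:{realm}:{password}")


def digest_response(h1, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri).
    Only this value, plus the nonces, travels on the wire."""
    h2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


def new_nonce():
    """Fresh server nonce for a 407 Proxy-Authenticate challenge."""
    return secrets.token_hex(16)


def parse_digest_header(header):
    """Parse 'Digest k="v", k2=v2, ...' into a dict (quoted or bare values)."""
    body = header.strip()
    if body.lower().startswith("digest"):
        body = body[len("digest"):]
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', body)
    return {k: (q if q else b) for k, q, b in pairs}


def verify_proxy_authorization(header, method, stored_ha1):
    """Proxy-side check: recompute the response from the stored HA1 and
    the fields the client sent, and compare in constant time."""
    f = parse_digest_header(header)
    try:
        expected = digest_response(stored_ha1, method, f["uri"], f["nonce"],
                                   f["nc"], f["cnonce"], f.get("qop", "auth"))
    except KeyError:
        return False
    return hmac.compare_digest(expected, f.get("response", ""))


# Worked values from RFC 2617 section 3.5:
#   user "Mufasa", realm "testrealm@host.com", password "Circle Of Life",
#   nonce "dcd98b7102dd2f0e8b11d0f600bfb0c093", uri "/dir/index.html",
#   nc 00000001, cnonce "0a4f113b", qop auth, method GET
#   -> HA1      939e7578ed9e3c518a452acee763bce9
#   -> response 6629fae49393a05397450978507c4ef1
```

The defender-side caveat is the one Amos hints at with "or both": digest keeps the password itself off the wire, but a sniffer who captures nonce, cnonce and response can test password guesses offline against MD5, so for anything beyond an internal segment the exchange should also be wrapped in TLS between client and proxy.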