Re: [squid-users] username and password in TRANSPARENT mode

2007-08-10 Thread Neil A. Hillard
Hi,

Adrian Chadd wrote:
> On Thu, Aug 09, 2007, Henrik Nordstrom wrote:
>> On mån, 2007-08-06 at 18:26 +0800, Adrian Chadd wrote:
>>
>>> Look at how a browser talks directly to an origin server when presenting
>>> (HTTP Basic) authentication credentials, and what a proxy ends up doing
>>> with those.
>>
>> What about it?
>
> It doesn't work reliably? :)

Doesn't it?  You'll have to cite specific examples.  I can't think of
one problem I've had that's related to basic auth not working as it
should (as long as you don't count configuration faux pas!)


Neil.

-- 
Neil Hillard[EMAIL PROTECTED]
AgustaWestland  http://www.whl.co.uk/

Disclaimer: This message does not necessarily reflect the
views of Westland Helicopters Ltd.


Re: [squid-users] username and password in TRANSPARENT mode

2007-08-10 Thread Neil A. Hillard
Hi,

Adrian Chadd wrote:
> On Fri, Aug 10, 2007, Neil A. Hillard wrote:
>> Hi,
>>
>> Adrian Chadd wrote:
>>> On Fri, Aug 10, 2007, Neil A. Hillard wrote:
>>>
>>>>> It doesn't work reliably? :)
>>>>
>>>> Doesn't it?  You'll have to cite specific examples.  I can't think of
>>>> one problem I've had that's related to basic auth not working as it
>>>> should (as long as you don't count configuration faux pas!)
>>>
>>> Transparent interception with proxy basic authentication?
>>
>> Not valid - it was never designed to do that.  We repeat the question -
>> if the browser doesn't know a proxy is there then why should it
>> authenticate to it?
>
> And I'm saying it shouldn't, that's not how stuff was intended, and
> the fact that stuff kind of sometimes mostly maybe works is busted.
> People keep -wanting- to try it though.
>
> We're in agreement!

OK, matter settled!  I pity the next person to ask this question! :-)


Neil.



Re: [squid-users] username and password in TRANSPARENT mode

2007-08-10 Thread Neil A. Hillard
Hi,

Adrian Chadd wrote:
> On Fri, Aug 10, 2007, Neil A. Hillard wrote:
>
>>> It doesn't work reliably? :)
>>
>> Doesn't it?  You'll have to cite specific examples.  I can't think of
>> one problem I've had that's related to basic auth not working as it
>> should (as long as you don't count configuration faux pas!)
>
> Transparent interception with proxy basic authentication?

Not valid - it was never designed to do that.  We repeat the question -
if the browser doesn't know a proxy is there then why should it
authenticate to it?


Neil.



Re: [squid-users] username and password in TRANSPARENT mode

2007-08-10 Thread Adrian Chadd
On Fri, Aug 10, 2007, Neil A. Hillard wrote:

>> It doesn't work reliably? :)
>
> Doesn't it?  You'll have to cite specific examples.  I can't think of
> one problem I've had that's related to basic auth not working as it
> should (as long as you don't count configuration faux pas!)

Transparent interception with proxy basic authentication?




Adrian



Re: [squid-users] username and password in TRANSPARENT mode

2007-08-10 Thread Adrian Chadd
On Fri, Aug 10, 2007, Neil A. Hillard wrote:
> Hi,
>
> Adrian Chadd wrote:
>> On Fri, Aug 10, 2007, Neil A. Hillard wrote:
>>
>>>> It doesn't work reliably? :)
>>>
>>> Doesn't it?  You'll have to cite specific examples.  I can't think of
>>> one problem I've had that's related to basic auth not working as it
>>> should (as long as you don't count configuration faux pas!)
>>
>> Transparent interception with proxy basic authentication?
>
> Not valid - it was never designed to do that.  We repeat the question -
> if the browser doesn't know a proxy is there then why should it
> authenticate to it?

And I'm saying it shouldn't, that's not how stuff was intended, and
the fact that stuff kind of sometimes mostly maybe works is busted.
People keep -wanting- to try it though.

We're in agreement!



Adrian



Re: [squid-users] username and password in TRANSPARENT mode

2007-08-10 Thread Henrik Nordstrom
On fre, 2007-08-10 at 09:18 +0800, Adrian Chadd wrote:
> On Thu, Aug 09, 2007, Henrik Nordstrom wrote:
>> On mån, 2007-08-06 at 18:26 +0800, Adrian Chadd wrote:
>>
>>> Look at how a browser talks directly to an origin server when presenting
>>> (HTTP Basic) authentication credentials, and what a proxy ends up doing
>>> with those.
>>
>> What about it?
>
> It doesn't work reliably? :)

Doesn't it? When?

Regards
Henrik




Re: [squid-users] username and password in TRANSPARENT mode

2007-08-10 Thread Henrik Nordstrom
On fre, 2007-08-10 at 16:54 +0800, Adrian Chadd wrote:

> And I'm saying it shouldn't, that's not how stuff was intended, and
> the fact that stuff kind of sometimes mostly maybe works is busted.

It doesn't. Squid never accepts to do authentication in interception
mode. Any attempt to do so will result in the following getting logged
in access.log:

aclAuthenticated: authentication not applicable on transparently
intercepted requests.

and the http_access line ignored.

> People keep -wanting- to try it though.

Indeed.

> We're in agreement!

Good.

Regards
Henrik




Re: [squid-users] username and password in TRANSPARENT mode

2007-08-09 Thread Henrik Nordstrom
On mån, 2007-08-06 at 16:57 +0800, Adrian Chadd wrote:

> I don't know why this isn't better documented

Not sure how it can be better documented. It's both in squid.conf and
the FAQ, and additionally Squid emits a quite clear warning in cache.log
if you try to use it.

But yes, it probably could be placed better in the squid.conf comments.
Currently in the proxy_auth acl, should be in auth_params.

> alas. No, transparent
> interception doesn't function with proxy authentication. It's a shortcoming
> of the HTTP RFC spec.

I wouldn't say it's a shortcoming. It's a very reasonable security
restriction to not allow random web servers to fish for proxy
authentication credentials, and only allow proxy authentication to known
proxies.

> I hear rumours about commercial products supporting
> cookie-type hacks to do authentication but I've never seen it live.

Done it for Squid earlier. Requires a web server which maintains logins
and tracks the cookie sessions (any cookie based server will do fine) and an
external_acl helper which can query the same server to check if a cookie
is valid. No modifications to Squid itself required.

But it's worth noting that cookie based authentication can never work
very well. There will always be cases where the proxy either has to
allow access, or break communication. (non-GET methods without a valid
cookie).

Another possibility is to abuse NTLM authentication. As NTLM is
connection oriented it kind of works to authenticate to multiple hops.
Never done this with Squid, and it will require a bit of modifications
to make it work.

> Use WPAD+proxy.pac to autodiscover proxy services for a LAN.

Yes.

Regards
Henrik
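
One shape the external_acl helper described in the post above could take, written here as an added example rather than code from the thread or from the Squid project. It assumes an external_acl_type line with a "%{Cookie}" format (so Squid hands the helper only the URL-encoded Cookie header, or "-" when there is none), a session cookie named proxysess, and a constructed in-memory session table standing in for the login web server; redirecting denied users to the login page stays in squid.conf (deny_info), not in the helper.

```python
#!/usr/bin/env python3
"""Squid external_acl helper that validates a login session cookie.

Squid writes one line per lookup to stdin, built from the format given in
external_acl_type (assumed here: "%{Cookie}"), and waits for exactly one
"OK" or "ERR" reply line per lookup on stdout.
"""
import sys
from http.cookies import CookieError, SimpleCookie
from urllib.parse import unquote

# Constructed session table standing in for the login web server's session
# store; a real helper would query that server instead (assumed values).
SESSIONS = {"s3ss10n-alice": "alice", "s3ss10n-bob": "bob"}
COOKIE_NAME = "proxysess"  # assumed cookie name set by the login page


def session_user(cookie_header):
    """Return the user owning a valid session cookie, or None."""
    if not cookie_header or cookie_header == "-":
        return None  # no Cookie header at all
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:  # malformed header: treat as not logged in
        return None
    morsel = jar.get(COOKIE_NAME)
    if morsel is None:
        return None
    return SESSIONS.get(morsel.value)  # unknown or stale session -> None


def helper_reply(line):
    """Map one lookup line from Squid to its reply line."""
    cookie = unquote(line.strip())  # Squid URL-encodes the field values
    user = session_user(cookie)
    if user is None:
        return "ERR"
    # "user=" lets Squid record the name in access.log for the request
    return "OK user=%s" % user


def main():
    for line in sys.stdin:
        sys.stdout.write(helper_reply(line) + "\n")
        sys.stdout.flush()  # Squid blocks until the reply for this line arrives


if __name__ == "__main__":
    main()
```

Note the failure mode from the post: a request without a valid cookie can only be answered ERR here, so a non-GET request from a not-yet-logged-in user is either denied or let through by the http_access rules, never transparently logged in.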




Re: [squid-users] username and password in TRANSPARENT mode

2007-08-09 Thread Henrik Nordstrom
On mån, 2007-08-06 at 18:26 +0800, Adrian Chadd wrote:

> Look at how a browser talks directly to an origin server when presenting
> (HTTP Basic) authentication credentials, and what a proxy ends up doing
> with those.

What about it?

Regards
Henrik




Re: [squid-users] username and password in TRANSPARENT mode

2007-08-09 Thread Adrian Chadd
On Thu, Aug 09, 2007, Henrik Nordstrom wrote:
> On mån, 2007-08-06 at 18:26 +0800, Adrian Chadd wrote:
>
>> Look at how a browser talks directly to an origin server when presenting
>> (HTTP Basic) authentication credentials, and what a proxy ends up doing
>> with those.
>
> What about it?

It doesn't work reliably? :)




Adrian



Re: [squid-users] username and password in TRANSPARENT mode

2007-08-06 Thread Neil A. Hillard
Hi,

Indunil Jayasooriya wrote:
> I am running squid with the ncsa_auth feature.
> I have configured client browser to use squid proxy server with ip
> address and port 3128. All work fine.
>
> Then, I configured SQUID in TRANSPARENT mode. Then, I lost the user
> name and password feature. Is it NORMAL in TRANSPARENT mode?
>
> This happened in SQUID 2.5.

Please see:

http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-7cfff26a112769fccff8f4d507961cd27ebe5eac


Neil.



Re: [squid-users] username and password in TRANSPARENT mode

2007-08-06 Thread Adrian Chadd
On Mon, Aug 06, 2007, Indunil Jayasooriya wrote:
> Hi,
>
> I am running squid with the ncsa_auth feature.
> I have configured client browser to use squid proxy server with ip
> address and port 3128. All work fine.
>
> Then, I configured SQUID in TRANSPARENT mode. Then, I lost the user
> name and password feature. Is it NORMAL in TRANSPARENT mode?
>
> This happened in SQUID 2.5.

I don't know why this isn't better documented, alas. No, transparent
interception doesn't function with proxy authentication. It's a shortcoming
of the HTTP RFC spec. I hear rumours about commercial products supporting
cookie-type hacks to do authentication but I've never seen it live.

Use WPAD+proxy.pac to autodiscover proxy services for a LAN.



Adrian



Re: [squid-users] username and password in TRANSPARENT mode

2007-08-06 Thread Sussane Andrews

Dear Indunil,
ncsa_auth is not compatible with Transproxy. If transproxy works,
authentication won't, and vice versa. I did try this thing on my box but
failed..


Sussane Andrews
http://healthtreatments.blogspot.com


Indunil Jayasooriya wrote:

> Hi,
>
> I am running squid with the ncsa_auth feature.
> I have configured client browser to use squid proxy server with ip
> address and port 3128. All work fine.
>
> Then, I configured SQUID in TRANSPARENT mode. Then, I lost the user
> name and password feature. Is it NORMAL in TRANSPARENT mode?
>
> This happened in SQUID 2.5.




Re: [squid-users] username and password in TRANSPARENT mode

2007-08-06 Thread Neil A. Hillard
Hi,

Adrian Chadd wrote:
> On Mon, Aug 06, 2007, Indunil Jayasooriya wrote:
>> I am running squid with the ncsa_auth feature.
>> I have configured client browser to use squid proxy server with ip
>> address and port 3128. All work fine.
>>
>> Then, I configured SQUID in TRANSPARENT mode. Then, I lost the user
>> name and password feature. Is it NORMAL in TRANSPARENT mode?
>>
>> This happened in SQUID 2.5.
>
> I don't know why this isn't better documented, alas. No, transparent
> interception doesn't function with proxy authentication. It's a shortcoming
> of the HTTP RFC spec. I hear rumours about commercial products supporting
> cookie-type hacks to do authentication but I've never seen it live.
>
> Use WPAD+proxy.pac to autodiscover proxy services for a LAN.

It's documented in the FAQ (hence my previous reply)!

I can't see how it's a shortcoming of the protocol.  If the browser
isn't aware that there is a proxy then why would it (why should it) try
to authenticate to one?  Tell it that a proxy exists and it's more than
happy to authenticate.

Interception is less than ideal.


Neil.



Re: [squid-users] username and password in TRANSPARENT mode

2007-08-06 Thread Adrian Chadd
On Mon, Aug 06, 2007, Neil A. Hillard wrote:

> I can't see how it's a shortcoming of the protocol.  If the browser
> isn't aware that there is a proxy then why would it (why should it) try
> to authenticate to one?  Tell it that a proxy exists and it's more than
> happy to authenticate.
>
> Interception is less than ideal.

Look at how a browser talks directly to an origin server when presenting
(HTTP Basic) authentication credentials, and what a proxy ends up doing
with those.



Adrian



Re: [squid-users] username and password in TRANSPARENT mode

2007-08-06 Thread Neil A. Hillard
Adrian,

Adrian Chadd wrote:
> On Mon, Aug 06, 2007, Neil A. Hillard wrote:
>
>> I can't see how it's a shortcoming of the protocol.  If the browser
>> isn't aware that there is a proxy then why would it (why should it) try
>> to authenticate to one?  Tell it that a proxy exists and it's more than
>> happy to authenticate.
>>
>> Interception is less than ideal.
>
> Look at how a browser talks directly to an origin server when presenting
> (HTTP Basic) authentication credentials, and what a proxy ends up doing
> with those.

The browser knows it is talking to the origin server so will support
basic auth.  If you stick an intercepting proxy in the way and then use
basic auth then how do you authenticate to the origin server?

You have to have two headers and then tell the browser to use the proxy
(and therefore the proxy auth header).


Neil.



Re: [squid-users] username and password in TRANSPARENT mode

2007-08-06 Thread Adrian Chadd
On Mon, Aug 06, 2007, Neil A. Hillard wrote:

> The browser knows it is talking to the origin server so will support
> basic auth.  If you stick an intercepting proxy in the way and then use
> basic auth then how do you authenticate to the origin server?
>
> You have to have two headers and then tell the browser to use the proxy
> (and therefore the proxy auth header).

Yes, but the browser doesn't know that it has to authenticate to
an intermediate until it's asked via a 407. The specification doesn't
cover transparently intercepted connections in this instance.
(or did it via a proxy required status? Henrik knows the HTTP
nuances better than I.)

In any case, the specification wasn't clear, UAs don't handle
Proxy-Authentication required right when they don't have an explicit
proxy set, and thus you can't pull off that potentially useful
(and potentially security hazardous!) trick.



Adrian