Christoph Rabel wrote:
Hi!
I am rather new to squid and I hope my question is fine here.
We have a single sign on service in our company, which essentially sets
a custom header after authentication.
Now, we would like to use this header for squid authentication too.
So, a request which has a valid ssoheader should be considered
authenticated and allowed to access the internet. A user without such a
header(or an invalid one) should be redirected to the login page.
I understand from documentation, that I have to implement a custom auth
module, which checks the credentials, but it says
also (http://wiki.squid-cache.org/SquidFaq/ProxyAuthentication) that the
/Authorization/ request header is given to this module. And if the
header is not present, 407 is sent.
To condense my question: Is it possible to specify which header
information is given to the auth module? And to specify that no 407 but
a redirect is sent?
Not for auth modules. They only use the regular Proxy-Authentication:
headers. Maybe WWW-Authentication: header in accelerators.
For checking custom headers you need to make your authenticator an
external_acl_type helper. And pass it the custom request header by name.
Another thing that bothers me are SSL requests. What happens when the
proxy encounters a request for a https site? Can it access the cookie
anyway?
Depends on how Squid receives the HTTPS request.
a) as a plain URL for squid to handle. Okay, squid has access to all the
headers etc.
b) as a CONNECT tunnel setup request. Squid has access to destination
hostname and port. very little else. The sslbump feature coming in 3.1
has been designed to get around those limits but has its own issues with
privacy doing a man-in-middle attack on your users.
Amos
--
Please use Squid 2.7.STABLE4 or 3.0.STABLE9
