On 3/04/2012 3:40 a.m., Mohamed Amine Kadimi wrote:
> Dear Developers and Community,
>
> I would like to set up the following configuration using squid:
> When a user asks for a web page he is transparently redirected to
> squid, where an authentication must be done before serving the user
> with content.

Please read
http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Why_can.27t_I_use_authentication_together_with_interception_proxying.3F

> However, users' IPs are being NATed before going to the proxy. So the
> solution would be to use an application-layer verification: cookies or
> HTTP headers.
>
> So, I came across the following solutions:
>
> 1. Use an ICAP server which checks if a cookie is set, otherwise set
> it for an authenticated user
> the problem is: cookies are bound to domains + each HTTP request must
> be validated
>
> 2. Use a PHP splash page which sets the cookie then redirects to destination
> same problem as ICAP
>
> 3. Using squid authentication and checking if Proxy-Authorization
> header is set before serving the client
> problem: sessions are associated to the IP by squid
>
> I'm using squid 3.1
>
> Thank you for any idea

The whole point of transparent interception is that the browser is
*completely unaware it is talking to a proxy*. It contacted some web
server, and *all* of its communications are with that server. If you can
find a way to trick it into storing security credentials of any kind set
by your proxy it will consider those credentials safe to use when
contacting the same server via other non-HTTP methods as well, causing
a great deal of problems. The good thing to do at that point is to report
the zero-day security vulnerability you just found.

You might be able to use details gleaned from the browser's request to
*guess* what user it is and have an external_acl_type script inform Squid
of the guessed username. Or to authorize (*not* authenticate) the
request to happen.

Amos
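
A sketch of the external_acl_type helper idea from the reply above, added here as an example and not code from the thread or from the Squid project. It assumes Squid passes the helper two URL-escaped tokens per line (the client address and one request header value; which header to use is an assumption), and the mapping table is constructed sample data.

```python
#!/usr/bin/env python3
"""Squid external ACL helper sketch: guess a username from request details."""
import sys
from urllib.parse import unquote

# Constructed sample mapping: (address Squid sees, header value) -> guessed user.
# Behind NAT many users share one address, so the address alone identifies nobody.
GUESSES = {
    ("192.0.2.10", "KioskBrowser/1.0"): "kiosk-lobby",
    ("192.0.2.10", "InventoryScanner/2.3"): "warehouse",
}

def answer(line):
    """Return the helper reply for one request line received from Squid."""
    fields = line.split()
    channel = ""
    # When helper concurrency is enabled, each line starts with a numeric
    # channel ID that must be echoed at the start of the reply.
    if len(fields) == 3 and fields[0].isdigit():
        channel = fields.pop(0) + " "
    if len(fields) != 2:
        return channel + "ERR"          # malformed line: never match
    src, header = (unquote(f) for f in fields)  # tokens arrive URL-escaped
    user = GUESSES.get((src, header))
    if header == "-" or user is None:   # "-" stands for a value Squid lacked
        return channel + "ERR"
    # user= hands the guessed name to Squid; it is a guess used to authorize
    # the request, not an authentication result.
    return f"{channel}OK user={user}"

def main():
    for line in sys.stdin:              # runs until Squid closes stdin
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()              # Squid waits on every reply

if __name__ == "__main__":
    main()
```

Anything the table cannot match gets ERR, so the ACL fails closed for unknown clients.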