Re: [squid-users] Squid and Apache Authentication

From: adrian.wells <adrian.wells@dont-contact.us>
Date: Thu, 23 Sep 2004 16:01:18 +0100

Just an idea,

Would it be possible to do this by creating a random name for the login/PW
form controls using say PHP? Therefore (as I understand it) IE et al would
not be able to offer an entry to an unknown form control. I assume it sees
"login", recognises the typed name and looks up the PW from its database.
Of course I may be way wrong! :-) Maybe a random page title would work in
just the same way?

Kind regards
Adrian Wells

----- Original Message -----
From: "Henrik Nordstrom" <hno@squid-cache.org>
To: "Martyn Bright" <brightm@trml.co.uk>
Cc: <squid-users@squid-cache.org>
Sent: Thursday, September 23, 2004 11:56 AM
Subject: RE: [squid-users] Squid and Apache Authentication

> On Thu, 23 Sep 2004, Martyn Bright wrote:
>
> > A specific external site (that I do not control) the users need is https and
> > not available via the remote proxy - squid goes to it directly.
> >
> > I need the users to authorize before they connect to this specific site.
> > Unfortunately with basic auth, IE helps(!!!) by offering to remember the
> > users password details. I cannot allow this as the clients are accessible
> > by the public and must not be able to get to the secure site without having
> > to type in a password. I know I can disable this IE helper functionality in
> > windows, but that will stop it for all sites which is not what I want.
> >
> > I figured that if I pass authentication control to a web page of my own, I
> > should be able to stop IE from interfering.
>
> Not really. If IE understands this page contains a password form it still
> allows you to save the password...
>
> And since the site is using https the proxy has no means of modifying the
> requests or add/delete any information while forwarding the request. All
> the proxy sees is that the browser wants to connect and do something at
> the requested side, nothing more.
>
> If the site was using http then Squid would be able to use other means of
> providing the authentication credentials, but with https sites the
> encryption considerably limits the man-in-the-middle capabilities.
>
> Regards
> Henrik
>
Received on Thu Sep 23 2004 - 09:01:12 MDT

This archive was generated by hypermail pre-2.1.9 : Fri Oct 01 2004 - 12:00:03 MDT
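
Added example, not part of the original messages and not Squid code: a sketch of what a forward proxy can read from the plaintext request a browser sends it, contrasting the `CONNECT` tunnel used for https with a plain http request, as described in the quoted reply. The function names, hostnames and credentials are constructed for illustration.

```python
# Added illustration: visibility of a forward proxy into http vs https requests.
# All hostnames and credentials below are constructed sample values.
import base64
from urllib.parse import urlsplit

HTTPS_REQ = (b"CONNECT secure.example.com:443 HTTP/1.1\r\n"
             b"Host: secure.example.com:443\r\n"
             b"Proxy-Authorization: Basic dXNlcjpwYXNz\r\n\r\n")
HTTP_REQ = (b"GET http://intranet.example.com/report HTTP/1.1\r\n"
            b"Host: intranet.example.com\r\n\r\n")

def proxy_view(raw: bytes) -> dict:
    """Parse the plaintext request head a forward proxy receives."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    view = {"proxy_auth": headers.get("proxy-authorization")}
    if method == "CONNECT":
        # Only host:port is visible. The URL path, cookies, form fields and
        # any Authorization header travel inside TLS, relayed as opaque bytes.
        host, _, port = target.rpartition(":")
        view.update(tunnel=True, host=host, port=int(port),
                    path=None, origin_auth=None)
    else:
        # Plain http: the whole request is readable and can be rewritten.
        url = urlsplit(target)
        view.update(tunnel=False, host=url.hostname, port=url.port or 80,
                    path=url.path or "/",
                    origin_auth=headers.get("authorization"))
    return view

def add_origin_credentials(raw: bytes, user: str, password: str) -> bytes:
    """Insert a Basic Authorization header; only possible outside a tunnel."""
    if proxy_view(raw)["tunnel"]:
        raise ValueError("request is inside a CONNECT tunnel; proxy cannot edit it")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    head, sep, body = raw.partition(b"\r\n\r\n")
    return head + f"\r\nAuthorization: Basic {token}".encode() + sep + body

if __name__ == "__main__":
    print(proxy_view(HTTPS_REQ))
    print(add_origin_credentials(HTTP_REQ, "kiosk", "s3cret").decode())
```

The proxy's own `Proxy-Authorization` header is still visible on the `CONNECT` request, which is why proxy-level authentication works for https destinations even though nothing inside the tunnel can be altered.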