[squid-users] Secure user authentication on a web proxy

From: Nikolaos Milas <nmilas_at_noa.gr>
Date: Tue, 20 Sep 2011 09:56:44 +0300

Hello,

I am setting up Squid to enable users to use it as a web proxy server.

My problem is how to enable encrypted user authentication.

On the back-end we are using an LDAP Server (openldap) for user account
management and authentication. Squid works fine with LDAP, but
browser-level encryption is not supported (so the password is sent in
clear text) unless using DIGEST auth, which is not possible in our case,
because passwords are stored encrypted in LDAP (DIGEST authentication
requires that passwords are stored in clear-text).

I was thinking of a scenario using client certificates: Client browsers
(to be authenticated) would have their own certificates (with their own
private key) and the proxy server (Squid) would authenticate them
against LDAP where the public keys of the user certs are stored.

So: Is this solution feasible and does it really offer a safe
authentication (at the browser level), without using TLS/SSL (which I
know is not available during proxy authentication since browsers do not
support it)? I understand that when using this kind of auth (with
certificates), no password exchange is needed: Authentication is done
using the certs only.

If the answer is yes, can you please direct me to some web page or other
manual detailing how to configure Squid to operate with this kind of
authentication?

Finally, any other ideas for secure authentication at the browser level?
(I have also evaluated NTLM - in which case we would use Samba to create
a DC - but my understanding is that NTLM is bound to particular LANs
where clients are expected to be on, whereas we want to be able to
authenticate clients - without using a VPN - on any network they might be.)

Thanks in advance,
Nick

Received on Tue Sep 20 2011 - 06:57:11 MDT
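To make the two protocol points in the question concrete (Basic proxy auth exposes the password to anyone who sees the header; Digest never sends the password but needs the server to hold either the plaintext or the realm-bound HA1 hash), here is an added illustration in Python. It is not from the original post or from Squid; the user, realm, password and nonce values are constructed samples, and the Digest computation follows the RFC 2617 "auth" qop formula.

```python
import base64
import hashlib
import hmac

# Constructed sample values (not from the post).
USER = "nick"
REALM = "proxy.example.org"
PASSWORD = "s3cret-pass"


def basic_header(user, password):
    """Build the Proxy-Authorization header a browser sends for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Proxy-Authorization: Basic {token}"


def credentials_from_basic_header(header):
    """Base64 is an encoding, not encryption: any observer of the header
    recovers the credentials, which is why Basic over plain HTTP is
    'clear text' for practical purposes."""
    token = header.split(" ", 2)[2]
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password). This is the only secret-derived value
    the proxy needs; it can be computed once when the password is set and
    stored instead of the plaintext. It cannot be derived from a salted
    hash such as {SSHA} already sitting in LDAP."""
    return _md5hex(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client-side response: the password itself never leaves the browser."""
    ha2 = _md5hex(f"{method}:{uri}")
    return _md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_digest(stored_ha1, method, uri, nonce, nc, cnonce, response):
    """Proxy-side check using only the stored HA1 (constant-time compare)."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)
```

The caveat for the poster's setup is visible in `digest_ha1`: the realm is baked into HA1, so a migration to Digest means capturing HA1 at password-change time, not converting existing LDAP password hashes.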

This archive was generated by hypermail 2.2.0 : Sat Sep 24 2011 - 12:00:03 MDT