Re: [squid-users] handing off usernames to parent proxies

From: E.S. Rosenberg <esr_at_g.jct.ac.il>
Date: Thu, 20 Oct 2011 19:11:28 +0200

2011/10/19 Amos Jeffries <squid3_at_treenet.co.nz>:
> On Tue, 18 Oct 2011 13:53:18 +0200, E.S. Rosenberg wrote:
>>
>> Hi all,
>> We currently have a setup with proxies that use NTLM authentication
>> (we hope to upgrade to Kerberos in the future) and based on the
>> username send the user to one of several parent proxies. To improve
>> caching we would like to instead route all traffic through one proxy
>> that is heavily optimized for caching (has its own large storage
>> etc.).
>>
>> I saw in the documentation that it is possible to pass the
>> authentication to the parent; as far as I can tell I can 'tell' the
>> parent in several ways how to route the client:
>> - I can pass the username to the parent
>
> Yes via the login= parameter. It is sent as Basic auth (and a dummy or fake
> password is best there). So you can use it safely for logging purposes, but
> not reliable security.
login= would be set in squid.conf and not pass the username sent by
the client, or am I misunderstanding that?
>
>> - I can 'NAT' the users connection as it leaves the child proxy (src
>> ip rewrite rules) and have source IP based rules on the parent.
>
> Hmm? never heard of this one before. Any details you can point me at for my
> education?
I may be wrong but I was thinking of something like this on the client:
tcp_outgoing_address x.x.x.x proxy_auth_acl_of_X_users !not_us
tcp_outgoing_address y.y.y.y proxy_auth_acl_of_Y_users !not_us

And then on the parent you just have ACLs based on src (where for the
specialized ISP they again have to be 'NAT'-ed)

>
>> - I could set up multiple instances of the same parent with different
>> login details and 'route' based on username to each of said 'parents'
>>
>> It seems to me that the second option would result in better
>> performance on the one hand but on the other hand it would add more
>> obfuscation, however performance is more important to me.
>>
>> Am I correct in my analysis? Is passing the username to the parent a lot
>> slower? Would it require another ntlm-auth binary running on the
>> parent, or can the username just pass cleartext between the proxies
>> and therefore the whole 'authentication' is a lot faster....
>
> Username as such is okay as clear-text. NTLM does not let squid know the
> password, so there is no security leak by adding a fake one of your own.
>
> NTLM on the parent has a major flaw that will bite you if you try to do NTLM
> there. Namely that NTLM (and Kerberos) do not authenticate the HTTP request
> particularly, they authenticate the TCP connection. So all they can
> guarantee is that the connection came from the child proxy. Squid 2.7 and
> 3.1+ add a bit more surety in that they "pin" the connections, preventing
> multiple clients using the TCP connection to the parent. This is nasty for
> performance and resource usage, but the only way to get NTLM and Kerberos to
> work without regular popups.
>
>
> On the whole, I think reconsider carefully your need for auth credentials to
> get to the backend. Whether you need full auth, or just the username for
> example. You can add in SSL, IP, and/or MAC checks to harden the surety that
> parent proxy traffic is coming from the child proxy.

On the whole I just need the backend to know the username, or what
'browsing plan' the session is using. Sometimes plans are also
determined based on src IP (i.e. certain stations aren't allowed to
browse no matter who's logged in, or are supposed to only have access
to a whitelist even when staff are using them), so I think a
'NAT'-like method is most likely what I need.

As far as reachability goes, the parent will not be accessible directly by
the clients; the firewall/router should see to that.

Thanks,
Eli
>
> Amos
>
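As an added illustration, not part of the thread and not Squid's own documentation, here is a squid.conf sketch of the 'NAT'-like routing discussed above with a single caching parent; the helper path, usernames, addresses and domain are assumptions:

```conf
# --- child squid.conf (client-facing proxy, does the NTLM authentication) ---
# Placeholder helper path; use the Samba ntlm_auth location on your system.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
acl authed proxy_auth REQUIRED
# Assumed plan membership as user lists (an external ACL works the same way).
acl plan_x proxy_auth alice bob
acl plan_y proxy_auth carol
# Stations restricted regardless of who is logged in (assumed LAN addresses).
acl kiosk src 192.0.2.50 192.0.2.51
http_access deny !authed
http_access allow authed

# First match wins: the parent sees one source address per plan, so the
# station rule has to come before the per-user rules.
tcp_outgoing_address 10.0.0.11 kiosk
tcp_outgoing_address 10.0.0.12 plan_x
tcp_outgoing_address 10.0.0.13 plan_y

# Single caching parent. login=*:<fixed> forwards the username with a fixed
# dummy password, so the parent can identify the user (e.g. in its logs)
# while no real password ever leaves the child (NTLM never gives Squid one).
cache_peer cache.example.net parent 3128 0 no-query default login=*:dummy
never_direct allow all

# --- parent squid.conf (caching parent, no NTLM helper needed) ---
# Only the child's outgoing addresses may talk to this proxy; the firewall
# should additionally block clients from reaching this port directly.
acl child_kiosk src 10.0.0.11
acl child_plan_x src 10.0.0.12
acl child_plan_y src 10.0.0.13
acl child src 10.0.0.11 10.0.0.12 10.0.0.13
acl whitelist dstdomain .intranet.example.net
http_access deny !child
http_access allow child_kiosk whitelist
http_access deny child_kiosk
http_access allow child_plan_x
http_access allow child_plan_y
http_access deny all
```

The source address alone tells the parent which plan applies, so the per-plan rules on the parent are plain src ACLs and no authentication round trip happens between the proxies.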
Received on Thu Oct 20 2011 - 17:11:35 MDT
