Re: [squid-users] Re: authenticate_ip_shortcircuit_ttl

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 26 Jan 2012 23:55:45 +1300

On 26/01/2012 9:31 p.m., botner_at_univention.de wrote:
>>> Does anybody know if its possible to setup something similar to
>>> authenticate_ip_shortcircuit in squid 3?
>> Thinking... yes it should be possible to implement
>> authenticate_ip_shortcircuit as an external acl for most purposes,
>> working similar to squid_session but remembering the user name.
> Are there plans to port the "authenticate_ip_shortcircuit" feature to
> squid3?

Not at this point. It risks opening a huge security hole on the
assumption that all requests from an IP are the same client.
In the age of NAT, cloud services and IP address randomisation (for
"privacy") the risk is getting far too high to be reasonable. Basic auth
itself (the only one where this works) is also losing popularity behind
more secure authentication systems which can't be cached easily like
that option does.
Modern browsers' password manager integration and e-wallet systems can
handle the login requirements of SSO and automated sign-in a lot better
than this option can hope to achieve at its best. We felt the time was
ripe to deprecate.

I will accept patch submissions for 3.HEAD/trunk if anyone feels a
strong need to port it. But I don't plan to do the port myself.

> Is this http://devel.squid-cache.org/projects.html#ntlm_ip_cache still
> useful?
As a basis for understanding how that option works only. The squid-3
overall auth logic is similar but function names and locations are very
different.

> How would an equivalent configuration with external acl's look like?

# 'auth' is assumed to be the usual proxy_auth ACL; it was not shown above.
acl auth proxy_auth REQUIRED
# %{Proxy-Authorization} carries the client's credentials (Proxy-Authenticate
# is the proxy's challenge header and is never present in a request).
external_acl_type authBypassT negative_ttl=1 ttl=300 %SRC %{Proxy-Authorization} /some/path
acl authBypass external authBypassT
http_access allow authBypass
http_access deny !auth

With the helper checking that the header's login details validate, if given.
If the login does validate, it needs to store the IP+login and return OK.
If just the IP is given and it is already known with any login, just
return OK.
Return ERR if there are any problems or no known cached result is found.

>
> I have experienced some stability issues with winbind in a samba domain
> and a ntlm squid authentication. The "authenticate_ip_shortcircuit" feature
> was a kind of workaround for that.

Squid-3 has better persistent connection and HTTP/1.1 abilities than
squid-2 did. You may find that the instability is gone now when these
features are used.

Negotiate/Kerberos is also the better way forward. It halves the
overhead load that NTLM imposes on setting up connections.

Amos
Received on Thu Jan 26 2012 - 10:55:54 MST
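The helper behaviour described in the reply above, written out as an added example (this is not Squid project code and not the poster's code). It assumes Squid's default quote=url encoding of the helper line, no concurrency= option (so no leading channel-ID), a "-" placeholder for an absent header, and a constructed in-memory credential store in place of a real backend. It goes slightly beyond the description by giving the helper's own IP table an expiry, so a trusted IP does not stay trusted forever.

```python
#!/usr/bin/env python3
"""Squid 3 external_acl helper re-creating authenticate_ip_shortcircuit for
Basic auth: once an IP has presented valid credentials, later requests from
that IP are accepted for a limited time even without a Proxy-Authorization
header.  Added example, not Squid project code; the credential store and
all sample inputs are constructed for illustration."""
import base64
import hashlib
import hmac
import sys
import time
from urllib.parse import unquote

SHORTCIRCUIT_TTL = 300  # seconds an IP stays trusted; mirrors ttl=300 in the ACL line


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed demo credential store: user -> (salt, PBKDF2-SHA256 of password).
# A real helper would check against PAM/LDAP/htpasswd; the IP cache is the point.
_SALT = b"demo-salt-not-secret"
USERS = {"alice": (_SALT, _hash_password("s3cret", _SALT))}


def basic_header(user: str, password: str) -> str:
    """Build a Proxy-Authorization value the way a browser sends it."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def validate_basic(header: str):
    """Return the user name if the Basic credentials are correct, else None."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    entry = USERS.get(user)
    if entry is None:
        return None
    salt, expected = entry
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        return None
    return user


def handle_line(line: str, cache: dict, now=None) -> str:
    """Answer one helper request '<ip> <Proxy-Authorization or ->' with OK/ERR.

    cache maps client IP -> (user, expiry time).  Assumes the default
    quote=url line encoding and no concurrency= option (no channel-ID)."""
    now = time.time() if now is None else now
    fields = [unquote(f) for f in line.split()]
    if len(fields) < 2:
        return "ERR"
    ip, header = fields[0], " ".join(fields[1:])  # header may arrive url-encoded or split
    if header != "-":
        user = validate_basic(header)
        if user is None:
            return "ERR"  # bad credentials never create or extend the IP entry
        cache[ip] = (user, now + SHORTCIRCUIT_TTL)
        return f"OK user={user}"
    cached = cache.get(ip)
    if cached is not None:
        user, expires = cached
        if now < expires:
            return f"OK user={user}"  # IP already known: short-circuit without credentials
        del cache[ip]
    return "ERR"


def main() -> None:
    cache = {}
    for line in sys.stdin:
        sys.stdout.write(handle_line(line.rstrip("\n"), cache) + "\n")
        sys.stdout.flush()  # Squid waits for each answer line


if __name__ == "__main__":
    main()
```

Squid caches helper results keyed on the whole formatted line, so a request without credentials ("ip -") is a different key from one with them and does reach the helper, which answers from its IP table; negative_ttl=1 keeps an ERR from sticking once the client does log in. The caveat the reply raises applies unchanged: every client sharing that source address (NAT, a shared host) inherits the cached user for the TTL.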

This archive was generated by hypermail 2.2.0 : Thu Jan 26 2012 - 12:00:03 MST