On 3/04/2012 3:40 a.m., Mohamed Amine Kadimi wrote:
> Dear Developpers and Community,
>
> I would like to set up the following configuration using squid:
>
> When a user asks for a web page he is transparently redirected to
> squid, where an authentication must be done before serving the user
> with content.
>
> However, users IP are being NATed before going to the proxy. So the
> solution would be to use an application-layer verification: cookies or
> http headers
>
> So, I come across the following solutions:
>
> 1. Use an ICAP server which checks if a cookie is set, otherwise set
> it for an authenticated user
> the problem is: cookies are bound to domains + each http request must
> be validated
>
> 2. Use a php splash page which sets the cookie then redirect to destination
> same problem as ICAP
>
> 3. using squid authentication and checking if Proxy-Authorization
> header is set before serving the client
> problem: sessions are associated to the IP by squid
>
> I'm using squid 3.1
>
> Thank you for any idea
The whole point of transparent interception is that the browser is
*completely unaware it is talking to a proxy*. It contacted some web
server, and *all* of its communications are with that server. If you can
find a way to trick it into storing security credentials of any kind set
by your proxy it will consider those credentials safe to use when
contacting the same server via other non-HTTP methods as well, causing
great deal of problems. The good thing to do at that point is to report
the zero-day security vulnerability you just found.
You might be able to use details gleaned from the browsers request to
*guess* what user it is and have a external_acl_type script inform Squid
of the guessed username. Or the authorize (*not* authenticate) the
request to happen.
Amos
Received on Tue Apr 03 2012 - 06:33:55 MDT
This archive was generated by hypermail 2.2.0 : Tue Apr 03 2012 - 12:00:02 MDT