Re: [squid-users] Transparent Proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 09 Aug 2013 01:45:47 +1200

On 8/08/2013 11:38 p.m., Alfredo Rezinovsky wrote:
> El 07/08/13 16:02, Roman Gelfand escribió:
>> Is there a way I could control access to various sites based on user
>> regardless of workstation they are on? All in transparent proxy.
>>
>> Thanks in advance
>>
> I did this a long time ago.
>
> I had a terminal server, so all the users came from the same IP.
> I did an ident authentication.

Rant warning...

Sigh. "IDENT" is an abbreviation of "Identification Protocol". That is
what it does and all it does.

There is no such thing as "ident authentication". In fact "ident" and
"authentication" in the same sentence is almost a contradiction.
Username with AND without verification.

\rant over

>
> ident is a simple (and very old) protocol.
> 1. A client at clientIP connects from sourcePort to proxyIP/proxyPort
> 2. Ident helper in squid asks clientIP who was the user connecting
> from sourcePort to proxyPort
> 3. ident daemon (or service on Windows) replies with the username in
> plain text.
>
> Problems:
> * Some antivirus software on the clients can see the ident service as a
> security threat
> * Because ident is a very old and insecure protocol, you need to be
> the only admin on the clients so you can trust the ident answer.
> * There are a lot of fake ident services for Windows. They always
> answer with the same username. You need a real ident.
> * When using transparent proxy there's some NAT involved so the client
> doesn't really connect to proxyIP/proxyPort. You need an ident NAT
> handler on your server.
> * Because of the NAT handling, the NAT and the proxy should be on the
> same server (usually the default gateway for the clients)
> * I did this a long time ago, so I don't remember how to work around
> the NAT problem. All I remember is that it is possible.

AFAIK the IDENT does not care who is querying the username. So it should
not matter that Squid is asking instead of the real origin server. It is
designed for things like firewalls and proxies in the middle to easily
access the user's name without complex authentication or security being
needed.
  BUT, the NAT must be done on the Squid box for the accurate TCP level
details to be available to Squid. For this and many other reasons, most
of which are security related - this is a *MUST* requirement for 3.2 and
later.

>
> If the clients are Windows, logged in to a domain, I think you can also
> try NTLM

No. Any form of HTTP *authentication* requires that the user has
credentials specific to the website or service they are requesting
access to. Browsers (and such) *will not* send proxy-auth credentials to
an origin server. This is browser security, nothing to do with Squid.
Otherwise any old attacker could simply send the user a proxy-auth
challenge and get told what credentials to use for accessing their ISP
or corporate proxy.

Amos
Received on Thu Aug 08 2013 - 13:45:54 MDT
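The ident exchange described in this thread, and the reason the NAT has to sit on the Squid box, as an added worked example that is not part of the original posts and not Squid's own code. It models an RFC 1413 identd on the workstation (listening on an ephemeral localhost port instead of 113) and the query a proxy makes about a TCP connection, "<client source port> , <port the client connected to>". The connection table, usernames and port numbers are constructed sample data; the username sanity check is an assumption of this example, since the reply is untrusted plaintext chosen by whoever runs the client.

```python
"""RFC 1413 (ident) query and response as a proxy would perform it.
Added illustration for this thread; not Squid code. All data is constructed."""
import re
import socket
import threading

# Constructed sample: connections the workstation's kernel knows about,
# keyed by (local port on the workstation, remote port it connected to).
WORKSTATION_CONNECTIONS = {
    (51234, 80): "alice",   # intercepted connection: the client thinks it talks to origin:80
    (51235, 3128): "bob",   # explicit forward-proxy connection to proxy:3128
}

# Assumed sanity filter: ident returns arbitrary octets, so a fake identd can
# return anything. Reject names that could confuse log parsing or ACL matching.
SAFE_USER = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def identd_handle_line(line, table):
    """Build the RFC 1413 response for one query line '<port-on-server> , <port-on-client>'."""
    try:
        lport_s, rport_s = line.split(",")
        lport, rport = int(lport_s), int(rport_s)
    except ValueError:
        return "0 , 0 : ERROR : INVALID-PORT\r\n"
    if not (0 < lport < 65536 and 0 < rport < 65536):
        return f"{lport} , {rport} : ERROR : INVALID-PORT\r\n"
    user = table.get((lport, rport))
    if user is None:
        return f"{lport} , {rport} : ERROR : NO-USER\r\n"
    return f"{lport} , {rport} : USERID : UNIX : {user}\r\n"


def serve_identd(table, host="127.0.0.1"):
    """Start a tiny identd thread on an ephemeral port; returns (port, stop_event)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    srv.settimeout(0.5)
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                query = conn.makefile("rb").readline(1024).decode("ascii", "replace")
                conn.sendall(identd_handle_line(query, table).encode("ascii"))
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], stop


def parse_ident_reply(reply):
    """Parse '<ports> : USERID : <opsys> : <user>' or '<ports> : ERROR : <type>'.
    Returns (username or None, response type)."""
    fields = [f.strip() for f in reply.split(":", 3)]  # user-id may itself contain ':'
    if len(fields) < 3:
        return None, "MALFORMED"
    kind = fields[1]
    if kind == "USERID" and len(fields) == 4:
        user = fields[3]
        return (user, "USERID") if SAFE_USER.match(user) else (None, "MALFORMED")
    if kind == "ERROR":
        return None, fields[2]
    return None, "MALFORMED"


def ident_query(client_ip, ident_port, client_port, proxy_port, timeout=2.0):
    """Ask the client's identd who owns the TCP connection client_port -> proxy_port."""
    with socket.create_connection((client_ip, ident_port), timeout=timeout) as s:
        s.sendall(f"{client_port} , {proxy_port}\r\n".encode("ascii"))
        reply = s.makefile("rb").readline(1024).decode("ascii", "replace").strip()
    return parse_ident_reply(reply)


def demo():
    """Three lookups: explicit proxy, naive transparent lookup, correct transparent lookup."""
    port, stop = serve_identd(WORKSTATION_CONNECTIONS)
    try:
        # Explicit proxy: the client really connected to 3128, so the pair matches.
        explicit = ident_query("127.0.0.1", port, 51235, 3128)
        # Transparent proxy, naive: asking about the proxy's own listening port fails,
        # because the workstation knows the intercepted connection as dport 80.
        naive = ident_query("127.0.0.1", port, 51234, 3128)
        # Transparent proxy, correct: query with the original destination port, which
        # the proxy can only recover from the NAT table when NAT runs on its own box.
        correct = ident_query("127.0.0.1", port, 51234, 80)
        return explicit, naive, correct
    finally:
        stop.set()


if __name__ == "__main__":
    print(demo())
```

The middle lookup in `demo()` is the NAT problem from the thread in miniature: the identd matches on the port pair the client's kernel sees, so a proxy that does not know the original destination port gets NO-USER, not the wrong user. The last lookup is what Squid can do once the NAT translation happens on the Squid host. Note that even the successful answer is only as trustworthy as the identd on the client, which is the point of the "no such thing as ident authentication" remark above.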