Re: [squid-users] handling Proxy-Authorization field

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 20 Aug 2013 00:20:19 +1200

On 19/08/2013 10:20 p.m., Attila Gömbös wrote:
> Hi guys!
>
> I have the following setup:
>
> LAN -> UTM firewall with transparent proxy -> Squid -> WAN
>
> The UTM is taking care of user authentication (SSO).

Meaning it is not transparent. Transparent proxies *cannot* do
authentication.
The reason is very simple:
http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Why_can.27t_I_use_authentication_together_with_interception_proxying.3F

At most a transparent proxy can do two things:
1) IP-based *authorization*. Which may also be based on request
fingerprint details other than IP address, such as custom headers,
Cookies, User-Agent, etc.
  But notice that none of this involves user credentials being validated
by the proxy.

2) spying on credentials delivered to other software.
  But notice that it prohibits being able to challenge for one when they
are absent, and requires the proxy to be *able* to decrypt any
credentials token delivered. Schemes such as Digest, NTLM or Kerberos
(and some forms of OAuth) are designed to protect credentials against
such interception.

> I need to pass
> the user ID to Squid. We need to have AD-group based rules on Squid as
> well.
>
> But the UTM is able to add only this field to the HTTP request:
>
> Proxy-Authorization: Basic YmlnYm9zczptYW5hZ2VtZW50
>
> So there is only username and group membership in the header.

There should be no group membership in there. It is supposed to be
username:password with a simple easily decrypted encoding.
The purpose of that is to have the Squid validate that user "bigboss"
knows their password is "management" and probably who they claim to be.
Once that is confirmed the group check is a simple lookup in your local
account database for extra data about "bigboss".

> How can I make Squid trust and handle this properly?

Since your Squid is not the proxy doing interception you can use any of
the proxy authentication features of Squid. auth_param helpers can
validate the credentials delivered by UTM, and the external ACL helpers
doing group checks should all work for finding the groups associated
with those credentials.

Amos
Received on Mon Aug 19 2013 - 12:20:24 MDT

This archive was generated by hypermail 2.2.0 : Tue Aug 20 2013 - 12:00:05 MDT
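The two-step flow Amos describes, decoding the Basic token, validating the credentials, then looking up groups, as an added Python illustration (not code from this thread and not Squid's own helper code). The account table is constructed for the example, and the OK/ERR verdicts mimic what a Squid auth or external ACL helper would answer.

```python
import base64
import binascii
import hmac

# Constructed local account store: username -> password and group set.
# Illustrative only; a real deployment would query AD/LDAP instead.
ACCOUNTS = {
    "bigboss": {"password": "management", "groups": {"managers", "staff"}},
    "alice": {"password": "wonderland", "groups": {"staff"}},
}


def parse_basic_proxy_auth(header_value):
    """Decode a 'Proxy-Authorization: Basic <token>' value into (user, password).

    Returns None for other schemes (Digest, NTLM, Negotiate): their tokens
    are not a reversible encoding of the password, so a proxy that merely
    observes them cannot recover credentials. Basic is plain base64, which
    is an encoding, not encryption: anyone who sees the header has the password.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # RFC 7617: split at the first colon
    if not sep or not user:
        return None
    return user, password


def check_credentials(user, password):
    """Step 1 (auth_param helper role): does the user know their password?"""
    account = ACCOUNTS.get(user)
    if account is None:
        return False
    return hmac.compare_digest(account["password"].encode(), password.encode())


def groups_for(user):
    """Step 2 (external ACL helper role): group lookup, only after step 1 passed."""
    return ACCOUNTS[user]["groups"]


def authorize(header_value, required_group):
    """Squid-style verdict: OK only if credentials validate and the group matches."""
    creds = parse_basic_proxy_auth(header_value)
    if creds is None or not check_credentials(*creds):
        return "ERR"
    return "OK" if required_group in groups_for(creds[0]) else "ERR"
```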