[squid-users] Authentication\Authorization using a PAC file?
Jason Haar
Jason_Haar at trimble.com
Mon Nov 24 20:06:02 UTC 2014
On 24/11/14 23:25, Eliezer Croitoru wrote:
> I do know that pac files contains some form of JS and in the past I
> have seen couple complex PAC files but unsure about the options.
> I want to know if a PAC file can be used for
> Authentication\Authorization, maybe even working against another
> external system to get a token?
I think you are confusing proxy authentication with WPAD/PAC files. WPAD
knows nothing about proxy authentication: browsers do
ie you use WPAD to tell browsers where/if they need to use a proxy and
under what circumstances, and when they then attempt to do so, the
BROWSER will have to respond to authentication issues surrounding
authentication proxies.
BTW, I'm sorry I didn't keep the link, but just a few days ago I was
reading a Microsoft technet article about requiring authentication to
access the actual WPAD/PAC file, and Microsoft said it was "sort of"
supported for some versions of MSIE, but that they recommend WPAD never
be placed behind an authenticating web server because it causes
problems... ie don't protect the WPAD data, protect the proxies the WPAD
points at
BTW, over the weekend I was playing with using WPAD to enable users to
access our squid proxy *over the Internet*. Firefox and Chrome now
support proxy-over-SSL, so I was looking at creating WPAD DNS records on
the Internet to point to an Internet-based proxy server so that our
people could interact with the Internet "safely" (ie with content
filtering including AV). Obviously an open proxy on the Internet isn't a
sane option, so it had authentication enabled, but then I discovered
Chrome doesn't allow you to "save password" for proxy authentication (at
least over SSL, didn't try over "raw"). That sort of put an end to that
experiment, as I was anticipating a standalone account database with
randomly generated 20char passwords :-)
--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
More information about the squid-users
mailing list