[squid-users] Captive Portal authentication in Intercept mode

Amos Jeffries squid3 at treenet.co.nz
Fri Mar 13 09:24:55 UTC 2015

On 13/03/2015 10:10 p.m., James Harper wrote:
>> Hey,
>> I have written a basic idea with a php "login portal" that can be seen at:
>> http://wiki.squid-cache.org/EliezerCroitoru/SessionHelper/
>> http://wiki.squid-cache.org/EliezerCroitoru/SessionHelper/Conf
>> http://wiki.squid-cache.org/EliezerCroitoru/SessionHelper/PhpLoginExample
>> http://wiki.squid-cache.org/EliezerCroitoru/SessionHelper/Python
>> http://wiki.squid-cache.org/EliezerCroitoru/SessionHelper/SplashPageTemplate
>> The idea is an IP session based login.
>> The user actively needs to log in and it will log in the user's IP address.
>> The helper(s) logic is based on time since the last user login.
>> This idea can be used as a sketch for more advanced options with a portal.
>> There are other better ways to implement this idea and one of them is
>> using a radius server.
>> As you noticed there is no way to directly authenticate a proxy in
>> intercept mode.
>> Maybe someone out there has been thinking about a way to do such a
>> thing but it is yet to be possible with squid.
> If you could do NTLM auth at your portal page then the user might never even notice that authentication took place...
> You'd need to do some sort of browser detection though - browsers could handle such authentication, but programs phoning home or otherwise using web services would hate it.

That auth trick is usable for any kind of HTTP auth the client software
supports, e.g. Basic auth for the automated tools usually. It's just
authenticating to the portal web server. As long as the portal's not
trying to do auth with the intercepted traffic it's fine.

FYI: NTLM is probably amongst the worst ways to do it given all the
nastiness that has to take place for NTLM to "work".
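
The IP-session idea from the quoted message (the portal records a login per client address, and a Squid helper allows that address until a time limit since the last login has passed), as an added example that is not code from the wiki pages linked above or from the Squid project. It assumes a non-concurrent external ACL helper that receives the client address (`%SRC`) on each input line; the SQLite file, `SESSION_TTL` and all function names are hypothetical.

```python
import ipaddress
import sqlite3
import sys
import time

SESSION_TTL = 3600  # assumed: seconds a login stays valid

def open_store(path):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS sessions "
               "(ip TEXT PRIMARY KEY, user TEXT NOT NULL, login_at REAL NOT NULL)")
    return db

def normalize_ip(text):
    """Return the canonical form of an IP address, or None if malformed."""
    try:
        return str(ipaddress.ip_address(text.strip()))
    except ValueError:
        return None

def record_login(db, ip, user, now=None):
    """Called by the portal after it has authenticated the user itself."""
    ip = normalize_ip(ip)
    if ip is None or not user.isalnum():  # refuse names that could inject reply fields
        return False
    db.execute("INSERT OR REPLACE INTO sessions VALUES (?, ?, ?)",
               (ip, user, time.time() if now is None else now))
    db.commit()
    return True

def answer(db, line, now=None):
    """Build the helper reply for one request line holding the client IP."""
    ip = normalize_ip(line)
    if ip is None:
        return "ERR"  # malformed input never matches a session
    now = time.time() if now is None else now
    row = db.execute("SELECT user, login_at FROM sessions WHERE ip = ?",
                     (ip,)).fetchone()
    if row is None or now - row[1] > SESSION_TTL:
        return "ERR"  # never logged in, or the last login is too old
    return "OK user=" + row[0]

def main():
    db = open_store(sys.argv[1] if len(sys.argv) > 1 else "sessions.db")
    for line in sys.stdin:
        print(answer(db, line), flush=True)  # Squid expects one unbuffered reply per line

if __name__ == "__main__":
    main()
```

Because the session key is the source address, every client sharing that address (for example behind NAT) is covered by a single login.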

