[squid-users] Multiple auth schemes in a single Squid instance
Amos Jeffries
squid3 at treenet.co.nz
Wed Oct 5 14:05:59 UTC 2016
On 6/10/2016 12:09 a.m., john jacob wrote:
> Hi All,
>
> We have a requirement to use the same Squid instance for Basic and NTLM
> authentication to serve various customer groups (may not be on different
> network sections). The customer groups which are using Basic authentication
> (for legacy reasons) should not receive NTLM scheme and the customer groups
> which use NTLM should not receive Basic scheme.
You seem to be implying that Basic auth is somehow worse than NTLM. In
fact NTLM is the least secure of the two by a thin line. Both are almost
equally bad to use anytime in the past decade.
You should really be considering both those to be nasty legacy and
moving on to Negotiate/Kerberos as much as possible.
> I couldn't find a way to
> implement this using the existing Squid 4.x config options. So I am
> thinking of introducing a new config parameter called "endpoints" like
> below.
>
> auth_param basic endpoints ipofBasic portofBasic # Default is "endpoints
> all"
>
> auth_param ntlm endpoints ipofNTLM portofNTLM # Default is "endpoints all"
>
> acl ipofBasic localip 192.168.4.2
> acl portofBasic localport 3129 3139
>
> acl ipofNTLM ipofNTLM 192.168.4.2
> acl portofNTLMlocalport 3149 3159
>
>
> The idea is ,if Squid recieves a request on an endpoint on which only basic
> authentication is needed (ie 192.168.4.2:3129 and192.168.4.2:3139), NTLM
> will not be presented to the client/browser. Vice versa for NTLM. If no
> endpoints is configured , then the existing behavior will be applied.
>
> Do you think this is reasonable and is there are any obvious problems with
> this?. If you find this useful, I am happy to contribute back when I finish
> implementing this module (I haven't yet started developing).
The HTTP framework is negotiated thusly:
the proxy offers what it supports,
the client tries the most secure credential type it has access to,
the proxy says whether that is acceptible or to try again.
.. repeat as necessary until either a success or no more credentials
are known - in which case ask the user with popup(s).
When that framework is used properly the clients with NTLM will try that
and the ones without will try Basic.
Squid-3.5 and later have the "auth_param ... key_extras ..." option that
can take extra parameters for the auth helper to use when it decides if
the credentials are valid.
I suggest you try making your self a script that takes the client IP as
one of those extra parameters; returning ERR if the IP is not allowed to
use the type of auth or relays the lookup on to your real auth helper if
it is allowed.
Amos
More information about the squid-users
mailing list