[squid-users] Secure basic authentication on Squid

Amos Jeffries squid3 at treenet.co.nz
Mon Dec 4 17:05:45 UTC 2017


On 05/12/17 04:42, Colle Christophe wrote:
> Hello!
> 
> I am currently using Squid for internet access. Currently, "basic" 
> authentication on an LDAP directory is configured to identify users. The 
> problem is that the password is sent in clear (base64) and I am looking 
> for a solution to secure it.
> 
> I tested the "Digest" mode, but the result is inconclusive because you 
> have to modify the LDAP directory with an attribute containing the hash 
> of the password. The directory can not be modified in our case.

Should not have to. The helper should be able to treat the LDAP as 
containing the username+password in clear text and do all the hashing 
itself as needed.

(NP: I'm not sure why some of the documentation for digest_ldap_auth 
says "(REQUIRED)" on the -e option. It is an option because you get to 
choose whether it is done that way or not.)


> 
> Is there a solution to secure the "basic" authentication of squid? (with 
> an SSL certificate for example).

Plain text username+password is what "Basic" means. There are ways to 
secure the credentials values by using one-time passwords but it is very 
rare for client software to support that kind of thing. Normally they 
only support the standard Basic credentials.


"Digest" is an entirely different authentication protocol which has 
several modes of use from very weak to reasonably strong security. 
Though in my experience Browsers screw up quite often with the strong 
security mode.


"SSL certificate" - if by that you mean TLS client certificates, that is 
part of TLS and has nothing to do with HTTP. Squid does support those for 
securing TLS connections to the proxy, but I'm not sure how well using 
them as user credentials works.

Amos
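The two points Amos makes above (Basic is just base64 of the clear-text password, and a Digest helper only ever needs HA1 = MD5(user:realm:password), which it can compute itself from a clear-text directory password instead of reading a pre-hashed attribute) can be seen directly in code. The following is an added example, not code from the thread or from Squid: it decodes a constructed Basic credential, then plays both the client side and the helper side of an RFC 2617 Digest exchange with qop=auth. The in-memory DIRECTORY, REALM, nonce/cnonce values and the helper wire format (Squid sending "user":"realm" and expecting OK ha1="<hex>" or ERR back, as Squid 3.x digest helpers do) are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-ins (not from the original post).
REALM = "Squid proxy"
DIRECTORY = {"alice": "s3cret", "bob": "hunter2"}   # clear-text, like the LDAP directory in the question


def decode_basic(header_value):
    """Recover user and password from 'Basic <base64>'.

    Base64 is an encoding, not encryption: anyone who sees the header
    (or a log line containing it) gets the password back verbatim.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password). This is the only secret the Digest
    verifier needs. A helper can derive it on the fly from a clear-text
    password (the case Amos describes) or read it pre-computed from the
    directory (what digest_ldap_auth's -e option is for)."""
    return _md5hex(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth. The password itself never goes on the wire."""
    ha2 = _md5hex(f"{method}:{uri}")
    return _md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_digest_header(user, realm, password, method, uri, nonce, nc, cnonce):
    """Client side: what a browser sends back after a Digest challenge (constructed)."""
    resp = digest_response(digest_ha1(user, realm, password), method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def parse_digest(header_value):
    """Split a Digest credential into its key=value fields (quoted or bare)."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    fields = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def verify_digest(header_value, method, ha1):
    """Proxy side: recompute the response from HA1 and compare in constant time.
    Only qop=auth is handled here; auth-int would also hash the body."""
    f = parse_digest(header_value)
    if f.get("qop", "auth") != "auth":
        return False
    expected = digest_response(ha1, method, f["uri"], f["nonce"], f["nc"], f["cnonce"])
    return hmac.compare_digest(expected, f["response"])


def digest_helper_line(request_line, directory=DIRECTORY):
    """Emulate one round of a Squid digest helper that holds clear-text passwords.
    Assumed wire format: Squid writes "user":"realm", helper answers
    OK ha1="<hex>" or ERR. The hashing happens here, not in the directory."""
    m = re.fullmatch(r'"([^"]*)":"([^"]*)"\s*', request_line)
    if not m:
        return 'ERR message="malformed request"'
    user, realm = m.group(1), m.group(2)
    password = directory.get(user)
    if password is None:
        return "ERR"
    return f'OK ha1="{digest_ha1(user, realm, password)}"'


def ha1_from_helper_reply(reply):
    """Pull the HA1 hex string out of an OK ha1="..." reply, or None on ERR."""
    m = re.fullmatch(r'OK ha1="([0-9a-f]{32})"', reply)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Basic: the constructed capture decodes straight back to alice / s3cret.
    print(decode_basic("Basic YWxpY2U6czNjcmV0"))
    # Digest: client answers a challenge, helper derives HA1, proxy verifies.
    hdr = build_digest_header("alice", REALM, "s3cret", "GET", "http://example.org/",
                              "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b")
    ha1 = ha1_from_helper_reply(digest_helper_line('"alice":"Squid proxy"'))
    print(verify_digest(hdr, "GET", ha1))
```

The helper never needs a hashed attribute in the directory: given the clear-text password it produces the same HA1 that a pre-hashed attribute would hold, which is why -e is a choice rather than a requirement. Note that HA1 is still MD5 of the password, so whoever can read it from the directory can impersonate the user for that realm; the gain over Basic is that the password is not exposed on the wire or in proxy logs.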

