[squid-users] Secure basic authentication on Squid

Alex Rousskov rousskov at measurement-factory.com
Mon Dec 4 17:57:24 UTC 2017


On 12/04/2017 10:05 AM, Amos Jeffries wrote:
> On 05/12/17 04:42, Colle Christophe wrote:
>> I am currently using Squid for internet access. Currently, "basic"
>> authentication on an LDAP directory is configured to identify users.
>> The problem is that the password is sent in clear (base64) and I am
>> looking for a solution to secure it.

>> Is there a solution to secure the "basic" authentication of squid?
>> (with an SSL certificate for example).


> Plain text username+password is what "Basic" means.

One can have HTTP Basic authentication inside a TLS connection.

There are several mostly independent pieces here:

1. Basic authentication:

S1. Squid definitely supports HTTP Basic authentication. That code works
in production.

B1. Popular browsers definitely support HTTP Basic authentication.


2. HTTPS proxy:

S2. Squid definitely supports TLS connections between an HTTP browser
and Squid. That code works in production. It can be tested using modern
cURL command line tool versions:
https://daniel.haxx.se/blog/2016/11/26/https-proxy-with-curl/

B2. Popular browsers claim to support TLS connections to HTTP proxies,
but that support is difficult to enable in the browser. Please do not
confuse this support with CONNECT requests. HTTP CONNECT is about TLS
connections to origin servers, not proxies.


3. TLS client certificate authentication:

S3. Squid also supports authentication based on TLS client certificates.
AFAIK, that code works in production.

B3. I do not know whether popular browsers support sending TLS client
certificates, but I would expect that at least some of them do.


Combining the above pieces:

Squid probably supports the combination of S1 and S2. I would not be
surprised if the combination of S1, S2, and S3 also works.

Popular browsers should support the combination of B1 and B2. If they
do, then I would expect them to support the combination of B1, B2, and B3.


Alex.
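
The S1 + S2 combination described above, as a squid.conf sketch. This is an added example, not part of the original post or of the Squid project's documentation; it assumes a Squid 4 or later build with TLS support, and the hostnames, file paths, port numbers and LDAP base DN are placeholders.

```conf
# Option names are the Squid 4+ spellings; Squid 3.5 uses cert= and key=.
# All hostnames, paths, ports and the base DN are placeholders.

# Weak: plain-text proxy port. With Basic authentication every request
# carries "Proxy-Authorization: Basic <base64(user:password)>" in the clear
# between the browser and Squid.
# http_port 3128

# S2: clients open a TLS connection to Squid itself, so the Basic header
# travels inside the encrypted channel. Needs a Squid build with TLS support.
https_port 3129 tls-cert=/etc/squid/proxy.crt tls-key=/etc/squid/proxy.key

# S1: Basic authentication checked against the LDAP directory.
# The helper binds to LDAP with the user's password, so that leg is
# protected as well here by using an ldaps:// URI.
auth_param basic program /usr/lib/squid/basic_ldap_auth -b "dc=example,dc=com" -f "uid=%s" -H ldaps://ldap.example.com
auth_param basic realm Internet proxy

# Require valid credentials for all proxy traffic.
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all

# Check from a client with a recent curl (see the blog post linked above);
# proxy-ca.pem is the CA that signed the proxy certificate:
#   curl --proxy https://proxy.example.com:3129 --proxy-cacert proxy-ca.pem \
#        --proxy-user alice https://www.example.org/
```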

