[squid-users] Squid as Kerberos client?

Patrick Nick peedee.nick at gmail.com
Wed Mar 14 22:01:57 UTC 2018


It consumes the data for its graphs from a REST API via HTTP, on ports in
the 8000-9000 range.

On Wed, Mar 14, 2018 at 8:43 PM, Enrico Heine <flashdown at data-core.org>
wrote:

> Which protocols and ports is that GUI tool using for what it's doing with
> its remote endpoint that requires Kerberos authentication?
>
> On 14 March 2018 at 19:27:48 CET, Patrick Nick <peedee.nick at gmail.com>
> wrote:
>>
>> Hi Enrico,
>>
>> You write
>>
>>> But squid cannot authenticate those requests on the destination server
>>> if it needs authentication as well.
>>
>>
>> So how do I make it NOT need authentication?
>> I want it to authenticate the request on behalf of the client, so that my
>> client app does not need to authenticate.
>> Squid can use the keytab that I give it for that.
>>
>>
>> On Wed, Mar 14, 2018 at 7:22 PM, Enrico Heine <flashdown at data-core.org>
>> wrote:
>>
>>> Hi,
>>>
>>> Easy going, you can allow traffic from a specific source or traffic to a
>>> specific destination before you require authentication on the proxy. You
>>> can also restrict it to both, src and destination and additionally specific
>>> ports. But squid cannot authenticate those requests on the destination
>>> server if it needs authentication as well.
>>>
>>> Best regards,
>>> Enrico
>>>
>>>
>>> On 14 March 2018 at 18:58:54 CET, Patrick Nick <
>>> peedee.nick at gmail.com> wrote:
>>>>
>>>> Hello list,
>>>>
>>>> We are in the process of Kerberizing our Big Data operation, but we
>>>> have a GUI tool in use that is not capable of Kerberos authentication. I'm
>>>> looking for a way to keep using it, which means that it needs to read data
>>>> from a Kerberos-protected service.
>>>>
>>>> To be clear, I'm looking for a proxy that will take care of the
>>>> authentication so that our GUI tool does not need to know. It should
>>>> "enrich" the client's "dumb" request to an authenticated request. This
>>>> lowers security of course, but I will use other means to make sure that
>>>> only that app can talk to the proxy on the network.
>>>>
>>>> I looked into nginx but didn't find a way to do what I want.
>>>>
>>>> Can squid do this?
>>>> I've been trying some configs according to
>>>> https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos, but
>>>> it seems that it always wants to pass the "negotiate" request to the
>>>> client, which I'm trying to avoid.
>>>>
>>>
>>> --
>>> This message was sent from my Android device with K-9 Mail.
>>>
>>
>>
> --
> This message was sent from my Android device with K-9 Mail.
>
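
The rule ordering Enrico describes in the quoted reply (allow one source, destination and port range before proxy authentication is required), as an added squid.conf example that is not part of the original thread. The addresses, helper path and service principal are placeholders chosen for illustration; the 8000-9000 range is the one named in this message.

```conf
# Added example, not from the thread. All addresses and names are placeholders.

# The single host running the GUI tool (assumed address).
acl gui_client src 192.0.2.10/32

# The REST API endpoint the tool reads from (assumed address).
acl rest_api dst 198.51.100.20/32

# Port range the tool uses, as stated in the thread.
acl rest_ports port 8000-9000

# Kerberos (Negotiate) authentication for every other proxy user.
# Helper path and principal vary by distribution and realm (assumed here).
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl kerb_users proxy_auth REQUIRED

# http_access rules are evaluated top to bottom and the first match wins.
# All three ACLs on this line must match, so the exemption covers only
# this client talking to this endpoint on these ports.
http_access allow gui_client rest_api rest_ports

# Everything else must pass Negotiate authentication at the proxy.
http_access allow kerb_users
http_access deny all
```

This only exempts the GUI host from authenticating to the proxy. As stated in the quoted reply, it does not make Squid authenticate the request on the destination server.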