<html><head></head><body><div style="color:#000; background-color:#fff; font-family:Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:13px"><div id="yui_3_16_0_ym19_1_1493768930460_4204"><span>This is in response to:</span></div><div id="yui_3_16_0_ym19_1_1493768930460_4204"><span><br></span></div><div id="yui_3_16_0_ym19_1_1493768930460_4204"><span>"</span><span style="font-family: "Courier New"; white-space: pre-wrap;" id="yui_3_16_0_ym19_1_1493768930460_4332">There is another option if you don't have any issue to allow a certain public IP address access to your network you can use some kind of portal which will allow based on a SSL(even with self signed certificate) the "session" access to the service."</span></div><div id="yui_3_16_0_ym19_1_1493768930460_4204"><span style="font-family: "Courier New"; white-space: pre-wrap;"><br></span></div><div id="yui_3_16_0_ym19_1_1493768930460_4204" dir="ltr">I didn't receive the email so couldn't reply directly. </div><div id="yui_3_16_0_ym19_1_1493768930460_4204" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1493768930460_4204" dir="ltr">I'm pretty happy with digest auth as I think that is likely secure enough. The proxy is working, mostly. However, I'm having trouble with two things:</div><div id="yui_3_16_0_ym19_1_1493768930460_4204" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1493768930460_4204" dir="ltr">1. I'm not able to figure out what goes into squid.conf to allow SSH through proxy. My SSH server is on a non-standard port above 1024, and as I understand, squid.conf has to account for this. I have references to (ssh_port) and have the CONNECT method enabled (I believe) but I'm not sure if this is correct. 
I'm certainly not able to SSH thru it:</div><div id="yui_3_16_0_ym19_1_1493768930460_4204" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1493768930460_4204" dir="ltr"><br id="yui_3_16_0_ym19_1_1493768930460_5292"></div><div dir="ltr" id="yui_3_16_0_ym19_1_1493768930460_4706">auth_param digest program /usr/lib/squid/digest_file_auth -c /etc/squid/passwd</div><div dir="ltr" id="yui_3_16_0_ym19_1_1493768930460_4706">auth_param digest realm the_zone<br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1493768930460_4707">auth_param digest children 2<br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1493768930460_4708">acl auth_users proxy_auth REQUIRED<br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1493768930460_4711">acl SSL_ports port (ssh_port)<br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1493768930460_4714">acl Safe_ports port (ssh_port)<br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1493768930460_4714">acl SSL_ports port 443<br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1493768930460_5009">acl Safe_ports port 80 # http</div><div dir="ltr" id="yui_3_16_0_ym19_1_1493768930460_5010">acl Safe_ports port 21 # ftp</div><div dir="ltr" id="yui_3_16_0_ym19_1_1493768930460_5011">acl Safe_ports port 443 # https</div><div dir="ltr" id="yui_3_16_0_ym19_1_1493768930460_5012">acl Safe_ports port 70 # gopher</div><div dir="ltr" id="yui_3_16_0_ym19_1_1493768930460_5013">acl Safe_ports port 210 # wais</div><div dir="ltr" id="yui_3_16_0_ym19_1_1493768930460_5014">acl Safe_ports port 1025-65535 # unregistered ports</div><div dir="ltr" id="yui_3_16_0_ym19_1_1493768930460_5015">acl Safe_ports port 280 # http-mgmt</div><div dir="ltr" id="yui_3_16_0_ym19_1_1493768930460_5016">acl Safe_ports port 488 # gss-http</div><div dir="ltr" id="yui_3_16_0_ym19_1_1493768930460_5017">acl Safe_ports port 591 # filemaker</div><div dir="ltr" id="yui_3_16_0_ym19_1_1493768930460_5018">acl Safe_ports port 777 # multiling http</div><div dir="ltr" id="yui_3_16_0_ym19_1_1493768930460_4714">acl CONNECT method 
CONNECT<br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1493768930460_4714">http_access deny !Safe_ports<br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1493768930460_5171">http_access deny CONNECT !SSL_ports</div><div dir="ltr" id="yui_3_16_0_ym19_1_1493768930460_4714">http_access allow auth_users<br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1493768930460_4723">http_access allow all<br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1493768930460_4724">http_port (proxy_port)<br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1493768930460_4727">cache deny all<br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1493768930460_4730">access_log none<br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1493768930460_4731"><br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1493768930460_4732"><br id="yui_3_16_0_ym19_1_1493768930460_4733"></div><div dir="ltr" id="yui_3_16_0_ym19_1_1493768930460_4732"><br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1493768930460_4732">2. I am no longer able to start squid in Ubuntu by using "service squid start". This used to work, but it gives no error; it appears to immediately execute, but it's not running as a process. 
However, if I run "squid -N -d 1 -D", it runs with no complaints.</div><div dir="ltr" id="yui_3_16_0_ym19_1_1493768930460_4732"><br></div><div id="yui_3_16_0_ym19_1_1493768930460_4204" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1493768930460_4204" dir="ltr"><br></div><div class="qtdSeparateBR" id="yui_3_16_0_ym19_1_1493768930460_4225"><br></div><div class="yahoo_quoted" id="yui_3_16_0_ym19_1_1493768930460_4578" style="display: block;"> <div style="font-family: Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 13px;" id="yui_3_16_0_ym19_1_1493768930460_4577"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;" id="yui_3_16_0_ym19_1_1493768930460_4576"> <div dir="ltr" id="yui_3_16_0_ym19_1_1493768930460_4667"> <font size="2" face="Arial" id="yui_3_16_0_ym19_1_1493768930460_4668"> <hr size="1"> <b><span style="font-weight:bold;">From:</span></b> Eliezer Croitoru &lt;eliezer@ngtech.co.il&gt;<br> <b><span style="font-weight: bold;">To:</span></b> 'j m' &lt;acctforjunk@yahoo.com&gt;; squid-users@lists.squid-cache.org <br> <b><span style="font-weight: bold;">Sent:</span></b> Monday, May 1, 2017 3:30 PM<br> <b><span style="font-weight: bold;">Subject:</span></b> RE: [squid-users] Tutorial for better authentication than basic<br> </font> </div> <div class="y_msg_container" id="yui_3_16_0_ym19_1_1493768930460_4575"><br><div dir="ltr" id="yui_3_16_0_ym19_1_1493768930460_4574">And what about digest authentication?<br clear="none"><br clear="none">----<br clear="none"><a shape="rect" href="http://ngtech.co.il/lmgtfy/" target="_blank">http://ngtech.co.il/lmgtfy/</a><br clear="none">Linux System Administrator<br clear="none">Mobile: +972-5-28704261<br clear="none">Email: <a shape="rect" ymailto="mailto:eliezer@ngtech.co.il" href="mailto:eliezer@ngtech.co.il" id="yui_3_16_0_ym19_1_1493768930460_4666">eliezer@ngtech.co.il</a><br clear="none"><br clear="none"><div class="yqt6648522558"
id="yqtfd34939"><br clear="none">From: squid-users [mailto:<a shape="rect" ymailto="mailto:squid-users-bounces@lists.squid-cache.org" href="mailto:squid-users-bounces@lists.squid-cache.org" id="yui_3_16_0_ym19_1_1493768930460_5186">squid-users-bounces@lists.squid-cache.org</a>] On Behalf Of j m<br clear="none">Sent: Monday, May 1, 2017 4:18 PM<br clear="none">To: <a shape="rect" ymailto="mailto:squid-users@lists.squid-cache.org" href="mailto:squid-users@lists.squid-cache.org" id="yui_3_16_0_ym19_1_1493768930460_4665">squid-users@lists.squid-cache.org</a><br clear="none">Subject: [squid-users] Tutorial for better authentication than basic<br clear="none"><br clear="none">I'm using Ubuntu 16.04 Server in the home and would like to set up a proxy server for use from over the Internet. The main purpose for this is to easily access a few web-devices on my LAN without using VPN, and at times to route web traffic from a remote location through my home ISP. I do not need nor want any caching or filtering.<br clear="none"><br clear="none">I previously used Tinyproxy and that did the job, but it had no authentication whatsoever. I have basic authentication working on squid 3.5, where it asks for the username and password, but I believe this login is sent in clear text. I've done some research and found squid supports various better methods, such as kerberos, ntlm, smb, etc. However, while I'm able to install Linux and set up various things, I'm struggling with this authentication aspect. I have a suspicion some of these methods will not work well because they rely on other services (such as SMB) and may require opening more ports on my router, something I'm not crazy about.<br clear="none"><br clear="none">Amos previously suggested client cert auth, but I'm not sure how to set this up. 
Are there any other secure auth methods that would work well over the Internet and are fairly simple to configure?<br clear="none"><br clear="none">In any case, can anyone point me to an online tutorial somewhere (for an authentication newbie) that outlines how this is done?<br clear="none"></div></div><br><br></div> </div> </div> </div></div></body></html>