<div dir="auto">What i was talking about is using both the auth helper and the external ack helper.<div dir="auto">The password is static but the authorization itself is done via some push or another totp method that will authorize the login for a specific amount of time.</div><div dir="auto">And indeed it will kind of degrade the connection to 1fa for a period of time, but, it will protect against couple specific attacks.</div><div dir="auto">So, if the proxy connection is encrypted inside a tunnel then it's ok.</div><div dir="auto"><br></div><div dir="auto">As for a directly accessible proxy over plain http, it will be vulnerable to many auth attacks..</div><div dir="auto"><br></div><div dir="auto">Thanks,</div><div dir="auto">Eliezer </div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">בתאריך יום ב׳, 3 בפבר׳ 2025, 7:10, מאת Amos Jeffries <<a href="mailto:squid3@treenet.co.nz">squid3@treenet.co.nz</a>>:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 3/02/25 00:43, NgTech LTD wrote:<br>
> What would make a 2fa in squid case?<br>
> <br>
<br>
<br>
When receiving a new login attempt the authentication (auth_param) <br>
helper should initiate whatever side-channel token delivery is needed. <br>
Then return "ERR" to Squid as usual.<br>
<br>
<br>
Replace the login challenge error message with a login page to receive <br>
that token and deliver it to a server that marks the client as logged <br>
in. (Both ERR_ACCESS_DENIED and ERR_CACHE_ACCESS_DENIED. Either new <br>
templates or a deny_info 401/407 - I'm not sure which will work best)<br>
<br>
<br>
Somewhat like how the SQL_session helper works in "active mode" session, <br>
but through the auth_param helpers instead of external ACL sessions.<br>
<br>
<br>
HTH<br>
Amos<br>
<br>
<br>
> Thanks,<br>
> Eliezer<br>
> <br>
> בתאריך יום א׳, 2 בפבר׳ 2025, 13:22, מאת Amos Jeffries <br>
> <<a href="mailto:squid3@treenet.co.nz" target="_blank" rel="noreferrer">squid3@treenet.co.nz</a> <mailto:<a href="mailto:squid3@treenet.co.nz" target="_blank" rel="noreferrer">squid3@treenet.co.nz</a>>>:<br>
> <br>
> On 2/02/25 07:43, ngtech1ltd wrote:<br>
> > Hey,<br>
> ><br>
> > I was wondering if anyone have implemented any 2FA with squid.<br>
> ><br>
> > IE a simple forward proxy that implements an external ACL helper<br>
> that<br>
> <br>
> Ah, that would not be "authentication".<br>
> <br>
> <br>
> 2FA is done through Squid auth_param and authentication helpers same as<br>
> "normal" (1FA) authentication. It is just a slightly different bunch of<br>
> steps the auth system performs in the background outside of Squid.<br>
> <br>
> <br>
> Cheers<br>
> Amos<br>
> <br>
> _______________________________________________<br>
> squid-users mailing list<br>
> <a href="mailto:squid-users@lists.squid-cache.org" target="_blank" rel="noreferrer">squid-users@lists.squid-cache.org</a> <mailto:<a href="mailto:squid-users@lists.squid-" target="_blank" rel="noreferrer">squid-users@lists.squid-</a><br>
> <a href="http://cache.org" rel="noreferrer noreferrer" target="_blank">cache.org</a>><br>
> <a href="https://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer noreferrer" target="_blank">https://lists.squid-cache.org/listinfo/squid-users</a> <https://<br>
> <a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer noreferrer" target="_blank">lists.squid-cache.org/listinfo/squid-users</a>><br>
> <br>
> <br>
> _______________________________________________<br>
> squid-users mailing list<br>
> <a href="mailto:squid-users@lists.squid-cache.org" target="_blank" rel="noreferrer">squid-users@lists.squid-cache.org</a><br>
> <a href="https://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer noreferrer" target="_blank">https://lists.squid-cache.org/listinfo/squid-users</a><br>
<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank" rel="noreferrer">squid-users@lists.squid-cache.org</a><br>
<a href="https://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer noreferrer" target="_blank">https://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div>