[squid-users] Is there a way to allow connection according to user certificate?

Amos Jeffries squid3 at treenet.co.nz
Fri May 6 05:02:41 UTC 2016


On 6/05/2016 4:07 a.m., Ser de Bronce wrote:
> Yuri,
> 
>> But this is the default behaviour for proxy with auth
> 
> I didn't know that.
> Initially I tested on iPhone using wi-fi connection and as I said earlier
> there are wi-fi proxy settings on iPhone so user should type them only once
> and then each browser and app works without asking login/pass.

Well, Yuri is only half-right there. It is and it isn't.

The browser initial request may or may not have credentials (secure clients
do not send any up front, insecure clients do). If it doesn't the proxy
responds with a 407 requesting them.

The browser then is expected to find some. How is left up to the browser
- but the expectation is that it will try the APN assigned credentials
and/or its own credentials store *before* bothering the user with a popup.



> 
>> I still do not understand the purpose for which authentication is
>> required?
> 
> This proxy will be available from anywhere, but I need to prevent usage of
> this proxy by anyone, except my clients. This is the main purpose.
> I had a plan to give login and password to each client, but as I said
> earlier this is not possible because of user experience reasons.


That is a device/browser bug. The above described sequence should be
happening, but apparently isn't. Since it is the browser part of the
auth which is falling down there is very little Squid can do.
The few things Squid can do require all this happening over a LAN
environment and do not work across WAN / Internet connections.

Sounds like you are stuck between a rock and a hard place. I'm a bit
puzzled about how you expect APN settings to be pushed to devices
connected via another service provider across the Internet.


> Also I can't rely on MAC, IP or other indirect attributes.
> 
> So I try to find other ways to check if user who is connecting to proxy is
> my client or not.
> Right now I see only two ways here:
> 1) authentication by proxy server using certificates
> 2) authentication by some other server which accept certificates and then
> redirecting connections to proxy.
> 
> As I said I'm novice and didn't use proxy earlier. Maybe you know better
> solution.

No, those are your choices.

Amos
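As an added illustration of option 1) from the thread (not part of the original post, and not a configuration Amos supplied), the fragment below shows how a Squid 3.5 proxy can be made to accept only clients that present a certificate issued by the operator's own CA. The proxy has to listen with `https_port` rather than `http_port`, because a client certificate is only available on a TLS connection to the proxy; the file paths, port number and CN values are assumptions for the example.

```squidconf
# Added example: restrict proxy use to holders of a client certificate.
# All paths, the port and the CN values are assumed; adjust to your deployment.

# TLS listener for the proxy itself. clientca= makes Squid request a client
# certificate and names the acceptable issuing CA; cafile= is the CA used to
# verify it; NO_DEFAULT_CA keeps the system CA bundle out of the trust store,
# so a certificate from any public CA is not accepted.
https_port 3129 cert=/etc/squid/proxy-cert.pem key=/etc/squid/proxy-key.pem \
    clientca=/etc/squid/client-ca.pem cafile=/etc/squid/client-ca.pem \
    sslflags=NO_DEFAULT_CA

# ca_cert matches attributes of the CA that issued the client certificate.
acl issued_by_my_ca ca_cert CN example-client-ca

# user_cert matches attributes of the client certificate itself; here a
# single client (by its CN) is blocked, e.g. a device reported lost.
acl blocked_client user_cert CN client-0042

http_access deny blocked_client
http_access allow issued_by_my_ca
# Anyone without a certificate from our CA gets a 403 rather than a 407.
http_access deny all
```

The clients must be configured to reach the proxy over TLS (for example a PAC file returning `HTTPS proxy.example.net:3129` for Chrome or Firefox); a client that only supports a plain-HTTP proxy connection never presents a certificate and is denied by the final rule, so verify TLS-to-proxy support on each platform you intend to serve before relying on this approach.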


