[squid-users] Secure basic authentication on Squid

Jason Haar jason_haar at trimble.com
Wed Dec 6 06:01:23 UTC 2017


To reiterate Alex, "yes you can".

Squid supports "proxy over TLS" as well as the old/default "proxy over TCP"
- you use the https_port option

...but getting browsers to support it is challenging. The best way would be
to create a WPAD file that tells browsers to use "HTTPS" instead of
"PROXY". Then you can just use Proxy-Authentication using Basic and you'd
be all set. BTW, Basic has MAJOR performance benefits over any other form
of authentication IMHO. Basic over TLS is the way to go...


eg something like this

---------------- wpad.dat ----------

function FindProxyForURL(url, host)
{
  // see how I used 443? If you're going to run a TLS-encrypted proxy, make
  // it totally appear as a HTTPS server and run it on port 443...

  if (isPlainHostName(host) || dnsDomainIs(host, "localhost.localdomain")) {
    // unqualified and local names bypass the proxy
    return "DIRECT";
  } else if (isInNet(host, "127.0.0.0", "255.0.0.0") ||
             isInNet(host, "10.0.0.0", "255.0.0.0") ||
             isInNet(host, "172.16.0.0", "255.240.0.0") ||
             isInNet(host, "192.168.0.0", "255.255.0.0")) {
    // loopback and RFC 1918 destinations bypass the proxy
    return "DIRECT";
  } else {
    // everything else goes to the proxy over TLS
    return "HTTPS secure-squid.com:443";
  }
}


On Tue, Dec 5, 2017 at 5:13 AM, Colle Christophe <
christophe.colle at ac-nancy-metz.fr> wrote:

> Hi Anthony,
>
> Thank you for your answer.
>
> That this only secures the traffic Squid<->LDAP Server, not
> browsers<->Squid.
>
> Is there a solution to secure communication between the browser and the
> proxy?
>
>
> Chris.
>
> On 04/12/17 16:49, *Antony Stone* <Antony.Stone at squid.open.source.it>
> wrote:
>
> On Monday 04 December 2017 at 16:42:30, Colle Christophe wrote:
>
> > Is there a solution to secure the "basic" authentication of squid? (with
> an
> > SSL certificate for example).
>
> https://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap section
> "SSL/TLS_adjustments"?
>
>
> Antony.
>
> --
> "Linux is going to be part of the future. It's going to be like Unix was."
>
>  - Peter Moore, Asia-Pacific general manager, Microsoft
>
>                                                    Please reply to the
> list;
>                                                          please *don't*
> CC me.
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
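
Added example, not part of the original post: a small offline audit that runs a PAC script's FindProxyForURL() over sample hosts and reports any result entry that is not DIRECT or HTTPS, since a plain "PROXY" entry would carry the Basic Proxy-Authorization header to the proxy without TLS. The helper stubs, the sample PAC strings, the sample hosts and port 3128 are assumptions constructed for the example.

```javascript
// Offline stand-ins for the PAC helpers (assumption: browsers also resolve
// hostnames inside isInNet(); this stub only understands IPv4 literals).
function ipToInt(ip) {
  const p = ip.split(".");
  if (p.length !== 4 || p.some(x => !/^\d{1,3}$/.test(x) || Number(x) > 255)) return null;
  return p.reduce((acc, x) => ((acc << 8) | Number(x)) >>> 0, 0);
}
const pacHelpers = {
  isPlainHostName: host => !host.includes("."),
  dnsDomainIs: (host, domain) => host.endsWith(domain),
  isInNet: (host, net, mask) => {
    const h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
    return h !== null && n !== null && m !== null && ((h & m) >>> 0) === ((n & m) >>> 0);
  },
};

// Run a PAC script's FindProxyForURL() for one host and return its result string.
function evalPac(pacSource, host) {
  const names = Object.keys(pacHelpers);
  const load = new Function(...names, pacSource + "\nreturn FindProxyForURL;");
  return load(...names.map(n => pacHelpers[n]))("http://" + host + "/", host);
}

// A PAC result is a ";"-separated fallback list. Any entry other than DIRECT or
// HTTPS names a proxy that the browser would reach without TLS.
function cleartextEntries(pacResult) {
  return pacResult.split(";").map(s => s.trim())
    .filter(s => s && !/^(DIRECT$|HTTPS\s)/i.test(s));
}

function auditPac(pacSource, hosts) {
  return hosts
    .map(host => ({ host, entries: cleartextEntries(evalPac(pacSource, host)) }))
    .filter(f => f.entries.length > 0);
}

// Constructed samples: the first condenses the wpad.dat above, the second adds a
// plain-TCP fallback (port 3128 is an assumed value) that defeats the design.
const PAC_TLS_ONLY = `function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || isInNet(host, "10.0.0.0", "255.0.0.0")) return "DIRECT";
  return "HTTPS secure-squid.com:443";
}`;
const PAC_WITH_FALLBACK = `function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  return "HTTPS secure-squid.com:443; PROXY secure-squid.com:3128";
}`;
const SAMPLE_HOSTS = ["intranet", "10.1.2.3", "www.example.org"];

console.log(JSON.stringify(auditPac(PAC_TLS_ONLY, SAMPLE_HOSTS)));
console.log(JSON.stringify(auditPac(PAC_WITH_FALLBACK, SAMPLE_HOSTS)));
```

An empty result means every sampled host is either sent direct or sent to the proxy over TLS; any finding lists the host and the non-TLS proxy entry it would fall back to.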