[squid-users] Client to proxy encryption for Internet Explorer
Panagiotis Bariamis
akismpa at gmail.com
Sun Apr 22 10:52:07 UTC 2018
>LDAP is a database type, it is not specifically tied to the type of
>credentials used either. For example; have you looked into using
>Kerberos authentication? this over clear-text is similar or sometimes
>more secure than TLS.
Unfortunately administrators of LDAP can only provide basic authentication
scheme, so I am stuck with TLS proxy , plus there are 16 squid boxes that a
layer 7 load balancer routes the traffic depending on the hash of the url ,
so I think even if the administrators of openldap could provide me with
kerberos or ntlm authentication I could not load balance the traffic based
on url .
On Sat, Apr 21, 2018 at 12:19 AM, Amos Jeffries <squid3 at treenet.co.nz>
wrote:
> On 21/04/18 06:55, Panagiotis Bariamis wrote:
> >>"credentials" does not necessarily mean passwords.
> >
> >>TLS also sends credentials in clear. It just happens those credentials
> >>are called certificates. Likewise all auth schemes in HTTP (except
> >>Basic) send security tokens of various types - not passwords.
> >
> > When referring to credentials I mean basic ldap authentication for squid
> > servers.
> > Those are sent in plain text (well base64) in every request. So my
> > concern is the client to proxy encryption so as to protect those
> > credentials.
> >
>
> LDAP is a database type, it is not specifically tied to the type of
> credentials used either. For example; have you looked into using
> Kerberos authentication? this over clear-text is similar or sometimes
> more secure than TLS.
>
> <http://www.squid-cache.org/Versions/v3/3.5/manuals/
> negotiate_kerberos_auth.html>
> <http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_
> kerberos_ldap_group_acl.html>
>
> That is the recommended Best Practice form of authentication with MSIE
> and avoids the need for TLS solely to secure the credentials. Other
> reasons for TLS remain, but are less important.
>
> Amos
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20180422/0d4d0924/attachment.html>
More information about the squid-users
mailing list