[squid-users] 2FA with Google Authenticator and squid login

NgTech LTD ngtech1ltd at gmail.com
Mon Feb 3 05:25:35 UTC 2025


What I was talking about is using both the auth helper and the external ACL
helper.
The password is static, but the authorization itself is done via some push
or another TOTP method that will authorize the login for a specific amount
of time.
And indeed it will kind of degrade the connection to 1FA for a period of
time, but it will protect against a couple of specific attacks.
So, if the proxy connection is encrypted inside a tunnel then it's ok.

As for a directly accessible proxy over plain HTTP, it will be vulnerable
to many auth attacks.

Thanks,
Eliezer

On Mon, 3 Feb 2025, 7:10, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 3/02/25 00:43, NgTech LTD wrote:
> > What would make a 2FA in Squid's case?
> >
>
>
> When receiving a new login attempt the authentication (auth_param)
> helper should initiate whatever side-channel token delivery is needed.
> Then return "ERR" to Squid as usual.
>
>
> Replace the login challenge error message with a login page to receive
> that token and deliver it to a server that marks the client as logged
> in. (Both ERR_ACCESS_DENIED and ERR_CACHE_ACCESS_DENIED. Either new
> templates or a deny_info 401/407 - I'm not sure which will work best)
>
>
> Somewhat like how the SQL_session helper works in "active mode" session,
> but through the auth_param helpers instead of external ACL sessions.
>
>
> HTH
> Amos
>
>
> > Thanks,
> > Eliezer
> >
> > On Sun, 2 Feb 2025, 13:22, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> >
> >     On 2/02/25 07:43, ngtech1ltd wrote:
> >      > Hey,
> >      >
> >      > I was wondering if anyone has implemented any 2FA with Squid.
> >      >
> >      > IE a simple forward proxy that implements an external ACL helper
> >     that
> >
> >     Ah, that would not be "authentication".
> >
> >
> >     2FA is done through Squid auth_param and authentication helpers same as
> >     "normal" (1FA) authentication. It is just a slightly different bunch of
> >     steps the auth system performs in the background outside of Squid.
> >
> >
> >     Cheers
> >     Amos
> >
> >     _______________________________________________
> >     squid-users mailing list
> >     squid-users at lists.squid-cache.org
> >     https://lists.squid-cache.org/listinfo/squid-users
> >
> >
>
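The scheme Eliezer describes above (a static password checked by the auth_param helper, plus an external ACL helper that only says OK while a time-limited second-factor authorization is open) as an added example; this is not code from the thread or from the Squid project. It is a Python external_acl helper that verifies an RFC 6238 TOTP code out of band and answers Squid's lookups for a fixed window. Assumptions: `external_acl_type` is configured with `%LOGIN` as the only format token and no `concurrency=`, the login page Amos mentions calls `authorize()` when the user submits a code, and the secret is the RFC 6238 test key rather than a real credential.

```python
import base64, hashlib, hmac, struct, sys, time

def totp(secret_b32: str, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains for_time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

class SecondFactorStore:
    """Tracks which users have passed the TOTP step and until when (in memory)."""
    def __init__(self, secrets: dict, ttl: int = 8 * 3600, skew_steps: int = 1):
        self.secrets = secrets        # user -> base32 TOTP secret
        self.ttl = ttl                # seconds a login stays authorized (the "1FA window")
        self.skew_steps = skew_steps  # tolerate +/- this many 30 s steps of clock drift
        self.expiry: dict = {}        # user -> unix time at which the authorization ends

    def authorize(self, user: str, code: str, now: int) -> bool:
        """Called by the out-of-band login page once the user submits a TOTP code."""
        secret = self.secrets.get(user)
        if secret is None:
            return False
        for drift in range(-self.skew_steps, self.skew_steps + 1):
            if hmac.compare_digest(totp(secret, now + 30 * drift), code):
                self.expiry[user] = now + self.ttl
                return True
        return False

    def acl_reply(self, line: str, now: int) -> str:
        """Answer one external_acl request; the line is the %LOGIN value (assumed: no concurrency)."""
        user = line.strip()
        remaining = self.expiry.get(user, 0) - now
        if remaining > 0:
            # ttl= caps how long Squid caches this OK, so the window cannot outlive the record
            return f"OK ttl={remaining}"
        return "ERR"

def serve(store: SecondFactorStore, stream_in=sys.stdin, stream_out=sys.stdout) -> None:
    """Squid helper loop: one request line in, one reply line out."""
    for line in stream_in:
        stream_out.write(store.acl_reply(line, int(time.time())) + "\n")
        stream_out.flush()

if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test secret, not a real credential.
    serve(SecondFactorStore({"alice": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}))
```

Once the window expires the helper returns ERR and the deny_info page Amos describes can ask for a fresh code; the static password alone never opens the window.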