Re: [squid-users] Secure basic authentication on Squid

Tue, 05 Dec 2017 22:02:50 -0800 

To reiterate Alex, "yes you can".

Squid supports "proxy over TLS" as well as the old/default "proxy over TCP"
- you use the https_port option

...but getting browsers to support it is challenging. The best way would be
to create a WPAD file that tells browsers to use "HTTPS" instead of
"PROXY". Then you can just use Proxy-Authentication using Basic and you'd
be all set. BTW, Basic has MAJOR performance benefits over any other form
of authentication IMHO. Basic over TLS is the way to go...


eg something like this

---------------- wpad.dat ----------

function FindProxyForURL(url, host)
{
  // see how I used 443? If you're going to run a TLS-encrypted proxy, make
it totally appear as a HTTPS server and run it on port 443...
  //


if (isPlainHostName(host) ||  dnsDomainIs(host,"localhost.localdomain") ) {
return "DIRECT";
} else if (isInNet(host, "127.0.0.0", "255.0.0.0") || isInNet(host,
"10.0.0.0", "255.0.0.0") || isInNet(host, "172.16.0.0", "255.240.0.0")  ||
isInNet(host, "192.168.0.0", "255.255.0.0") ) {
return "DIRECT";
} else {
//
return "HTTPS secure-squid.com:443";
  }
}


On Tue, Dec 5, 2017 at 5:13 AM, Colle Christophe <
christophe.co...@ac-nancy-metz.fr> wrote:

> Hi Anthony,
>
> Thank you for your answer.
>
> That this only secures the traffic Squid<->LDAP Server, not
> browsers<->Squid.
>
> Is there a solution to secure communication between the browser and the
> proxy?
>
>
> Chris.
>
> Le 04/12/17 16:49, *Antony Stone * <antony.st...@squid.open.source.it> a
> écrit :
>
> On Monday 04 December 2017 at 16:42:30, Colle Christophe wrote:
>
> > Is there a solution to secure the "basic" authentication of squid? (with
> an
> > SSL certificate for example).
>
> https://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap section
> "SSL/TLS_adjustments"?
>
>
> Antony.
>
> --
> "Linux is going to be part of the future. It's going to be like Unix was."
>
>  - Peter Moore, Asia-Pacific general manager, Microsoft
>
>                                                    Please reply to the
> list;
>                                                          please *don't*
> CC me.
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
>


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Reply via email to