Security Basics mailing list archives

Re: Proxy Auth


From: Bennett Todd <bet () rahul net>
Date: Fri, 21 Mar 2003 12:57:11 -0500

2003-03-21T10:14:53 pablo gietz:
Do you know how to encrypt the process of authentication between the 
browser and squid proxy?

As far as I can see, no. This would be a good question for a
squid-specific list, though.

What _ought_ to work is to enable https in squid (I don't see any
support for that) or equally run a stunnel (preferably in transproxy
mode, so squid can still see the real originating IPs) as a front
end; then configure the browser to use https://url.of.squid:3128/ as
the proxy. Problem is, I don't think this is actually supported.

We like to use the same login name and password for NT and squid,
but in doing so we expose the passwords of the NT users, based on the
fact that the browser encodes the password in base64.

Exactly right. You've got two choices that I know of; either force
people to use separate passwords for your squid, so their exposure
doesn't do as much damage, or else craft the net between your
users and your squid so you aren't so worried about sniffing.
Well-monitored switches can be a help. Give everyone a separate
switch port, and span every switch to an IDS set up to report
attempts to whap its cam table.

-Bennett
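
The exposure discussed in this message, shown as an added example that is not part of the original post: a small audit routine that parses a captured cleartext proxy request and reports whether its Proxy-Authorization header uses Basic, whose base64 token decodes straight back to the login and password. The sample request, user name and password are constructed for illustration.

```python
import base64

# Constructed sample: a request as a browser sends it to a proxy in cleartext.
SAMPLE_REQUEST = (
    b"GET http://www.example.com/ HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"Proxy-Authorization: Basic " + base64.b64encode(b"jdoe:Winter2003!") + b"\r\n"
    b"\r\n"
)

def parse_headers(raw: bytes) -> dict:
    """Return the request headers as a dict keyed by lower-cased name."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit_proxy_auth(raw: bytes) -> dict:
    """Classify the Proxy-Authorization header of one captured request."""
    value = parse_headers(raw).get("proxy-authorization")
    if value is None:
        return {"scheme": None, "reversible": False}
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        # Other schemes do not carry the password in a directly decodable form.
        return {"scheme": scheme, "reversible": False}
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("latin-1")
    except ValueError:  # binascii.Error is a ValueError subclass
        return {"scheme": "Basic", "reversible": False, "error": "malformed token"}
    user, sep, password = decoded.partition(":")
    if not sep:
        return {"scheme": "Basic", "reversible": False, "error": "no user:password pair"}
    # Report only the length so the audit output does not repeat the secret.
    return {"scheme": "Basic", "reversible": True,
            "user": user, "password_len": len(password)}

if __name__ == "__main__":
    print(audit_proxy_auth(SAMPLE_REQUEST))
```
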
