Secure basic authentication on Squid

Secure basic authentication on Squid

Colle Christophe
Hello!

I am currently using Squid for internet access. Currently, "basic" authentication on an LDAP directory is configured to identify users. The problem is that the password is sent in clear (base64) and I am looking for a solution to secure it.

I tested the "Digest" mode, but the result is inconclusive because you have to modify the LDAP directory with an attribute containing the hash of the password. The directory can not be modified in our case.

Is there a solution to secure the "basic" authentication of squid? (with an SSL certificate for example).

Thank you !

--
Chris.

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Secure basic authentication on Squid

Antony Stone
On Monday 04 December 2017 at 16:42:30, Colle Christophe wrote:

> Is there a solution to secure the "basic" authentication of squid? (with an
> SSL certificate for example).

https://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap section
"SSL/TLS_adjustments"?


Antony.

--
"Linux is going to be part of the future. It's going to be like Unix was."

 - Peter Moore, Asia-Pacific general manager, Microsoft

                                                   Please reply to the list;
                                                         please *don't* CC me.

Re: Secure basic authentication on Squid

Amos Jeffries
Administrator
On 05/12/17 04:49, Antony Stone wrote:
> On Monday 04 December 2017 at 16:42:30, Colle Christophe wrote:
>
>> Is there a solution to secure the "basic" authentication of squid? (with an
>> SSL certificate for example).
>
> https://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap section
> "SSL/TLS_adjustments"?
>

That is only for securing the connection between Squid and the LDAP
server. It does not affect the credentials themselves.

Amos

Re: Secure basic authentication on Squid

Antony Stone
On Monday 04 December 2017 at 17:06:03, Amos Jeffries wrote:

> On 05/12/17 04:49, Antony Stone wrote:
> > On Monday 04 December 2017 at 16:42:30, Colle Christophe wrote:
> >> Is there a solution to secure the "basic" authentication of squid? (with
> >> an SSL certificate for example).
> >
> > https://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap section
> > "SSL/TLS_adjustments"?
>
> That is only for securing the connection between Squid and the LDAP
> server. It does not affect the credentials themselves.

Right.

Since the original question stated that "the problem is that the password is
sent in clear (base64) and I am looking for a solution to secure it" I assumed
it was the transmission in the clear which needed to be secured.


Antony.

--
"It would appear we have reached the limits of what it is possible to achieve
with computer technology, although one should be careful with such statements;
they tend to sound pretty silly in five years."

 - John von Neumann (1949)

                                                   Please reply to the list;
                                                         please *don't* CC me.

Re: Secure basic authentication on Squid

Colle Christophe
In reply to this post by Antony Stone
Hi Antony,

Thank you for your answer.

So this only secures the traffic Squid<->LDAP Server, not browsers<->Squid.

Is there a solution to secure communication between the browser and the proxy?


Chris.

On 04/12/17 16:49, Antony Stone <[hidden email]> wrote:
On Monday 04 December 2017 at 16:42:30, Colle Christophe wrote:

> Is there a solution to secure the "basic" authentication of squid? (with an
> SSL certificate for example).

https://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap section
"SSL/TLS_adjustments"?

Re: Secure basic authentication on Squid

Amos Jeffries
Administrator
In reply to this post by Colle Christophe
On 05/12/17 04:42, Colle Christophe wrote:

> Hello!
>
> I am currently using Squid for internet access. Currently, "basic"
> authentication on an LDAP directory is configured to identify users. The
> problem is that the password is sent in clear (base64) and I am looking
> for a solution to secure it.
>
> I tested the "Digest" mode, but the result is inconclusive because you
> have to modify the LDAP directory with an attribute containing the hash
> of the password. The directory can not be modified in our case.

Should not have to. The helper should be able to treat the LDAP as
containing the username+password in clear text and do all the hashing
itself as needed.

(NP: I'm not sure why some of the documentation for digest_ldap_auth
says "(REQUIRED)" on the -e option. It is an option because you get to
choose whether it is done that way or not.)


>
> Is there a solution to secure the "basic" authentication of squid? (with
> an SSL certificate for example).

Plain text username+password is what "Basic" means. There are ways to
secure the credentials values by using one-time passwords but it is very
rare for client software to support that kind of thing. Normally they
only support the standard Basic credentials.


"Digest" is an entirely different authentication protocol which has
several modes of use from very weak to reasonably strong security.
Though in my experience Browsers screw up quite often with the strong
security mode.


"SSL certificate" - if by that you mean TLS client certificates, that is part
of TLS and has nothing to do with HTTP. Squid does support those for
securing TLS connections to the proxy, but I'm not sure how well using
them as user credentials works.

Amos
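Amos' point above, that a digest helper can do the hashing itself from the clear-text password instead of needing a pre-hashed attribute in the directory, as an added example. This is not code from this thread or from Squid's digest_ldap_auth: it is the RFC 2617 Digest arithmetic (MD5 algorithm, qop=auth) written out for both ends. The directory stand-in, realm, nonce and request values are constructed, and the helper I/O convention used here (Squid hands the helper the user and realm, the helper answers the HA1 hex digest or an error) is stated as an assumption rather than quoted from the Squid docs.

```python
"""RFC 2617 Digest (MD5, qop=auth) with HA1 computed on the fly from a
clear-text password lookup, the way a Squid digest helper can work without
any hashed attribute being stored in the directory.

Added example; not code from this thread or from Squid. DIRECTORY, REALM and
the nonce/request values are constructed stand-ins."""
import hashlib
import hmac
import secrets

REALM = "Squid proxy"
DIRECTORY = {"chris": "correct horse battery staple"}   # stand-in for LDAP


def md5hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def helper_ha1(user: str, realm: str):
    """Helper side. Assumed helper protocol: Squid passes the user and realm
    and expects back the HA1 hex digest, or an error (None here) for unknown
    users. Nothing pre-hashed is read from the directory; the helper hashes
    the clear-text password itself."""
    password = DIRECTORY.get(user)
    if password is None:
        return None
    return md5hex(f"{user}:{realm}:{password}")   # HA1 = MD5(user:realm:password)


def client_response(user, password, method, uri, nonce, nc, cnonce,
                    realm=REALM, qop="auth"):
    """Browser side: the 'response' field of Proxy-Authorization: Digest ..."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")                       # qop=auth: no body hash
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def squid_verify(fields: dict, method: str) -> bool:
    """Proxy side: recompute the response from the helper's HA1 and compare in
    constant time. Nonce issue/expiry and nonce-count replay tracking are also
    the proxy's job and are left out here."""
    ha1 = helper_ha1(fields["username"], fields["realm"])
    if ha1 is None:
        return False
    ha2 = md5hex(f"{method}:{fields['uri']}")
    expected = md5hex(f"{ha1}:{fields['nonce']}:{fields['nc']}:"
                      f"{fields['cnonce']}:{fields['qop']}:{ha2}")
    return hmac.compare_digest(expected.encode(), fields["response"].encode())


def demo():
    """One good and one bad round trip; returns (True, False)."""
    nonce = secrets.token_hex(16)            # issued by the proxy in its 407
    cnonce = secrets.token_hex(8)            # chosen by the client
    base = dict(username="chris", realm=REALM, uri="http://example.com/",
                nonce=nonce, nc="00000001", cnonce=cnonce, qop="auth")
    good = dict(base, response=client_response(
        "chris", DIRECTORY["chris"], "GET", "http://example.com/",
        nonce, "00000001", cnonce))
    bad = dict(base, response=client_response(
        "chris", "wrong password", "GET", "http://example.com/",
        nonce, "00000001", cnonce))
    return squid_verify(good, "GET"), squid_verify(bad, "GET")


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The password itself never crosses the browser-to-proxy link, only the MD5 response, which is what makes Digest an option on a plaintext http_port when the directory cannot be changed. The strength still depends on the mode negotiated (nonce handling, qop), which is the weak-to-strong range Amos refers to.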

Re: Secure basic authentication on Squid

Alex Rousskov
On 12/04/2017 10:05 AM, Amos Jeffries wrote:
> On 05/12/17 04:42, Colle Christophe wrote:
>> I am currently using Squid for internet access. Currently, "basic"
>> authentication on an LDAP directory is configured to identify users.
>> The problem is that the password is sent in clear (base64) and I am
>> looking for a solution to secure it.

>> Is there a solution to secure the "basic" authentication of squid?
>> (with an SSL certificate for example).


> Plain text username+password is what "Basic" means.

One can have HTTP Basic authentication inside a TLS connection.

There are several mostly independent pieces here:

1. Basic authentication:

S1. Squid definitely supports HTTP Basic authentication. That code works
in production.

B1. Popular browsers definitely support HTTP Basic authentication.


2. HTTPS proxy:

S2. Squid definitely supports TLS connections between an HTTP browser
and Squid. That code works in production. It can be tested using modern
cURL command line tool versions:
https://daniel.haxx.se/blog/2016/11/26/https-proxy-with-curl/

B2. Popular browsers claim to support TLS connections to HTTP proxies,
but that support is difficult to enable in the browser. Please do not
confuse this support with CONNECT requests. HTTP CONNECT is about TLS
connections to origin servers, not proxies.


3. TLS client certificate authentication:

S3. Squid also supports authentication based on TLS client certificates.
AFAIK, that code works in production.

B3. I do not know whether popular browsers support sending TLS client
certificates, but I would expect that at least some of them do.


Combining the above pieces:

Squid probably supports the combination of S1 and S2. I would not be
surprised if the combination of S1, S2, and S3 also works.

Popular browsers should support the combination of B1 and B2. If they
do, then I would expect them to support the combination of B1, B2, and B3.


Alex.
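Alex's pieces 1 and 2 (Basic credentials, and why they need a TLS leg between browser and proxy) as an added example that is not part of this thread or of Squid's own code: the client builds the RFC 7617 header, the proxy parses it and issues the 407 challenge, and a third function shows what an observer on a plaintext http_port recovers from a captured request. REALM, the USERS table standing in for the LDAP bind, and CAPTURE are constructed.

```python
"""HTTP Basic proxy authentication at the wire level (RFC 7617), and what a
passive observer recovers from it when the browser-to-proxy leg is not TLS.

Added example; not code from this thread or from Squid. REALM, USERS
(standing in for the LDAP bind) and CAPTURE are constructed."""
import base64
import binascii
import hmac

REALM = "Squid proxy"
USERS = {"chris": "s3cret:with:colons"}


def basic_credentials(user: str, password: str) -> str:
    """Client side: 'Basic ' + base64(user ':' password). No key is involved;
    base64 is an encoding, so this is the clear password in another alphabet."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic(value: str):
    """Proxy side: decode one Proxy-Authorization value into (user, password),
    or None if it is not well-formed Basic. Only the first ':' separates user
    from password, so passwords may themselves contain colons."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def proxy_decision(headers: dict):
    """Minimal proxy logic: answer 407 with a challenge until valid credentials
    arrive. Returns (status, extra response headers, authenticated user)."""
    creds = parse_basic(headers.get("Proxy-Authorization", ""))
    if creds is not None:
        user, password = creds
        expected = USERS.get(user)
        if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
            return 200, {}, user
    challenge = {"Proxy-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}
    return 407, challenge, None


def credentials_seen_on_wire(capture: bytes):
    """What someone sniffing a plaintext http_port gets: the same parse the
    proxy does, run over a captured request. On an https_port the observer
    sees only TLS records and there is no header line to find."""
    for line in capture.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"proxy-authorization":
            return parse_basic(value.decode("ascii", "replace"))
    return None


# Constructed capture of one request on a plaintext proxy port.
CAPTURE = (b"GET http://example.com/ HTTP/1.1\r\n"
           b"Host: example.com\r\n"
           b"Proxy-Authorization: "
           + basic_credentials("chris", "s3cret:with:colons").encode("ascii")
           + b"\r\n\r\n")


if __name__ == "__main__":
    print(proxy_decision({}))                    # (407, {'Proxy-Authenticate': ...}, None)
    print(credentials_seen_on_wire(CAPTURE))     # ('chris', 's3cret:with:colons')
```

Against a real https_port the same check is one curl invocation: curl's -x accepts an https:// proxy URL (with --proxy-user and, for a private CA, --proxy-cacert), which is the test Alex's link describes.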

Re: Secure basic authentication on Squid

Jason Haar-2
In reply to this post by Colle Christophe
To reiterate Alex, "yes you can".

Squid supports "proxy over TLS" as well as the old/default "proxy over TCP" - you use the https_port option

...but getting browsers to support it is challenging. The best way would be to create a WPAD file that tells browsers to use "HTTPS" instead of "PROXY". Then you can just use Proxy-Authentication using Basic and you'd be all set. BTW, Basic has MAJOR performance benefits over any other form of authentication IMHO. Basic over TLS is the way to go...


eg something like this 

---------------- wpad.dat ----------

function FindProxyForURL(url, host)
{
    // See how I used 443? If you're going to run a TLS-encrypted proxy,
    // make it totally appear as a HTTPS server and run it on port 443...

    // Bare host names and the local domain go direct.
    if (isPlainHostName(host) || dnsDomainIs(host, "localhost.localdomain")) {
        return "DIRECT";
    // Loopback and RFC 1918 private ranges go direct too.
    } else if (isInNet(host, "127.0.0.0", "255.0.0.0") ||
               isInNet(host, "10.0.0.0", "255.0.0.0") ||
               isInNet(host, "172.16.0.0", "255.240.0.0") ||
               isInNet(host, "192.168.0.0", "255.255.0.0")) {
        return "DIRECT";
    } else {
        // Everything else: "HTTPS" (proxy over TLS) instead of "PROXY" (plain TCP).
        return "HTTPS secure-squid.com:443";
    }
}


On Tue, Dec 5, 2017 at 5:13 AM, Colle Christophe <[hidden email]> wrote:
Hi Anthony,

Thank you for your answer.

That this only secures the traffic Squid<->LDAP Server, not browsers<->Squid.

Is there a solution to secure communication between the browser and the proxy?


Chris.





--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: Secure basic authentication on Squid

Mathieu Peltier
On Wed, Dec 6, 2017 at 7:01 AM, Jason Haar <[hidden email]> wrote:
> To reiterate Alex, "yes you can".
>
> Squid supports "proxy over TLS" as well as the old/default "proxy over TCP"
> - you use the https_port option
>
> ...but getting browsers to support it is challenging. The best way would be
> to create a WPAD file that tells browsers to use "HTTPS" instead of "PROXY".
> Then you can just use Proxy-Authentication using Basic and you'd be all set.

Hi,
Is this secure proxy well supported by other applications than
browsers in general (eg: wget, curl, yum, git, svn, php, ...)?
Thanks,
--
Mathieu Peltier

Re: Secure basic authentication on Squid

Amos Jeffries
Administrator
On 06/12/17 21:32, Mathieu Peltier wrote:

> On Wed, Dec 6, 2017 at 7:01 AM, Jason Haar wrote:
>> To reiterate Alex, "yes you can".
>>
>> Squid supports "proxy over TLS" as well as the old/default "proxy over TCP"
>> - you use the https_port option
>>
>> ...but getting browsers to support it is challenging. The best way would be
>> to create a WPAD file that tells browsers to use "HTTPS" instead of "PROXY".
>> Then you can just use Proxy-Authentication using Basic and you'd be all set.
>
> Hi,
> Is this secure proxy well supported by other applications than
> browsers in general (eg: wget, curl, yum, git, svn, php, ...)?
> Thanks,
>

Most of the non-Browser tools have been supporting TLS explicit proxies
for decades already and have comparatively easy control over it. Browsers
are the latecomers here.

Amos

Re: Secure basic authentication on Squid

Matus UHLAR - fantomas
>>On Wed, Dec 6, 2017 at 7:01 AM, Jason Haar wrote:
>>>To reiterate Alex, "yes you can".
>>>
>>>Squid supports "proxy over TLS" as well as the old/default "proxy over TCP"
>>>- you use the https_port option
>>>
>>>...but getting browsers to support it is challenging. The best way would be
>>>to create a WPAD file that tells browsers to use "HTTPS" instead of "PROXY".
>>>Then you can just use Proxy-Authentication using Basic and you'd be all set.

>On 06/12/17 21:32, Mathieu Peltier wrote:
>>Is this secure proxy well supported by other applications than
>>browsers in general (eg: wget, curl, yum, git, svn, php, ...)?
>>Thanks,

On 06.12.17 22:58, Amos Jeffries wrote:
>Most of the non-Browser tools have been supporting TLS explicit
>proxies for decades already and have comparativly easy control over
>it. Browsers are the latecomers here.

but they mostly do not support WPAD, because they do not support JavaScript.

There is software called libproxy that supports at least the part needed for WPAD,
but I'm not sure how many of those tools support it.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Honk if you love peace and quiet.

Re: Secure basic authentication on Squid

Yuri Voinov


On 06.12.2017 16:57, Matus UHLAR - fantomas wrote:

>>> On Wed, Dec 6, 2017 at 7:01 AM, Jason Haar wrote:
>>>> To reiterate Alex, "yes you can".
>>>>
>>>> Squid supports "proxy over TLS" as well as the old/default "proxy
>>>> over TCP"
>>>> - you use the https_port option
>>>>
>>>> ...but getting browsers to support it is challenging. The best way
>>>> would be
>>>> to create a WPAD file that tells browsers to use "HTTPS" instead of
>>>> "PROXY".
>>>> Then you can just use Proxy-Authentication using Basic and you'd be
>>>> all set.
>
>> On 06/12/17 21:32, Mathieu Peltier wrote:
>>> Is this secure proxy well supported by other applications than
>>> browsers in general (eg: wget, curl, yum, git, svn, php, ...)?
>>> Thanks,
>
> On 06.12.17 22:58, Amos Jeffries wrote:
>> Most of the non-Browser tools have been supporting TLS explicit
>> proxies for decades already and have comparativly easy control over
>> it. Browsers are the latecomers here.
>
> but they mostly do not support WPAD, because they do not support
> javascript.
>
> there is sw called libproxy that supports at least the part needed for
> WPAD
> but I'm not sure how many of those tools support it.
>
.... however CLI tools often understand http_proxy/https_proxy
environment variables.....

--
"Some people, when confronted with a problem, think «I know, I'll use regular expressions.» Now they have two problems."
--Jamie Zawinski

**************************
* C++: Bug to the future *
**************************


