help with helper

help with helper

Juan Manuel Perrote-2

Hello, we have a helper to validate users on a Squid reverse proxy, and have a problem on the first validation!!

On a normal day, on the first validation, when a user opens the client browser Squid invokes the popup and the user inserts the correct user/password to validate, and later Squid apparently runs the helper requesting the user and password again.


I need help to know whether it is possible to identify when a user runs for the first time.


regards.




_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: help with helper

Amos Jeffries
Administrator
On 3/09/19 10:35 pm, jmperrote wrote:

> Hello, we have a helper to validate users on a Squid reverse proxy, and
> have a problem on the first validation!!
>
> On a normal day, on the first validation, when a user opens the client
> browser Squid invokes the popup and the user inserts the correct user/password
> to validate, and later Squid
>
> apparently runs the helper requesting the user and password again.
>
> I need help to know whether it is possible to identify when a user runs for the
> first time.

Users cannot be identified until they provide credentials.

This being a reverse-proxy means to the Browser it is no different than
any web server. No sane software will ever blindly assume that the user's
LAN account credentials are going to be valid when connecting to a
random web server.

Thus the Browser needs to have stored credentials in its password
manager for that 'website' being hosted by your proxy, or use the popup
to discover them when it starts to do traffic there.

Amos

Re: help with helper

Juan Manuel Perrote-2
Hello Amos, yes, but how can I identify that it is the first request??

Otherwise Squid requests to authenticate and later, when it invokes the helper,
again requests to authenticate.

I handle recovering the user from the Squid cache (cachemanager) in the helper,
to ask if the user previously exists, but Squid refreshes the cache and users
disappear from time to time.

The exact question is: how to know if the user previously logged in, so
the helper just validates user/password and later ALLOWs to continue.

Regards.


On 3/9/19 at 09:41, Amos Jeffries wrote:

> On 3/09/19 10:35 pm, jmperrote wrote:
>> Hello, we have a helper to validate users on a Squid reverse proxy, and
>> have a problem on the first validation!!
>>
>> On a normal day, on the first validation, when a user opens the client
>> browser Squid invokes the popup and the user inserts the correct user/password
>> to validate, and later Squid
>>
>> apparently runs the helper requesting the user and password again.
>>
>> I need help to know whether it is possible to identify when a user runs for the
>> first time.
> Users cannot be identified until they provide credentials.
>
> This being a reverse-proxy means to the Browser it is no different than
> any web server. No sane software will ever blindly assume that the user's
> LAN account credentials are going to be valid when connecting to a
> random web server.
>
> Thus the Browser needs to have stored credentials in its password
> manager for that 'website' being hosted by your proxy, or use the popup
> to discover them when it starts to do traffic there.
>
> Amos

Re: help with helper

Amos Jeffries
Administrator
On 4/09/19 1:13 am, jmperrote wrote:
> Hello Amos, yes, but how can I identify that it is the first request??
>

It will be first? But what does first actually mean?
  first this year? first today? first this second?

HTTP is stateless. There is no concept of "second request" etc. outside
of features which are *not* related to users or useful to you here.

_Every_ request that your config requires credentials to accept, needs
credentials provided or will get a 401/407 response. That is just how
auth works in HTTP. There are likely many of those which are handled by
the Browser without any popup at all.
 To Squid there is no difference between request 1 without credentials
and request 2 without credentials.


> Otherwise Squid requests to authenticate and later, when it invokes the helper,
> again requests to authenticate.

Every time Squid is handed never-before-seen credentials the helper will
be asked to check them.

Every time Squid is handed credentials that are apparently expired, the
helper will be asked to check them.


>
> I handle recovering the user from the Squid cache (cachemanager) in the helper,
> to ask if the user previously exists, but Squid refreshes the cache and users
> disappear from time to time.

Yes. Computers do not have infinite memory. Things that are clearly
obsolete are thrown away after a reasonable time.


To make credentials stick around longer you can do two things:

 1) increase their TTL. The longer they are considered valid the longer
they are retained as possibly useful.

 Pros: they stick around. Less CPU load on the auth system.

 Cons: they stick around. Increased memory usage. Reduced ability to
change passwords. Reduced ability to kick malicious users off the proxy
by disabling hacked credentials.


 2) increase the garbage collection interval Squid uses. This keeps
obsolete logins around longer.

 Pros: more known logins.

 Cons: more memory used storing logins.


Both have the possibility/risk that a user's "login session" goes longer
than you might be expecting.

For example, if set to 10hrs (one working day), a user may "logout" late
one night, then re-login early the next day (9hrs of sleep later) and be
seen by Squid as having continued the same login started yesterday.
 Even 2hrs is too long to cover lunch breaks etc.
 Up to you of course, just consider what type of activities may be
problematic for your system for any given time range.

>
> The exact question is: how to know if the user previously logged in, so
> the helper just validates user/password

Yes.

> and later ALLOW to continue.
>

No.

Authentication vs Authorization. There is a thin difference, but it is
very important to understanding these things going on.

The auth helper only does Authentication - checking that credentials are
*correct*.

Squid ACLs do the Authorization - allow/deny actions. Which may (or not)
be based on whether credentials are correct / authenticated.



HTH
Amos
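As an added illustration (not from the thread or from the Squid project), the following squid.conf fragment shows where the two knobs Amos describes live and how the helper (authentication) is kept separate from the ACLs (authorization). The helper path, origin address, hostname and realm are placeholders.

```conf
# Added example: reverse proxy with Basic auth. Paths, hosts and realm are placeholders.
http_port 80 accel defaultsite=www.example.com
cache_peer 10.0.0.10 parent 80 0 no-query originserver name=origin

# Authentication: the helper is only asked "is this user:password correct?" and
# answers OK or ERR. It is not asked whether this is the user's first request.
auth_param basic program /usr/local/bin/my_auth_helper
auth_param basic children 5 startup=2 idle=1
auth_param basic realm Example Reverse Proxy
# Knob 1: how long a validated credential is trusted before the helper is asked
# again (Squid's default is 2 hours). Shorter means more helper calls but a
# disabled account is locked out sooner.
auth_param basic credentialsttl 30 minutes
# Knob 2: how often Squid garbage-collects its credential cache. A larger value
# keeps obsolete logins in memory longer; it does not make them valid longer.
authenticate_cache_garbage_interval 1 hour
authenticate_ttl 1 hour

# Authorization: ACLs decide allow/deny. "proxy_auth REQUIRED" matches any
# request carrying credentials the helper accepted; no "first request" state.
acl authed proxy_auth REQUIRED
acl origin_site dstdomain www.example.com
http_access allow origin_site authed
http_access deny all
cache_peer_access origin allow origin_site
cache_peer_access origin deny all
```

A request without credentials, or with credentials whose cache entry has expired, is challenged again regardless of how many times that user was seen before; only the TTL and the garbage-collection interval change how long a successful validation is remembered.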