* sascha.uhl@gmx.net wrote on Fri, Aug 30, 2002 at 16:18 +0200:
> I am just working on Squid and SquidGuard and want to know if anybody has some experience with the user authentication.
Yes, I think I did something in this area. I did some work for *secure* authentication with encrypted password transmission, called squid-IP_AUTH. I do not know about SquidGuard.
> I do not want that standard pop-up window for user authentication, but a website in a friendly style, which asks for username and password.
I had another issue: I hate plain text auth (as used in std. ProxyAuth, it's Authtype Basic near all way along, still...). I used a small squid patch (ten lines or such) to change the behavior: instead of sending ProxyAuthNeeded, the proxy sends an HTTP forbidden - of course together with an HTML page. This page contains a login HTML "form". The original URL is supplied in a HIDDEN field.

Well, the login form sends the FORM data via SSL - and by this, encrypted - to a login.cgi. This script queries some external source (I used a samba or WinNT PDC) for checking the password. If it matches, the login.cgi redirects the browser to the original URL. In the meantime, login.cgi also notified a small helper ("miniauth" - AuthenticationServer) about the logged in source IP address. When the browser again requests the URL, squid again asks the AuthenticationServer, but now the client's IP address is allowed to surf.

BTW, this solution (or framework) can do logging and whatever.

You find information at http://sws.dett.de/squid-IP_AUTH.shtml. Of course it's free. I think it's easy to customize all of the parts, and today there is some documentation available (even in English :)).

Please note that squid-IP_AUTH-2.4.STABLE6-9.src.rpm was tested recently but quickly only so far, and an update is pending (adding some features and documentation). However, the idea, the patch and so on have been massively tested on an older version, so I wouldn't expect problems in production.

If you decide to use this work, please let me know. I know a lot of people downloaded this work and played with it, but I do not know how many use it in production.

Thanks to Timo Proescholdt for suggesting that I make the patch available for squid-2.4, since the old versions were outdated. It seems his contributions will be integrated soon (he implemented an LDAP query mode).

oki,

Steffen

--
This letter was generated by machine and therefore bears neither signature nor seal.
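
The login flow described in the message above, as an added Python sketch that is not code from squid-IP_AUTH. The class and function names, the 15-minute idle timeout and the `check_password` callback (standing in for the PDC query) are assumptions; it models the IP table the proxy consults and a login handler that treats the hidden original-URL field as untrusted input.

```python
import time
from urllib.parse import urlsplit

IDLE_TIMEOUT = 15 * 60  # assumed idle timeout in seconds; not from the original post


class IpAuthTable:
    """Stand-in for the "miniauth" helper: remembers which source IPs are logged in."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.monotonic):
        self._timeout = idle_timeout
        self._clock = clock
        self._sessions = {}  # source IP -> (user, time of last request)

    def login(self, ip, user):
        self._sessions[ip] = (user, self._clock())

    def lookup(self, ip):
        """Per-request query from the proxy: the user name, or None if not allowed."""
        entry = self._sessions.get(ip)
        if entry is None:
            return None
        user, last_seen = entry
        if self._clock() - last_seen > self._timeout:
            del self._sessions[ip]  # expired: the next host on this IP logs in again
            return None
        self._sessions[ip] = (user, self._clock())  # activity refreshes the entry
        return user


def safe_redirect_target(url):
    """The hidden field is client-controlled: accept only absolute http/https/ftp URLs."""
    if any(c.isspace() or ord(c) < 0x20 for c in url):
        return None  # CR/LF etc. would allow response header injection
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme.lower() not in ("http", "https", "ftp") or not parts.hostname:
        return None
    return url


def handle_login(table, check_password, client_ip, user, password, orig_url):
    """Model of login.cgi for the HTTPS form POST: returns (status, headers)."""
    if not check_password(user, password):
        return 403, {}
    table.login(client_ip, user)
    target = safe_redirect_target(orig_url)
    if target is None:
        return 200, {}  # logged in, but no redirect to an unvetted target
    return 302, {"Location": target}
```

Because the allow decision is keyed on source IP alone, every client behind the same address (NAT, terminal server, shared workstation) inherits the login until the entry expires.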