[squid-users] Secure basic authentication on Squid
Colle Christophe
2017-12-04 15:42:30 UTC
Permalink
Hello!

I am currently using Squid for internet access. Currently, "basic" authentication on an LDAP directory is configured to identify users. The problem is that the password is sent in clear (base64) and I am looking for a solution to secure it.

I tested the "Digest" mode, but the result is inconclusive because you have to modify the LDAP directory with an attribute containing the hash of the password. The directory can not be modified in our case.

Is there a solution to secure the "basic" authentication of squid? (with an SSL certificate for example).

Thank you !

--

Chris.
Antony Stone
2017-12-04 15:49:36 UTC
Permalink
Post by Colle Christophe
Is there a solution to secure the "basic" authentication of squid? (with an
SSL certificate for example).
https://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap section
"SSL/TLS_adjustments"?


Antony.
--
"Linux is going to be part of the future. It's going to be like Unix was."

- Peter Moore, Asia-Pacific general manager, Microsoft

Please reply to the list;
please *don't* CC me.
Amos Jeffries
2017-12-04 16:06:03 UTC
Permalink
Post by Antony Stone
Post by Colle Christophe
Is there a solution to secure the "basic" authentication of squid? (with an
SSL certificate for example).
https://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap section
"SSL/TLS_adjustments"?
That is only for securing the connection between Squid and the LDAP
server. It does not affect the credentials themselves.

Amos
Antony Stone
2017-12-04 16:11:12 UTC
Permalink
Post by Amos Jeffries
Post by Antony Stone
Post by Colle Christophe
Is there a solution to secure the "basic" authentication of squid? (with
an SSL certificate for example).
https://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap section
"SSL/TLS_adjustments"?
That is only for securing the connection between Squid and the LDAP
server. It does not affect the credentials themselves.
Right.

Since the original question stated that "the problem is that the password is
sent in clear (base64) and I am looking for a solution to secure it" I assumed
it was the transmission in the clear which needed to be secured.


Antony.
--
"It would appear we have reached the limits of what it is possible to achieve
with computer technology, although one should be careful with such statements;
they tend to sound pretty silly in five years."

- John von Neumann (1949)

Please reply to the list;
please *don't* CC me.
Colle Christophe
2017-12-04 16:13:00 UTC
Permalink
Hi Antony,

Thank you for your answer.

So this only secures the traffic Squid<->LDAP Server, not browsers<->Squid.

Is there a solution to secure communication between the browser and the proxy?



Chris.
Post by Antony Stone
Post by Colle Christophe
Is there a solution to secure the "basic" authentication of squid? (with an
SSL certificate for example).
https://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap section
"SSL/TLS_adjustments"?
Antony.
--
"Linux is going to be part of the future. It's going to be like Unix was."
 - Peter Moore, Asia-Pacific general manager, Microsoft
Please reply to the list;
please *don't* CC me.
_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users
Jason Haar
2017-12-06 06:01:23 UTC
Permalink
To reiterate Alex, "yes you can".

Squid supports "proxy over TLS" as well as the old/default "proxy over TCP"
- you use the https_port option

...but getting browsers to support it is challenging. The best way would be
to create a WPAD file that tells browsers to use "HTTPS" instead of
"PROXY". Then you can just use Proxy-Authentication using Basic and you'd
be all set. BTW, Basic has MAJOR performance benefits over any other form
of authentication IMHO. Basic over TLS is the way to go...


eg something like this

---------------- wpad.dat ----------

function FindProxyForURL(url, host)
{
    // See how I used 443? If you're going to run a TLS-encrypted proxy, make
    // it totally appear as a HTTPS server and run it on port 443...

    // Unqualified names and the local machine go direct.
    if (isPlainHostName(host) || dnsDomainIs(host, "localhost.localdomain")) {
        return "DIRECT";
    }
    // Loopback and RFC 1918 destinations go direct too. Note that isInNet()
    // resolves a non-numeric host through DNS before comparing, so this branch
    // is only as trustworthy as the resolver the browser is using.
    else if (isInNet(host, "127.0.0.0", "255.0.0.0") ||
             isInNet(host, "10.0.0.0", "255.0.0.0") ||
             isInNet(host, "172.16.0.0", "255.240.0.0") ||
             isInNet(host, "192.168.0.0", "255.255.0.0")) {
        return "DIRECT";
    }
    // Everything else goes through the TLS-wrapped proxy ("HTTPS", not "PROXY").
    else {
        return "HTTPS secure-squid.com:443";
    }
}


On Tue, Dec 5, 2017 at 5:13 AM, Colle Christophe <
Post by Colle Christophe
Hi Antony,
Thank you for your answer.
So this only secures the traffic Squid<->LDAP Server, not
browsers<->Squid.
Is there a solution to secure communication between the browser and the proxy?
Chris.
Post by Colle Christophe
Is there a solution to secure the "basic" authentication of squid? (with
an SSL certificate for example).
https://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap section
"SSL/TLS_adjustments"?
Antony.
--
"Linux is going to be part of the future. It's going to be like Unix was."
- Peter Moore, Asia-Pacific general manager, Microsoft
Please reply to the list;
please *don't* CC me.
--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Mathieu Peltier
2017-12-06 08:32:42 UTC
Permalink
Post by Jason Haar
To reiterate Alex, "yes you can".
Squid supports "proxy over TLS" as well as the old/default "proxy over TCP"
- you use the https_port option
...but getting browsers to support it is challenging. The best way would be
to create a WPAD file that tells browsers to use "HTTPS" instead of "PROXY".
Then you can just use Proxy-Authentication using Basic and you'd be all set.
Hi,
Is this secure proxy well supported by other applications than
browsers in general (eg: wget, curl, yum, git, svn, php, ...)?
Thanks,
--
Mathieu Peltier
Amos Jeffries
2017-12-06 09:58:28 UTC
Permalink
Post by Mathieu Peltier
Post by Jason Haar
To reiterate Alex, "yes you can".
Squid supports "proxy over TLS" as well as the old/default "proxy over TCP"
- you use the https_port option
...but getting browsers to support it is challenging. The best way would be
to create a WPAD file that tells browsers to use "HTTPS" instead of "PROXY".
Then you can just use Proxy-Authentication using Basic and you'd be all set.
Hi,
Is this secure proxy well supported by other applications than
browsers in general (eg: wget, curl, yum, git, svn, php, ...)?
Thanks,
Most of the non-Browser tools have been supporting TLS explicit proxies
for decades already and have comparatively easy control over it. Browsers
are the latecomers here.

Amos
Matus UHLAR - fantomas
2017-12-06 10:57:30 UTC
Permalink
Post by Amos Jeffries
Post by Mathieu Peltier
Post by Jason Haar
To reiterate Alex, "yes you can".
Squid supports "proxy over TLS" as well as the old/default "proxy over TCP"
- you use the https_port option
...but getting browsers to support it is challenging. The best way would be
to create a WPAD file that tells browsers to use "HTTPS" instead of "PROXY".
Then you can just use Proxy-Authentication using Basic and you'd be all set.
Is this secure proxy well supported by other applications than
browsers in general (eg: wget, curl, yum, git, svn, php, ...)?
Thanks,
Most of the non-Browser tools have been supporting TLS explicit
proxies for decades already and have comparatively easy control over
it. Browsers are the latecomers here.
but they mostly do not support WPAD, because they do not support javascript.

there is sw called libproxy that supports at least the part needed for WPAD
but I'm not sure how many of those tools support it.
--
Matus UHLAR - fantomas, ***@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Honk if you love peace and quiet.
Yuri
2017-12-06 12:10:44 UTC
Permalink
Post by Matus UHLAR - fantomas
Post by Amos Jeffries
Post by Mathieu Peltier
Post by Jason Haar
To reiterate Alex, "yes you can".
Squid supports "proxy over TLS" as well as the old/default "proxy over TCP"
- you use the https_port option
...but getting browsers to support it is challenging. The best way would be
to create a WPAD file that tells browsers to use "HTTPS" instead of "PROXY".
Then you can just use Proxy-Authentication using Basic and you'd be all set.
Is this secure proxy well supported by other applications than
browsers in general (eg: wget, curl, yum, git, svn, php, ...)?
Thanks,
Most of the non-Browser tools have been supporting TLS explicit
proxies for decades already and have comparatively easy control over
it. Browsers are the latecomers here.
but they mostly do not support WPAD, because they do not support javascript.
there is sw called libproxy that supports at least the part needed for WPAD
but I'm not sure how many of those tools support it.
.... however CLI tools often understand http_proxy/https_proxy
environment variables.....
--
"Some people, when confronted with a problem, think «I know, I'll use regular expressions.» Now they have two problems."
--Jamie Zawinski

**************************
* C++: Bug to the future *
**************************
Amos Jeffries
2017-12-04 17:05:45 UTC
Permalink
Post by Colle Christophe
Hello!
I am currently using Squid for internet access. Currently, "basic"
authentication on an LDAP directory is configured to identify users. The
problem is that the password is sent in clear (base64) and I am looking
for a solution to secure it.
I tested the "Digest" mode, but the result is inconclusive because you
have to modify the LDAP directory with an attribute containing the hash
of the password. The directory can not be modified in our case.
Should not have to. The helper should be able to treat the LDAP as
containing the username+password in clear text and do all the hashing
itself as needed.

(NP: I'm not sure why some of the documentation for digest_ldap_auth
says "(REQUIRED)" on the -e option. It is an option because you get to
choose whether it is done that way or not.)
Post by Colle Christophe
Is there a solution to secure the "basic" authentication of squid? (with
an SSL certificate for example).
Plain text username+password is what "Basic" means. There are ways to
secure the credentials values by using one-time passwords but it is very
rare for client software to support that kind of thing. Normally they
only support the standard Basic credentials.


"Digest" is an entirely different authentication protocol which has
several modes of use from very weak to reasonably strong security.
Though in my experience Browsers screw up quite often with the strong
security mode.


"SSL certificate" - if by that you mean TLS client certificates, is part
of TLS and has nothing to do with HTTP. Squid does support those for
securing TLS connections to the proxy, but I'm not sure how well using
them as user credentials works.

Amos
Alex Rousskov
2017-12-04 17:57:24 UTC
Permalink
Post by Amos Jeffries
Post by Colle Christophe
I am currently using Squid for internet access. Currently, "basic"
authentication on an LDAP directory is configured to identify users.
The problem is that the password is sent in clear (base64) and I am
looking for a solution to secure it.
Is there a solution to secure the "basic" authentication of squid?
(with an SSL certificate for example).
Plain text username+password is what "Basic" means.
One can have HTTP Basic authentication inside a TLS connection.

There are several mostly independent pieces here:

1. Basic authentication:

S1. Squid definitely supports HTTP Basic authentication. That code works
in production.

B1. Popular browsers definitely support HTTP Basic authentication.


2. HTTPS proxy:

S2. Squid definitely supports TLS connections between an HTTP browser
and Squid. That code works in production. It can be tested using modern
cURL command line tool versions:
https://daniel.haxx.se/blog/2016/11/26/https-proxy-with-curl/

B2. Popular browsers claim to support TLS connections to HTTP proxies,
but that support is difficult to enable in the browser. Please do not
confuse this support with CONNECT requests. HTTP CONNECT is about TLS
connections to origin servers, not proxies.


3. TLS client certificate authentication:

S3. Squid also supports authentication based on TLS client certificates.
AFAIK, that code works in production.

B3. I do not know whether popular browsers support sending TLS client
certificates, but I would expect that at least some of them do.


Combining the above pieces:

Squid probably supports the combination of S1 and S2. I would not be
surprised if the combination of S1, S2, and S3 also works.

Popular browsers should support the combination of B1 and B2. If they
do, then I would expect them to support the combination of B1, B2, and B3.


Alex.