Re: [squid-users] Solutions for transparent + proxy_auth?

From: Kinkie <[email protected]>
Date: Tue, 21 Feb 2006 10:01:27 +0100

On Mon, 2006-02-20 at 21:28 -0600, Steve Brown wrote:
> > http://squidwiki.kinkie.it/SquidFaq/InterceptionProxy
>
> I'm confused by this link. You tell me to "drop it" and point me to a
> page that has two paragraphs about why it *shouldn't* be done, then
> spends the next three pages describing all the ways it can be done?

It _can_ be done, and in some cases it's the best available solution.
HOWEVER if I remember correctly you want to authenticate users in a
transparent environment, and it won't work. It's not a squid bug, or
misfeature, it's actually a *browser feature*.

Quoting from that page (I've added the chapter yesterday as it's an
all-time FAQ, it could use some proofreading ;)

====================
Interception Proxying works by having an active agent (the proxy) where
there should be none. The browser is not expecting it to be there, and
it's for all effects and purposes being cheated. If I were an user of
that browser, I would require it not to give away any credentials to an
unexpected party, wouldn't you? Especially so when it can do so without
notifying the user, like Microsoft browsers can do when the proxy offers
any of the Microsoft-designed authentication schemes
(see ../ProxyAuthentication and NegotiateAuthentication).

In other words, it's not a bug, but a security feature.
====================

        Kinkie
Received on Tue Feb 21 2006 - 02:01:33 MST

This archive was generated by hypermail pre-2.1.9 : Wed Mar 01 2006 - 12:00:03 MST