Re: [squid-users] Solutions for transparent + proxy_auth?

From: Steve Brown <[email protected]>
Date: Tue, 21 Feb 2006 10:03:15 -0600

OK, I talked to the boss about this and he doesn't like my
explanations. I need to better understand the reasons why not.

> You wouldn't stand for your browser to submit
> credentials to any old server that asks for it, ESPECIALLY when you, the
> user, are not expecting it to hand out any information. Attempts to enforce
> transparent proxying plus authentication will just fill your log files with
> squid saying things like "authentication not required for accelerated
> requests".

In the specific scenario I mentioned, the browser isn't submitting any
credentials. The traffic is being intercepted and routed through a
local proxy which in turn forwards requests to a remote proxy w/
authentication. It seems to me that the browser is completely unaware
that there is any interception taking place. Isn't that the point?

> If you want authentication the best you will be able to do is allow requests
> to the proxy (when they put the proxy information in their browser) and then
> deny any port 80 traffic (unproxied traffic). If they remove the proxy
> information, their web browsing will be met with a squid (or iptables)
> access denied message until they replace the proxy information to how it
> was.

So what is the purpose of the login parameter for the peer_cache config option?

Thanks for the explanations.
Received on Tue Feb 21 2006 - 09:03:21 MST