Re: [squid-users] Squid plugin sponsor

2022-02-11 Thread Eliezer Croitoru
Hey David,

The general name of this concept is SSO service.

It can have single or multiple backends.

The main question is how to implement the solution in the optimal way possible
(taking into account money, coding complexity and other human parts).

You will need to authenticate the client against the main AUTH service.

There is a definitive way or a statistical way to implement this solution.

With AD or Kerberos it’s possible to implement the solution in such a way that
Windows will “transparently” authenticate to the proxy service.

However you must understand that all of this requires an infrastructure that
will provide every piece of the setup.

If your setup doesn’t contain RDP-like servers then it’s possible that you can
authenticate a user with an IP, compared to pinning every connection to a specific user.

Also, the “cost” of non-transparent authentication is that the user will be
required to enter (manually or automatically) the username and the password.

A HotSpot-like setup is called a “Captive Portal” and it’s a very simple setup
to implement with Active Directory.

It’s also possible to implement a transparent authentication for such a setup
based on session tokens.

 

You actually don’t need to create a “fake” helper for such a setup but you can
create one that is based on Linux.

It’s an “Advanced” topic but if you do ask me it’s possible that you can take
this in steps.

The first step would be to use a session helper that will authenticate the user
and will identify the user based on its IP address.

If it’s a wireless setup you can use a RADIUS-based authentication (it can also
be implemented on a wired setup).

Once you authenticate the client transparently or in another way you can
limit the usage of the username to a specific client, and with that comes a
guaranteed situation that a username will not be used from two sources.

I don’t know about your experience but the usage of a captive portal is very
common in such situations.

The other option is to create an agent on the client side that will identify
the user against the proxy/auth service and it will create a situation in which
an authorization will be acquired based on some degree of authentication.

 

In most SSO environments it’s possible that per request/domain/other there is a
transparent validation.

In all the above scenarios which require authentication, the right way to do it
would be to use the proxy as a configured proxy compared to transparent.

I believe that one thing to consider is that once you authenticate against a
RADIUS service you would just minimize the user interaction.

The main point from what I understand is to actually minimize the
authentication steps of the client.

 

My suggestion for you is to first try and assess the complexity of a session
helper, RADIUS and captive portal.

These are steps that you will need to do in order to assess the necessity of
transparent SSO.

Also take your time to compare how a captive portal is configured in the
following general products:

*   Palo Alto
*   FortiGate
*   Untangle
*   Others

From the documentation you would see the different ways and “grades” in which they
implement the solutions.

Once you know what the market offers and their equivalent costs you will
probably understand what you want and what you can afford to invest in the
development process of each part of the setup.

 

All The Bests,

Eliezer

 



Eliezer Croitoru

NgTech, Tech Support

Mobile: +972-5-28704261

Email: ngtech1...@gmail.com  

 

From: squid-users  On Behalf Of 
David Touzeau
Sent: Friday, February 11, 2022 17:03
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid plugin sponsor

 

Hello

Thank you but this is not the objective and this is the reason for needing the
"fake".
Access to the Kerberos or NTLM ports of the AD is not possible. An LDAP server
would be present with account replication.
The idea is to do a silent authentication without joining the AD.
We do not need the double user/password credentials; only the user sent by the
browser is required.

If the user has an Active Directory session then his account is automatically
sent without him having to take any action.
If the user is in a workgroup then the account sent will not be in the LDAP
database and will be rejected.
I don't need to argue about the security value of this method. It saves us from
setting up a gas factory to make a kind of HotSpot.

On 11/02/2022 at 05:55, Dieter Bloms wrote:

Hello David,

for me it looks like you want to use Kerberos authentication.
With Kerberos authentication the user doesn't have to authenticate against
the proxy. The authentication is done in the background.

Maybe this link will help:

https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

On Thu, Feb 10, David Touzeau wrote:

Hi

What we are looking for is to retrieve a "user" token without having to 
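The session helper Eliezer describes (identify the user by client IP and keep one username from being used from two sources), as an added example that is not from this thread or from Squid's own helpers. It assumes Squid runs it as an external ACL with the client IP as the only format token, e.g. `external_acl_type ipsession ttl=60 %SRC /usr/local/bin/ipsession.py` followed by `acl known_user external ipsession`; the session table is constructed inline.

```python
import sys
import time

SESSION_TTL = 8 * 3600   # seconds a portal/RADIUS login stays valid

# Constructed sample session table: client IP -> (username, login time).
# A captive portal or RADIUS accounting feed would populate this in practice.
SESSIONS = {
    "10.0.0.11": ("alice", time.time()),
    "10.0.0.12": ("bob", time.time() - 2 * SESSION_TTL),   # already expired
}

def lookup(ip, now=None, sessions=None):
    """Reply for one external ACL request carrying the client IP (%SRC).

    Squid accepts "OK" or "ERR", optionally followed by key=value pairs;
    "user=" on an OK reply sets the username Squid logs and exposes to
    later ACLs without the browser ever seeing a credential prompt.
    """
    now = time.time() if now is None else now
    sessions = SESSIONS if sessions is None else sessions
    entry = sessions.get(ip)
    if entry is None:
        return "ERR message=no-session"
    user, login_time = entry
    if now - login_time > SESSION_TTL:
        return "ERR message=session-expired"
    # Bind each username to a single address: a live session for the same
    # account from another IP refuses both until one of them logs in again.
    clash = [a for a, (u, t) in sessions.items()
             if u == user and a != ip and now - t <= SESSION_TTL]
    if clash:
        return "ERR message=user-active-elsewhere"
    return "OK user=%s" % user

def main():
    # Helper loop: Squid sends one request per line and waits for one reply.
    for line in sys.stdin:
        fields = line.split()
        if not fields:
            continue
        sys.stdout.write(lookup(fields[0]) + "\n")
        sys.stdout.flush()

if __name__ == "__main__":
    main()
```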

Re: [squid-users] Squid plugin sponsor

2022-02-11 Thread David Touzeau

Hello

Thank you but this is not the objective and this is the reason for
needing the "fake".
Access to the Kerberos or NTLM ports of the AD is not possible. An LDAP
server would be present with account replication.

The idea is to do a silent authentication without joining the AD.
We do not need the double user/password credentials; only the user sent
by the browser is required.


If the user has an Active Directory session then his account is
automatically sent without him having to take any action.
If the user is in a workgroup then the account sent will not be in the
LDAP database and will be rejected.
I don't need to argue about the security value of this method. It saves
us from setting up a gas factory to make a kind of HotSpot.


On 11/02/2022 at 05:55, Dieter Bloms wrote:

Hello David,

for me it looks like you want to use Kerberos authentication.
With Kerberos authentication the user doesn't have to authenticate against
the proxy. The authentication is done in the background.

Maybe this link will help:

https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

On Thu, Feb 10, David Touzeau wrote:


Hi

What we are looking for is to retrieve a "user" token without having to ask
anything from the user.
That's why we're looking at Active Directory credentials.
Once the user account is retrieved, a helper would be in charge of checking
if the user exists in the LDAP database.
This is to avoid any connection to an Active Directory
Maybe this is impossible


On 10/02/2022 at 05:03, Amos Jeffries wrote:

On 10/02/22 01:43, David Touzeau wrote:

Hi

I would like to sponsor the improvement of ntlm_fake_auth to support
new protocols

ntlm_* helpers are specific to NTLM authentication. All LanManager (LM)
protocols should already be supported as well as currently possible.
NTLM is formally discontinued by MS and *very* inefficient.

NP: NTLMv2 with encryption does not *work* because that encryption step
requires secret keys the proxy is not able to know.


or go further produce a new negotiate_kerberos_auth_fake


With current Squid this helper only needs to produce an "OK" response
regardless of the input. The basic_auth_fake does that.

Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

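What a "fake" NTLM helper actually does with the browser's type-3 token (read the account name, verify nothing) combined with the LDAP-existence check David wants, as an added example that is neither ntlm_fake_auth nor any Squid code. Assumptions: Squid speaks the legacy `KK` / `AF` / `NA` helper lines and the challenge step (`YR` / `TT`) is not shown; the directory is a constructed set in place of the replicated LDAP.

```python
import base64
import struct

DIRECTORY = {"alice", "bob"}     # constructed stand-in for the LDAP replica (uids)
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001

def _buf(msg, off):
    # One MS-NLMP security buffer: uint16 len, uint16 maxlen, uint32 offset.
    length, _maxlen, start = struct.unpack_from("<HHI", msg, off)
    if start + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[start:start + length]

def type3_user(msg):
    """Return (domain, user) from an NTLMSSP AUTHENTICATE_MESSAGE (type 3).
    Header (MS-NLMP 2.2.1.3): signature 0:8, type 8:12, LM resp 12:20, NT resp
    20:28, DomainName 28:36, UserName 36:44, Workstation 44:52, session key
    52:60, NegotiateFlags 60:64. The NT response is never checked (that would
    need the account's key), so the extracted name is only the client's claim.
    """
    if len(msg) < 64 or msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM type-3 message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "cp850"
    return _buf(msg, 28).decode(enc), _buf(msg, 36).decode(enc)

def handle_kk(b64token, directory=DIRECTORY):
    """Answer Squid's 'KK <base64 type-3>' line with 'AF user' or 'NA reason'."""
    try:
        _domain, user = type3_user(base64.b64decode(b64token))
    except (ValueError, struct.error):
        return "NA malformed-token"
    user = user.lower()
    # Existence check only: a workgroup account absent from the replica is refused.
    return "AF %s" % user if user in directory else "NA unknown-user"

def build_type3(domain, user, unicode=True):
    """Constructed sample token for the checks; LM/NT responses left empty."""
    enc = "utf-16-le" if unicode else "cp850"
    d, u = domain.encode(enc), user.encode(enc)
    end = 64 + len(d) + len(u)
    hdr = b"NTLMSSP\x00" + struct.pack("<I", 3)
    hdr += struct.pack("<HHI", 0, 0, 64) * 2                  # LM and NT responses
    hdr += struct.pack("<HHI", len(d), len(d), 64)             # DomainName
    hdr += struct.pack("<HHI", len(u), len(u), 64 + len(d))    # UserName
    hdr += struct.pack("<HHI", 0, 0, end) * 2                  # Workstation, session key
    hdr += struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE if unicode else 0)
    return hdr + d + u

def sample_kk_token(domain, user, unicode=True):
    return base64.b64encode(build_type3(domain, user, unicode)).decode("ascii")
```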


Re: [squid-users] Vulnerabilities with squid 4.15

2022-02-11 Thread robert k Wild
OK so build my Squid 4.17 with this option

--disable-wccpv2

as I have no lines in my squid.conf referencing wccp.

Is that what I should do? TBH I don't even know if I do or don't need WCCP.

On Fri, 11 Feb 2022 at 02:27, Amos Jeffries  wrote:

> On 11/02/22 07:55, robert k Wild wrote:
> > Hi all,
> >
> > Is there any security vulnerabilities with squid 4.15, should I update
> > to 4.17 or is it OK to still use as my squid proxy server
> >
> > Sorry for silly question
> >
>
> Not silly.
>
> There is this one for WCCP:
> <
> https://github.com/squid-cache/squid/security/advisories/GHSA-rgf3-9v3p-qp82
> >
>
> However, be aware that the patch has been found to prevent all traffic
> from some routers. We are working on the fix for that.
>
>
> Amos
>


-- 
Regards,

Robert K Wild.
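One way to answer "am I using WCCP?" offline, as an added example (not from this thread or from Squid): feed it the text of squid.conf and the output of `squid -v`, and it reports which WCCP versions are compiled in and which the config actually switches on. It assumes the configure default builds both versions in when no --enable/--disable flag is present; the sample inputs are constructed.

```python
import re

def wccp_state(squid_conf, squid_v):
    """Report whether WCCP is compiled in and whether squid.conf turns it on.

    squid_conf: text of squid.conf (files it includes must be concatenated
    in by the caller). squid_v: output of `squid -v`, whose "configure
    options:" line lists the build flags. Assumption: when neither
    --enable-wccp nor --disable-wccp (likewise wccpv2) appears, the
    configure default applies, which builds the protocol in.
    """
    found = {"wccp": [], "wccpv2": []}
    for raw in squid_conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        directive = line.split()[0]
        if directive.startswith("wccp2_"):
            found["wccpv2"].append(line)
        elif directive.startswith("wccp_"):
            found["wccp"].append(line)
    built = {"wccp": True, "wccpv2": True}
    for mode, name in re.findall(r"--(enable|disable)-(wccpv2|wccp)\b", squid_v):
        built[name] = (mode == "enable")
    # Only the *_router directives make Squid talk to a router; the other
    # wccp directives just tune a session that never starts without one.
    active = {
        "wccp": built["wccp"] and any(l.startswith("wccp_router ") for l in found["wccp"]),
        "wccpv2": built["wccpv2"] and any(l.startswith("wccp2_router ") for l in found["wccpv2"]),
    }
    return {"built": built, "directives": found, "active": active}

# Constructed sample inputs resembling Robert's situation: a source build
# with no wccp lines, next to a config that does enable WCCPv2.
SAMPLE_V = ("Squid Cache: Version 4.17\nService Name: squid\n"
            "configure options:  '--prefix=/usr/local/squid' '--enable-ssl-crtd'\n")
NO_WCCP_CONF = "http_port 3128\n# wccp2_router 10.0.0.1  (commented out)\ncache_mem 256 MB\n"
WCCP_CONF = "http_port 3128\nwccp2_router 10.0.0.1\nwccp2_service standard 0\n"
```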


Re: [squid-users] Vulnerabilities with squid 4.15

2022-02-11 Thread robert k Wild
Thanks Amos and Eliezer!

TBH I don't know if I'm using WCCP with my Squid version, sorry, how do I
find that out?

I am using SSL Bump, i.e. SSL interception, and for a few websites I'm doing no SSL
intercept with splice/peek/bump.

Hope that helps

On Fri, 11 Feb 2022 at 05:24, Eliezer Croitoru  wrote:

> Hey Robert,
>
>
>
> Don’t rush with the move from CentOS 7 to Ubuntu yet, CentOS 7 has good
> support for at least a year from now.
>
> I can try to help you by providing RPMs that have support for eCAP, which I
> understand you need.
>
> Alternatively I can try to build an upgrade process for your self-compiled
> version.
>
>
>
> I can recommend both:
>
>    - Amazon Linux 2
>    - Oracle Enterprise Linux 8\7
>    - openSUSE
>
>
>
> As a general alternative which I can support the RPM builds for.
>
> I have also built binaries for Ubuntu and Debian but in a non deb package
> file but will be signed by me.
>
>
>
> As Amos mentioned the current issue is with WCCP based setups.
>
> Can you please elaborate more on whether you are using WCCP in your setup?
>
> Also, are you using SSL-Bump by any chance? (I really don’t know about a
> setup that doesn’t require this these days)
>
>
>
> If you would be able to share more information on your setup so I might be
> able to clone such a setup it will help a lot.
>
>
>
> Thanks,
>
> Eliezer
>
>
>
>
>
>
> *From:* robert k Wild 
> *Sent:* Thursday, February 10, 2022 21:28
> *To:* NgTech LTD 
> *Cc:* Squid Users 
> *Subject:* Re: [squid-users] Vulnerabilities with squid 4.15
>
>
>
> I have Squid running on CentOS 7.9, I will move to Ubuntu 20.04.3 as
> CentOS is officially dead to me
>
>
>
> I have compiled from source, i.e. make, make install, as I'm running Squid with
> squidclamav, c-icap and c-icap modules
>
>
>
> All instances I have compiled from source, i.e. make, make install
>
>
>
> I did a yum install clamav
>
>
>
> On Thu, 10 Feb 2022, 19:20 NgTech LTD,  wrote:
>
> Hey Robert,
>
>
>
> First: your question is not silly.
>
> The answer will differ based on the complexity of the upgrade process.
>
> What OS are you using and also, did you compile Squid from sources or
> install it from a specific package?
>
> Also, what is your Squid setup's purpose?
>
>
>
> Eliezer
>
>
>
> On Thu, 10 Feb 2022, 20:56, robert k Wild <
> robertkw...@gmail.com>:
>
> Hi all,
>
>
>
> Is there any security vulnerabilities with squid 4.15, should I update to
> 4.17 or is it OK to still use as my squid proxy server
>
>
>
> Sorry for silly question
>
>
>
> Thanks,
>
> Rob
>
>
>

-- 
Regards,

Robert K Wild.


Re: [squid-users] [squid-announce] Squid 5.4 is available

2022-02-11 Thread FredB

Hi,


What is this image general purpose?

Have a containerized Squid, easy to install and upgrade, and In my case 
use multi proxies on same machine


Enabled options, here: 
https://gitlab.com/fredbcode-images/squid/-/blob/master/Dockerfile#L8


Squid is automatically compiled, tested (I will add more tests soon) and
finally released as an image every week.


When a test fails, there is no new release.

I'm already using this process for e2guardian, a pipeline runs every 
time a commit is merged:


You can click on each state to see the process:
https://gitlab.com/fredbcode/e2guardian/-/pipelines/463682244
Example Debian compilation: 
https://gitlab.com/fredbcode/e2guardian/-/jobs/2055075483


Packages, docker images, are generated when nothing is wrong -> In this 
situation I'm testing the web filtering with e2guardian and SSL MITM 
mode enabled



In what environment can it be used?

Any 64-bit with Docker (I think it could also work on Windows, not
sure), but only for x86 and ARM v8 architectures



I have seen that the docker-compose contains three containers:

  * Squid
  * e2guardian
  * other

It's just a basic example for a simple web filtering machine in ICAP
mode, work in progress ...
When I have more time, hum, I will add a load balancer (traefik, HAProxy, ?)
for an out-of-the-box little platform with Squid multi instances.
I also added some options to my image like:

- supgethosts: Squid stops when it can't reach the Internet, useful for multi
  machines and load balancer (or proxy PAC)
- autoreload: if a file is changed/deleted/created Squid reloads automatically

Personally I'm using many Squids on each machine for better performance,
especially with SSL bump


But of course scalability and process life and death use a more
complex mechanism than my simple example


In _my case_ with the same hardware the performance has increased
significantly; I used a single Squid per machine before.

Also better than some proprietary products that I had tried.

Fred