Jul 23, 2012

I’ve had a bunch of questions on my Squid LDAP transparent proxy authentication script about whether or not it is possible to use cookies for Squid proxy authentication with a transparent proxy. The answer I have arrived at, both by research and by my own deductive reasoning, is no.

Before we go into more detail about why, let’s first remind ourselves why you can’t use authentication with a transparent/interception proxy in Squid. To reiterate the earlier article: the user’s browser is not expecting to be asked for authentication, and it would be a huge security issue if the browser simply started sending authentication information to any intercepting program when the user has not told it to do so. I do not think that this will ever become possible.

So, to get around this we invented the IP based authentication solution. What the script I have written (with parts borrowed from other people; for this please consult the references) does is display a custom web page, served by Apache, that handles the authentication using HTML forms and POST variables. Squid does not handle any authentication, and the browser is not bothered by anything it does not need to be concerned with.

On the Squid side, another custom script comes into play. Squid passes that script the IP address of the user trying to access the web, and the script looks that IP up in the MySQL database that stores the authenticated IP addresses. If there is a hit it returns success; otherwise, the user is denied.
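As an added example (not the author’s script, which is not reproduced on this page), here is how such a Squid external ACL helper can be put together in Python. The helper protocol is Squid’s own: with `%SRC` in the `external_acl_type` line, Squid writes one line per request containing the client IP and expects `OK` or `ERR` back on stdout. Everything else is an assumption made for the demo: sqlite3 stands in for the MySQL table, the table layout (`ip`, `username`, `expires`) is constructed, and `record_login` plays the part of the Apache login page writing the row. The expiry column goes beyond the article: it bounds how long an address stays authorized, which limits how long a shared machine stays open after one user logs in.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: allow a request if the client IP has an
unexpired login record.

Example code written for this article, not the author's script. sqlite3
replaces the MySQL table so the demo runs stand-alone; the table layout
below is a constructed assumption.
"""
import sqlite3
import sys
import time


def open_db(path=":memory:"):
    """Open the IP table (in memory here; a real deployment uses MySQL)."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS auth_ips ("
        "ip TEXT PRIMARY KEY, username TEXT NOT NULL, expires INTEGER NOT NULL)"
    )
    return conn


def record_login(conn, ip, username, ttl_seconds, now=None):
    """What the Apache login page does after a successful form/LDAP login:
    bind the client IP to the user for a limited time (assumed layout)."""
    now = int(time.time()) if now is None else now
    conn.execute(
        "INSERT OR REPLACE INTO auth_ips (ip, username, expires) VALUES (?, ?, ?)",
        (ip, username, now + ttl_seconds),
    )
    conn.commit()


def lookup(conn, ip, now=None):
    """Return the username bound to an unexpired record for ip, else None."""
    now = int(time.time()) if now is None else now
    row = conn.execute(
        "SELECT username FROM auth_ips WHERE ip = ? AND expires > ?", (ip, now)
    ).fetchone()
    return row[0] if row else None


def decide(conn, request_line, now=None):
    """Turn one helper input line into Squid's reply.

    With 'external_acl_type ... %SRC /path/helper' Squid sends one line per
    request holding the client IP. 'OK user=<name>' grants access and lets
    Squid log the user name; 'ERR' denies.
    """
    parts = request_line.strip().split()
    if not parts:
        return "ERR"
    ip = parts[0]
    user = lookup(conn, ip, now)
    if user is None:
        return "ERR"
    return "OK user=%s" % user


def main():
    conn = open_db(":memory:")  # real deployment: connect to the MySQL table
    for line in sys.stdin:
        sys.stdout.write(decide(conn, line) + "\n")
        sys.stdout.flush()  # Squid waits for each reply; never leave it buffered


if __name__ == "__main__":
    main()
```

On the Squid side this pairs with lines of the form `external_acl_type ip_auth ttl=60 negative_ttl=5 %SRC /usr/local/bin/ip_auth_helper.py`, `acl authenticated external ip_auth` and `http_access allow authenticated` (the path is a placeholder). The `ttl=` cache keeps Squid from hitting the database on every request, so a login record that expires in the table may still be honoured for up to that many seconds.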

This is a rather simple solution. However, there is one flaw: it is IP based. This means that if you have a bunch of users logging in to just one machine with just one IP, then once one user authenticates, every user on that machine has the same access. This could be a problem.

I looked at external_acl_type in the squid.conf file to see if there were any other useful variables that could be passed to a custom script to let us get around this issue. What I did find is that it allows you to look up headers using %<{Hdr:member} and %<{Hdr:;member}. This means that, yes, Squid can read cookies that are saved in the user’s browser.

However, the fatal drawback, or rather the wonderful security goodness, of cookies is that they all have a domain attribute set. This means the browser will only send a given cookie to a specific domain (consult RFC 2109 for more info). Since in most cases it’s not feasible to set a cookie for every single domain a user will access, the cookie method is not going to work for transparent authentication.

Another drawback is that other programs, such as Windows Update or any other software, have no knowledge of the cookie in your browser. So even if a cookie granting access to all web pages worked for your Mozilla Firefox browser, it would not work for the software that updates Windows, or for your IM software, which now can’t connect to its IM server.

In conclusion, I think IP based authentication is the best way to go for transparent authentication. Your mileage may vary. If it does I’d love to hear about it.

One Response to “Is Squid transparent proxy auth with cookies possible?”

1. Well stated. I’ve finally gone to explicit proxy. Not as bad as I thought; there is even a GPO that auto-configures Firefox.
