Squid Package Authentication - $500 {RETRACTED}
-
This bounty is for adding complete authentication to the squid package. When finished, the complete bounty will allow for the following methods of authentication to work with squid:
- Internal
- RADIUS
- LDAP
- Active Directory
- Novell eDirectory
All authentication settings should be completely synch-able with CARP.
In the existing user interface, a pull-down menu allows for the selection of the authentication method. By selecting a particular method, the rest of the page should re-draw with configuration items that are relevant only to that particular authentication method. It should be noted that authentication can be used in conjunction with transparent-mode, although authentication should be accomplished on a separate port, and this should also be configurable in the user interface.
With the internal authentication page, there should be an interface for adding users and passwords, as well as an interface for doing an upload of a properly formatted text file already containing usernames and passwords.
With the LDAP, Active Directory and eDirectory configuration sections there should be an interface for entering all the relevant information for having the pfSense box(es) query the directory server in question with authentication credentials of the end proxy-user.
Appropriate error reporting must be included to help diagnose when the pfSense box(es) are not configured properly in some respect (i.e. an error when trying to join an Active Directory domain).
Let me know if you have additional questions on this project.
-
Accepted.
I will start working on this in the next week or so. Take note that in the last week of January (26th Jan starting) I will not be available for comments or questions during that time.
I will update this thread whenever I manage to implement a feature.
- I consider a statistics tool like sarg or to be an optional component and not included in the bounty.
- Content filtering in the form of squidguard or dansguardian is considered a separate package.
-
Both of your assertions are correct. This bounty does not include any reporting tools like SARG or any content filtering tools. I am purely interested in adding working authentication to squid by itself. If someone else wants to build on top of that and do a SARG package or what have you, that's fine, but I'm not paying for it. ;D
I would also ask that people not post to this thread with feature requests unless you are willing to contribute to the bounty. Suggestions on how to improve the existing specification are, however, welcome.
-
I'm interested in contributing to this with a couple of hundred bucks or so, but I need some more info:
Will this 'feature' work with multiple LAN NIC interfaces simultaneously?
Also I need to know if this will restrict any access to any internet service w/o authentication (not just ports 80 and 443) or if it is just for caching and authenticating HTTP content.
If the latter is the case, I have two additional questions:
What is the difference between this and the Captive Portal feature?
If this squid auth is enabled and an unauthenticated user tries to access, say torrent ports, will he be allowed or not?
Thanks for short comments on these issues and if it suits my needs I will contribute…
Regards, Hank
-
This will work with multiple NICs and multiple servers on different interfaces. I don't see why not.
Restrict internet access without authentication. That's the point of authentication really.
But a whitelist that may be accessed without authentication is pretty common.
Squid is inherently only for HTTP and HTTPS access. Although you can tunnel just about anything through it, it's not done that often. The captive portal authentication is for authenticating a user and permitting internet access to any port anywhere if your rule permits this. Look at this like ethernet authentication. There is no content filtering whatsoever, bar what the firewall rule on the CP interface permits.
Squid auth should probably be used in the following scenario, which I deem to be "proper for business networks".
Deny all outbound traffic on the LAN interface except for some bare essentials like AV, Windows updates and some critical things like DNS etc. This also applies to almost any interface, especially LAN and DMZ.
Set up a wpad.domain.com host on your network, set up a web server for that name, create a proxy autoconfiguration script called wpad.dat in the root of that webhost and for good measure also make one called proxy.pac.
Set up Squid to authenticate to your favorite choice of authentication servers; one of the best is using NTLM authentication against AD controller(s).
Check the "autodetect proxy settings" in IE or Firefox and all the browsers will seamlessly connect to the internet whilst all content can be filtered and all traffic is logged by username. And because all authentication is transparent and invisible to the user it is also a bit harder to defraud one of the other employees by stealing the internet with their account. Or even worse, do lewd things. :-) This is what I suggest for any business as this also suppresses the fallout from viruses, botnets and other trojan mail programs etc., without being cut off from the internet by your provider.
And something like sarg can make you pretty statistics for the management.
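A wpad.dat / proxy.pac script for the setup sketched in this post, added here as an illustration and not taken from the thread or from the pfSense package; proxy.example.lan:3128 and the .example.lan suffix are assumed names (the proxy name would resolve to the CARP VIP), and the three helper functions are local stand-ins for the ones a browser supplies so the file can be exercised offline in Node:

```javascript
// Stand-ins for the PAC helper functions a browser normally provides.
// They exist only so this file runs offline; isInNet here accepts dotted
// quads only, whereas a browser's version also resolves host names.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
function isInNet(ip, pattern, mask) {
  var toInt = function (a) {
    return a.split(".").reduce(function (acc, o) {
      return (acc << 8) | parseInt(o, 10);
    }, 0) >>> 0;
  };
  var m = toInt(mask);
  return (toInt(ip) & m) === (toInt(pattern) & m);
}

// Assumed proxy name; point it at the CARP virtual IP of the pfSense pair.
var PROXY_LIST = "PROXY proxy.example.lan:3128";
var IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

function FindProxyForURL(url, host) {
  // Squid only fronts HTTP/HTTPS; anything else goes direct, and with the
  // LAN deny-all rule in place it simply fails instead of bypassing auth.
  if (url.substring(0, 5) !== "http:" && url.substring(0, 6) !== "https:") {
    return "DIRECT";
  }
  // Unqualified names, the internal domain (including the wpad host itself)
  // and RFC 1918 ranges are reached without the proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.lan")) {
    return "DIRECT";
  }
  if (IPV4.test(host) &&
      (isInNet(host, "10.0.0.0", "255.0.0.0") ||
       isInNet(host, "172.16.0.0", "255.240.0.0") ||
       isInNet(host, "192.168.0.0", "255.255.0.0"))) {
    return "DIRECT";
  }
  // Everything else is forced through the authenticating proxy, so it is
  // logged by username and subject to the firewall's outbound block.
  return PROXY_LIST;
}
```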
-
As the developer who was going to take on this bounty is not going to be available to work on it in the time frame I wanted, and no other developers are currently interested in doing this bounty, I'm retracting it. Thanks.