Encrypted IP-Based authentication Idea
(README.IP_AUTH $Revision: 1.1 $)

The newest version of this and other documentation can be found on the Internet: http://sws.dett.de/squid-IP_AUTH

Introduction

The standard authentication uses HTTP Proxy Auth as described in RFC2617. The auth type "Digest" would encrypt passwords, but it isn't supported by Netscape 4 or IE 4, so it cannot be widely used. If the proxy passwords are the same passwords used for everyday work (i.e. validated via SMB, NIS or PAM), it is easy to sniff and steal those important passwords.

Idea

The password validation could be done by a CGI script running on an SSL-enabled website. This script can communicate with the browser in a secure way, so the login information is encrypted. The script grants access to a specific IP address, which is then allowed to receive data from the cache. The cache only needs to verify whether this IP address is allowed; otherwise an authentication HTML form is presented.

Implementation

The IP_AUTH hack changes the behavior when a client connects without an authentication header. In this case, the authenticate_program gets the IP address for validation. If that fails, squid would send a HTTP_PROXY_AUTHENTICATION_NEEDED, and the browser would ask for a proxy authentication (which would be sent in clear text). The patch sends a HTTP_CACHE_ACCESS_DENIED instead, a document that should include the authentication HTML form. This form links to an SSL CGI script, which takes the authentication data and validates it. The requested URL should be included in a HIDDEN field, so that the CGI script can set a "refresh to URL" header. If the authentication is correct, the CGI script sends the IP address of the client to the authenticate_program. Due to the refresh header, the browser tries again to fetch the original URL. This time, however, the IP address is known to the authenticate_program, and the access is allowed.

The only data sent in clear text is the IP address, not the passwords.

The patch for squid itself is very short and simple. First, if there was no Proxy-Auth header, the IP address of the client is used as the username (as a dotted-quad string). Second, the HTTP response code is changed from HTTP_PROXY_AUTHENTICATION_REQUIRED to HTTP_FORBIDDEN, to keep the browser from asking for a plain-text password. So far the patch consists of only a few lines. Additionally, the autoconf is extended with a --enable-ip_auth option.

A simple demo is included (login.cgi/logout.cgi and mini_auth). A FIFO is needed, and only a single instance of mini_auth may exist, which means "authenticate_children 1" must be set in squid.conf for playing around with mini_auth, but it demonstrates the idea, I hope. The FIFO must be writable by the CGI scripts and readable by mini_auth.
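
The helper side of the scheme described above, as an added example (it is not the mini_auth shipped with the patch): it keeps the set of IP addresses that login.cgi has authorized and answers Squid's lookups. The FIFO message format (+IP / -IP), the class and function names, the "-" second field and the sample addresses are assumptions; OK/ERR is the reply convention of Squid's authenticate_program helpers.

```python
import ipaddress


class IpAllowList:
    """State a mini_auth-style helper would keep (hypothetical names)."""

    def __init__(self):
        self.allowed = set()

    @staticmethod
    def _dotted_quad(text):
        # Accept only a well-formed IPv4 dotted-quad, the form the patched
        # Squid uses as the username; reject everything else.
        try:
            return str(ipaddress.IPv4Address(text.strip()))
        except ValueError:
            return None

    def handle_fifo_line(self, line):
        """One message from login.cgi/logout.cgi.
        Assumed format: '+a.b.c.d' after a valid login, '-a.b.c.d' on logout."""
        op, ip = line[:1], self._dotted_quad(line[1:])
        if op not in ("+", "-") or ip is None:
            return False  # malformed input never changes the allow-list
        if op == "+":
            self.allowed.add(ip)
        else:
            self.allowed.discard(ip)
        return True

    def handle_squid_line(self, line):
        """One lookup from Squid: the first field is the username, which is
        the client's IP when the request carried no Proxy-Auth header."""
        fields = line.split()
        ip = self._dotted_quad(fields[0]) if fields else None
        return "OK" if ip in self.allowed else "ERR"


def demo():
    # Constructed sample traffic (documentation addresses, RFC 5737);
    # the "-" second field is a constructed placeholder.
    helper = IpAllowList()
    replies = [helper.handle_squid_line("192.0.2.10 -")]   # before login
    helper.handle_fifo_line("+192.0.2.10\n")               # login.cgi succeeded
    replies.append(helper.handle_squid_line("192.0.2.10 -"))
    helper.handle_fifo_line("-192.0.2.10\n")               # logout.cgi
    replies.append(helper.handle_squid_line("192.0.2.10 -"))
    return replies


if __name__ == "__main__":
    print(demo())
```

Because the allow-list lives in one process's memory, this sketch shares the constraint stated above: a single helper instance ("authenticate_children 1").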