|
| 1 | +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> |
| 2 | +<HTML> |
| 3 | + <HEAD> |
| 4 | + <TITLE> [squid-users] MFA with squid, is it possible? |
| 5 | + </TITLE> |
| 6 | + <LINK REL="Index" HREF="index.html" > |
| 7 | + <LINK REL="made" HREF="mailto:squid-users%40lists.squid-cache.org?Subject=Re%3A%20%5Bsquid-users%5D%20MFA%20with%20squid%2C%20is%20it%20possible%3F&In-Reply-To=%3C80c14c0b-28c5-4135-91a5-cb1fd561f708%40treenet.co.nz%3E"> |
| 8 | + <META NAME="robots" CONTENT="index,nofollow"> |
| 9 | + <style type="text/css"> |
| 10 | + pre { |
| 11 | + white-space: pre-wrap; /* css-2.1, curent FF, Opera, Safari */ |
| 12 | + } |
| 13 | + </style> |
| 14 | + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> |
| 15 | + <LINK REL="Previous" HREF="027717.html"> |
| 16 | + |
| 17 | + </HEAD> |
| 18 | + <BODY BGCOLOR="#ffffff"> |
| 19 | + <H1>[squid-users] MFA with squid, is it possible?</H1> |
| 20 | + <B>Amos Jeffries</B> |
| 21 | + <A HREF="mailto:squid-users%40lists.squid-cache.org?Subject=Re%3A%20%5Bsquid-users%5D%20MFA%20with%20squid%2C%20is%20it%20possible%3F&In-Reply-To=%3C80c14c0b-28c5-4135-91a5-cb1fd561f708%40treenet.co.nz%3E" |
| 22 | + TITLE="[squid-users] MFA with squid, is it possible?">squid3 at treenet.co.nz |
| 23 | + </A><BR> |
| 24 | + <I>Fri Dec 5 07:52:21 UTC 2025</I> |
| 25 | + <P><UL> |
| 26 | + <LI>Previous message (by thread): <A HREF="027717.html">[squid-users] MFA with squid, is it possible? |
| 27 | +</A></li> |
| 28 | + |
| 29 | + <LI> <B>Messages sorted by:</B> |
| 30 | + <a href="date.html#27718">[ date ]</a> |
| 31 | + <a href="thread.html#27718">[ thread ]</a> |
| 32 | + <a href="subject.html#27718">[ subject ]</a> |
| 33 | + <a href="author.html#27718">[ author ]</a> |
| 34 | + </LI> |
| 35 | + </UL> |
| 36 | + <HR> |
| 37 | +<!--beginarticle--> |
| 38 | +<PRE>On 04/12/2025 02:31, NgTech LTD wrote: |
| 39 | +><i> I was wondering if it's possible to use 2fa with squid? |
| 40 | +</I> |
| 41 | +Of course. |
| 42 | + |
| 43 | +><i> If so, how? |
| 44 | +</I> |
| 45 | +As you know, helpers can do anything you can code/script as their |
| 46 | +actions to validate standard HTTP login credentials. |
| 47 | + |
| 48 | +All it takes is a helper that triggers the 2nd-factor query before |
| 49 | +accepting the login. |
| 50 | + |
| 51 | +A classic example of this which is available in all Squid today is the |
| 52 | +SQL_session helper "ACTIVE" mode. In that case the 2nd-factor is the |
| 53 | +prior use of some specific URL. |
| 54 | + |
| 55 | +A more modern example is OAuth Bearer authentication. Though this |
| 56 | +requires patching of Squid since the feature is not yet passed official |
| 57 | +review. |
| 58 | + |
| 59 | +A somewhat unconventional approach prior to Bearer invention was/is to |
| 60 | +use HTTP Basic auth where the password is a temporary token (or Digest |
| 61 | +auth with a single-use nonce) that can only validate when used on a POST |
| 62 | +with some 2nd-factor details in the request message content. Whereupon |
| 63 | +the user:pass details are changed to something else. |
| 64 | + |
| 65 | + |
| 66 | +><i> The authentication of squid is based on a couple methods, but, by what I |
| 67 | +</I>><i> can identify the 2fa? Is there any option to use some kind of token |
| 68 | +</I>><i> which can be acquired via some external authentication service? |
| 69 | +</I> |
| 70 | +2FA is pretty much the definition of a how captured-portal logins work. |
| 71 | +So yes, or course. |
| 72 | + |
| 73 | +Modern Squid are configured with "auth_param ... key_extras" in |
| 74 | +squid.conf to pass arbitrary 2FA details to the helper. These can be |
| 75 | +user-provided such as 2FA tokens, or something implicit like client IP |
| 76 | +or Set-Cookie headers. |
| 77 | + |
| 78 | + |
| 79 | +><i> I am unsure if it's doable or not. |
| 80 | +</I>><i> I have seen a couple VPN services which offer 2fa, but all of these have |
| 81 | +</I>><i> connection based authentication. |
| 82 | +</I> |
| 83 | +Nod. VPN are typically connection-oriented designs. It is way easier to |
| 84 | +tie tracking of whole sessions to something persistent like TCP socket |
| 85 | +or src-IP, than to juggle 2FA on a per-message basis. |
| 86 | + |
| 87 | + |
| 88 | +><i> The issue with a proxy connection is that the client-to-service |
| 89 | +</I>><i> connection is in plain text. |
| 90 | +</I> |
| 91 | +As others have mentioned, Squid is perfectly capable of receiving |
| 92 | +encrypted traffic directly from any agent. |
| 93 | + |
| 94 | +The misconception comes from Browsers historically lacking the ability |
| 95 | +to use encrypted proxies. Which is entirely a Browser issue, not a |
| 96 | +property of Squid. |
| 97 | + |
| 98 | + |
| 99 | +Cheers |
| 100 | +Amos |
| 101 | +</PRE> |
| 102 | + |
| 103 | +<!--endarticle--> |
| 104 | + <HR> |
| 105 | + <P><UL> |
| 106 | + <!--threads--> |
| 107 | + <LI>Previous message (by thread): <A HREF="027717.html">[squid-users] MFA with squid, is it possible? |
| 108 | +</A></li> |
| 109 | + |
| 110 | + <LI> <B>Messages sorted by:</B> |
| 111 | + <a href="date.html#27718">[ date ]</a> |
| 112 | + <a href="thread.html#27718">[ thread ]</a> |
| 113 | + <a href="subject.html#27718">[ subject ]</a> |
| 114 | + <a href="author.html#27718">[ author ]</a> |
| 115 | + </LI> |
| 116 | + </UL> |
| 117 | + |
| 118 | +<hr> |
| 119 | +<a href="https://lists.squid-cache.org/listinfo/squid-users">More information about the squid-users |
| 120 | +mailing list</a><br> |
| 121 | +</body></html> |
0 commit comments