Proxy servers are being increasingly deployed at organizations for performance benefits; however,
there still exists drawbacks in ease of client authentication in interception proxy mode mainly for Open
Source Proxy Servers.
Technically, an interception mode is not designed for client authentication, but implementation in
certain organizations does require this feature. In this paper, we focus on the World Wide Web, highlight
the existing transparent proxy authentication mechanisms, its drawbacks and propose an authentication
scheme for transparent proxy users by using external scripts based on the clients Internet Protocol
Address. This authentication mechanism has been implemented and verified on Squid-one of the most
widely used HTTP Open Source Proxy Server.
Design and Configuration of App Supportive Indirect Internet Access using a ...IJMER
Nowadays apps satisfy a wide array of requirements but are particularly very useful for educational institutions trying to realize their mobile learning systems or for companies wishing to bolster their businesses. A company/institute that wants to perform web filtering, caching, user monitoring etc. and allow Internet access only after authentication might use an explicit proxy. It has
been observed that most of the apps that need to connect to the Internet through an explicit proxy, do not
work whatsoever. In this paper, a solution has been proposed to get the apps working without having to
avoid the use of a proxy server. The solution is developed around transparent proxy and makes use of a captive portal for authentication. Oracle VM VirtualBox was used to develop a test bed for the experiment and pfSense was used as the firewall which has both proxy server and captive portal services integrated on a single platform. When tested, Windows 8 apps as well as Ubuntu apps worked well without sacrificing proxy server services such as web filtering. The proposed solution is widely
applicable and cost-effective as it uses open source software and essentially the same hardware as used
for explicit proxy deployments.
Как да контролираме достъпа до web API и други защитени ресурси посредством OAuth 2.0, и как да идентифицираме потребители с OpenID Connect. Лекцията е предназначена за уеб архитекти и програмисти, както и за всички разработчици, които искат да научат повече за новите уеб протоколи за авторизация и автентикация.
CIS14: Consolidating Authorization for API and Web SSO using OpenID ConnectCloudIDSummit
John Bradley, Ping Identity
Overview of the different participant rolls in OpenID Connect, how JSON Web Tokens (JWT) are used, how OpenID Connect provides both authentication and authorization tokens in a single flow, and how OpenID Connect can support Single Sign on for Native Applications.
CEOS WGISS 36 - Frascati, Italy - 2013.09.19
Single Sign On with OAuth and OpenID used for Kalideos project and to be used within the French Land Surface Thematic Center
Securing your APIs with OAuth, OpenID, and OpenID ConnectManish Pandit
As products and companies move towards IoT model, users and machines alike need to interact with various APIs. Securing these APIs in a connected world can be a challenge faced by many. Fortunately, there are open standards addressing even the most complex of use cases - OAuth, OpenID and OpenID Connect happen to be widely adopted and have a growing support across many API and Identity Providers. In this session I'll talk about these standards, and walk through common use cases/flows from an API Provider as well as consumer's side. We will explore how these standards come together to not only secure the APIs, but also manage identity.
Design and Configuration of App Supportive Indirect Internet Access using a ...IJMER
Nowadays apps satisfy a wide array of requirements but are particularly very useful for educational institutions trying to realize their mobile learning systems or for companies wishing to bolster their businesses. A company/institute that wants to perform web filtering, caching, user monitoring etc. and allow Internet access only after authentication might use an explicit proxy. It has
been observed that most of the apps that need to connect to the Internet through an explicit proxy, do not
work whatsoever. In this paper, a solution has been proposed to get the apps working without having to
avoid the use of a proxy server. The solution is developed around transparent proxy and makes use of a captive portal for authentication. Oracle VM VirtualBox was used to develop a test bed for the experiment and pfSense was used as the firewall which has both proxy server and captive portal services integrated on a single platform. When tested, Windows 8 apps as well as Ubuntu apps worked well without sacrificing proxy server services such as web filtering. The proposed solution is widely
applicable and cost-effective as it uses open source software and essentially the same hardware as used
for explicit proxy deployments.
Как да контролираме достъпа до web API и други защитени ресурси посредством OAuth 2.0, и как да идентифицираме потребители с OpenID Connect. Лекцията е предназначена за уеб архитекти и програмисти, както и за всички разработчици, които искат да научат повече за новите уеб протоколи за авторизация и автентикация.
CIS14: Consolidating Authorization for API and Web SSO using OpenID ConnectCloudIDSummit
John Bradley, Ping Identity
Overview of the different participant rolls in OpenID Connect, how JSON Web Tokens (JWT) are used, how OpenID Connect provides both authentication and authorization tokens in a single flow, and how OpenID Connect can support Single Sign on for Native Applications.
CEOS WGISS 36 - Frascati, Italy - 2013.09.19
Single Sign On with OAuth and OpenID used for Kalideos project and to be used within the French Land Surface Thematic Center
Securing your APIs with OAuth, OpenID, and OpenID ConnectManish Pandit
As products and companies move towards IoT model, users and machines alike need to interact with various APIs. Securing these APIs in a connected world can be a challenge faced by many. Fortunately, there are open standards addressing even the most complex of use cases - OAuth, OpenID and OpenID Connect happen to be widely adopted and have a growing support across many API and Identity Providers. In this session I'll talk about these standards, and walk through common use cases/flows from an API Provider as well as consumer's side. We will explore how these standards come together to not only secure the APIs, but also manage identity.
CIS 2015 OpenID Connect and Mobile Applications - David ChaseCloudIDSummit
Look under the hood of several applications that implement the standard using various profiles and discuss the benefits of OpenID Connect versus OAuth2.0. Our goal is to deepen
understanding of the protocol and its uses.
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...Brian Campbell
Gluecon 2012 presentation on using OAuth 2.0 with mobile applications to utilize social logins. "Is that a token in your phone in your pocket or are you just glad to see me? OAuth 2.0 and Mobile Devices"
CIS14: Working with OAuth and OpenID ConnectCloudIDSummit
Roland Hedberg, Umeå University
All you need to know about OpenID Connect, with concrete examples and hands-on demos that illustrate how OpenID Connect can be used in web and mobile scenarios.
Websites and applications are implementing social single sign-on to allow users to login using trusted authentication providers such as Google, Facebook, and even Salesforce. Join us to learn how to configure the OpenID Connect authentication provider to allow users to authenticate at Google to access a Salesforce environment. We'll also look at how you can relieve yourself of the burden of password management by having your web app login users via Salesforce.
Presented by Bert Van Beeck, Technical Enablement Lead, ForgeRock at ForgeRock Open Identity Stack Summit, France 2013
Learn more about ForgeRock Access Management:
https://www.forgerock.com/platform/access-management/
Learn more about ForgeRock Identity Management:
https://www.forgerock.com/platform/identity-management/
Authentication and Authorization Architecture in the MEAN StackFITC
Save 10% off ANY FITC event with discount code 'slideshare'
See our upcoming events at www.fitc.ca
Yuri will discuss the challenges of authentication and authorization in the MEAN stack. Topics include architecture, best practices for determining client and server responsibilities, and the importance of sharing authorization context with the client logic in order to build an effective user experience. Angular and Node code samples will be used to illustrate.
Presented live at FITC's Spotlight: MEAN Stack event held on March 28th, 2014
More info at FITC.ca
An Authentication and Authorization Architecture for a Microservices WorldVMware Tanzu
SpringOne Platform 2016
Speaker: David Ferriera; Director, Cloud Technology, Forgerock
Microservices architecture elevates the challenges for Authentication and Authorization management. When a single frontend request can result in many backend microservices calls, it is important to balance security and performance. ForgeRock provides a standards-based blueprint that provides a flexible solution for making these choices while protecting your Cloud Foundry services end to end.
Survey on Restful Web Services Using Open Authorization (Oauth)I01545356IOSR Journals
Abstract: Web services are application based programming interfaces (API) or web APIs that are accessed
through Hypertext Transfer Protocol (HTTP) to execute on a remote system hosting the requested services. A
RESTFUL web service is a budding technology, and a light weight approach that do not restrict the clientserver
communication. The open authorization (OAuth) 2.0 protocol enables the users to grant third-party
application access to their web resources without sharing their login credential data. The Authorization Server
includes authorization information with the Access Token and signs the Access Token. An access token can be
reused until it expires. An authentication filter is used for business services. This paper presents a secure
communication at the message level with minimum overhead and provides a fine grained authenticity using the
Jersey framework.
Keywords: Open authorization (oauth), Restful web services, HTTP protocols and uniform resource
identifier(URI).
CIS 2015 OpenID Connect and Mobile Applications - David ChaseCloudIDSummit
Look under the hood of several applications that implement the standard using various profiles and discuss the benefits of OpenID Connect versus OAuth2.0. Our goal is to deepen
understanding of the protocol and its uses.
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...Brian Campbell
Gluecon 2012 presentation on using OAuth 2.0 with mobile applications to utilize social logins. "Is that a token in your phone in your pocket or are you just glad to see me? OAuth 2.0 and Mobile Devices"
CIS14: Working with OAuth and OpenID ConnectCloudIDSummit
Roland Hedberg, Umeå University
All you need to know about OpenID Connect, with concrete examples and hands-on demos that illustrate how OpenID Connect can be used in web and mobile scenarios.
Websites and applications are implementing social single sign-on to allow users to login using trusted authentication providers such as Google, Facebook, and even Salesforce. Join us to learn how to configure the OpenID Connect authentication provider to allow users to authenticate at Google to access a Salesforce environment. We'll also look at how you can relieve yourself of the burden of password management by having your web app login users via Salesforce.
Presented by Bert Van Beeck, Technical Enablement Lead, ForgeRock at ForgeRock Open Identity Stack Summit, France 2013
Learn more about ForgeRock Access Management:
https://www.forgerock.com/platform/access-management/
Learn more about ForgeRock Identity Management:
https://www.forgerock.com/platform/identity-management/
Authentication and Authorization Architecture in the MEAN StackFITC
Save 10% off ANY FITC event with discount code 'slideshare'
See our upcoming events at www.fitc.ca
Yuri will discuss the challenges of authentication and authorization in the MEAN stack. Topics include architecture, best practices for determining client and server responsibilities, and the importance of sharing authorization context with the client logic in order to build an effective user experience. Angular and Node code samples will be used to illustrate.
Presented live at FITC's Spotlight: MEAN Stack event held on March 28th, 2014
More info at FITC.ca
An Authentication and Authorization Architecture for a Microservices WorldVMware Tanzu
SpringOne Platform 2016
Speaker: David Ferriera; Director, Cloud Technology, Forgerock
Microservices architecture elevates the challenges for Authentication and Authorization management. When a single frontend request can result in many backend microservices calls, it is important to balance security and performance. ForgeRock provides a standards-based blueprint that provides a flexible solution for making these choices while protecting your Cloud Foundry services end to end.
Survey on Restful Web Services Using Open Authorization (Oauth)I01545356IOSR Journals
Abstract: Web services are application based programming interfaces (API) or web APIs that are accessed
through Hypertext Transfer Protocol (HTTP) to execute on a remote system hosting the requested services. A
RESTFUL web service is a budding technology, and a light weight approach that do not restrict the clientserver
communication. The open authorization (OAuth) 2.0 protocol enables the users to grant third-party
application access to their web resources without sharing their login credential data. The Authorization Server
includes authorization information with the Access Token and signs the Access Token. An access token can be
reused until it expires. An authentication filter is used for business services. This paper presents a secure
communication at the message level with minimum overhead and provides a fine grained authenticity using the
Jersey framework.
Keywords: Open authorization (oauth), Restful web services, HTTP protocols and uniform resource
identifier(URI).
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...Good Dog Labs, Inc.
OAuth 2.0 seems to be a comprehensive framework for authorizing access to protected resources, but is it really? We can argue that OpenID Connect will make it enterprise ready, but level of adoption in the enterprise is yet to be seen. This primer describes the framework fundamentals,the good, the bad, and common OAuth 2.0 flows.
Advanced mechanism for single sign on for distributed computer networkseSAT Journals
Abstract A distributed computer networks could be a special form of the network that facilitates the purchasers to use completely different network services that is provided by the service suppliers. Within the distributed computer networks, user verification is a crucial method for the protection. Within the verification, the choice is taken whether the user is legal or not and then enabled the users to access the service. In general users are using multiple usernames and passwords for to access different applications on a distributed computer network. This increase the burden of the user and organization administrator as each and every account of the organization is going to be handled with their explicit username and credential. A new certification plan that is named as single sign-on mechanism that facilitates the users with one identity token to be verified by multiple service suppliers. Single sign-on is one of user authentication method that allows a user to enter one name and identity token so as to access multiple applications. The method authenticates the user for all the applications they have been offered access to and eliminates additional prompts after they switch applications throughout a specific session. However, existing approaches which are utilizing single sign-on scheme have some drawbacks relating to security needs. Thus, through this paper, we will discuss regarding the event of security from earlier stage to present stage. And clearly discuss regarding the authentication steps between user and service supplier. Keywords — single sign-on, authentication token , mutual authentication
Research Inventy : International Journal of Engineering and Scienceresearchinventy
Research Inventy : International Journal of Engineering and Science is published by the group of young academic and industrial researchers with 12 Issues per year. It is an online as well as print version open access journal that provides rapid publication (monthly) of articles in all areas of the subject such as: civil, mechanical, chemical, electronic and computer engineering as well as production and information technology. The Journal welcomes the submission of manuscripts that meet the general criteria of significance and scientific excellence. Papers will be published by rapid process within 20 days after acceptance and peer review process takes only 7 days. All articles published in Research Inventy will be peer-reviewed.
This presentation will illustrate what is the common issues when the API is made publicly available, how API gateway can be utilized to enhance security, performance improvement can be accomplished by using API gateway.
A captive portal offers an easy setup and may be a viable solution to support your organization. It works well for users who want to access your network with devices, such as laptops, tablets, and smartphones.
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays
apidays Helsinki & North 2023
API Ecosystems - Connecting Physical and Digital
June 5 & 6, 2023
API authorization with Open Policy Agent
Anders Eknert, Developer Advocate at Styra
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Similar to Design and Implementation of an IP based authentication mechanism for Open Source Proxy Servers in Interception Mode (20)
NO1 Uk best vashikaran specialist in delhi vashikaran baba near me online vas...Amil Baba Dawood bangali
Contact with Dawood Bhai Just call on +92322-6382012 and we'll help you. We'll solve all your problems within 12 to 24 hours and with 101% guarantee and with astrology systematic. If you want to take any personal or professional advice then also you can call us on +92322-6382012 , ONLINE LOVE PROBLEM & Other all types of Daily Life Problem's.Then CALL or WHATSAPP us on +92322-6382012 and Get all these problems solutions here by Amil Baba DAWOOD BANGALI
#vashikaranspecialist #astrologer #palmistry #amliyaat #taweez #manpasandshadi #horoscope #spiritual #lovelife #lovespell #marriagespell#aamilbabainpakistan #amilbabainkarachi #powerfullblackmagicspell #kalajadumantarspecialist #realamilbaba #AmilbabainPakistan #astrologerincanada #astrologerindubai #lovespellsmaster #kalajaduspecialist #lovespellsthatwork #aamilbabainlahore#blackmagicformarriage #aamilbaba #kalajadu #kalailam #taweez #wazifaexpert #jadumantar #vashikaranspecialist #astrologer #palmistry #amliyaat #taweez #manpasandshadi #horoscope #spiritual #lovelife #lovespell #marriagespell#aamilbabainpakistan #amilbabainkarachi #powerfullblackmagicspell #kalajadumantarspecialist #realamilbaba #AmilbabainPakistan #astrologerincanada #astrologerindubai #lovespellsmaster #kalajaduspecialist #lovespellsthatwork #aamilbabainlahore #blackmagicforlove #blackmagicformarriage #aamilbaba #kalajadu #kalailam #taweez #wazifaexpert #jadumantar #vashikaranspecialist #astrologer #palmistry #amliyaat #taweez #manpasandshadi #horoscope #spiritual #lovelife #lovespell #marriagespell#aamilbabainpakistan #amilbabainkarachi #powerfullblackmagicspell #kalajadumantarspecialist #realamilbaba #AmilbabainPakistan #astrologerincanada #astrologerindubai #lovespellsmaster #kalajaduspecialist #lovespellsthatwork #aamilbabainlahore #Amilbabainuk #amilbabainspain #amilbabaindubai #Amilbabainnorway #amilbabainkrachi #amilbabainlahore #amilbabaingujranwalan #amilbabainislamabad
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)MdTanvirMahtab2
This presentation is about the working procedure of Shahjalal Fertilizer Company Limited (SFCL). A Govt. owned Company of Bangladesh Chemical Industries Corporation under Ministry of Industries.
Cosmetic shop management system project report.pdfKamal Acharya
Buying new cosmetic products is difficult. It can even be scary for those who have sensitive skin and are prone to skin trouble. The information needed to alleviate this problem is on the back of each product, but it's thought to interpret those ingredient lists unless you have a background in chemistry.
Instead of buying and hoping for the best, we can use data science to help us predict which products may be good fits for us. It includes various function programs to do the above mentioned tasks.
Data file handling has been effectively used in the program.
The automated cosmetic shop management system should deal with the automation of general workflow and administration process of the shop. The main processes of the system focus on customer's request where the system is able to search the most appropriate products and deliver it to the customers. It should help the employees to quickly identify the list of cosmetic product that have reached the minimum quantity and also keep a track of expired date for each cosmetic product. It should help the employees to find the rack number in which the product is placed.It is also Faster and more efficient way.
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...Dr.Costas Sachpazis
Terzaghi's soil bearing capacity theory, developed by Karl Terzaghi, is a fundamental principle in geotechnical engineering used to determine the bearing capacity of shallow foundations. This theory provides a method to calculate the ultimate bearing capacity of soil, which is the maximum load per unit area that the soil can support without undergoing shear failure. The Calculation HTML Code included.
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Design and Implementation of an IP based authentication mechanism for Open Source Proxy Servers in Interception Mode
1. Advanced Computing: An International Journal ( ACIJ ), Vol.4, No.1, January 2013
DOI : 10.5121/acij.2013.4103 23
Design and Implementation of an IP based
authentication mechanism for Open Source Proxy
Servers in Interception Mode
Tejaswi Agarwal1
and Mike Leonetti2
1
School of Computing Science and Engineering, Vellore Institute of Technology, India
tejaswi.agarwal2010@vit.ac.in
2
New York, USA
mikealeonetti@gmail.com
ABSTRACT
Proxy servers are being increasingly deployed at organizations for performance benefits; however,
there still exists drawbacks in ease of client authentication in interception proxy mode mainly for Open
Source Proxy Servers.
Technically, an interception mode is not designed for client authentication, but implementation in
certain organizations does require this feature. In this paper, we focus on the World Wide Web, highlight
the existing transparent proxy authentication mechanisms, its drawbacks and propose an authentication
scheme for transparent proxy users by using external scripts based on the clients Internet Protocol
Address. This authentication mechanism has been implemented and verified on Squid-one of the most
widely used HTTP Open Source Proxy Server.
KEYWORDS
Interception Proxy, Authentication, Squid, Cookie Based Authentication
1. INTRODUCTION
The reach of internet connectivity has penetrated tremendously over the last decade, and with
such a growing demand, there has been an increase in the access and response time of the World
Wide Web. Increase in bandwidth has not necessarily helped in decreasing the access time [1].
This has prompted organizations to deploy proxy servers which would cache Internet resources
for re-use by the set of clients connected to a network.
Proxy servers are systems deployed to act as an intermediary for clients seeking resources
from other servers or clients to connect to the World Wide Web. Proxy servers are deployed to
keep clients anonymous, to block unwanted content on a network, to save network bandwidth
by supplying commonly accessed data to clients, and to log and audit client usage [2]. Every
request from the client passes through the proxy server, which in turn may or may not modify
the client request based on its implementation mechanism.
Client authentication is an essential feature required in situations where users would need to
authenticate in order to access the Internet. Client authentication is easily configurable in non-
transparent mode where every client will have to suitably modify the workstation browser
2. Advanced Computing: An International Journal ( ACIJ ), Vol.4, No.1, January 2013
24
settings. A non-transparent proxy requires client configuration on each client system connected
to the network by manually specifying the proxy servers IP address or DNS. Large
organizations, where manually configuring every client is an overhead, turn to the use of proxy
servers in interception mode for ease of configuration and access.
However, client authentication in interception mode is not suitably designed in Open Source
Proxy Servers. Interception Proxying works by having an active agent (the proxy) where there
should be none. The browser does not expect a proxy server to be present and is being confused
when the request comes from the proxy server in intercepting mode. A user of the browser
wouldn’t expect credentials to be sent to a third party when it is not expecting a proxy server.
Hence browsers are designed not to give away credentials when it is not manually configured to
a proxy server.
To overcome the limitations of client authentication we designed a mechanism for user
authentication in Interception mode using external PERL scripts. The authentication mechanism
maintains a centralised database of logged in users based on client IP address and deny access to
the clients who are not logged in. The scripts are designed in a way to accept user input of
credentials, verify it against an existing LDAP directory and log the user IP on the database for
a specified amount of time if the credentials are correct, thus allowing Internet access to this
particular client. We have implemented and verified this using Squid, one of the most widely
used proxy servers. Squid is very well adept to tackle external Access Control lists, and hence, it
would conveniently verify against an SQL table if the script to check for the validity of IP
address in the table, is externally linked to Squid in its configuration file.
Section 2 will throw light on Transparent Proxy and issues with authentication in transparent
proxy. Section 3 explains the existing authentication mechanisms in transparent mode and its
drawbacks. Section 4 discusses the algorithm used in our authentication mechanism in detail
and its design. Section 5 will explain on the two types of implementation scenario based on how
the proxy server is set up. We conclude with a discussion on performance and future aspects of
this mechanism.
2.TRANSPARENT PROXY AND ITS PROBLEM
A. Overview of Transparent Proxy
Interception proxy, also known as transparent or forced proxy intercepts communication at
the network layer without requiring any client configurations. The main aim of using
interception proxy is to avoid administrative overhead and maintain an Active Directory Group
Access Policy for clients. Clients are not aware of the proxy and a web-browser believes it is
directly taking to the web-server, whereas it is in essence talking to a proxy server.
Transparent proxy creates authentication problems as the web browser believes it is interacting
directly to a server and does not let HTTP Authentication headers pass through to the client. A
transparent proxy does not modify the client request or response, except what is required for
proxy authentication and identification [3]. A transparent proxy is essentially located between
the client and the Internet, with the proxy performing functions of a gateway or a router [4].
B. Issues in Transparent Proxy
In a transparent proxy when the gateway and the proxy reside on different hosts it is not
possible to communicate the Original IP and port to the proxy server. Authentication creates
problems as during an authentication challenge the proxy emits the details about the
authentication to be performed, and sends a token value. The browser integrates that token into
the website which the client had requested, as it assumes that the response has been received
from the web-server because the browser is not configured to a proxy server address. This
3. Advanced Computing: An International Journal ( ACIJ ), Vol.4, No.1, January 2013
25
results in silent corruption of the security credentials in the context of the browser. Thus
authentication in interception mode fails due to security feature enabled in browsers which
prevents credentials being sent to an unknown host.
3.EXISTING MECHANISM
A. Captive Portal and its constraints
A captive portal is a Web page that the user of a public-access network is obliged to view
and interact with before access is granted. Captive Portal is implemented in transparent mode
where it forces an HTTP client connected to the network to pass through a special web-page
mostly for authentication purpose. All client packets are intercepted, until the user authenticates
itself via a web-browser. Captive Portals are deployed at several open Wi-Fi hotspots to control
Internet Access.
In the case of Captive Portals, the entire Internet becomes unavailable to all users who are
not logged in. This implies any packets regardless of destination port or IP address are blocked
until a user passes authentication. A client will always have to first authenticate with the help of
a browser, even if it does not intend to use the browser.
With transparent proxy authentication clients are only restricted web usage and with the proxy
server’s granular ACL rules, more control can be given on what web pages can be "whitelisted"
or "blacklisted". This type of flexibility on Internet restriction makes it more ideal for
organizations who still wish to have its users restricted from checking social media websites and
becoming distracted while not interrupting important processes like software updates or other
Internet programs that would be necessary for productivity.
B. Cookie based authentication and its constraints
Cookie-based authentication is intended to provide a means of differentiating users sharing
the same host at the same time. In a cookie-based SSL Proxy Authentication method, the
authentication and user ID is tied to a cookie stored in the browser for the length of the session.
Proxy servers do have custom variables that could be used to extract cookies saved on the
client browser. However, a security aspect in cookies is that they all have domain variable set.
This means that the browser can only send that cookie to a specific domain [5]. Since in most
cases it’s not feasible to set a cookie for every single possible domain a user will access, the
cookie method is not feasible for transparent authentication. Also, other client applications
except the browser will not have an idea of the cookie saved in the browser. Thus other client
applications and service software will not be able to access the network resources [6].
4.ALGORITHM AND DESIGN
In Interception proxy setup, the proxy server becomes the middleman to intercept all packets
with a destination of port 80.The proxy server takes the client request, does the web page fetch
(or takes from its cache), and pretends to be the page for the client. The proxy on the machine is
configured for interception proxy mode. The proxy then knows that URI provided in the host
header is relative and not full and it must assemble the fully qualified URI from the host header.
Using the now full URI the proxy is then able to fetch the webpage and deliver it to the client
[7]. Thus the client has absolutely no knowledge of the traffic being intercepted.
Through the use of powerful external ACL configuration, the proxy server could be
expanded to support a wider variety of authentication types. In our case, a program written in
Perl serves as the enacting authenticator.
4. Advanced Computing: An International Journal ( ACIJ ), Vol.4, No.1, January 2013
26
Figure 1: Algorithm and Design
When a request comes through Squid and its user defined ACL rules decide that
authentication is required before the client can either be allowed or denied the page, it calls
upon the Perl script using the requesting client's IP. At that point the Perl script then performs a
query on a MySQL database table to see if the IP address of the client exists as being
authenticated and that his authentication session is not expired.
If the IP address is found in the table and the session is not expired, the requested web page
will be displayed just as it normally would. However, if the IP address is not found or the
session is expired custom web page will be displayed in its place describing the details of the
access issue and that authentication is needed.
On that access denied page a link is then displayed with further instructions for proper
authentication. When the user clicks on said link, he is brought to another custom Perl/CGI
program that will allow him to input his user, password, and desired duration of access. On
successful authentication, the IP of his machine will then be added to the MySQL table of
authenticated IP addresses. The user then has the ability to browse the Internet until the session
expires according to the use of the previous Perl program.
In this method, any form of authentication can become applicable. For example,
organisations can take advantage of internal LDAP or ActiveDirectory users and groups to
centrally manage user Internet access. On the other end of the spectrum, users can also be stored
in a flat file on another server. Other authentication policies like combination of text and
graphical passwords could also be used [12]. With the help of the figure given below, we
explain our design with an LDAP directory.
5. Advanced Computing: An International Journal ( ACIJ ), Vol.4, No.1, January 2013
27
Fig. 2: Client Authentication mechanism implementation
1. Client requests internet access which passes through Squid Proxy server.
2. Squid through an external ACL and PERL script checks the SQL database whether the client
IP is present in the database for allowing Internet Access.
3. The PERL script returns a value of ‘OK’ in case the client IP is logged and allows internet
access. The script intimates Squid by sending a return ‘ERR’ in case the client IP is not in the
SQL Database.
4. Squid, on receiving a value of ‘OK’ grants internet access to the client for a specific time as
permitted by the Access Control Lists.
5. Squid, on receiving a value ‘ERR’ is configured to send the user an external page for
authentication. This is achieved by modifying Squid Access Control Lists.
Figure 3: External Authentication Page
6. Advanced Computing: An International Journal ( ACIJ ), Vol.4, No.1, January 2013
28
6. Client credentials are verified through an existing LDAP directory containing usernames and
passwords. Internet access is allowed to the user on successful authentication credentials.
7. User IP is logged into the SQL table for a specific amount of time, before the user has to
login again.
Figure 4: Successful Login for Specified Time
The user IP address will be automatically deleted from the SQL table once the user session is
timed out. Configurable user session limits, inactivity timers, and user name request polls are
other methods to determine user logout status. Upon user logout, the User IP address is deleted
from the SQL table confirming that the user has logged out and terminating the session.
The pseudo code, which eliminates IP address from the table and checks for an existing IP
address is as follows:
while( <STDIN> )
{
# Store the IP address
$ip_address = $_;
$current_time = time();
$dbh = DBI->connect( "dbi:mysql:$mysql_db;$mysql_host",
$mysql_user, $mysql_pass );
$dbh->do( qq/DELETE FROM addresses WHERE
`end_time`<$current_time;/ );
$dbh->do( q/DELETE FROM `groups` WHERE NOT EXISTS (SELECT `user`
FROM `addresses` WHERE `user`=`groups`.`user`);/ );
$query_handle = $dbh->prepare( qq/SELECT `addresses`.`user` FROM
`addresses` JOIN `groups` USING(`user`) WHERE
`addresses`.`ip`='$ip_address' AND `groups`.`group`='$group' LIMIT 0,
1;/ );
$query_handle->execute();
# Make sure the value exists first
@result = $query_handle->fetchrow_array();
if( @result and defined($result[0]) )
{
print( "OK user=".$result[1]."n" );
}
else
7. Advanced Computing: An International Journal ( ACIJ ), Vol.4, No.1, January 2013
29
{
print( "ERRn" );
}
$query_handle->finish();
$dbh->disconnect();
}
5.IMPLEMENTATION
The design proposed above was successfully implemented and tested using Squid proxy
server in two ways. Type 1 requires Squid to be on the router/gateway system. In this
implementation, packets marked to be forwarded to destination port 80 are redirected to the
local Squid port on the machine (port 3128 by default).
Type 2 allows for Squid to be placed on a separate server. In this implementation, the router
will recognize packets being forwarded with a destination port of 80, as in Type 1, but it will
opt to route these packets through the server with Squid. Rules on the router will then allow the
server with Squid will also then allow all traffic forwarded from that machine to destination port
80 as normal passage.
Implementation of the two scenarios have slightly different requirements and therefore have
slightly different configurations.
5.1 Type 1 Implementation:
The first type was implemented using 25 clients each on a separate Desktop system. In this
implementation, the gateway is a Gentoo Linux system running iptables and a Linux kernel
version 2.6 for routing. Squid is installed directly on the gateway. The internal network connects
all client workstations using “dumb” switches and no VLANs or additional subnets of any kind
are implemented.
To set up the local transparent proxy, iptables is also configured to REDIRECT traffic
outbound for destination port 80 to the local machine port 3128 (the Squid port) in the
PREROUTING NAT table [8]. Squid is then configured in interception proxy mode [9].
Additionally, Squid is configured with an allow, deny policy allowing all of the subnet to a list
of specific websites “approved” by the organization. All other websites are denied.
Squid is then set up with a special external access control rule before the final deny rule on
the subnet. This external access control rule runs a Perl program with the IP address of the
computer requesting the IP address. That program then queries an InnoDB engine MySQL
database table to see if the IP address exists. If the IP address is found then the user is
authenticated and allowed to browse the page thus the final deny rule. If the IP is not found the
user becomes denied regardless.
This implementation is completely transparent and nearly unavoidable for a normal user
attempting to access the Internet. However, no other ports become affected so other traffic is
unaffected. In addition, once a user is authenticated to be able to gain a higher amount of access,
all other applications on the machine such as Windows Updates then also has elevated access as
well. This is an additional benefit of using the user's IP address to check for the user to be
“logged in” by the Squid external access control Perl program mentioned above.
8. Advanced Computing: An International Journal ( ACIJ ), Vol.4, No.1, January 2013
30
Figure 5: Type 1 implementation with Squid is directly on the gateway
Due to the Time to Live option on the Squid external access control, web pages that have
already been cleared for access have that setting cached for a certain period of time [10]. In the
case of this scenario the TTL time was set to five minutes. Also, MySQL has been tuned so that
more memory would be used for caching tables so that IO access frequency can be limited to
save time [11].
Due to these optimizations, the performance penalty for the queries run per page request is
negligible. Users are able to browse the Internet normally without noticing any changes. Users
with login privileges through the special login page adapt quickly to be able to enter their
username and password to extend their web access. The ability to manage the users who have
access in LDAP becomes great advantage as well for management.
5.2 Type 2 Implementation
In Type 2,a slightly different network configuration was implemented. Type 2 features the
Squid interception proxy as a virtual machine. The Squid VM, installed with Ubuntu Linux, is
also separate from the gateway device.
In this scenario, the Squid VM is configured to allow port redirection of destination port 80 to
3128. Squid listens on that port and is configured for interception and transparent proxying. The
Squid VM is also set for packet REDIRECTing just as before, except there are no specific
masquerading rules for outbound traffic in the POSTROUTING NAT table as would be
required if the machine functioned as the sole gateway. The VM machine is also set with the
main gateway appliance as its gateway.
The gateway device is configured to route all traffic for destination port 80 to the Squid VM.
This is different from modifying the IP address in the packet (NAT) and then sending it to the
Squid VM. If the IP address in the packets were changed and then sent to the Squid VM, Squid
would only see the source address of all packets as the router/gateway and the IP based
authentication scheme would become useless.
9. Advanced Computing: An International Journal ( ACIJ ), Vol.4, No.1, January 2013
31
Figure 6: Type 2 implementation where Squid is on a Virtual Machine
This design was implemented with 10 clients using Citrix Desktop virtual machines with
different dynamic IPs for each machine. It features the same table structures and Perl programs
as described in Type 1 implementation. However, in this scenario Squid is configured in the
access control rules to deny a list of “bad” or blacklisted domains and allow all other web pages.
In addition, the external access rule running our special Perl program, takes precedence over the
blacklisted domains.
Effectively, in Type 2 as in Type 1, users are unaware of the presence of the proxy itself.
Despite being location on a VM, Again, users adapt quickly to being able to log in to elevate
their browsing privileges.
6.RESULTS AND PERFORMANCE
The MySQL database lookups as well as the packet re-routing and interception by Squid do
not produce a noticeable performance decrease. The presence of the LDAP user database makes
for quick and easy management of users who are permitted to “log in” to gain these extended
privileges.
The only area where there is a performance penalty is that every URL request from the client
would trigger a MySQL query. However, with MySQL tuning and keys this can be minimized.
Also, Squid can be configured with a time to live option on the external ACL so that it will
remember the authentication on a URL for a specified amount of time. This also serves to
minimize lookups.
The table below shows an efficient comparison of some of the existing methods to the proposed
method.
10. Advanced Computing: An International Journal ( ACIJ ), Vol.4, No.1, January 2013
32
Table 1: Comparison of the Proposed IP based Authentication to other methods
7.CONCLUSION AND FUTURE WORK
Client authentication is transparent mode is an essential feature required for web-proxies.
This paper proposed and implemented a transparent client authentication mechanism, using
external scripts. The external scripts would redirect the client to the authenticating server before
granting Internet access to the client. With the IP based mechanism we have proposed, a
custom web page served by Apache handles the authentication using HTML forms and POST
variables. Squid does not handle the authentication and thus the existing drawbacks of the
browser not accepting the authenticating challenge in transparent mode has been resolved. As
seen from the table above, the proposed mechanism performs better than some of the existing
mechanisms in many ways. This could be achieved and implemented in medium set-ups to
provide ease of access to the clients connected in a network. Future work would be analyze and
improve performance of this implementation.
8. ACKNOWLEDGEMENT
This work was carried out at Indian Institute of Technology, Madras under the guidance of
and Dr. V. Kamakoti and Vasan Srini. We thank them for their feedback and support.
9. REFERENCES
[1] R. Howard, and B. J. Jansen, "A Proxy server experiment: an indication of the changing nature of the
web," Proc of the Seventh International Conference on computer Communications and Networks
(ICCCN '98), pp. 646–649, Washington, DC, October 1998.
[2] Squid Cache Wiki. http://wiki.squid-cache.org/WhySquid
[3] IETF Requests for Comments 2616 http://www.ietf.org/rfc/rfc2616.txt
[4] IETF Requests for Comments 1919 http://www.ietf.org/rfc/rfc1919.txt
[5] IETF Requests for Comments 2109 http://www.ietf.org/rfc/rfc2109.txt
[6] Yamai, N. Okayama K. and Nakamura, M. “An Identification Method of PCs behind NAT Router
with Proxy Authentication on HTTP Communication” 2011 IEEE/IPSJ International Symposium on
Applications and the Internet (SAINT ‘11),Munich Bavaria, July 2011
[7] Transparent Proxying with Squid
http://linuxdevcenter.com/pub/a/linux/2001/10/25/transparent_proxy.html
[8] Squid HTTP Port Documentation http://www.squid-cache.org/Doc/config/http_port/
[9] Squid Interception Proxy setup. http://wiki.squid-cache.org/SquidFaq/InterceptionProxy
RequiresClient
Configuration
SupportsUser
Authentication HTTP Filtering HTTPS Filtering FTP Filtering
Requires
Proprietary
Hardware/Software
Integrateswith
AD/LDAP
Complex
ACLsforURL
access
Local
Caching
Canfilter
“malicious
content”
Advanced
logging
URL
blockingby
category
Captive Portal No Yes No No No No No No No No No No
WebProxy Yes Yes Yes Yes Yes No Yes Yes Yes Yes Yes Yes
TransparentWeb Proxy No No Yes No Yes No Yes Yes Yes Yes Yes Yes
Sonicwall Firewall
Device No Yes Yes Yes Yes Yes Yes No No Yes Yes Yes
SquidTransparentWeb
Proxy+Script(Proposed) No Yes Yes No Yes No Yes Yes Yes Yes Yes Yes
11. Advanced Computing: An International Journal ( ACIJ ), Vol.4, No.1, January 2013
33
[10] Squid External ACL type. http://www.squid-cache.org/Doc/config/external_acl_type/)
[11] InnoDB configuration http://dev.mysql.com/doc/refman/5.0/en/innodb-configuration.html
[12] Chandrashekar Singh, Lenandlar Singh, “Investigating the Combination of Text and Graphical
Passwords for a more secure and usable experience”, International Journal of Network Security & Its
Applications (IJNSA), Vol.3, No.2, March 2011
[13] A. Niemi, J. Arkko, V. Torvine, "Hypertext Transfer Protocol (HTTP) Digest Authentication using
Authentication and Key Agreement (AKA)", IETF Request for Comments RFC 3310, September
2002