Revert "proxy: Remove AUTH_IPCACHE_TTL"

This reverts commit dc637f087f.

Rationale: "authenticate_ip_ttl" can be safely used as it does not
introduce an authentication bypass, but saves relationships between
successfully authenticated users and their IP addresses.

"max_user_ip" depends on such an authentication cache, so credential
sharing between several IPs (on purpose or by chance) can be detected
properly. This is useful in case of compromised machines and/or
attackers in internal networks having stolen proxy authentication
credentials.

Quoted from squid.conf.documented or man 5 squid.conf:

>       acl aclname max_user_ip [-s] number
>         # This will be matched when the user attempts to log in from more
>         # than <number> different ip addresses. The authenticate_ip_ttl
>         # parameter controls the timeout on the ip entries. [fast]
>         # If -s is specified the limit is strict, denying browsing
>         # from any further IP addresses until the ttl has expired. Without
>         # -s Squid will just annoy the user by "randomly" denying requests.
>         # (the counter is reset each time the limit is reached and a
>         # request is denied)
>         # NOTE: in acceleration mode or where there is mesh of child proxies,
>         # clients may appear to come from multiple addresses if they are
>         # going through proxy farms, so a limit of 1 may cause user problems.

Fixes: #11994

Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This commit is contained in:
Peter Müller
2020-06-21 10:57:29 +00:00
committed by Arne Fitzenreiter
parent abbec6069a
commit 0f8251fe64
10 changed files with 28 additions and 40 deletions
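The squid.conf fragment below is an added example written for this page, not part of the IPFire commit or of IPFire's generated proxy configuration. It shows the two directives the commit message quotes working together: the IP cache TTL that makes Squid remember which client addresses each authenticated user has been seen from, and a strict max_user_ip ACL that denies a user once those addresses exceed a limit. The auth helper path, realm, TTL value and the limit of 2 addresses are assumptions chosen for illustration.

```conf
# Added example (not from the IPFire commit): minimal Squid access policy that
# detects credential sharing across client IP addresses.

# Basic auth against a local password file. Helper path and realm are assumptions.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm proxy

# Keep each (user, client IP) pair for 15 minutes after a successful
# authentication. max_user_ip counts these cached pairs, so without a
# usable TTL here it has nothing to count and never matches.
authenticate_ip_ttl 15 minutes

acl authenticated proxy_auth REQUIRED

# Match when one username has been seen from more than 2 client addresses
# within the TTL window. -s makes the denial strict: further addresses are
# refused until the cached entries expire, instead of "randomly" failing
# some requests as the non-strict form does.
acl shared_creds max_user_ip -s 2

# Log-friendly ordering: reject unauthenticated first, then the sharing case,
# then allow the rest of the authenticated traffic.
http_access deny !authenticated
http_access deny shared_creds
http_access allow authenticated
http_access deny all
```

As the quoted documentation warns, clients behind a proxy farm or NAT pool legitimately appear from several addresses, so the limit should be set with the network topology in mind; a limit of 1 is only safe where every user has exactly one stable client address. Denied requests show up in access.log as TCP_DENIED, which is where a "compromised machine" or "stolen credentials" case from the commit message would first be noticed.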


@@ -26,7 +26,6 @@ WARNING: translation string unused: add-route
WARNING: translation string unused: admin user password has been changed
WARNING: translation string unused: administrator user password
WARNING: translation string unused: advproxy AUTH method ntlm
WARNING: translation string unused: advproxy AUTH user IP cache TTL
WARNING: translation string unused: advproxy LDAP auth
WARNING: translation string unused: advproxy NTLM BDC hostname
WARNING: translation string unused: advproxy NTLM PDC hostname
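Review bot: this hunk only drops the "advproxy AUTH user IP cache TTL" entry from the unused-strings report; whether that key is actually referenced again depends on the proxy CGI and the per-language files, which are among the 10 changed files but are not shown here. Please confirm the key string matches exactly (case and spacing) in the CGI and in every language file, otherwise the warning simply returns on the next check run.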
@@ -51,8 +50,6 @@ WARNING: translation string unused: advproxy chgwebpwd new password
WARNING: translation string unused: advproxy chgwebpwd new password confirm
WARNING: translation string unused: advproxy chgwebpwd old password
WARNING: translation string unused: advproxy chgwebpwd username
WARNING: translation string unused: advproxy content based throttling
WARNING: translation string unused: advproxy errmsg auth ipcache ttl
WARNING: translation string unused: advproxy errmsg change fail
WARNING: translation string unused: advproxy errmsg change success
WARNING: translation string unused: advproxy errmsg invalid bdc
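Review bot: same pattern as the first hunk, "advproxy errmsg auth ipcache ttl" is removed from the unused list with no context about where it is used. Since this is the error message key for the TTL input field, it would help to state in the commit message that the field's validation (and the message it raises) is restored verbatim from the reverted commit, so reviewers need not diff the CGI by hand to check that the key is raised on the same condition as before.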