proxy: Allow HTTP Basic authentication against Active Directory servers

Some clients may not support NTLMv2. Basic authentication can now be activated. This is dangerous as it sends the credentials in cleartext to the proxy server.
2026-04-10 19:15:54 +02:00 · 2014-08-11 11:49:31 +02:00
parent 8ed77b039f
commit 2fc5124b7e
10 changed files with 41 additions and 1 deletions
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -598,6 +598,7 @@ WARNING: untranslated string: administrator password
 WARNING: untranslated string: administrator username
 WARNING: untranslated string: advproxy AUTH method ntlm
 WARNING: untranslated string: advproxy AUTH method ntlm auth
+WARNING: untranslated string: advproxy basic authentication
 WARNING: untranslated string: advproxy cache-digest
 WARNING: untranslated string: advproxy errmsg cache
 WARNING: untranslated string: advproxy errmsg invalid upstream proxy
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -608,6 +608,7 @@ WARNING: untranslated string: administrator password
 WARNING: untranslated string: administrator username
 WARNING: untranslated string: advproxy AUTH method ntlm
 WARNING: untranslated string: advproxy AUTH method ntlm auth
+WARNING: untranslated string: advproxy basic authentication
 WARNING: untranslated string: advproxy cache-digest
 WARNING: untranslated string: advproxy errmsg cache
 WARNING: untranslated string: advproxy errmsg invalid upstream proxy
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -664,6 +664,7 @@ WARNING: untranslated string: administrator password
 WARNING: untranslated string: administrator username
 WARNING: untranslated string: advproxy AUTH method ntlm
 WARNING: untranslated string: advproxy AUTH method ntlm auth
+WARNING: untranslated string: advproxy basic authentication
 WARNING: untranslated string: advproxy group access control
 WARNING: untranslated string: advproxy group required
 WARNING: untranslated string: atm device
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -598,6 +598,7 @@ WARNING: untranslated string: administrator password
 WARNING: untranslated string: administrator username
 WARNING: untranslated string: advproxy AUTH method ntlm
 WARNING: untranslated string: advproxy AUTH method ntlm auth
+WARNING: untranslated string: advproxy basic authentication
 WARNING: untranslated string: advproxy cache-digest
 WARNING: untranslated string: advproxy errmsg cache
 WARNING: untranslated string: advproxy errmsg invalid upstream proxy
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -601,6 +601,7 @@ WARNING: untranslated string: administrator password
 WARNING: untranslated string: administrator username
 WARNING: untranslated string: advproxy AUTH method ntlm
 WARNING: untranslated string: advproxy AUTH method ntlm auth
+WARNING: untranslated string: advproxy basic authentication
 WARNING: untranslated string: advproxy cache-digest
 WARNING: untranslated string: advproxy errmsg cache
 WARNING: untranslated string: advproxy errmsg invalid upstream proxy
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -667,6 +667,7 @@ WARNING: untranslated string: administrator password
 WARNING: untranslated string: administrator username
 WARNING: untranslated string: advproxy AUTH method ntlm
 WARNING: untranslated string: advproxy AUTH method ntlm auth
+WARNING: untranslated string: advproxy basic authentication
 WARNING: untranslated string: advproxy group access control
 WARNING: untranslated string: advproxy group required
 WARNING: untranslated string: bytes
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -19,6 +19,7 @@
 < adsl settings
 < advproxy AUTH method ntlm
 < advproxy AUTH method ntlm auth
+< advproxy basic authentication
 < advproxy cache-digest
 < advproxy errmsg cache
 < advproxy errmsg invalid upstream proxy
@@ -566,6 +567,7 @@
 < adsl settings
 < advproxy AUTH method ntlm
 < advproxy AUTH method ntlm auth
+< advproxy basic authentication
 < advproxy cache-digest
 < advproxy errmsg cache
 < advproxy errmsg invalid upstream proxy
@@ -1106,6 +1108,7 @@
 < adsl settings
 < advproxy AUTH method ntlm
 < advproxy AUTH method ntlm auth
+< advproxy basic authentication
 < advproxy cache-digest
 < advproxy errmsg cache
 < advproxy errmsg invalid upstream proxy
@@ -1622,6 +1625,7 @@
 < adsl settings
 < advproxy AUTH method ntlm
 < advproxy AUTH method ntlm auth
+< advproxy basic authentication
 < advproxy cache-digest
 < advproxy errmsg cache
 < advproxy errmsg invalid upstream proxy
--- a/html/cgi-bin/proxy.cgi
+++ b/html/cgi-bin/proxy.cgi
@@ -267,6 +267,7 @@ $proxysettings{'LDAP_BINDDN_USER'} = '';
 $proxysettings{'LDAP_BINDDN_PASS'} = '';
 $proxysettings{'LDAP_GROUP'} = '';
 $proxysettings{'NTLM_AUTH_GROUP'} = '';
+$proxysettings{'NTLM_AUTH_BASIC'} = 'off';
 $proxysettings{'NTLM_DOMAIN'} = '';
 $proxysettings{'NTLM_PDC'} = '';
 $proxysettings{'NTLM_BDC'} = '';
@@ -895,6 +896,10 @@ $checked{'NTLM_USER_ACL'}{'positive'} = '';
 $checked{'NTLM_USER_ACL'}{'negative'} = '';
 $checked{'NTLM_USER_ACL'}{$proxysettings{'NTLM_USER_ACL'}} = "checked='checked'";

+$checked{'NTLM_AUTH_BASIC'}{'on'} = '';
+$checked{'NTLM_AUTH_BASIC'}{'off'} = '';
+$checked{'NTLM_AUTH_BASIC'}{$proxysettings{'NTLM_AUTH_BASIC'}} = "checked='checked'";
+
 $checked{'RADIUS_ENABLE_ACL'}{'off'} = '';
 $checked{'RADIUS_ENABLE_ACL'}{'on'} = '';
 $checked{'RADIUS_ENABLE_ACL'}{$proxysettings{'RADIUS_ENABLE_ACL'}} = "checked='checked'";
@@ -2002,6 +2007,14 @@ END
 if ($proxysettings{'AUTH_METHOD'} eq 'ntlm-auth') {
 	print <<END;
 		<hr size ='1'>
+		<table width='100%'>
+			<td width='20%' class='base'>$Lang::tr{'advproxy basic authentication'}:</td>
+			<td width='40%'><input type='checkbox' name='NTLM_AUTH_BASIC' $checked{'NTLM_AUTH_BASIC'}{'on'} /></td>
+			<td colspan='2'>&nbsp;</td>
+		</table>
+
+		<hr size='1' />
+
 		<table width='100%'>
 			<tr>
 				<td colspan='4'><b>$Lang::tr{'advproxy group access control'}</b></td>
@@ -3376,7 +3389,22 @@ END
 			}
 			print FILE "\n";

-			print FILE "auth_param ntlm children $proxysettings{'AUTH_CHILDREN'}\n";
+			print FILE "auth_param ntlm children $proxysettings{'AUTH_CHILDREN'}\n\n";
+
+			# BASIC authentication
+			if ($proxysettings{'NTLM_AUTH_BASIC'} eq "on") {
+				print FILE "auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic";
+				if ($proxysettings{'NTLM_AUTH_GROUP'}) {
+					my $ntlm_auth_group = $proxysettings{'NTLM_AUTH_GROUP'};
+					$ntlm_auth_group =~ s/\\/\+/;
+
+					print FILE " --require-membership-of=\"$ntlm_auth_group\"";
+				}
+				print FILE "\n";
+				print FILE "auth_param basic children 10\n";
+				print FILE "auth_param basic realm IPFire Web Proxy Server\n";
+				print FILE "auth_param basic credentialsttl 2 hours\n\n";
+			}
 		}

 		if ($proxysettings{'AUTH_METHOD'} eq 'radius')
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -196,6 +196,7 @@
 'advproxy back to main page' => 'Zurück zur Hauptseite',
 'advproxy banned ip clients' => 'Gesperrte IP-Adressen (eine pro Zeile)',
 'advproxy banned mac clients' => 'Gesperrte MAC-Adressen (eine pro Zeile)',
+'advproxy basic authentication' => 'Erlaube HTTP-Basic-Authentifizierung',
 'advproxy cache management' => 'Cacheverwaltung',
 'advproxy cache replacement policy' => 'Cache Ersetzungsrichtlinie',
 'advproxy cache-digest' => 'Cache-Digest-Erstellung aktivieren',
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -196,6 +196,7 @@
 'advproxy back to main page' => 'Back to main page',
 'advproxy banned ip clients' => 'Banned IP addresses (one per line)',
 'advproxy banned mac clients' => 'Banned MAC addresses (one per line)',
+'advproxy basic authentication' => 'Allow HTTP Basic authentication',
 'advproxy cache management' => 'Cache management',
 'advproxy cache replacement policy' => 'Cache replacement policy',
 'advproxy cache-digest' => 'Enable Cache-Digest Generation',