
Proxy Server

This is out of date! - In the end I built it with Squid

Documentation for the new proxy server.

Starting off with some ideas

objectives

primary

  • reliability
  • secure password transmission
  • eDirectory integration

secondary

  • url blacklisting
  • content filter
  • remove the need for firewall content filter


Squid

Pros

  • Large user base
  • 3rd party applications
  • purpose built application
  • content filter add-ons
  • url blacklisting - subscription based, like with SonicWall
  • could be patched to support digest-ldap
  • excellent caching mechanisms

Cons

  • No secure LDAP backed authentication mechanism in current version
  • version 3 in early beta (2 - 3 years)
  • additional service to run
  • in house maintenance if using 3 beta or 2 patched with digest-ldap
  • potential difficulty with keeping digest-ldap working in 2 after merging on going bug/security patches


Apache 2

Pros

  • in house knowledge
  • very secure
  • excellent reputation for stability
  • excellent implementation of http spec
  • works with existing authentication systems
  • virus scanning
  • url blacklisting - subscription based, like SonicWall
  • apache service needed anyway
  • disk caching
  • memory caching
  • Custom modules with mod_python or mod_perl

Cons

  • primarily intended as a web server
  • uncertain of the forward proxy user base
  • content filtering??
  • Custom modules with mod_python or mod_perl ;-)
  • Is it as fast as squid?

Thoughts

  • IPSEC tunnel to proxy server: clients can be managed with group policy; can use http basic authentication on the server; can integrate with eDirectory via LDAP. Server configuration difficult.
  • SSH tunnel: as above but no group policy management. Server config easy, client config difficult. May expose access to the loopback interface on the server.
  • Apache forward proxy with custom modules to create Apache-style digest authentication; should be able to bolt in to existing authentication modules.
  • User self-management: http-digest authentication, local user database on the server, password management interface secured with SSL and mod_auth_ldap. Users authenticate to the web interface with their eDirectory password and can then set their own password.
  • Completely detached from eDirectory: http-digest authentication. Import users from cvs, plus an admin interface to update individual passwords. Similar to ninaa but no clear-text passwords.

links and stuff

md5("{$username}:{$realm}:{$password}")
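The line above is the HA1 value of HTTP Digest authentication (RFC 2617), which is what the "no clear text passwords" options above rely on: the server's user database stores HA1 per user, not the password. The following is an added example, not code from the original page, showing the client-side response computation and the server-side check from a stored HA1; the realm, user names, passwords and nonces are constructed for the example.

```python
import hashlib
import secrets

# Constructed values for the example; the realm and users are hypothetical.
REALM = "proxy.example.internal"


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def make_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = md5(username:realm:password), the value on the line above.
    An htdigest-style user file stores only this, so the server never
    holds the clear-text password."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str = "", cnonce: str = "", qop: str = "") -> str:
    """RFC 2617 response. With qop=auth the nonce count and client nonce
    are mixed in; without qop it is the older RFC 2069 form."""
    ha2 = _md5(f"{method}:{uri}")
    if qop:
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def verify(user_db: dict, username: str, method: str, uri: str, nonce: str,
           response: str, nc: str = "", cnonce: str = "", qop: str = "") -> bool:
    """Server side: recompute the response from the stored HA1 and compare
    in constant time. The password itself is never needed here."""
    ha1 = user_db.get(username)
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, uri, nonce, nc, cnonce, qop)
    return secrets.compare_digest(expected, response)


# Server-side user database: username -> HA1 only (constructed sample).
USER_DB = {"alice": make_ha1("alice", REALM, "correct horse battery")}

if __name__ == "__main__":
    nonce = secrets.token_hex(16)   # server challenge, fresh per request
    cnonce = secrets.token_hex(8)   # client nonce
    # The client knows the password, derives HA1 itself and answers the challenge.
    resp = digest_response(make_ha1("alice", REALM, "correct horse battery"),
                           "GET", "/", nonce, "00000001", cnonce, "auth")
    print(verify(USER_DB, "alice", "GET", "/", nonce, resp, "00000001", cnonce, "auth"))
    # The same response presented for another URI fails: HA2 binds method and URI.
    print(verify(USER_DB, "alice", "GET", "/admin", nonce, resp, "00000001", cnonce, "auth"))
```

Note that HA1 is a static secret equivalent to the password for this realm, so the user file still needs the same file permissions as a password file; the gain is that the password never crosses the wire and is not stored in clear text.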
