2025-12-03

Author: squidadm

squid-users/2025-December.txt

@@ -24,3 +24,93 @@ Cheers
 Amos
 
 
+From ngtech1ltd at gmail.com  Wed Dec  3 13:31:46 2025
+From: ngtech1ltd at gmail.com (NgTech LTD)
+Date: Wed, 3 Dec 2025 15:31:46 +0200
+Subject: [squid-users] MFA with squid, is it possible?
+Message-ID: <CABA8h=R2_LzKNDmqiJjixPOrqNu7eHPWa1P5zuExFR8U_k_iTQ@mail.gmail.com>
+
+I was wondering if it's possible to use 2fa with squid?
+If so, how?
+The authentication of squid is based on a couple methods, but, by what I
+can identify the 2fa? Is there any option to use some kind of token which
+can be acquired via some external authentication service?
+I am unsure if it's doable or not.
+I have seen a couple VPN services which offer 2fa, but all of these have
+connection based authentication.
+
+The only service I have seen which has a nice concept of 2fa is Defguard.
+It uses Wireguard combined with psk.
+The flow is that the app contacts a management service and the 2fa
+authentication is done against this service.
+Then this service generates the WG config PSK and pushes it to the WG
+service.
+The app then connects with a combination of KEY+PSK.
+The detection of connection invalidation ("disconnection") is when there is
+no activity after 3 minutes on the WG peer(or by disconnection in the app).
+Then the PSK is automatically being revoked/changed in the peer config
+which blocks it' usage.
+It's not a perfect solution but it's a nice enough implementation.
+
+The issue with a proxy connection is that the client-to-service connection
+is in plain text.
+So my assumption is that if we can secure the client-to-proxy and the
+generated config delivery to the client we can kind of consider it "secure
+enough".
+
+I am wondering to myself about the available options in the proxy market.
+
+Thanks,
+Eliezer
+-------------- next part --------------
+An HTML attachment was scrubbed...
+URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20251203/6890db3f/attachment.htm>
+
+From tony.albers at gmx.com  Wed Dec  3 16:55:10 2025
+From: tony.albers at gmx.com (Tony Albers)
+Date: Wed, 03 Dec 2025 17:55:10 +0100
+Subject: [squid-users] MFA with squid, is it possible?
+In-Reply-To: <CABA8h=R2_LzKNDmqiJjixPOrqNu7eHPWa1P5zuExFR8U_k_iTQ@mail.gmail.com>
+References: <CABA8h=R2_LzKNDmqiJjixPOrqNu7eHPWa1P5zuExFR8U_k_iTQ@mail.gmail.com>
+Message-ID: <B8316C89-DAE5-4EA3-9B4F-88B2812B23EF@gmx.com>
+
+On 3 December 2025 14:31:46 CET, NgTech LTD <ngtech1ltd at gmail.com> wrote:
+>I was wondering if it's possible to use 2fa with squid?
+>If so, how?
+>The authentication of squid is based on a couple methods, but, by what I
+>can identify the 2fa? Is there any option to use some kind of token which
+>can be acquired via some external authentication service?
+>I am unsure if it's doable or not.
+>I have seen a couple VPN services which offer 2fa, but all of these have
+>connection based authentication.
+>
+>The only service I have seen which has a nice concept of 2fa is Defguard.
+>It uses Wireguard combined with psk.
+>The flow is that the app contacts a management service and the 2fa
+>authentication is done against this service.
+>Then this service generates the WG config PSK and pushes it to the WG
+>service.
+>The app then connects with a combination of KEY+PSK.
+>The detection of connection invalidation ("disconnection") is when there is
+>no activity after 3 minutes on the WG peer(or by disconnection in the app).
+>Then the PSK is automatically being revoked/changed in the peer config
+>which blocks it' usage.
+>It's not a perfect solution but it's a nice enough implementation.
+>
+>The issue with a proxy connection is that the client-to-service connection
+>is in plain text.
+>So my assumption is that if we can secure the client-to-proxy and the
+>generated config delivery to the client we can kind of consider it "secure
+>enough".
+>
+>I am wondering to myself about the available options in the proxy market.
+>
+>Thanks,
+>Eliezer
+
+Check out privacyidea.org
+
+HTH
+
+/tony
+

squid-users/2025-December/027714.html

@@ -13,7 +13,7 @@
    </style>
    <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
 
-   
+   <LINK REL="Next"  HREF="027715.html">
  </HEAD>
  <BODY BGCOLOR="#ffffff">
    <H1>[squid-users] CVE-2025-62168</H1>
@@ -24,7 +24,8 @@ <H1>[squid-users] CVE-2025-62168</H1>
     <I>Wed Dec  3 03:32:07 UTC 2025</I>
     <P><UL>
 
-        
+        <LI>Next message (by thread): <A HREF="027715.html">[squid-users] MFA with squid, is it possible?
+</A></li>
          <LI> <B>Messages sorted by:</B> 
               <a href="date.html#27714">[ date ]</a>
               <a href="thread.html#27714">[ thread ]</a>
@@ -52,12 +53,14 @@ <H1>[squid-users] CVE-2025-62168</H1>
 
 </PRE>
 
+
 <!--endarticle-->
     <HR>
     <P><UL>
         <!--threads-->
 
-	
+	<LI>Next message (by thread): <A HREF="027715.html">[squid-users] MFA with squid, is it possible?
+</A></li>
          <LI> <B>Messages sorted by:</B> 
               <a href="date.html#27714">[ date ]</a>
               <a href="thread.html#27714">[ thread ]</a>

squid-users/2025-December/027715.html

@@ -0,0 +1,96 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML>
+ <HEAD>
+   <TITLE> [squid-users] MFA with squid, is it possible?
+   </TITLE>
+   <LINK REL="Index" HREF="index.html" >
+   <LINK REL="made" HREF="mailto:squid-users%40lists.squid-cache.org?Subject=Re%3A%20%5Bsquid-users%5D%20MFA%20with%20squid%2C%20is%20it%20possible%3F&In-Reply-To=%3CCABA8h%3DR2_LzKNDmqiJjixPOrqNu7eHPWa1P5zuExFR8U_k_iTQ%40mail.gmail.com%3E">
+   <META NAME="robots" CONTENT="index,nofollow">
+   <style type="text/css">
+       pre {
+           white-space: pre-wrap;       /* css-2.1, curent FF, Opera, Safari */
+           }
+   </style>
+   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
+   <LINK REL="Previous"  HREF="027714.html">
+   <LINK REL="Next"  HREF="027716.html">
+ </HEAD>
+ <BODY BGCOLOR="#ffffff">
+   <H1>[squid-users] MFA with squid, is it possible?</H1>
+    <B>NgTech LTD</B> 
+    <A HREF="mailto:squid-users%40lists.squid-cache.org?Subject=Re%3A%20%5Bsquid-users%5D%20MFA%20with%20squid%2C%20is%20it%20possible%3F&In-Reply-To=%3CCABA8h%3DR2_LzKNDmqiJjixPOrqNu7eHPWa1P5zuExFR8U_k_iTQ%40mail.gmail.com%3E"
+       TITLE="[squid-users] MFA with squid, is it possible?">ngtech1ltd at gmail.com
+       </A><BR>
+    <I>Wed Dec  3 13:31:46 UTC 2025</I>
+    <P><UL>
+        <LI>Previous message (by thread): <A HREF="027714.html">[squid-users] CVE-2025-62168
+</A></li>
+        <LI>Next message (by thread): <A HREF="027716.html">[squid-users] MFA with squid, is it possible?
+</A></li>
+         <LI> <B>Messages sorted by:</B> 
+              <a href="date.html#27715">[ date ]</a>
+              <a href="thread.html#27715">[ thread ]</a>
+              <a href="subject.html#27715">[ subject ]</a>
+              <a href="author.html#27715">[ author ]</a>
+         </LI>
+       </UL>
+    <HR>  
+<!--beginarticle-->
+<PRE>I was wondering if it's possible to use 2fa with squid?
+If so, how?
+The authentication of squid is based on a couple methods, but, by what I
+can identify the 2fa? Is there any option to use some kind of token which
+can be acquired via some external authentication service?
+I am unsure if it's doable or not.
+I have seen a couple VPN services which offer 2fa, but all of these have
+connection based authentication.
+
+The only service I have seen which has a nice concept of 2fa is Defguard.
+It uses Wireguard combined with psk.
+The flow is that the app contacts a management service and the 2fa
+authentication is done against this service.
+Then this service generates the WG config PSK and pushes it to the WG
+service.
+The app then connects with a combination of KEY+PSK.
+The detection of connection invalidation (&quot;disconnection&quot;) is when there is
+no activity after 3 minutes on the WG peer(or by disconnection in the app).
+Then the PSK is automatically being revoked/changed in the peer config
+which blocks it' usage.
+It's not a perfect solution but it's a nice enough implementation.
+
+The issue with a proxy connection is that the client-to-service connection
+is in plain text.
+So my assumption is that if we can secure the client-to-proxy and the
+generated config delivery to the client we can kind of consider it &quot;secure
+enough&quot;.
+
+I am wondering to myself about the available options in the proxy market.
+
+Thanks,
+Eliezer
+-------------- next part --------------
+An HTML attachment was scrubbed...
+URL: &lt;<A HREF="http://lists.squid-cache.org/pipermail/squid-users/attachments/20251203/6890db3f/attachment.htm">http://lists.squid-cache.org/pipermail/squid-users/attachments/20251203/6890db3f/attachment.htm</A>&gt;
+</PRE>
+
+
+<!--endarticle-->
+    <HR>
+    <P><UL>
+        <!--threads-->
+	<LI>Previous message (by thread): <A HREF="027714.html">[squid-users] CVE-2025-62168
+</A></li>
+	<LI>Next message (by thread): <A HREF="027716.html">[squid-users] MFA with squid, is it possible?
+</A></li>
+         <LI> <B>Messages sorted by:</B> 
+              <a href="date.html#27715">[ date ]</a>
+              <a href="thread.html#27715">[ thread ]</a>
+              <a href="subject.html#27715">[ subject ]</a>
+              <a href="author.html#27715">[ author ]</a>
+         </LI>
+       </UL>
+
+<hr>
+<a href="https://lists.squid-cache.org/listinfo/squid-users">More information about the squid-users
+mailing list</a><br>
+</body></html>

squid-users/2025-December/027716.html

@@ -0,0 +1,97 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML>
+ <HEAD>
+   <TITLE> [squid-users] MFA with squid, is it possible?
+   </TITLE>
+   <LINK REL="Index" HREF="index.html" >
+   <LINK REL="made" HREF="mailto:squid-users%40lists.squid-cache.org?Subject=Re%3A%20%5Bsquid-users%5D%20MFA%20with%20squid%2C%20is%20it%20possible%3F&In-Reply-To=%3CB8316C89-DAE5-4EA3-9B4F-88B2812B23EF%40gmx.com%3E">
+   <META NAME="robots" CONTENT="index,nofollow">
+   <style type="text/css">
+       pre {
+           white-space: pre-wrap;       /* css-2.1, curent FF, Opera, Safari */
+           }
+   </style>
+   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
+   <LINK REL="Previous"  HREF="027715.html">
+   
+ </HEAD>
+ <BODY BGCOLOR="#ffffff">
+   <H1>[squid-users] MFA with squid, is it possible?</H1>
+    <B>Tony Albers</B> 
+    <A HREF="mailto:squid-users%40lists.squid-cache.org?Subject=Re%3A%20%5Bsquid-users%5D%20MFA%20with%20squid%2C%20is%20it%20possible%3F&In-Reply-To=%3CB8316C89-DAE5-4EA3-9B4F-88B2812B23EF%40gmx.com%3E"
+       TITLE="[squid-users] MFA with squid, is it possible?">tony.albers at gmx.com
+       </A><BR>
+    <I>Wed Dec  3 16:55:10 UTC 2025</I>
+    <P><UL>
+        <LI>Previous message (by thread): <A HREF="027715.html">[squid-users] MFA with squid, is it possible?
+</A></li>
+        
+         <LI> <B>Messages sorted by:</B> 
+              <a href="date.html#27716">[ date ]</a>
+              <a href="thread.html#27716">[ thread ]</a>
+              <a href="subject.html#27716">[ subject ]</a>
+              <a href="author.html#27716">[ author ]</a>
+         </LI>
+       </UL>
+    <HR>  
+<!--beginarticle-->
+<PRE>On 3 December 2025 14:31:46 CET, NgTech LTD &lt;<A HREF="https://lists.squid-cache.org/listinfo/squid-users">ngtech1ltd at gmail.com</A>&gt; wrote:
+&gt;<i>I was wondering if it's possible to use 2fa with squid?
+</I>&gt;<i>If so, how?
+</I>&gt;<i>The authentication of squid is based on a couple methods, but, by what I
+</I>&gt;<i>can identify the 2fa? Is there any option to use some kind of token which
+</I>&gt;<i>can be acquired via some external authentication service?
+</I>&gt;<i>I am unsure if it's doable or not.
+</I>&gt;<i>I have seen a couple VPN services which offer 2fa, but all of these have
+</I>&gt;<i>connection based authentication.
+</I>&gt;<i>
+</I>&gt;<i>The only service I have seen which has a nice concept of 2fa is Defguard.
+</I>&gt;<i>It uses Wireguard combined with psk.
+</I>&gt;<i>The flow is that the app contacts a management service and the 2fa
+</I>&gt;<i>authentication is done against this service.
+</I>&gt;<i>Then this service generates the WG config PSK and pushes it to the WG
+</I>&gt;<i>service.
+</I>&gt;<i>The app then connects with a combination of KEY+PSK.
+</I>&gt;<i>The detection of connection invalidation (&quot;disconnection&quot;) is when there is
+</I>&gt;<i>no activity after 3 minutes on the WG peer(or by disconnection in the app).
+</I>&gt;<i>Then the PSK is automatically being revoked/changed in the peer config
+</I>&gt;<i>which blocks it' usage.
+</I>&gt;<i>It's not a perfect solution but it's a nice enough implementation.
+</I>&gt;<i>
+</I>&gt;<i>The issue with a proxy connection is that the client-to-service connection
+</I>&gt;<i>is in plain text.
+</I>&gt;<i>So my assumption is that if we can secure the client-to-proxy and the
+</I>&gt;<i>generated config delivery to the client we can kind of consider it &quot;secure
+</I>&gt;<i>enough&quot;.
+</I>&gt;<i>
+</I>&gt;<i>I am wondering to myself about the available options in the proxy market.
+</I>&gt;<i>
+</I>&gt;<i>Thanks,
+</I>&gt;<i>Eliezer
+</I>
+Check out privacyidea.org
+
+HTH
+
+/tony
+</PRE>
+
+<!--endarticle-->
+    <HR>
+    <P><UL>
+        <!--threads-->
+	<LI>Previous message (by thread): <A HREF="027715.html">[squid-users] MFA with squid, is it possible?
+</A></li>
+	
+         <LI> <B>Messages sorted by:</B> 
+              <a href="date.html#27716">[ date ]</a>
+              <a href="thread.html#27716">[ thread ]</a>
+              <a href="subject.html#27716">[ subject ]</a>
+              <a href="author.html#27716">[ author ]</a>
+         </LI>
+       </UL>
+
+<hr>
+<a href="https://lists.squid-cache.org/listinfo/squid-users">More information about the squid-users
+mailing list</a><br>
+</body></html>

squid-users/2025-December/author.html

@@ -19,20 +19,30 @@ <h1>December 2025 Archives by author</h1>
                     </a></b></li>
       </ul>
       <p><b>Starting:</b> <i>Wed Dec  3 03:32:07 UTC 2025</i><br>
-         <b>Ending:</b> <i>Wed Dec  3 03:32:07 UTC 2025</i><br>
-         <b>Messages:</b> 1<p>
+         <b>Ending:</b> <i>Wed Dec  3 16:55:10 UTC 2025</i><br>
+         <b>Messages:</b> 3<p>
      <ul>
 
+<LI><A HREF="027716.html">[squid-users] MFA with squid, is it possible?
+</A><A NAME="27716">&nbsp;</A>
+<I>Tony Albers
+</I>
+
 <LI><A HREF="027714.html">[squid-users] CVE-2025-62168
 </A><A NAME="27714">&nbsp;</A>
 <I>Amos Jeffries
+</I>
+
+<LI><A HREF="027715.html">[squid-users] MFA with squid, is it possible?
+</A><A NAME="27715">&nbsp;</A>
+<I>NgTech LTD
 </I>
 
     </ul>
     <p>
       <a name="end"><b>Last message date:</b></a> 
-       <i>Wed Dec  3 03:32:07 UTC 2025</i><br>
-    <b>Archived on:</b> <i>Wed Dec  3 03:32:12 UTC 2025</i>
+       <i>Wed Dec  3 16:55:10 UTC 2025</i><br>
+    <b>Archived on:</b> <i>Wed Dec  3 16:55:24 UTC 2025</i>
     <p>
    <ul>
          <li> <b>Messages sorted by:</b>

squid-users/2025-December/date.html

@@ -19,20 +19,30 @@ <h1>December 2025 Archives by date</h1>
                     </a></b></li>
       </ul>
       <p><b>Starting:</b> <i>Wed Dec  3 03:32:07 UTC 2025</i><br>
-         <b>Ending:</b> <i>Wed Dec  3 03:32:07 UTC 2025</i><br>
-         <b>Messages:</b> 1<p>
+         <b>Ending:</b> <i>Wed Dec  3 16:55:10 UTC 2025</i><br>
+         <b>Messages:</b> 3<p>
      <ul>
 
 <LI><A HREF="027714.html">[squid-users] CVE-2025-62168
 </A><A NAME="27714">&nbsp;</A>
 <I>Amos Jeffries
+</I>
+
+<LI><A HREF="027715.html">[squid-users] MFA with squid, is it possible?
+</A><A NAME="27715">&nbsp;</A>
+<I>NgTech LTD
+</I>
+
+<LI><A HREF="027716.html">[squid-users] MFA with squid, is it possible?
+</A><A NAME="27716">&nbsp;</A>
+<I>Tony Albers
 </I>
 
     </ul>
     <p>
       <a name="end"><b>Last message date:</b></a> 
-       <i>Wed Dec  3 03:32:07 UTC 2025</i><br>
-    <b>Archived on:</b> <i>Wed Dec  3 03:32:12 UTC 2025</i>
+       <i>Wed Dec  3 16:55:10 UTC 2025</i><br>
+    <b>Archived on:</b> <i>Wed Dec  3 16:55:24 UTC 2025</i>
     <p>
    <ul>
          <li> <b>Messages sorted by:</b>