SunScreen 3.2 Administrator's Overview

HTTP Proxy User Authentication

As previously stated, the HTTP proxy can optionally require users to authenticate themselves. The addition of a USER attribute to a rule, along with an associated proxyuser object name, will cause requests to require authentication (based on the source and/or destination addresses within the rule).

HTTP proxy authentication uses the same mechanisms as other proxies. See Chapter 9, Authentication for information about SunScreen user authentication mechanisms.

The SunScreen HTTP proxy supports the Basic HTTP authentication method and provides several HTTP proxy authentication variables for configuring the method.

These variables do not normally need alteration, and come preconfigured for immediate operation. The variables are:

The Basic authentication mechanism allows use of a Realm name; this realm name is displayed by the user's browser as part of the authentication, and is intended to identify the collection of resources being protected by authentication. It is an authentication mechanism between the user and the programs he or she wants to access. The administrator knows about this and other kinds of authentication associated with a firewall, but an end user may not. The realm variable identifies who or what is interposing this authentication on the proxy. What the user sees in the browser's password dialog varies depending on how these variables are set. The word "SunScreen" could be replaced with some company-specific term, for instance.

authttl is a timeout, constructed of an unsigned number, followed optionally by one of the scaling characters (d, h, m, or s). These indicate time units of days, hours, minutes, or seconds, respectively. The scaling characters are case-insensitive, and the default unit scale is seconds.

Credentials for proxy authentication are stored by the browser and offered repeatedly with subsequent requests. This prevents the user being annoyed by many such challenges, which would otherwise render web browsing unusable. However, the SunScreen administrator can place a reasonable upper limit on the amount of time a given browser instance (or group of instances) will be allowed to reuse the same credentials without requalification. Tailoring this variable restricts the time during which an unattended browser might be usable by another party before the latter would be required to re-authenticate. The AuthBasicTTL variable controls this time-to-live setting for credentials using the Basic authentication method.
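The following is an added example and not SunScreen's own code: it models the authttl value format (unsigned number plus optional d/h/m/s scaling character, seconds by default) and the credential time-to-live behaviour described above. The cache class, its method names, the sample client address and the rendering of the Proxy-Authenticate header are assumptions for illustration, not SunScreen's implementation.

```python
import re
import time

# Scaling characters from the page: d, h, m, s (case-insensitive); default is seconds.
_SCALE = {"d": 86400, "h": 3600, "m": 60, "s": 1}
_AUTHTTL_RE = re.compile(r"^(\d+)([dhms]?)$", re.IGNORECASE)


def parse_authttl(value: str) -> int:
    """Convert an authttl value such as "300", "15m" or "2H" into seconds.
    Signed numbers, unknown units and empty strings are rejected."""
    m = _AUTHTTL_RE.fullmatch(value.strip())
    if not m:
        raise ValueError(f"invalid authttl value: {value!r}")
    number, unit = m.group(1), (m.group(2).lower() or "s")
    return int(number) * _SCALE[unit]


def is_valid_authttl(value: str) -> bool:
    """True when the value parses under the rules above (useful for config checks)."""
    try:
        parse_authttl(value)
        return True
    except ValueError:
        return False


class BasicCredentialCache:
    """Hypothetical model of the proxy side of AuthBasicTTL: a client's Basic
    credentials are accepted without a new challenge until the TTL expires."""

    def __init__(self, realm: str, authttl: str, clock=time.monotonic):
        self.realm = realm              # shown by the browser in its password dialog
        self.ttl = parse_authttl(authttl)
        self.clock = clock              # injectable so expiry can be tested offline
        self._entries = {}              # (client, credential) -> time first accepted

    def challenge_header(self) -> str:
        return f'Proxy-Authenticate: Basic realm="{self.realm}"'

    def accept(self, client: str, credential: str) -> None:
        """Record that this client's credential passed authentication now."""
        self._entries[(client, credential)] = self.clock()

    def is_valid(self, client: str, credential: str) -> bool:
        """Reusable until the TTL elapses; afterwards the entry is dropped so
        the client must re-authenticate (requalification)."""
        started = self._entries.get((client, credential))
        if started is None:
            return False
        if self.clock() - started > self.ttl:
            del self._entries[(client, credential)]
            return False
        return True
```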