auth: exclude incoming connections from src 127.0.0.1 from authentication by default

diladele / webproxy

Web Filtering Proxy for Microsoft Windows is a web filtering proxy and secure web gateway for Microsoft Windows. It can decrypt HTTPS traffic, filter HTTP requests and responses and inspect contents of HTML pages. The product deployed as a network service in Microsoft Windows and is managed by using Microsoft Management Console.

https://www.diladele.com/webproxy/

5 stars 3 forks source link

auth: exclude incoming connections from src 127.0.0.1 from authentication by default #656

Closed ra-at-diladele-com closed 1 year ago

ra-at-diladele-com commented 1 year ago

This can happen if:

admin enables the WPAD pointing all domain clients to proxy
admin opens a browser on the proxy box
browser connects to the proxy
proxy asks for auth
for some reason kerberos is not used when connection is done from the same host - ntlm is always used
browser shows the popup box

The system is not usable becase even clicking on the start menu now requires a connection to the proxy. Workaround is at https://webproxy.diladele.com/docs/faq/proxy/prevent_proxy_authentication_loops/ but it should work out of the box without any additional efforts from the admin, so hence is the bug.

ra-at-diladele-com commented 1 year ago

? should we automatically populate the global exclusions (preffered) or add the actual logic into the code (not preffered).

ra-at-diladele-com commented 1 year ago

no - decided to add a new policy nofilter to the list of policies that admin gets after installation. In that nofilter policy we have 127.0.0.1 set as policy member and also the automatically add all locally configured IPs as members of this policy checkbox.

If this checkbox is set, config storage tries to determine all IP addresses configured on the system and populates the member struct with them.

ra-at-diladele-com commented 1 year ago

implemented need to test