From 2fc5124b7ea5dd6b7035574e68be0f6441aec77e Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Mon, 11 Aug 2014 11:49:31 +0200
Subject: [PATCH] proxy: Allow HTTP Basic authentication against Active Directory servers
Some clients may not support NTLMv2. Basic authentication can now be activated. This is dangerous as it sends the credentials in cleartext to the proxy server.
---
 doc/language_issues.es | 1 +
 doc/language_issues.fr | 1 +
 doc/language_issues.nl | 1 +
 doc/language_issues.pl | 1 +
 doc/language_issues.ru | 1 +
 doc/language_issues.tr | 1 +
 doc/language_missings | 4 ++++
 html/cgi-bin/proxy.cgi | 30 +++++++++++++++++++++++++++++-
 langs/de/cgi-bin/de.pl | 1 +
 langs/en/cgi-bin/en.pl | 1 +
 10 files changed, 41 insertions(+), 1 deletion(-)
diff --git a/doc/language_issues.es b/doc/language_issues.es
index 57df9d6e53..e256975128 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -598,6 +598,7 @@ WARNING: untranslated string: administrator password
 WARNING: untranslated string: administrator username
 WARNING: untranslated string: advproxy AUTH method ntlm
 WARNING: untranslated string: advproxy AUTH method ntlm auth
+WARNING: untranslated string: advproxy basic authentication
 WARNING: untranslated string: advproxy cache-digest
 WARNING: untranslated string: advproxy errmsg cache
 WARNING: untranslated string: advproxy errmsg invalid upstream proxy
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index d2344ed3dc..62dd5d5c94 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -608,6 +608,7 @@ WARNING: untranslated string: administrator password
 WARNING: untranslated string: administrator username
 WARNING: untranslated string: advproxy AUTH method ntlm
 WARNING: untranslated string: advproxy AUTH method ntlm auth
+WARNING: untranslated string: advproxy basic authentication
 WARNING: untranslated string: advproxy cache-digest
 WARNING: untranslated string: advproxy errmsg cache
 WARNING: untranslated string: advproxy errmsg invalid upstream proxy
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index 607d6807d9..7360d4fcb5 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -664,6 +664,7 @@ WARNING: untranslated string: administrator password
 WARNING: untranslated string: administrator username
 WARNING: untranslated string: advproxy AUTH method ntlm
 WARNING: untranslated string: advproxy AUTH method ntlm auth
+WARNING: untranslated string: advproxy basic authentication
 WARNING: untranslated string: advproxy group access control
 WARNING: untranslated string: advproxy group required
 WARNING: untranslated string: atm device
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index 57df9d6e53..e256975128 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -598,6 +598,7 @@ WARNING: untranslated string: administrator password
 WARNING: untranslated string: administrator username
 WARNING: untranslated string: advproxy AUTH method ntlm
 WARNING: untranslated string: advproxy AUTH method ntlm auth
+WARNING: untranslated string: advproxy basic authentication
 WARNING: untranslated string: advproxy cache-digest
 WARNING: untranslated string: advproxy errmsg cache
 WARNING: untranslated string: advproxy errmsg invalid upstream proxy
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 03e48b7902..d7d3d26dff 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -601,6 +601,7 @@ WARNING: untranslated string: administrator password
 WARNING: untranslated string: administrator username
 WARNING: untranslated string: advproxy AUTH method ntlm
 WARNING: untranslated string: advproxy AUTH method ntlm auth
+WARNING: untranslated string: advproxy basic authentication
 WARNING: untranslated string: advproxy cache-digest
 WARNING: untranslated string: advproxy errmsg cache
 WARNING: untranslated string: advproxy errmsg invalid upstream proxy
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index b920727593..623df9836e 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -667,6 +667,7 @@ WARNING: untranslated string: administrator password
 WARNING: untranslated string: administrator username
 WARNING: untranslated string: advproxy AUTH method ntlm
 WARNING: untranslated string: advproxy AUTH method ntlm auth
+WARNING: untranslated string: advproxy basic authentication
 WARNING: untranslated string: advproxy group access control
 WARNING: untranslated string: advproxy group required
 WARNING: untranslated string: bytes
diff --git a/doc/language_missings b/doc/language_missings
index 57c0870e36..376a460ce7 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -19,6 +19,7 @@
 < adsl settings
 < advproxy AUTH method ntlm
 < advproxy AUTH method ntlm auth
+< advproxy basic authentication
 < advproxy cache-digest
 < advproxy errmsg cache
 < advproxy errmsg invalid upstream proxy
@@ -566,6 +567,7 @@
 < adsl settings
 < advproxy AUTH method ntlm
 < advproxy AUTH method ntlm auth
+< advproxy basic authentication
 < advproxy cache-digest
 < advproxy errmsg cache
 < advproxy errmsg invalid upstream proxy
@@ -1106,6 +1108,7 @@
 < adsl settings
 < advproxy AUTH method ntlm
 < advproxy AUTH method ntlm auth
+< advproxy basic authentication
 < advproxy cache-digest
 < advproxy errmsg cache
 < advproxy errmsg invalid upstream proxy
@@ -1622,6 +1625,7 @@
 < adsl settings
 < advproxy AUTH method ntlm
 < advproxy AUTH method ntlm auth
+< advproxy basic authentication
 < advproxy cache-digest
 < advproxy errmsg cache
 < advproxy errmsg invalid upstream proxy
diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi
index 9abcb9181f..772852bb8f 100644
--- a/html/cgi-bin/proxy.cgi
+++ b/html/cgi-bin/proxy.cgi
@@ -267,6 +267,7 @@ $proxysettings{'LDAP_BINDDN_USER'} = '';
 $proxysettings{'LDAP_BINDDN_PASS'} = '';
 $proxysettings{'LDAP_GROUP'} = '';
 $proxysettings{'NTLM_AUTH_GROUP'} = '';
+$proxysettings{'NTLM_AUTH_BASIC'} = 'off';
 $proxysettings{'NTLM_DOMAIN'} = '';
 $proxysettings{'NTLM_PDC'} = '';
 $proxysettings{'NTLM_BDC'} = '';
@@ -895,6 +896,10 @@ $checked{'NTLM_USER_ACL'}{'positive'} = '';
 $checked{'NTLM_USER_ACL'}{'negative'} = '';
 $checked{'NTLM_USER_ACL'}{$proxysettings{'NTLM_USER_ACL'}} = "checked='checked'";
+$checked{'NTLM_AUTH_BASIC'}{'on'} = '';
+$checked{'NTLM_AUTH_BASIC'}{'off'} = '';
+$checked{'NTLM_AUTH_BASIC'}{$proxysettings{'NTLM_AUTH_BASIC'}} = "checked='checked'";
+
 $checked{'RADIUS_ENABLE_ACL'}{'off'} = '';
 $checked{'RADIUS_ENABLE_ACL'}{'on'} = '';
 $checked{'RADIUS_ENABLE_ACL'}{$proxysettings{'RADIUS_ENABLE_ACL'}} = "checked='checked'";
@@ -2002,6 +2007,14 @@ END if ($proxysettings{'AUTH_METHOD'} eq 'ntlm-auth') { print < + + + + +
$Lang::tr{'advproxy basic authentication'}: 
+ +
+
@@ -3376,7 +3389,22 @@ END
 }
 print FILE "\n";
- print FILE "auth_param ntlm children $proxysettings{'AUTH_CHILDREN'}\n";
+ print FILE "auth_param ntlm children $proxysettings{'AUTH_CHILDREN'}\n\n";
+
+ # BASIC authentication
+ if ($proxysettings{'NTLM_AUTH_BASIC'} eq "on") {
+ print FILE "auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic";
+ if ($proxysettings{'NTLM_AUTH_GROUP'}) {
+ my $ntlm_auth_group = $proxysettings{'NTLM_AUTH_GROUP'};
+ $ntlm_auth_group =~ s/\\/\+/;
+
+ print FILE " --require-membership-of=\"$ntlm_auth_group\"";
+ }
+ print FILE "\n";
+ print FILE "auth_param basic children 10\n";
+ print FILE "auth_param basic realm IPFire Web Proxy Server\n";
+ print FILE "auth_param basic credentialsttl 2 hours\n\n";
+ }
 }
 if ($proxysettings{'AUTH_METHOD'} eq 'radius')
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 37a2431c45..6c46f70bfa 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -196,6 +196,7 @@
 'advproxy back to main page' => 'Zurück zur Hauptseite',
 'advproxy banned ip clients' => 'Gesperrte IP-Adressen (eine pro Zeile)',
 'advproxy banned mac clients' => 'Gesperrte MAC-Adressen (eine pro Zeile)',
+'advproxy basic authentication' => 'Erlaube HTTP-Basic-Authentifizierung',
 'advproxy cache management' => 'Cacheverwaltung',
 'advproxy cache replacement policy' => 'Cache Ersetzungsrichtlinie',
 'advproxy cache-digest' => 'Cache-Digest-Erstellung aktivieren',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index ef6b5df4ff..b537868d2c 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
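Review bot: The group name is written into squid.conf inside double quotes with no escaping: in `print FILE " --require-membership-of=\"$ntlm_auth_group\"";` the value has only had its first backslash replaced by `+`, so a `"` or a line break in `NTLM_AUTH_GROUP` would end the argument early or start a new directive in the generated file. Whether the value is validated when the form is saved is not visible in this hunk; if it is not, reject such values there, or at least guard the write here with `if ($ntlm_auth_group !~ /["\r\n]/)`. The block also hard-codes `auth_param basic children 10` although the NTLM line directly above it uses `$proxysettings{'AUTH_CHILDREN'}`. `auth_param basic credentialsttl 2 hours` lets Squid keep accepting a username/password pair for up to two hours without asking the helper again, so a password changed or an account disabled in the directory can stay usable at the proxy for that long; a shorter value, or a comment under `# BASIC authentication` explaining the choice and that Basic is offered in addition to NTLM, would help. The enclosing block starts and ends outside the hunk.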
@@ -196,6 +196,7 @@
 'advproxy back to main page' => 'Back to main page',
 'advproxy banned ip clients' => 'Banned IP addresses (one per line)',
 'advproxy banned mac clients' => 'Banned MAC addresses (one per line)',
+'advproxy basic authentication' => 'Allow HTTP Basic authentication',
 'advproxy cache management' => 'Cache management',
 'advproxy cache replacement policy' => 'Cache replacement policy',
 'advproxy cache-digest' => 'Enable Cache-Digest Generation',
--
2.39.2
$Lang::tr{'advproxy group access control'}