[squid-users] MFA with squid, is it possible?
NgTech LTD
ngtech1ltd at gmail.com
Wed Dec 3 13:31:46 UTC 2025
I was wondering if it's possible to use 2fa with squid?
If so, how?
The authentication of squid is based on a couple of methods, but by what
can I identify the 2fa? Is there any option to use some kind of token which
can be acquired via some external authentication service?
I am unsure if it's doable or not.
I have seen a couple of VPN services which offer 2fa, but all of these have
connection based authentication.
The only service I have seen which has a nice concept of 2fa is Defguard.
It uses WireGuard combined with PSK.
The flow is that the app contacts a management service and the 2fa
authentication is done against this service.
Then this service generates the WG config PSK and pushes it to the WG
service.
The app then connects with a combination of KEY+PSK.
The detection of connection invalidation ("disconnection") is when there is
no activity after 3 minutes on the WG peer (or by disconnection in the app).
Then the PSK is automatically revoked/changed in the peer config,
which blocks its usage.
It's not a perfect solution but it's a nice enough implementation.
The issue with a proxy connection is that the client-to-service connection
is in plain text.
So my assumption is that if we can secure the client-to-proxy and the
generated config delivery to the client we can kind of consider it "secure
enough".
I am wondering to myself about the available options in the proxy market.
Thanks,
Eliezer
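
The flow described in this message (2FA against a management service, a per-session secret issued afterwards, revocation after 3 minutes without activity), modelled as an added example; it is not code from the post, from Defguard or from Squid. `SessionBroker`, its method names and the use of TOTP as the second factor are assumptions made for illustration.

```python
import hashlib, hmac, secrets, struct

IDLE_LIMIT = 180  # seconds; the "no activity after 3 minutes" rule from the post

def totp(key: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1); assumed here as the second factor."""
    counter = struct.pack(">Q", int(now // step))
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class SessionBroker:
    """Hypothetical management service: 2FA once, then a revocable session secret."""
    def __init__(self, totp_keys):
        self.totp_keys = totp_keys   # user -> enrolled TOTP key (bytes)
        self.sessions = {}           # user -> (sha256 of session secret, last activity)

    def login(self, user, code, now):
        """Verify the second factor; on success issue a fresh session secret."""
        key = self.totp_keys.get(user)
        if key is None or not hmac.compare_digest(totp(key, now).encode(), code.encode()):
            return None
        secret = secrets.token_urlsafe(32)
        self.sessions[user] = (hashlib.sha256(secret.encode()).digest(), now)
        return secret                # delivered to the client over a protected channel

    def check(self, user, secret, now):
        """Called per request/connection: valid secret and not idle too long."""
        entry = self.sessions.get(user)
        if entry is None:
            return False
        digest, last_seen = entry
        if now - last_seen > IDLE_LIMIT:
            del self.sessions[user]  # idle: revoke, the client must redo 2FA
            return False
        if not hmac.compare_digest(digest, hashlib.sha256(secret.encode()).digest()):
            return False
        self.sessions[user] = (digest, now)   # activity resets the idle timer
        return True

    def logout(self, user):
        """Explicit disconnect revokes the secret immediately."""
        self.sessions.pop(user, None)
```

The broker stores only a hash of the session secret, so a leak of its session table does not expose usable credentials.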