Wednesday, February 12, 2025

Chrome and proxy settings with FortiOS Digest-Auth

Okay


Here's the issue: a friend of mine has proxies in their network that are being mitigated. These proxies are open to the internal network.

So a user was hammering the proxy so hard that the FortiGate folded and collapsed. The solution was to set up authentication and groups and only allow the groups that needed proxy access.

So an explicit web proxy was created, but the main issue was that Chrome was not honoring the proxy settings.

Firefox, btw, did work from the get-go, but Chrome was ignoring the proxy settings. If you start Chrome from a shell it works, e.g.

open -a /Applications/Google\ Chrome.app --args --proxy-server=http://webproxy.socpuppets.net:3128

In the FortiGate we tried basic-auth to make things simple but ended up deploying digest-auth.


# important cfg items


config authentication scheme
    edit "exproxy"
        set method negotiate
    next
    edit "Auth-scheme-Negotiate"
        set method digest
        set user-database "local-user-db"
    next
end

config authentication setting
    set active-auth-scheme "Auth-scheme-Negotiate"
end

config authentication rule
    edit "proxy-auth"
        set srcaddr "all"
        set ip-based disable
        set active-auth-method "Auth-scheme-Negotiate"
    next
end


Using the diag wad debug and diag wad user commands we could verify the authentication.


diag wad user list

ID: 13, IP: 192.168.1.111, VDOM: root
  user name   : Control
  duration    : 462
  auth_type   : Session
  auth_method : Digest
  pol_id      : 1
  g_id        : 7
  user_based  : 0
  expire      : no
  LAN:
    bytes_in=1545373 bytes_out=7355346
  WAN:
    bytes_in=7325278 bytes_out=1473615
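Checking that output by eye works for one session, but it is easy to miss a user that slipped in via a different auth method or group. The following is an added example (not FortiOS code, not part of the original post) that parses the diag wad user list format into records and flags sessions whose auth_method is not Digest or whose g_id is outside the expected proxy group set. The first session in the sample is the output above; the second session (ID 14, user "tester", Basic, g_id 1) is constructed to show a finding, and the expected method and group ids are assumptions.

```python
"""Parse 'diag wad user list' output and audit the sessions it reports.
Added example; the FortiOS output format is taken from the post, the
second session and the audit policy (Digest only, g_id 7) are constructed."""
import re

# First block is the output from the post; the second (ID 14) is constructed.
SAMPLE = """\
ID: 13, IP: 192.168.1.111, VDOM: root
  user name   : Control
  duration    : 462
  auth_type   : Session
  auth_method : Digest
  pol_id      : 1
  g_id        : 7
  user_based  : 0
  expire      : no
  LAN:
    bytes_in=1545373 bytes_out=7355346
  WAN:
    bytes_in=7325278 bytes_out=1473615
ID: 14, IP: 192.168.1.50, VDOM: root
  user name   : tester
  duration    : 12
  auth_type   : Session
  auth_method : Basic
  pol_id      : 1
  g_id        : 1
  user_based  : 0
  expire      : no
  LAN:
    bytes_in=100 bytes_out=200
  WAN:
    bytes_in=200 bytes_out=100
"""

HEADER_RE = re.compile(r"^ID:\s*(\d+),\s*IP:\s*(\S+),\s*VDOM:\s*(\S+)")
KV_RE = re.compile(r"^\s+([A-Za-z_ ]+?)\s*:\s*(.*)$")
COUNTER_RE = re.compile(r"(\w+)=(\d+)")


def parse_wad_user_list(text):
    """Return one dict per session: header fields, key/value lines, and
    LAN/WAN byte counters nested under 'lan' / 'wan'."""
    sessions, current, section = [], None, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"id": int(m.group(1)), "ip": m.group(2), "vdom": m.group(3)}
            sessions.append(current)
            section = None
            continue
        if current is None or not line.strip():
            continue
        if line.strip() in ("LAN:", "WAN:"):
            section = line.strip().rstrip(":").lower()
            current[section] = {}
            continue
        if section and "=" in line:
            # "bytes_in=... bytes_out=..." lines belong to the open LAN/WAN section
            current[section].update({k: int(v) for k, v in COUNTER_RE.findall(line)})
            continue
        m = KV_RE.match(line)
        if m:
            key = m.group(1).strip().replace(" ", "_")   # "user name" -> "user_name"
            val = m.group(2).strip()
            current[key] = int(val) if val.isdigit() else val
    return sessions


def audit_sessions(sessions, expected_method="Digest", allowed_group_ids=(7,)):
    """Flag sessions that did not authenticate the way the policy intends.
    Returns (session id, reason) tuples; an empty list means all clear."""
    findings = []
    for s in sessions:
        if s.get("auth_method") != expected_method:
            findings.append((s["id"], f"auth_method={s.get('auth_method')} (expected {expected_method})"))
        if s.get("g_id") not in allowed_group_ids:
            findings.append((s["id"], f"g_id={s.get('g_id')} not in allowed proxy groups"))
    return findings


if __name__ == "__main__":
    for sid, reason in audit_sessions(parse_wad_user_list(SAMPLE)):
        print(f"session {sid}: {reason}")
```

Run it against a pasted diag wad user list capture instead of SAMPLE; anything it prints is a session worth clearing with diag wad user clear and investigating.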



(sample debug output)

[499] __wad_hauth_user_node_put(2017): wad_http_session_free (8168): putting node(ref=107) 0x548f3b5c
[499] __wad_hauth_user_node_put(2017): wad_session_context_put (127): putting node(ref=106) 0x548f3b5c
[499] wad_auth_rule_match(1075): match auth rule succ: proxy-auth
[499] wad_http_request_get_user(25424): process=499 auth-rule=proxy-auth user=/0/0 ip-based/auth-cookie/transact=0/0/0 tp_proxy_auth=0 auth_req=(nil) auth_line=0x553f0898
[499] wad_http_parse_combo_line(280): parse auth line long=0
[499] wad_http_parse_combo_line(303): parse auth line ret=1
[499] wad_hauth_is_sso_guest(1287): check guest for Control/7
[499] wad_digest_authenticate(513): user=Control
[499] wad_http_digest_nonce_is_stale(188): stale=0 nc=4
[499] wad_http_auth_update_user_ext2(2773): updating user. ip: 192.168.1.111, type:SESSION
[499] wad_http_auth_update_user_ext2(2786): user found: Control(0x543294bc)
[499] __wad_hauth_user_node_hold(2007): wad_http_auth_update_user_ext2 (2810): holding node 0x548f3b5c
[499] wad_auth_membership_match(1187): grp(Guest-group): id=1 type=firewall member_sz=5; user(Control): type=firewall ms=(nil) ms-type=-1 member_sz=-1
[499] wad_auth_membership_match(1187): grp(IKEv2): id=2 type=firewall member_sz=2; user(Control): type=firewall ms=(nil) ms-type=-1 member_sz=-1
[499] wad_auth_membership_match(1187): grp(authg): id=6 type=firewall member_sz=1; user(Control): type=firewall ms=(nil) ms-type=-1 member_sz=-1
[499] wad_auth_membership_match(1187): grp(onelogin): id=4 type=firewall member_sz=1; user(Control): type=firewall ms=(nil) ms-type=-1 member_sz=-1
[499] wad_auth_membership_match(1187): grp(proxy_user): id=7 type=firewall member_sz=3; user(Control): type=firewall ms=(nil) ms-type=-1 member_sz=-1
[499] wad_auth_membership_match(1187): grp(radius): id=3 type=firewall member_sz=1; user(Control): type=firewall ms=(nil) ms-type=-1 member_sz=-1
[499] wad_auth_membership_match(1187): grp(remote-fgts): id=5 type=firewall member_sz=1; user(Control): type=firewall ms=(nil) ms-type=-1 member_sz=-1
[499] wad_auth_membership_match(1187): grp(SSO_Guest_Users): id=16777215 type=guest member_sz=0; user(Control): type=firewall ms=(nil) ms-type=-1 member_sz=-1
[499] wad_http_auth_status_proc(24919): authenticate result=success
[499] __wad_hauth_user_node_hold(2007): wad_user_node_stats_hold (473): holding node 0x548f3b5c
[499] __wad_hauth_user_node_hold(2007): wad_http_session_update_user_node (20525): holding node 0x548f3b5c
[499] __wad_hauth_user_node_hold(2007): wad_auth_update_usr_info (795): holding node 0x548f3b5c
[499] __wad_hauth_user_node_hold(2007): wad_http_auth_status_proc (24930): holding node 0x548f3b5c
[499] __wad_hauth_user_node_put(2017): wad_fw_pol_async_ctx_close (3127): putting node(ref=110) 0x548f3b5c
[499] __wad_hauth_user_node_hold(2007): wad_user_node_stats_hold (473): holding node 0x548f3b5c
[499] __wad_hauth_user_node_put(2017): wad_user_node_stats_put (479): putting node(ref=110) 0x548f3b5c
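The two lines worth understanding in that trace are wad_digest_authenticate and wad_http_digest_nonce_is_stale with its stale=0 nc=4: the reason digest-auth is preferable to basic-auth on an internal proxy is that the password never crosses the wire, and the nonce plus nonce count (nc) let the proxy reject a captured Proxy-Authorization header that is simply replayed. The following is an added example, not FortiOS code and not from the original post: a plain RFC 2617 (MD5, qop=auth) client-side response computation and a small server-side verifier that tracks nonce age and nc the way the log's stale/nc check implies. The realm "webproxy.socpuppets.net", the user "Control" and its password are constructed test values; the known-answer vector is the one published in RFC 2617.

```python
"""HTTP Digest proxy authentication (RFC 2617 style, MD5, qop=auth):
client-side response computation plus a server-side verifier that checks
nonce freshness and nonce count, mirroring the stale=/nc= fields in the
FortiOS wad debug output. Added example; not FortiOS code."""
import hashlib
import hmac
import os
import time


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617: response = MD5(HA1 ':' nonce ':' nc ':' cnonce ':' qop ':' HA2).
    The password only enters HA1 and is never sent over the wire."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_auth_header(value):
    """Split 'Digest k="v", k2=v2, ...' into a dict. Sufficient for the headers
    built here; a production parser must also handle commas inside quotes."""
    scheme, _, params = value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError(f"not a Digest header: {scheme}")
    fields = {}
    for part in params.split(","):
        key, _, val = part.strip().partition("=")
        fields[key.strip()] = val.strip().strip('"')
    return fields


def build_proxy_authorization(challenge, username, password, method, uri, nc, cnonce):
    """Client side: answer a 407 Proxy-Authenticate challenge."""
    c = parse_auth_header(challenge)
    resp = digest_response(username, c["realm"], password, method, uri, c["nonce"], nc, cnonce)
    return (f'Digest username="{username}", realm="{c["realm"]}", nonce="{c["nonce"]}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


class DigestProxyVerifier:
    """Server side. Per-nonce state means a captured Proxy-Authorization header
    cannot simply be replayed: nc must strictly increase and the nonce must be fresh."""

    def __init__(self, realm, users, nonce_lifetime=300):
        self.realm = realm
        self.users = users            # username -> password (constructed test data)
        self.nonce_lifetime = nonce_lifetime
        self.nonces = {}              # nonce -> [issued_at, highest nc accepted]

    def challenge(self, now=None):
        nonce = os.urandom(16).hex()
        self.nonces[nonce] = [now if now is not None else time.time(), 0]
        return f'Digest realm="{self.realm}", qop="auth", nonce="{nonce}", algorithm=MD5'

    def verify(self, method, header, now=None):
        """Return 'success' or a short reason, like the log's result= line."""
        now = now if now is not None else time.time()
        p = parse_auth_header(header)
        state = self.nonces.get(p.get("nonce"))
        if state is None or now - state[0] > self.nonce_lifetime:
            return "stale"                      # client must re-authenticate with a new nonce
        if p.get("realm") != self.realm:
            return "bad-realm"
        nc = int(p.get("nc", "0"), 16)
        if nc <= state[1]:
            return "replay"                     # same or older nonce count already seen
        password = self.users.get(p.get("username"))
        if password is None:
            return "unknown-user"
        expected = digest_response(p["username"], self.realm, password, method,
                                   p["uri"], p["nonce"], p["nc"], p["cnonce"], p.get("qop", "auth"))
        if not hmac.compare_digest(expected, p.get("response", "")):
            return "bad-credentials"
        state[1] = nc                           # only advance nc after a successful check
        return "success"


if __name__ == "__main__":
    proxy = DigestProxyVerifier("webproxy.socpuppets.net", {"Control": "constructed-secret"})
    ch = proxy.challenge()
    hdr = build_proxy_authorization(ch, "Control", "constructed-secret", "GET",
                                    "http://example.com/", "00000001", "0a4f113b")
    print(proxy.verify("GET", hdr))   # success
    print(proxy.verify("GET", hdr))   # replay
```

The verifier checks staleness before the nonce count, so an expired nonce always comes back as stale (the client then retries against a fresh challenge) rather than as a replay; a real proxy would also bind the nonce to the client and store HA1 rather than the cleartext password.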


We tested numerous times by clearing the authenticated session with both Chrome (Version 133.0.6943.99 (Official Build) (arm64)) and Firefox (35.0 (aarch64)):

diag wad user clear


By the summer we will redo this setup and use a Squid setup that supports digest-auth.




NSE (Network Security Expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o

        /  \