I am considering moving from the anonymous proxy to a proxy that requires authentication so that every device wanting internet access has to authenticate to the proxy, and all traffic on https:// is monitored, not just http. Has anyone made this conversion? How did it go for you? Any hiccups along the way?
What type of authentication do you have in mind?
A lot of IPFires use the Captive Portal, which uses MAC authentication, which is easy to set up but also easy to bypass.
If you want something more sophisticated, there is Local, RADIUS or ident authentication on the bottom of the proxy page.
I haven’t tried this recently, but I think Local authentication was simple to set up a while ago.
I was just thinking local, but I would like to hear what others’ experience has been like.
Hi,
for the vast majority of the IPFire environments I administer, the web proxy requires local authentication. Generally, enforcing this works fine for Linux/BSD systems (both desktop and servers); convincing Windows 10 to use proxy authentication was a tad iffy in the past. No sufficient experience with macOS systems over here.
Especially if you cannot do a greenfield approach, it might be beneficial to introduce proxy authentication gradually, such as by exempting known problematic network segments by adding these to the list of unrestricted source networks, and unticking the “Require authentication for unrestricted source addresses” checkbox.
Note that for HTTPS traffic, only the destination FQDN will be logged, as the full URL is not visible to the web proxy. However, the FQDN alone should be sufficient to investigate in most cases.
Thanks, and best regards,
Peter Müller
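
Added example, not part of the thread above: a short Python sketch of what an authenticated proxy log lets you investigate, showing that HTTPS (CONNECT) entries carry only the destination FQDN while plain HTTP entries carry the full URL. It assumes IPFire's web proxy is Squid writing its native access.log layout; the log lines are constructed samples, and the function names `parse_line` and `summarize` are hypothetical.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log layout (assumption):
# time elapsed client result/status bytes method target user hierarchy type
SAMPLE_LOG = """\
1700000000.123    250 192.168.1.20 TCP_TUNNEL/200 5120 CONNECT www.example.org:443 alice HIER_DIRECT/93.184.216.34 -
1700000001.456     90 192.168.1.20 TCP_MISS/200 2048 GET http://example.com/docs/page.html?id=7 alice HIER_DIRECT/93.184.216.34 text/html
1700000002.789      0 192.168.1.30 TCP_DENIED/407 4010 CONNECT mail.example.net:443 - HIER_NONE/- text/html
"""


def parse_line(line):
    """Split one native-format line into the fields an investigation needs."""
    fields = line.split()
    if len(fields) < 10:
        return None  # truncated or non-native line, skip it
    client, status, method, target, user = (
        fields[2], fields[3], fields[5], fields[6], fields[7])
    if method == "CONNECT":
        # HTTPS tunnel: the proxy only sees host:port, never the URL path.
        host, path = target.rsplit(":", 1)[0], None
    else:
        parts = urlsplit(target)
        host, path = parts.hostname, parts.path or "/"
    return {
        "client": client,
        "status": status,
        "method": method,
        "host": host,
        "path": path,
        "user": None if user == "-" else user,  # "-" means no username logged
    }


def summarize(log_text):
    """Return ({user: {(host, path)}}, [(client, host, status)] without a user)."""
    per_user = defaultdict(set)
    unauthenticated = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["user"] is None:
            # e.g. TCP_DENIED/407 challenges, or unrestricted source networks
            unauthenticated.append((rec["client"], rec["host"], rec["status"]))
        else:
            per_user[rec["user"]].add((rec["host"], rec["path"]))
    return dict(per_user), unauthenticated
```

During a gradual rollout, the second return value shows which clients still reach the proxy without a username, whether because they were challenged with a 407 or because they sit in an exempted network.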