You're right about that too. I think squid has that covered. Actually, it's a transition solution until I'm able to fully deploy kerberos.<br /><br />10:46, March 4, 2019, Rob Crittenden &lt;rcritten@redhat.com&gt;:<br /><blockquote><p>Alexander Bokovoy wrote:<br /></p><blockquote> On ma, 04 maalis 2019, Edward Valley via FreeIPA-users wrote:<br /><blockquote> Thanks for your answer. Doing it the way you propose, squid uses<br /> basic       authentication, which exposes user names and passwords in<br /> the network        because of the simple base64<br /> encoding.                                       <br /></blockquote> Just set up your clients to use HTTPS proxy connection in the browser.<br /><br /> <a href="https://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection">https://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection</a><br /><br /> talks about it. Both Chrome-based browsers and Firefox do work just fine<br /> with HTTPS connection to the proxy for years now.<br /><br /></blockquote><p><br />Beyond the fact that the hash in the clear makes for possible replay<br />attacks unless Squid properly enforces nonces.<br /><br />rob<br /></p></blockquote>