From patchwork Sun Jun 21 10:57:00 2020
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 3213
To: development@lists.ipfire.org
From: Peter Müller
Subject: [PATCH 1/2] proxy.cgi: remove old CVS licence clutter
Message-ID: <6852616d-9fca-abf4-89ca-ea0a7f01d487@ipfire.org>
Date: Sun, 21 Jun 2020 10:57:00 +0000

Signed-off-by: Peter Müller
---
 html/cgi-bin/proxy.cgi | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi index 73646a5ae..d1de4522d 100644 --- a/html/cgi-bin/proxy.cgi +++ b/html/cgi-bin/proxy.cgi 
@@ -18,13 +18,6 @@ # along with this program. If not, see . # # # ############################################################################### -# -# (c) 2004-2009 marco.s - http://www.advproxy.net -# -# This code is distributed under the terms of the GPL -# -# $Id: advproxy.cgi,v 3.0.2 2009/02/04 00:00:00 marco.s Exp $ -# use strict; use Apache::Htpasswd; 

From patchwork Sun Jun 21 10:57:29 2020
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 3214
Subject: [PATCH 2/2] Revert "proxy: Remove AUTH_IPCACHE_TTL"
To: development@lists.ipfire.org
References: <6852616d-9fca-abf4-89ca-ea0a7f01d487@ipfire.org>
From: Peter Müller
Message-ID: <4357973b-1354-f7b3-dc71-78f14b298e9f@ipfire.org>
Date: Sun, 21 Jun 2020 10:57:29 +0000
In-Reply-To: <6852616d-9fca-abf4-89ca-ea0a7f01d487@ipfire.org>

This reverts commit dc637f087fe07ab26ae1dee00133da69bab5e6a1.

Rationale:
"authenticate_ip_ttl" can be safely used as it does not introduce an authentication bypass, but saves relationships between successfully authenticated users and their IP addresses.

"max_user_ip" depends on such an authentication cache, so credential sharing between several IPs (on purpose or by chance) can be detected properly. This is useful in case of compromised machines and/or attackers in internal networks having stolen proxy authentication credentials.

Quoted from squid.conf.documented or man 5 squid.conf:

> acl aclname max_user_ip [-s] number
> # This will be matched when the user attempts to log in from more
> # than different ip addresses. The authenticate_ip_ttl
> # parameter controls the timeout on the ip entries. [fast]
> # If -s is specified the limit is strict, denying browsing
> # from any further IP addresses until the ttl has expired. Without
> # -s Squid will just annoy the user by "randomly" denying requests.
> # (the counter is reset each time the limit is reached and a
> # request is denied)
> # NOTE: in acceleration mode or where there is mesh of child proxies,
> # clients may appear to come from multiple addresses if they are
> # going through proxy farms, so a limit of 1 may cause user problems.

Fixes: #11994
Cc: Michael Tremer
Signed-off-by: Peter Müller --- doc/language_issues.de | 3 --- doc/language_issues.en | 2 ++ doc/language_issues.es | 7 ++----- doc/language_issues.fr | 3 --- doc/language_issues.it | 3 --- doc/language_issues.nl | 3 --- doc/language_issues.pl | 7 ++----- doc/language_issues.ru | 5 +---- doc/language_issues.tr | 3 --- html/cgi-bin/proxy.cgi | 28 +++++++++++++++++++--------- 10 files changed, 26 insertions(+), 38 deletions(-) diff --git a/doc/language_issues.de b/doc/language_issues.de index 2dc986d0a..f2d628d51 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -48,7 +48,6 @@ WARNING: translation string unused: admin user password has been changed WARNING: translation string unused: administrator user password WARNING: translation string unused: adsl settings WARNING: translation string unused: advproxy AUTH method ntlm -WARNING: translation string unused: advproxy AUTH user IP cache TTL WARNING: translation string unused: advproxy LDAP auth WARNING: translation string unused: advproxy NTLM BDC hostname WARNING: translation string unused: advproxy NTLM PDC hostname @@ -73,8 +72,6 @@ WARNING: translation string unused: advproxy chgwebpwd new password WARNING: translation string unused: advproxy chgwebpwd new password confirm WARNING: translation string unused: advproxy chgwebpwd old password WARNING: translation string unused: advproxy chgwebpwd username -WARNING: translation string unused: advproxy content based throttling -WARNING: translation string unused: advproxy errmsg auth ipcache ttl WARNING: translation string unused: advproxy errmsg change fail WARNING: translation string unused: advproxy errmsg change success WARNING: translation string unused: advproxy errmsg invalid bdc diff --git a/doc/language_issues.en b/doc/language_issues.en index 88fa6ed79..76c4237d4 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en 
@@ -128,6 +128,7 @@ WARNING: untranslated string: advproxy AUTH method radius = RADIUS WARNING: untranslated string: advproxy AUTH no auth = Domains without authentication (one per line) WARNING: untranslated string: advproxy AUTH number of auth processes = Number of authentication processes WARNING: untranslated string: advproxy AUTH realm = Authentication realm prompt +WARNING: untranslated string: advproxy AUTH user IP cache TTL = User/IP cache TTL (in minutes) WARNING: untranslated string: advproxy IDENT authorized users = Authorized users (one per line) WARNING: untranslated string: advproxy IDENT aware hosts = Ident aware hosts (one per line) WARNING: untranslated string: advproxy IDENT identd settings = Common identd settings @@ -206,6 +207,7 @@ WARNING: untranslated string: advproxy errmsg acl cannot be empty = Access contr WARNING: untranslated string: advproxy errmsg auth cache ttl = Invalid value for authentication cache TTL WARNING: untranslated string: advproxy errmsg auth children = Invalid number of authentication processes WARNING: untranslated string: advproxy errmsg auth ipcache may not be null = Authentication cache TTL may not be 0 when using IP address limits +WARNING: untranslated string: advproxy errmsg auth ipcache ttl = Invalid value for user/IP cache TTL WARNING: untranslated string: advproxy errmsg cache = The RAM cache size is greater than the harddisk cache size: WARNING: untranslated string: advproxy errmsg hdd cache size = Invalid value for harddisk cache size (min 10 MB required) WARNING: untranslated string: advproxy errmsg ident timeout = Invalid ident timeout diff --git a/doc/language_issues.es b/doc/language_issues.es index ef78d6680..4d74fe91b 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es 
@@ -24,7 +24,6 @@ WARNING: translation string unused: add xtaccess WARNING: translation string unused: add-route WARNING: translation string unused: admin user password has been changed WARNING: translation string unused: administrator user password -WARNING: translation string unused: advproxy AUTH user IP cache TTL WARNING: translation string unused: advproxy LDAP auth WARNING: translation string unused: advproxy NTLM BDC hostname WARNING: translation string unused: advproxy NTLM PDC hostname @@ -49,8 +48,6 @@ WARNING: translation string unused: advproxy chgwebpwd new password WARNING: translation string unused: advproxy chgwebpwd new password confirm WARNING: translation string unused: advproxy chgwebpwd old password WARNING: translation string unused: advproxy chgwebpwd username -WARNING: translation string unused: advproxy content based throttling -WARNING: translation string unused: advproxy errmsg auth ipcache ttl WARNING: translation string unused: advproxy errmsg change fail WARNING: translation string unused: advproxy errmsg change success WARNING: translation string unused: advproxy errmsg invalid bdc @@ -900,7 +897,7 @@ WARNING: untranslated string: fireinfo please enable = Please enable the fireinf WARNING: untranslated string: fireinfo settings = Fireinfo settings WARNING: untranslated string: fireinfo system version = System versions WARNING: untranslated string: fireinfo why descr1 = It is very important for the development of IPFire that you enable this -WARNING: untranslated string: fireinfo why descr2 = service. +WARNING: untranslated string: fireinfo why descr2 = service. WARNING: untranslated string: fireinfo why enable = Why should I enable fireinfo? WARNING: untranslated string: fireinfo why read more = Read more about the reasons. WARNING: untranslated string: fireinfo your profile id = Your profile ID 
@@ -958,7 +955,7 @@ WARNING: untranslated string: fwdfw err tgt_port = Invalid destination port. WARNING: untranslated string: fwdfw err time = You have to select at least one day. WARNING: untranslated string: fwdfw external port nat = External port (NAT) WARNING: untranslated string: fwdfw hint ip1 = The last generated rule may never match, because source and destination subnets may overlap. -WARNING: untranslated string: fwdfw hint ip2 = Please double-check if this rule makes sense: +WARNING: untranslated string: fwdfw hint ip2 = Please double-check if this rule makes sense: WARNING: untranslated string: fwdfw hint mac = The destination group contains MAC addresses, which will be skipped during rule creation. WARNING: untranslated string: fwdfw iface = Interface WARNING: untranslated string: fwdfw limitconcon = Limit concurrent connections per IP address diff --git a/doc/language_issues.fr b/doc/language_issues.fr index fd10b171e..c5953d5ba 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -52,7 +52,6 @@ WARNING: translation string unused: admin user password has been changed WARNING: translation string unused: administrator user password WARNING: translation string unused: adsl settings WARNING: translation string unused: advproxy AUTH method ntlm -WARNING: translation string unused: advproxy AUTH user IP cache TTL WARNING: translation string unused: advproxy LDAP auth WARNING: translation string unused: advproxy NTLM BDC hostname WARNING: translation string unused: advproxy NTLM PDC hostname 
@@ -77,8 +76,6 @@ WARNING: translation string unused: advproxy chgwebpwd new password WARNING: translation string unused: advproxy chgwebpwd new password confirm WARNING: translation string unused: advproxy chgwebpwd old password WARNING: translation string unused: advproxy chgwebpwd username -WARNING: translation string unused: advproxy content based throttling -WARNING: translation string unused: advproxy errmsg auth ipcache ttl WARNING: translation string unused: advproxy errmsg change fail WARNING: translation string unused: advproxy errmsg change success WARNING: translation string unused: advproxy errmsg invalid bdc diff --git a/doc/language_issues.it b/doc/language_issues.it index 16ff776b5..059c73a59 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it @@ -26,7 +26,6 @@ WARNING: translation string unused: add-route WARNING: translation string unused: admin user password has been changed WARNING: translation string unused: administrator user password WARNING: translation string unused: advproxy AUTH method ntlm -WARNING: translation string unused: advproxy AUTH user IP cache TTL WARNING: translation string unused: advproxy LDAP auth WARNING: translation string unused: advproxy NTLM BDC hostname WARNING: translation string unused: advproxy NTLM PDC hostname @@ -51,8 +50,6 @@ WARNING: translation string unused: advproxy chgwebpwd new password WARNING: translation string unused: advproxy chgwebpwd new password confirm WARNING: translation string unused: advproxy chgwebpwd old password WARNING: translation string unused: advproxy chgwebpwd username -WARNING: translation string unused: advproxy content based throttling -WARNING: translation string unused: advproxy errmsg auth ipcache ttl WARNING: translation string unused: advproxy errmsg change fail WARNING: translation string unused: advproxy errmsg change success WARNING: translation string unused: advproxy errmsg invalid bdc 
diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 328a8e1f2..8a79baa83 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -25,7 +25,6 @@ WARNING: translation string unused: add xtaccess WARNING: translation string unused: add-route WARNING: translation string unused: admin user password has been changed WARNING: translation string unused: administrator user password -WARNING: translation string unused: advproxy AUTH user IP cache TTL WARNING: translation string unused: advproxy LDAP auth WARNING: translation string unused: advproxy NTLM BDC hostname WARNING: translation string unused: advproxy NTLM PDC hostname @@ -50,8 +49,6 @@ WARNING: translation string unused: advproxy chgwebpwd new password WARNING: translation string unused: advproxy chgwebpwd new password confirm WARNING: translation string unused: advproxy chgwebpwd old password WARNING: translation string unused: advproxy chgwebpwd username -WARNING: translation string unused: advproxy content based throttling -WARNING: translation string unused: advproxy errmsg auth ipcache ttl WARNING: translation string unused: advproxy errmsg change fail WARNING: translation string unused: advproxy errmsg change success WARNING: translation string unused: advproxy errmsg invalid bdc diff --git a/doc/language_issues.pl b/doc/language_issues.pl index ef78d6680..4d74fe91b 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl @@ -24,7 +24,6 @@ WARNING: translation string unused: add xtaccess WARNING: translation string unused: add-route WARNING: translation string unused: admin user password has been changed WARNING: translation string unused: administrator user password -WARNING: translation string unused: advproxy AUTH user IP cache TTL WARNING: translation string unused: advproxy LDAP auth WARNING: translation string unused: advproxy NTLM BDC hostname WARNING: translation string unused: advproxy NTLM PDC hostname 
@@ -49,8 +48,6 @@ WARNING: translation string unused: advproxy chgwebpwd new password WARNING: translation string unused: advproxy chgwebpwd new password confirm WARNING: translation string unused: advproxy chgwebpwd old password WARNING: translation string unused: advproxy chgwebpwd username -WARNING: translation string unused: advproxy content based throttling -WARNING: translation string unused: advproxy errmsg auth ipcache ttl WARNING: translation string unused: advproxy errmsg change fail WARNING: translation string unused: advproxy errmsg change success WARNING: translation string unused: advproxy errmsg invalid bdc @@ -900,7 +897,7 @@ WARNING: untranslated string: fireinfo please enable = Please enable the fireinf WARNING: untranslated string: fireinfo settings = Fireinfo settings WARNING: untranslated string: fireinfo system version = System versions WARNING: untranslated string: fireinfo why descr1 = It is very important for the development of IPFire that you enable this -WARNING: untranslated string: fireinfo why descr2 = service. +WARNING: untranslated string: fireinfo why descr2 = service. WARNING: untranslated string: fireinfo why enable = Why should I enable fireinfo? WARNING: untranslated string: fireinfo why read more = Read more about the reasons. WARNING: untranslated string: fireinfo your profile id = Your profile ID 
@@ -958,7 +955,7 @@ WARNING: untranslated string: fwdfw err tgt_port = Invalid destination port. WARNING: untranslated string: fwdfw err time = You have to select at least one day. WARNING: untranslated string: fwdfw external port nat = External port (NAT) WARNING: untranslated string: fwdfw hint ip1 = The last generated rule may never match, because source and destination subnets may overlap. -WARNING: untranslated string: fwdfw hint ip2 = Please double-check if this rule makes sense: +WARNING: untranslated string: fwdfw hint ip2 = Please double-check if this rule makes sense: WARNING: untranslated string: fwdfw hint mac = The destination group contains MAC addresses, which will be skipped during rule creation. WARNING: untranslated string: fwdfw iface = Interface WARNING: untranslated string: fwdfw limitconcon = Limit concurrent connections per IP address diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 0a579d406..d435f0437 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -25,7 +25,6 @@ WARNING: translation string unused: add xtaccess WARNING: translation string unused: add-route WARNING: translation string unused: admin user password has been changed WARNING: translation string unused: administrator user password -WARNING: translation string unused: advproxy AUTH user IP cache TTL WARNING: translation string unused: advproxy LDAP auth WARNING: translation string unused: advproxy NTLM BDC hostname WARNING: translation string unused: advproxy NTLM PDC hostname 
@@ -50,8 +49,6 @@ WARNING: translation string unused: advproxy chgwebpwd new password WARNING: translation string unused: advproxy chgwebpwd new password confirm WARNING: translation string unused: advproxy chgwebpwd old password WARNING: translation string unused: advproxy chgwebpwd username -WARNING: translation string unused: advproxy content based throttling -WARNING: translation string unused: advproxy errmsg auth ipcache ttl WARNING: translation string unused: advproxy errmsg change fail WARNING: translation string unused: advproxy errmsg change success WARNING: translation string unused: advproxy errmsg invalid bdc @@ -952,7 +949,7 @@ WARNING: untranslated string: fwdfw err tgt_port = Invalid destination port. WARNING: untranslated string: fwdfw err time = You have to select at least one day. WARNING: untranslated string: fwdfw external port nat = External port (NAT) WARNING: untranslated string: fwdfw hint ip1 = The last generated rule may never match, because source and destination subnets may overlap. -WARNING: untranslated string: fwdfw hint ip2 = Please double-check if this rule makes sense: +WARNING: untranslated string: fwdfw hint ip2 = Please double-check if this rule makes sense: WARNING: untranslated string: fwdfw hint mac = The destination group contains MAC addresses, which will be skipped during rule creation. WARNING: untranslated string: fwdfw iface = Interface WARNING: untranslated string: fwdfw limitconcon = Limit concurrent connections per IP address diff --git a/doc/language_issues.tr b/doc/language_issues.tr index d04c99305..d4cbbac2d 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr 
@@ -48,7 +48,6 @@ WARNING: translation string unused: admin user password has been changed WARNING: translation string unused: administrator user password WARNING: translation string unused: adsl settings WARNING: translation string unused: advproxy AUTH method ntlm -WARNING: translation string unused: advproxy AUTH user IP cache TTL WARNING: translation string unused: advproxy LDAP auth WARNING: translation string unused: advproxy NTLM BDC hostname WARNING: translation string unused: advproxy NTLM PDC hostname @@ -73,8 +72,6 @@ WARNING: translation string unused: advproxy chgwebpwd new password WARNING: translation string unused: advproxy chgwebpwd new password confirm WARNING: translation string unused: advproxy chgwebpwd old password WARNING: translation string unused: advproxy chgwebpwd username -WARNING: translation string unused: advproxy content based throttling -WARNING: translation string unused: advproxy errmsg auth ipcache ttl WARNING: translation string unused: advproxy errmsg change fail WARNING: translation string unused: advproxy errmsg change success WARNING: translation string unused: advproxy errmsg invalid bdc diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi index d1de4522d..fdf9bddaf 100644 --- a/html/cgi-bin/proxy.cgi +++ b/html/cgi-bin/proxy.cgi @@ -232,6 +232,7 @@ $proxysettings{'AUTH_METHOD'} = 'none'; $proxysettings{'AUTH_REALM'} = ''; $proxysettings{'AUTH_MAX_USERIP'} = ''; $proxysettings{'AUTH_CACHE_TTL'} = '60'; +$proxysettings{'AUTH_IPCACHE_TTL'} = '0'; $proxysettings{'AUTH_CHILDREN'} = '5'; $proxysettings{'NCSA_MIN_PASS_LEN'} = '6'; $proxysettings{'NCSA_BYPASS_REDIR'} = 'off'; 
@@ -437,18 +438,23 @@ if (($proxysettings{'ACTION'} eq $Lang::tr{'save'}) || ($proxysettings{'ACTION'} } } } + if ((!($proxysettings{'AUTH_MAX_USERIP'} eq '')) && + ((!($proxysettings{'AUTH_MAX_USERIP'} =~ /^\d+/)) || ($proxysettings{'AUTH_MAX_USERIP'} < 1) || ($proxysettings{'AUTH_MAX_USERIP'} > 255))) + { + $errormessage = $Lang::tr{'advproxy errmsg max userip'}; + goto ERROR; + } if (!($proxysettings{'AUTH_CACHE_TTL'} =~ /^\d+/)) { $errormessage = $Lang::tr{'advproxy errmsg auth cache ttl'}; goto ERROR; } - if ((!($proxysettings{'AUTH_MAX_USERIP'} eq '')) && - ((!($proxysettings{'AUTH_MAX_USERIP'} =~ /^\d+/)) || ($proxysettings{'AUTH_MAX_USERIP'} < 1) || ($proxysettings{'AUTH_MAX_USERIP'} > 255))) + if (!($proxysettings{'AUTH_IPCACHE_TTL'} =~ /^\d+/)) { - $errormessage = $Lang::tr{'advproxy errmsg max userip'}; + $errormessage = $Lang::tr{'advproxy errmsg auth ipcache ttl'}; goto ERROR; } - if (!($proxysettings{'AUTH_MAX_USERIP'} eq '')) + if ((!($proxysettings{'AUTH_MAX_USERIP'} eq '')) && ($proxysettings{'AUTH_IPCACHE_TTL'} eq '0')) { $errormessage = $Lang::tr{'advproxy errmsg auth ipcache may not be null'}; goto ERROR; @@ -1735,6 +1741,10 @@ print <$Lang::tr{'advproxy AUTH limit of IP addresses'}: + + $Lang::tr{'advproxy AUTH user IP cache TTL'}: + + $Lang::tr{'advproxy AUTH always required'}: @@ -2031,6 +2041,7 @@ print < + @@ -2042,6 +2053,7 @@ print < + END ; } @@ -3255,11 +3267,6 @@ END } print FILE "\n"; - # If we use authentication, users must always authenticate - unless ($proxysettings{"AUTH_METHOD"} eq "") { - print FILE "authenticate_ip_ttl 0\n\n"; - } - if ((!($proxysettings{'AUTH_METHOD'} eq 'none')) && (!($proxysettings{'AUTH_METHOD'} eq 'ident'))) { if ($proxysettings{'AUTH_METHOD'} eq 'ncsa') 
@@ -3268,6 +3275,7 @@ END print FILE "auth_param basic children $proxysettings{'AUTH_CHILDREN'}\n"; print FILE "auth_param basic realm $authrealm\n"; print FILE "auth_param basic credentialsttl $proxysettings{'AUTH_CACHE_TTL'} minutes\n"; + if (!($proxysettings{'AUTH_IPCACHE_TTL'} eq '0')) { print FILE "\nauthenticate_ip_ttl $proxysettings{'AUTH_IPCACHE_TTL'} minutes\n"; } } if ($proxysettings{'AUTH_METHOD'} eq 'ldap') @@ -3312,6 +3320,7 @@ END print FILE "auth_param basic children $proxysettings{'AUTH_CHILDREN'}\n"; print FILE "auth_param basic realm $authrealm\n"; print FILE "auth_param basic credentialsttl $proxysettings{'AUTH_CACHE_TTL'} minutes\n"; + if (!($proxysettings{'AUTH_IPCACHE_TTL'} eq '0')) { print FILE "\nauthenticate_ip_ttl $proxysettings{'AUTH_IPCACHE_TTL'} minutes\n"; } } if ($proxysettings{'AUTH_METHOD'} eq 'ntlm-auth') @@ -3352,6 +3361,7 @@ END print FILE "auth_param basic children $proxysettings{'AUTH_CHILDREN'}\n"; print FILE "auth_param basic realm $authrealm\n"; print FILE "auth_param basic credentialsttl $proxysettings{'AUTH_CACHE_TTL'} minutes\n"; + if (!($proxysettings{'AUTH_IPCACHE_TTL'} eq '0')) { print FILE "\nauthenticate_ip_ttl $proxysettings{'AUTH_IPCACHE_TTL'} minutes\n"; } } print FILE "\n";
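Review bot: In [PATCH 1/2], the `@@ -18,13 +18,6 @@` hunk of html/cgi-bin/proxy.cgi deletes the attribution line `(c) 2004-2009 marco.s - http://www.advproxy.net` and the GPL notice together with the CVS keyword line. Only the `$Id: advproxy.cgi,v 3.0.2 ...` line is version-control clutter; the copyright notice should stay unless the licence header above it already credits the original author, and the commit message should say which is the case.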
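Review bot: The new `AUTH_IPCACHE_TTL` check in the `@@ -437,18 +438,23 @@` hunk of html/cgi-bin/proxy.cgi uses `=~ /^\d+/`, which anchors only the start of the value, so input such as `10 foo` passes validation and is later written verbatim into the generated configuration by the `authenticate_ip_ttl` print lines. Anchor both ends (`/^\d+$/`, or `/\A\d+\z/` to also reject a trailing newline); the neighbouring `AUTH_MAX_USERIP` and `AUTH_CACHE_TTL` checks in the same hunk have the same gap. The follow-up test `($proxysettings{'AUTH_IPCACHE_TTL'} eq '0')` is a string comparison, so `00` gets past the "may not be null" error while still meaning zero; compare numerically once the value is known to be all digits.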
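Review bot: The hunks at `@@ -3268,6 +3275,7 @@`, `@@ -3312,6 +3320,7 @@` and `@@ -3352,6 +3361,7 @@` paste the same `authenticate_ip_ttl` line after each `auth_param basic credentialsttl` line, although the directive is not specific to one authentication helper. Write it once after the method branches so that no method is missed (the `ntlm-auth` branch visible in the context gets no such line here). In addition, the `@@ -3255,11 +3267,6 @@` hunk drops the explicit `authenticate_ip_ttl 0`, and with the new default of `'0'` nothing is written at all, so squid falls back to its built-in default; either keep emitting the explicit zero or state the change of default in the commit message.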
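Review bot: The doc/language_issues.* hunks carry changes that do not belong to this revert: every language file also drops `advproxy content based throttling`, and the es, pl and ru files touch the `fireinfo why descr2` and `fwdfw hint ip2` lines with no visible difference other than whitespace. If these files are regenerated output, say so in the commit message or move the regeneration into a separate commit, so the revert itself stays limited to the `AUTH user IP cache TTL` and `errmsg auth ipcache ttl` strings.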