Squid proxy and user authentication

There are cases where you want to control access to your proxy server. This can be done via IP restrictions, via authentication with user name and password, or both.

I recently configured my Squid to support user authentication. Squid does not check credentials itself; it hands them to an external authentication helper, and there are several helpers to choose from:

  • LDAP: Authenticates against LDAP databases.
  • MSNT: Microsoft NT domain authentication.
  • NCSA: Authenticates against the same type of password file as many NCSA-compliant web servers (e.g. Apache htpasswd)
  • PAM: Authenticates against Pluggable Authentication Module (common Linux authentication).
  • SMB: Authenticates against an SMB server (e.g. Samba).
  • getpwnam: Authenticates using Unix password or shadow password file

Set up authentication

Open squid.conf (usually /etc/squid/squid.conf) and configure the auth_param section for basic authentication:

  auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/htpasswd
  auth_param basic children 5
  auth_param basic realm Squid proxy-caching web server
  auth_param basic credentialsttl 2 hours
  auth_param basic casesensitive off

  • program: The helper binary and its arguments; for ncsa_auth the argument is the htpasswd-style password file.
  • children 5: Number of helper processes Squid starts; raise it if the cache log reports that all helpers are busy.
  • realm: The text the browser shows in its login prompt.
  • credentialsttl 2 hours: A username/password pair that the helper has accepted is cached by Squid for 2 hours before it is sent to the helper again.
  • casesensitive off: Username is not case-sensitive.

Keep in mind that basic authentication sends user name and password only base64-encoded in the Proxy-Authorization header of every request. Anyone who can sniff the traffic between client and proxy can read the credentials, so use it only on a trusted network or restrict the proxy to trusted client addresses as well.

If you're uncertain about the path to the ncsa_auth helper you can run dpkg -L squid | grep ncsa_auth on a Debian-based system or rpm -ql squid | grep ncsa_auth on an RPM-based system to find out where this helper is. Note that Squid 3.2 and later renamed the helper to basic_ncsa_auth (the grep above still finds it); adjust the program line accordingly.

The password file is created (together with the first user) via

  # htpasswd -c <password file> username

Further users are added with

  # htpasswd <password file> username

Use -c only for the very first user: it creates the file and silently overwrites an existing one, which would throw away every other account. The file must be readable by the user Squid runs as (proxy on Debian, squid on RHEL) but should not be world-readable.

To actually enable the authentication you have to add

  acl ncsa_users proxy_auth REQUIRED
  http_access allow ncsa_users

to the ACL section of squid.conf. Squid evaluates http_access rules top to bottom and the first match wins, so the allow line has to come before your final http_access deny all, and the auth_param lines have to appear before the acl line that references them. Check the result with squid -k parse, then restart Squid (or reload it with squid -k reconfigure).

  • acl ncsa_users proxy_auth REQUIRED: Matches any request that carries valid credentials for any user; a request without credentials is answered with 407 Proxy Authentication Required, which makes the browser ask for a password.
  • http_access allow ncsa_users: Allow proxy access only to members of ncsa_users, which in fact means authenticated users.
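The steps above, as an added example that is not part of the original post: a small POSIX shell script that emits the complete squid.conf fragment, checks the ordering rules (auth_param before the proxy_auth acl, allow before deny all) on any config file fed to it, and wraps htpasswd so that -c is only used when the password file does not exist yet. The helper path, password file location and realm are parameters and are assumptions, not values taken from a real installation.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the helper path,
# password file and realm are supplied by the caller.

# Print the squid.conf fragment for NCSA basic authentication.
# $1 = helper binary, $2 = password file, $3 = realm text
squid_auth_fragment() {
    helper=$1; pwfile=$2; realm=$3
    cat <<EOF
auth_param basic program $helper $pwfile
auth_param basic children 5
auth_param basic realm $realm
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
http_access deny all
EOF
}

# Read a squid.conf on stdin and verify the ordering that Squid's
# top-to-bottom, first-match evaluation requires. Exit 0 when OK,
# exit 1 and print each problem otherwise. Comment lines are skipped.
check_auth_order() {
    awk '
    /^[[:space:]]*#/ { next }
    /^auth_param[[:space:]]+basic[[:space:]]+program/ && !ap { ap = NR }
    /^acl[[:space:]]+[^[:space:]]+[[:space:]]+proxy_auth/ && !acl { acl = NR }
    /^http_access[[:space:]]+allow[[:space:]]+ncsa_users/ && !allow { allow = NR }
    /^http_access[[:space:]]+deny[[:space:]]+all/ && !deny { deny = NR }
    END {
        rc = 0
        if (!ap)  { print "missing: auth_param basic program"; rc = 1 }
        if (!acl) { print "missing: acl ... proxy_auth"; rc = 1 }
        if (ap && acl && acl < ap) {
            print "proxy_auth acl (line " acl ") precedes auth_param (line " ap ")"; rc = 1
        }
        if (!allow) { print "no http_access rule uses ncsa_users"; rc = 1 }
        if (allow && deny && deny < allow) {
            print "http_access deny all (line " deny ") precedes allow ncsa_users (line " allow ")"; rc = 1
        }
        exit rc
    }'
}

# Create or update a proxy user. "-c" is only passed when the file does
# not exist yet, because htpasswd -c truncates an existing file and drops
# every other account. Needs htpasswd (apache2-utils / httpd-tools).
# $1 = password file, $2 = user name
add_proxy_user() {
    pwfile=$1; user=$2
    command -v htpasswd >/dev/null 2>&1 || { echo "htpasswd not installed" >&2; return 1; }
    if [ -f "$pwfile" ]; then
        htpasswd "$pwfile" "$user"
    else
        htpasswd -c "$pwfile" "$user" && chmod 640 "$pwfile"
        # Then chown the file to the account Squid runs as (proxy on Debian,
        # squid on RHEL) so the helper can read it.
    fi
}

# Demo: write the fragment to a temporary file and check it. For a real
# deployment append the fragment to /etc/squid/squid.conf, create the
# password file with add_proxy_user, then run "squid -k parse" and
# "squid -k reconfigure".
tmp=$(mktemp)
squid_auth_fragment /usr/lib/squid/ncsa_auth /etc/squid/htpasswd "Squid proxy-caching web server" >"$tmp"
check_auth_order <"$tmp" && echo "ordering OK in $tmp"
rm -f "$tmp"
```

check_auth_order only looks at the four directives this setup depends on; it is a sanity check for the ordering mistakes that silently leave the proxy open or make Squid refuse to start, not a replacement for squid -k parse.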

Remark:
This does not work for a transparent (intercepting) proxy setup. With interception the browser does not know that a proxy is in the path, so it never sends a Proxy-Authorization header and does not handle the 407 response that asks for credentials.
