Monday, November 03, 2008

Enabling basic authentication in Squid

Found this in my Gmail archive and thought it would be easier to have it on my blog.
I had replied with this to someone on the lug.lk mailing list.

I also noticed an error in my reply, which is corrected below.

 -2007-08-01 

Squid supports a lot of authentication methods. I'll describe the basic method, which uses the ncsa_auth program.
You need to make the following changes to your squid.conf.

Please be advised that the below gives only a very basic proxy setup with authentication.

If you want something more complex, you might want to refer to the Squid documentation.

**Back up your existing squid.conf

Add or uncomment the following lines in your squid.conf:

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd 

The ncsa_auth program is installed along with Squid on Red Hat flavours, under /usr/lib/squid/.
"/etc/squid/squid_passwd" is the name of the file where all the passwords will be kept.
You can change this to point to wherever you want in the file system.

auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off 

The first line below is an ACL named "authenticated_user". The second line defines the networks in the LAN.
This should be changed according to your setup. (I just copied it over from the default squid configuration :-) )

The third allows HTTP access through the proxy for authenticated connections coming from the specified networks.

acl authenticated_user proxy_auth REQUIRED 
acl our_networks src 192.168.1.0/24 192.168.2.0/24 
http_access allow our_networks authenticated_user
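
The position of that http_access line matters: Squid uses the first http_access line whose ACLs all match, so an earlier line that allows our_networks on its own would let clients through without a password prompt. The Python sketch below is an added example, not part of the original post or of Squid; it is a simplified model of that evaluation, and the "http_access deny all" line and the BROKEN config are constructed for illustration.

```python
import ipaddress

# Constructed configs reusing the ACL names from the post. BROKEN keeps an
# earlier "allow our_networks" line above the authenticated rule.
GOOD = """
acl authenticated_user proxy_auth REQUIRED
acl our_networks src 192.168.1.0/24 192.168.2.0/24
http_access allow our_networks authenticated_user
http_access deny all
"""
BROKEN = GOOD.replace(
    "http_access allow our_networks authenticated_user",
    "http_access allow our_networks\n"
    "http_access allow our_networks authenticated_user")

def parse(conf):
    """Collect acl definitions and the ordered http_access rules."""
    acls, rules = {"all": ("src", ["0.0.0.0/0"])}, []
    for line in conf.splitlines():
        tok = line.split("#")[0].split()
        if tok[:1] == ["acl"]:
            acls[tok[1]] = (tok[2], tok[3:])
        elif tok[:1] == ["http_access"]:
            rules.append((tok[1], tok[2:]))
    return acls, rules

def decide(conf, src_ip, authenticated):
    """Simplified model of http_access: returns 'allow', 'deny' or '407'."""
    acls, rules = parse(conf)
    for action, names in rules:          # first fully matching line wins
        for name in names:               # ACLs on a line are ANDed, left to right
            kind, values = acls[name]
            if kind == "proxy_auth":
                if not authenticated:
                    return "407"         # Squid asks the client for credentials
            elif not any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(v)
                         for v in values):
                break                    # this line does not apply; try the next
        else:
            return action
    return "deny"                        # not reached: both configs end in deny all

if __name__ == "__main__":
    for label, conf in (("GOOD", GOOD), ("BROKEN", BROKEN)):
        print(label, decide(conf, "192.168.1.10", authenticated=False))
```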

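Once you have made the above changes to squid.conf, you have to create the usernames/passwords in the specified file (/etc/squid/squid_passwd in this example).

For that, run:

htpasswd -c /etc/squid/squid_passwd username

htpasswd prompts for the password. It only accepts the password as a command-line argument when -b is given, and that leaves the password in the shell history and the process list.

After adding the first user in the above way, add further users without -c, because -c recreates the file and erases the existing entries:

htpasswd /etc/squid/squid_passwd username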

You can find out various parameters you can use with htpasswd from the man page. 

When everything is done, simply restart the squid service.

If you want Squid to connect to a separate service for authentication, refer to the Squid documentation; quite a few methods are currently supported.

2 comments:

Timothy Lang Sr. said...

umm.. I am new to linux/squid/ and using dansguardian for blocking and reporting..

I wanted to set up an auth method for the dans guardian to prompt for access and grant if the ldap (AKA AD in windows is authenticated against)

can you help with that?

Yajith Dayarathna said...

hi,
Sorry for the very delayed reply. Since DansGuardian and Squid are normally integrated using cache_peer, you should be able to do the necessary authentications at the Squid level, when a client makes a request.
However, I'm not sure if DansGuardian alone is capable of such things.
