We run a squid proxy server at our two system network at home :) in unauthenticated mode. I was just going through the squid logs at /var/logs/squid/access.log, and I saw few miscreant IPs eating up my network bandwith by using our proxy server. Then, I decided to tune up the authentication mode for squid proxy server. Squid doesn't have its authentication module and we need to us LDAP,PAM or NCSA. I came accross NCSA based authentication at http://www.cyberciti.biz/tips/linux-unix-squid-proxy-server-authentication.html. Given below. It worked very well in our case.
Configure an NCSA-style username and password authentication
I am going to assume that squid is installed and working fine.
Tip: Before going further, test basic Squid functionality. Make sure squid is functioning without requiring authorization :)
Step # 1: Create a username/password
First create a NCSA password file using htpasswd command. htpasswd is used to create and update the flat-files used to store usernames and password for basic authentication of squid users.
# htpasswd /etc/squid/passwd user1
Output:
New password:
Re-type new password:
Adding password for user user1
Make sure squid can read passwd file:
# chmod o+r /etc/squid/passwd
Step # 2: Locate nsca_auth authentication helper
Usually nsca_auth is located at /usr/lib/squid/ncsa_auth. You can find out location using rpm (Redhat,CentOS,Fedora) or dpkg (Debian and Ubuntu) command:
# dpkg -L squid | grep ncsa_auth
Output:
/usr/lib/squid/ncsa_auth
If you are using RHEL/CentOS/Fedora Core or RPM based distro try:
# rpm -ql squid | grep ncsa_auth
Output:
/usr/lib/squid/ncsa_auth
Step # 3: Configure nsca_auth for squid proxy authentication
Now open /etc/squid/squid.conf file
# vi /etc/squid/squid.conf
Append (or modify) following configration directive:
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
Also find out your ACL section and append/modify
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
Make sure that you do not have any other http_access statement.
Save and close the file.
Where,
* auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd : Specify squid password file and helper program location
* auth_param basic children 5 : The number of authenticator processes to spawn.
* auth_param basic realm Squid proxy-caching web server : Part of the text the user will see when prompted their username and password
* auth_param basic credentialsttl 2 hours : Specifies how long squid assumes an externally validated username:password pair is valid for - in other words how often the helper program is called for that user with password prompt. It is set to 2 hours.
* auth_param basic casesensitive off : Specifies if usernames are case sensitive. It can be on or off only
* acl ncsa_users proxy_auth REQUIRED : The REQURIED term means that any authenticated user will match the ACL named ncsa_users
* http_access allow ncsa_users : Allow proxy access only if user is successfully authenticated.
Restart squid:
# /etc/init.d/squid restart
Configure an NCSA-style username and password authentication
I am going to assume that squid is installed and working fine.
Tip: Before going further, test basic Squid functionality. Make sure squid is functioning without requiring authorization :)
Step # 1: Create a username/password
First create a NCSA password file using htpasswd command. htpasswd is used to create and update the flat-files used to store usernames and password for basic authentication of squid users.
# htpasswd /etc/squid/passwd user1
Output:
New password:
Re-type new password:
Adding password for user user1
Make sure squid can read passwd file:
# chmod o+r /etc/squid/passwd
Step # 2: Locate nsca_auth authentication helper
Usually nsca_auth is located at /usr/lib/squid/ncsa_auth. You can find out location using rpm (Redhat,CentOS,Fedora) or dpkg (Debian and Ubuntu) command:
# dpkg -L squid | grep ncsa_auth
Output:
/usr/lib/squid/ncsa_auth
If you are using RHEL/CentOS/Fedora Core or RPM based distro try:
# rpm -ql squid | grep ncsa_auth
Output:
/usr/lib/squid/ncsa_auth
Step # 3: Configure nsca_auth for squid proxy authentication
Now open /etc/squid/squid.conf file
# vi /etc/squid/squid.conf
Append (or modify) following configration directive:
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
Also find out your ACL section and append/modify
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
Make sure that you do not have any other http_access statement.
Save and close the file.
Where,
* auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd : Specify squid password file and helper program location
* auth_param basic children 5 : The number of authenticator processes to spawn.
* auth_param basic realm Squid proxy-caching web server : Part of the text the user will see when prompted their username and password
* auth_param basic credentialsttl 2 hours : Specifies how long squid assumes an externally validated username:password pair is valid for - in other words how often the helper program is called for that user with password prompt. It is set to 2 hours.
* auth_param basic casesensitive off : Specifies if usernames are case sensitive. It can be on or off only
* acl ncsa_users proxy_auth REQUIRED : The REQURIED term means that any authenticated user will match the ACL named ncsa_users
* http_access allow ncsa_users : Allow proxy access only if user is successfully authenticated.
Restart squid:
# /etc/init.d/squid restart
0 readers commented:
Post a Comment