Difference between revisions of "Configuring proxy authentication for squid"

From Notes_Wiki
m
m
Line 10: Line 10:
==Enabling proxy authentication using custom plugin==
==Enabling proxy authentication using custom plugin==


===Authentication program===
For squid authentication a custom program which reads "username password" in endless loop from standard input is required.  This program should print OK if authentication is successful or ERR followed by optional error message if authentication fails.  Once such program is available then custom authentication can be setup as explained in following sub-section.
===Authentication configuration===
We can configure a program for basic authentication using lines like:
We can configure a program for basic authentication using lines like:
<pre>
<pre>

Revision as of 07:13, 11 April 2014

<yambe:breadcrumb self="Authentication">Squid proxy server configuration|Squid</yambe:breadcrumb>

Configuring proxy authentication for squid

Enabling proxy authentication using ldap

Refer to Squid proxy authentication using ldap


Enabling proxy authentication using custom plugin

Authentication program

For squid authentication a custom program which reads "username password" in endless loop from standard input is required. This program should print OK if authentication is successful or ERR followed by optional error message if authentication fails. Once such program is available then custom authentication can be setup as explained in following sub-section.


Authentication configuration

We can configure a program for basic authentication using lines like:

auth_param basic program /usr/lib64/squid/squid_auth_using_pop3/squid_auth_using_pop3
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

Now we can use acl proxy_authentication like 'acl proxy_authentication proxy_auth'

After this whenever proxy encounters this acl proxy authentication would be forced. Note that we want to enable proxy authentication for all users then we can use

    http_access allow proxy_authentication

But if we want it to be enabled only in combination with other ACL like source address then we can use

    acl hostel_wireless_users src 172.17.0.0/16 172.16.0.0/16
    http_access allow hostel_wireless_users proxy_authentication

Here order of acls, that is first hostel_wireless_users and then proxy_authentication is very important, so that only for hostel_wireless_users proxy_authentication is enforced. If we reverse the order and try

    http_access allow proxy_authentication hostel_wireless_users

then squid will end up trying proxy_authentication for all users and later on will see if users are hostel_wireless_users or not which wont serve the purpose of selective authentication.

Hence ACLs are tried in the order in which they are given. This can be used to optimize ACLs so that rule which is more likely to fail is given higher preference.


<yambe:breadcrumb self="Authentication">Squid proxy server configuration|Squid</yambe:breadcrumb>