User authentication in squid:
To Readers: All those starting with # are run by root user and ;'s are comments inside the configuration files
User authentication can be done with the help of the ncsa_auth module and with PAM
This module resides in /usr/lib/squid/ in the name nsca_auth.
edit squid.conf and add the following entries
acl all src 0.0.0.0/0.0.0.0
;inbuilt acl in squid.conf
acl clients src 10.0.0.1-10.0.0.150
;Here we are declaring an acl in the name
;clients which catches all the ip from 10.0.0.1 to 10.0.0.150
acl users proxy_auth REQUIRED
;another acl in the name users of type proxy_auth
;REQUIRED => accept any valid user.
;proxy_auth works only with the help of external authenticators.
;Here we are going to try, ncsa_auth and PAM.
http_access allow clients users
;Logical AND-ing here, both acls must be satisfied
;for access to be allowed.
http_access deny clients
;If the criteria is not met, deny clients immediately
;instead of traversing till acl 'all'
http_access deny all
;eventually deny all
;Note: by default squid denies all with the acl 'all'
auth_param basic program /var/lib/squid/ncsa_auth /etc/squid/.passwd
;Here we are using the authentication program nsca_auth
;basic => scheme which is used.
;/var/lib/squid/ncsa-auth => external authenticator
;/etc/squid/.passwd => file which contains
; username/password credentials.
save squid.conf and exit
Check the syntax of squid.conf
#squid -k parse /etc/squid/squid.conf
If it shows some problem, rectify it :P
Now we need to make the file which acts as the
Use the htpasswd command from httpd-tools-* rpm.
#htpasswd -c /etc/squid/.passwd mj0vy
enter the password for user mj0vy
when htpasswd is done for the first time we need to give the -c flag so that
it would create the password file. For adding more users to this password file
we should not give the -c flag as it would overwrite the existing users'
#htpasswd /etc/squid/.passwd sreejith
restart the squid service and configure clients' browser to listen to squid server
and check whether username and password are prompted while accessing the sites.
Note: Squid is a very heavy service. So instead of going for restarting the squid
with init script, do it like this
#squid -k reconfigure
With PAM Module:
One of the beauty with using PAM is that we can group level deny too!
auth_param basic program /usr/lib/squid/pam_auth
;Here we dont need to specify the username/password file as its declared
;in the PAM file associated with squid.
Its a single line
auth required pam_listfile.so item=user sense=allow
Make sure that /usr/lib/squid/pam_auth is setUID to root!
If not do it
#chmod +s /usr/lib/squid/pam_auth
Now add the UNIX users' name to /etc/squid/squid_users who you want to allow proxy access!
If you want to grant access using UNIX groups, change the PAM file as
Its a single line
auth required pam_listfile.so item=group sense=allow
Make the file /etc/squid/squid_groups and enter the groups who you want to allow access!
Note: Make sure the users who are trying to connect MUST be member of this UNIX group!
Note: As PAM checks /etc/passwd, /etc/group and /etc/shadow, the authentication process will be a bit slow!