Saturday, June 28, 2008

User/Group authentication in squid

User authentication in squid:
To Readers: All lines starting with # are run as the root user, and lines starting with ; are comments inside the configuration files.

User authentication can be done with the help of the ncsa_auth module or with PAM.

With ncsa_auth:
This module resides in /usr/lib/squid/ under the name ncsa_auth.

Edit squid.conf and add the following entries:

#vim /etc/squid/squid.conf

acl all src
;inbuilt acl in squid.conf

acl clients src
;Here we are declaring an acl named 'clients'
;which matches all the client IPs from to

acl users proxy_auth REQUIRED
;another acl named 'users' of type proxy_auth
;REQUIRED => accept any valid user.
;proxy_auth works only with the help of external authenticators.
;Here we are going to try ncsa_auth and PAM.

http_access allow clients users
;Logical AND-ing here: both acls must be satisfied
;for access to be allowed.

http_access deny clients
;If the criteria are not met, deny clients immediately
;instead of falling through to acl 'all'

http_access deny all
;eventually deny everything else
;Note: by default squid denies all with the acl 'all'

auth_param basic program /var/lib/squid/ncsa_auth /etc/squid/.passwd
;Here we are using the authentication program ncsa_auth
;basic => authentication scheme which is used.
;/var/lib/squid/ncsa_auth => external authenticator
;/etc/squid/.passwd => file which contains the
; username/password credentials.

Save squid.conf and exit.

Check the syntax of squid.conf:
#squid -k parse /etc/squid/squid.conf
If it reports a problem, rectify it :P

Now we need to make the file which acts as the
username/password database!
Use the htpasswd command from the httpd-tools-* rpm.

#htpasswd -c /etc/squid/.passwd mj0vy

Enter the password for user mj0vy when prompted.
When htpasswd is run for the first time we need to give the -c flag so that
it creates the password file. When adding more users to this password file
we should not give the -c flag, as it would overwrite the existing users.

#htpasswd /etc/squid/.passwd sreejith

Restart the squid service, configure the clients' browsers to use the squid server as their proxy,
and check whether a username and password are prompted for while accessing sites.
Note: Squid is a very heavy service. So instead of restarting squid
with the init script, do it like this:
#squid -k reconfigure
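As an added illustration (not code from the original post), here is a small Python model of how Squid walks the http_access lines above: the acls on one line are AND-ed, and the first line whose acls all match decides. The 'clients' range (10.0.0.0/24) and the set of valid users are constructed values, since the post elides them.

```python
from ipaddress import ip_address, ip_network

# Constructed ACL table mirroring the post's squid.conf. The post elides the
# src ranges, so 10.0.0.0/24 for 'clients' is an assumed value; 'all' uses
# Squid's built-in "anything" range.
ACLS = {
    "all":     ("src", ip_network("0.0.0.0/0")),
    "clients": ("src", ip_network("10.0.0.0/24")),
    "users":   ("proxy_auth", "REQUIRED"),
}

# http_access lines in the order the post gives them.
HTTP_ACCESS = [
    ("allow", ["clients", "users"]),
    ("deny",  ["clients"]),
    ("deny",  ["all"]),
]

# Constructed stand-in for /etc/squid/.passwd; the real ncsa_auth helper
# verifies the password hash, which this model does not reproduce.
VALID_USERS = {"mj0vy", "sreejith"}


def acl_matches(name, src_ip, auth_user):
    """Evaluate one acl. For proxy_auth REQUIRED, 'matches' means the request
    carried credentials the external helper accepted; an absent or rejected
    user does not match (real Squid then answers 407 to prompt the browser)."""
    kind, arg = ACLS[name]
    if kind == "src":
        return ip_address(src_ip) in arg
    if kind == "proxy_auth":
        return auth_user in VALID_USERS
    raise ValueError(f"unknown acl type {kind}")


def decide(src_ip, auth_user=None):
    """Return 'allow' or 'deny' using Squid's rule: the first http_access line
    whose acls ALL match decides; later lines are never consulted."""
    for action, acl_names in HTTP_ACCESS:
        if all(acl_matches(n, src_ip, auth_user) for n in acl_names):
            return action
    # Nothing matched: Squid applies the opposite of the last line's action.
    return "allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"


if __name__ == "__main__":
    for src, user in [("10.0.0.7", "mj0vy"), ("10.0.0.7", None),
                      ("10.0.0.7", "intruder"), ("192.0.2.9", "mj0vy")]:
        print(f"{src:>10} user={user!s:<9} -> {decide(src, user)}")
```

Swap the order of the two deny lines and the result is unchanged here, but drop the `deny clients` line and an unauthenticated LAN client still ends at `deny all`; the model makes such reorderings cheap to check before touching a live squid.conf.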

With PAM Module:
One of the beauties of using PAM is that we can deny at group level too!

#vim /etc/squid/squid.conf

auth_param basic program /usr/lib/squid/pam_auth
;Here we don't need to specify the username/password file, as it's declared
;in the PAM file associated with squid.

#vim /etc/pam.d/squid
It's a single line:
auth required item=user sense=allow file=/etc/squid/squid_users onerr=fail

Make sure that /usr/lib/squid/pam_auth is setuid root!
If not, do it:
#chmod +s /usr/lib/squid/pam_auth

Now add the names of the UNIX users you want to allow proxy access to /etc/squid/squid_users!

If you want to grant access using UNIX groups, change the PAM file as follows.

It's a single line:
auth required item=group sense=allow file=/etc/squid/squid_groups onerr=fail

Make the file /etc/squid/squid_groups and enter the groups you want to allow access!
Note: Make sure the users who are trying to connect are members of one of these UNIX groups!

Note: As PAM checks /etc/passwd, /etc/group and /etc/shadow, the authentication process will be a bit slow!
mohan said...

Hi Sreejith,
I saw some useful tips in your blog spot about Squid. Now I want to configure the following scenario in my office. Can you help me? I'm very new to Squid.


1. Want to create 2 groups:
* Power User
* Super User
2. Power users have rights to access all sites except some illegal sites.
3. Super users have limited access to sites, e.g. Gmail, Rediff and Yahoo, like that.

This is the condition. I hope you will send a good reply. Thanks in advance.


swadesh said...

Hi Sreejith,

This is Swadesh. We met at KIIT University
in Orissa. I have a doubt about the squid proxy server. I want to know which user uses how much bandwidth. Is this possible?