The access control list
To tell Squid to check for user authentication, you need to add two special access control lines. The lines are:
    acl name proxy_auth REQUIRED
    http_access allow name
A proxy_auth ACL does not behave like an ordinary ACL. A request that carries no credentials, or invalid ones, does not simply fail to match and fall through to the next http_access line: when the proxy_auth ACL is the last ACL on the line and everything before it matched, Squid answers with a 407 Proxy Authentication Required challenge. So the allow line above lets in anyone who presents a valid user name and password, and challenges (and, for as long as no valid pair arrives, effectively denies) everyone else. For this reason, the following format is recommended for access control lists that require user authentication:
    # set up the acl name for the local network (a src ACL, not proxy_auth)
    acl localnetwork src foo.bar.baz/xy.zz.y
    # set up the acl name for user authentication
    acl localusers proxy_auth REQUIRED
    # set up all the denies for those not in the local network
    http_access deny !localnetwork
    # set up the user authentication
    http_access allow localusers
    # set up the allows for the local network
    http_access allow localnetwork
    # deny anything that passes beyond this point
    http_access deny all
This refuses anyone outside the local network straight away, before any password is requested: outsiders never get the chance to try credentials against the proxy, and nobody is asked for a user name and password only to be turned away after entering a valid pair, which is very confusing for the user.
Those who fail user authentication are challenged at the http_access allow localusers rule and stay denied until they present a valid pair. Those who pass authentication match that rule and are allowed. In this ordering the explicit allow for the local network is not reached by a request that carried valid credentials (it was already decided at the localusers line), but keeping every case explicit, and ending with http_access deny all, means the outcome never depends on Squid's implicit default rule.
Squid ACLs have an implicit final rule which is the opposite of the last explicit rule. If the last rule is http_access allow localusers, a request that matches no rule at all is denied; if the last rule is a deny, an unmatched request is allowed. Relying on this default is a common misconfiguration: a list that happens to end with a deny line silently allows everything that fell through it. Always finish the list with an explicit http_access deny all.
Incorrect ACL formats
The following format would fail because any user on the local network would be allowed access to the proxy. Authentication would not be checked.
    # set up the allows for the local network
    http_access allow localnetwork
    # set up the user authentication
    http_access allow localusers
The following format is not broken in itself: any user who authenticates is allowed, from anywhere, and everything else is denied. What it loses is the check on the local network. Outsiders are challenged for a password instead of being refused outright, so the proxy invites password guessing from the whole Internet, and anyone who obtains a valid pair can use it from any address.
User authentication allow <whatever> rules act as if they were
    # set up the user authentication
    http_access allow localusers
    # deny anything that passes beyond this point
    http_access deny all
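The rule ordering discussed above and the two formats under "Incorrect ACL formats" are easiest to reason about with a small model of Squid's evaluation. The following is an added example, not Squid code and not from the original page: it models only first-match http_access evaluation, src and proxy_auth ACLs, the 407 challenge that an undecidable proxy_auth ACL produces when it is last on the line, and the implicit default (the opposite of the last rule). The network 192.0.2.0/24, the user alice and her password stand in for the page's foo.bar.baz/xy.zz.y and password file and are constructed for the demonstration.

```python
"""Toy model of Squid http_access evaluation (added example, not Squid code)."""
import ipaddress

ALLOW, DENY, CHALLENGE = "allow", "deny", "challenge"

# Constructed stand-ins for the page's placeholders.
LOCALNET = [ipaddress.ip_network("192.0.2.0/24")]
USERS = {"alice": "correct horse"}

ACLS = {
    "localnetwork": ("src", LOCALNET),                 # acl localnetwork src 192.0.2.0/24
    "localusers": ("proxy_auth", "REQUIRED"),          # acl localusers proxy_auth REQUIRED
    "all": ("src", [ipaddress.ip_network("0.0.0.0/0")]),  # acl all src 0/0
}


def acl_matches(name, request):
    """True/False for a decided match; None when a proxy_auth ACL cannot decide
    because the request has no valid credentials (missing or wrong)."""
    kind, arg = ACLS[name]
    if kind == "src":
        return any(ipaddress.ip_address(request["src"]) in net for net in arg)
    if kind == "proxy_auth":
        creds = request.get("credentials")
        if creds and USERS.get(creds[0]) == creds[1]:
            return True  # REQUIRED: any valid user name matches
        return None
    raise ValueError(f"unknown acl type {kind}")


def check_access(rules, request):
    """rules: list of (action, [acl, ...]); an acl token may be negated with '!'.
    The first http_access line whose ACLs all match decides the request."""
    for action, acl_list in rules:
        line_matches = True
        for i, token in enumerate(acl_list):
            negate = token.startswith("!")
            result = acl_matches(token.lstrip("!"), request)
            # Undecidable proxy_auth, last on the line, every earlier ACL matched:
            # Squid sends a 407 challenge instead of moving to the next line.
            if result is None and i == len(acl_list) - 1:
                return CHALLENGE
            if bool(result) == negate:   # no match (None counts as no match)
                line_matches = False
                break
        if line_matches:
            return action
    # Implicit final rule: the opposite of the last explicit rule.
    return DENY if rules[-1][0] == ALLOW else ALLOW


# The page's recommended list.
RECOMMENDED = [
    (DENY, ["!localnetwork"]),
    (ALLOW, ["localusers"]),
    (ALLOW, ["localnetwork"]),
    (DENY, ["all"]),
]
# First incorrect format: insiders are allowed before authentication is checked.
NO_AUTH_CHECK = [(ALLOW, ["localnetwork"]), (ALLOW, ["localusers"])]
# Second format: authentication only, no source restriction.
AUTH_ONLY = [(ALLOW, ["localusers"]), (DENY, ["all"])]


def demo():
    """Outcomes for an insider and an outsider under each list."""
    insider, outsider = {"src": "192.0.2.10"}, {"src": "198.51.100.7"}
    good, bad = ("alice", "correct horse"), ("alice", "guess")
    results = {}
    for label, rules in (("recommended", RECOMMENDED),
                         ("no_auth_check", NO_AUTH_CHECK),
                         ("auth_only", AUTH_ONLY)):
        results[label] = {
            "insider/no creds": check_access(rules, insider),
            "insider/bad creds": check_access(rules, {**insider, "credentials": bad}),
            "insider/good creds": check_access(rules, {**insider, "credentials": good}),
            "outsider/no creds": check_access(rules, outsider),
            "outsider/good creds": check_access(rules, {**outsider, "credentials": good}),
        }
    return results


if __name__ == "__main__":
    for label, outcomes in demo().items():
        print(label)
        for case, verdict in outcomes.items():
            print(f"  {case:22s} -> {verdict}")
```

Under the recommended list an outsider is denied without ever being challenged, even with a valid password, while an insider is challenged until a valid pair arrives and then allowed. The first incorrect list allows an insider with no credentials at all; the authentication-only list challenges the outsider and then admits any valid password from anywhere. Two single-line lists show the implicit default: `allow localnetwork` alone denies an outsider, `deny !localnetwork` alone allows an insider, which is why an explicit `deny all` belongs at the end.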
The authentication modules
The authentication module is configured with the option
    authenticate_program <authentication module> <authentication file>
For example:
    # authenticate_program example
    authenticate_program /squid/bin/ncsa_auth /squid/etc/passwd
The standard authentication modules are in $SQUID-HOME/$SQUID-VERSION/auth_modules/. To compile and install a module, go to its subdirectory and run, for example for NCSA:
    auth_modules% cd NCSA
    NCSA% make
    NCSA% make install
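The program named in authenticate_program speaks a very simple protocol, and it is often useful to write one's own when none of the shipped modules fit. The following helper is an added example, not one of Squid's auth_modules and not from the original page. Assumed protocol (the classic one used with authenticate_program): Squid writes one "username password" line per request to the helper's stdin and expects exactly one "OK" or "ERR" line back on stdout. The password file follows the NCSA/htpasswd format, restricted here to "{SHA}" entries as written by htpasswd -s; other hash formats are refused rather than guessed at. SAMPLE_PASSWD and the paths in the usage comment are constructed for the demonstration.

```python
"""Basic-auth helper in the classic authenticate_program protocol (added example)."""
import base64
import hashlib
import hmac
import sys

# Constructed sample file: alice's password is "secret"; bob's entry is a
# placeholder in a format this helper deliberately does not understand.
SAMPLE_PASSWD = (
    "# htpasswd-style file, one user:hash per line\n"
    "alice:{SHA}" + base64.b64encode(hashlib.sha1(b"secret").digest()).decode() + "\n"
    "bob:$apr1$placeholder$notarealhash\n"
)


def load_passwd(text):
    """Parse user:hash lines; blank lines and comments are ignored."""
    users = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, stored = line.partition(":")
        if not sep or not user:
            raise ValueError(f"line {lineno}: expected user:hash")
        users[user] = stored
    return users


def password_ok(stored, password):
    """Verify against a {SHA} entry (unsalted SHA-1, base64 encoded).
    Any other format is rejected: a wrong guess at a hash format must
    never produce OK."""
    if not stored.startswith("{SHA}"):
        return False
    digest = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode()
    return hmac.compare_digest(digest, stored[len("{SHA}"):])


def handle_request(users, line):
    """One protocol round: 'user password' in, 'OK' or 'ERR' out. The classic
    protocol has no encoding, so everything after the first space is the
    password and a user name containing a space cannot be expressed."""
    user, sep, password = line.rstrip("\r\n").partition(" ")
    if not sep:
        return "ERR"
    stored = users.get(user)
    if stored is None:
        # Check unknown users against a dummy entry so that an unknown
        # name and a wrong password cost about the same amount of work.
        stored = "{SHA}" + "A" * 27 + "="
    return "OK" if password_ok(stored, password) else "ERR"


def serve(users, inp, out):
    """Answer requests until Squid closes stdin. Flush after every answer:
    Squid waits for the line, and a buffered reply hangs the request."""
    for line in inp:
        out.write(handle_request(users, line) + "\n")
        out.flush()


if __name__ == "__main__":
    # Assumed squid.conf usage (paths are placeholders):
    #   authenticate_program /usr/bin/python3 /squid/bin/sha_auth.py /squid/etc/passwd
    with open(sys.argv[1], encoding="utf-8") as fh:
        serve(load_passwd(fh.read()), sys.stdin, sys.stdout)
```

Two points a practitioner should carry over to any helper: the password file must be readable by the user Squid runs the helper as and by nobody else, and the {SHA} scheme accepted here is unsalted SHA-1, chosen only because it is what htpasswd -s writes and needs no extra library; it offers no protection against offline cracking if the file leaks.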
Standard authentication modules
LDAP: Authenticates against LDAP directories. This needs the OpenLDAP libraries from openldap.org. See the ReadMe file in the LDAP module directory.
MSNT: Microsoft NT domain authentication. This needs configuration changes made to the source. See the ReadMe file in the MSNT module directory.
NCSA: Authenticates against the same type of password file as NCSA-compliant web servers (the htpasswd format). No visible documentation, but the code is readable.
PAM: Pluggable Authentication Module. Ideal for PAM-enabled systems such as Debian Linux; PAM can be configured to use a variety of authentication back ends. Instructions are in the comments in the
SMB: Authenticates against an SMB server such as Windows NT or Samba. See the ReadMe file in the SMB module directory.
getpwnam: Authenticates against the Unix password or shadow password file, or similar files that can be read through the C getpwnam() library function. There is no visible documentation or readable code; man getpwnam describes the function. To use the shadow password file, the authenticator would need to be