Authentication and Squid
Pages: 1, 2, 3

The access control list

To tell Squid to check for user authentication, you need to add two special access control lines: an acl of type proxy_auth, and an http_access rule that uses it. The lines are:



acl name proxy_auth REQUIRED
http_access allow name

These lines do not behave like an ordinary allow rule. A proxy_auth ACL is special: when Squid reaches a rule that uses it and the client has sent no credentials, or credentials the authenticator rejected, Squid stops evaluating the http_access list there and answers with a 407 Proxy Authentication Required challenge, whatever comes later in the list. So an http_access allow name line admits the clients that authenticate and, at the same time, stops everyone else, as if it also read http_access deny !name. For this reason, the following format is recommended for access control lists that require user authentication:

# set up the acl name for the local network
acl localnetwork src foo.bar.baz/xy.zz.y
# set up the acl name for user authentication
acl localusers proxy_auth REQUIRED

# deny everyone who is not on the local network, before any password is asked for
http_access deny !localnetwork
# challenge everyone who is left, and allow those who authenticate
http_access allow localusers
# deny anything that passes beyond this point
http_access deny all

This ensures that anyone who is going to be denied because they're outside the local network is denied straight away, with a plain refusal, rather than being handed to the user authentication process first. It is very confusing for a user to be asked for a user name and password and still be denied after entering a valid pair.

Those who fail user authentication, or who never supply credentials, are stopped at the http_access allow localusers rule by the challenge; those who pass authentication match that rule and are allowed by it, so no further line is needed for them. In particular, do not follow the authentication rule with an http_access allow localnetwork line. By construction that line can only be reached by a request that did not authenticate (anyone who did was already allowed, anyone who could not was already challenged), so its only possible effect is to admit a request without a password.

Squid ACLs have an implicit final rule which reverses the preceding rule. If the last explicit rule is an allow, the implicit final rule is http_access deny all; if the last explicit rule is a deny, the default is to allow everything that rule did not catch. Relying on that default is a common misconfiguration, because whatever rule happens to be added last silently changes it. Always close the list with an explicit http_access deny all.

Incorrect ACL formats

The following format fails because any client on the local network matches the http_access allow localnetwork rule and is let in before the authentication rule is ever reached. Authentication is never checked.

# set up the allows for the local network
http_access allow localnetwork
# set up the user authentication
http_access allow localusers

The following format is also not recommended, though not because authenticated users fall through: a user who authenticates matches the http_access allow localusers rule and is admitted there. The problem is that there is no source restriction at all. Every client that reaches the proxy, from any address, is challenged, and anyone holding a valid password gets through from anywhere, so the password is the only control. Keep the http_access deny !localnetwork line in front of the authentication rule. Remember that an allow <whatever> rule built on a proxy_auth ACL also acts as deny !<whatever> for the clients that do not authenticate: it challenges them and stops.

# set up the user authentication
http_access allow localusers
# deny anything that passes beyond this point
http_access deny all
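The orderings discussed above (the recommended list and the two incorrect ones) can be checked by running them. The following is an added example and not Squid's own code: a small model of the documented http_access evaluation (the first line whose terms all match decides; a line's terms are checked left to right and the first failing term ends it; no match gives the opposite of the last line; a proxy_auth ACL reached by an unauthenticated client stops evaluation with a 407 challenge). It parses squid.conf-style text and evaluates constructed sample clients against the recommended order, the source-before-authentication order, the authentication-only order, and a list that relies on the implicit default. The network 192.168.1.0/24 and the client addresses are assumed for the example; the model does not predict which status code Squid uses for a final denial.

```python
"""Model of Squid's http_access evaluation for src and proxy_auth ACLs.

Added illustration, not Squid's own code.  Rules modelled:
  * the first http_access line whose terms all match decides the request;
  * a line's terms are checked left to right, the first failing term ends it;
  * if no line matches, the result is the opposite of the last line;
  * a proxy_auth ACL reached by a client with no credentials, or with
    credentials the authenticator rejected, stops evaluation with a challenge.
Which status code Squid picks for a final denial is not modelled.
"""
import ipaddress

ALLOWED, DENIED, CHALLENGE = "allowed", "denied", "challenge (407)"


class NeedsChallenge(Exception):
    """A proxy_auth ACL was reached by a client that is not authenticated."""


def parse_config(text):
    """Collect acl definitions and http_access lines from squid.conf-style text."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()          # drop comments and blank lines
        if not words:
            continue
        if words[0] == "acl":
            acls[words[1]] = (words[2], words[3:])   # name -> (type, arguments)
        elif words[0] == "http_access":
            rules.append((words[1] == "allow", words[2:]))
    return acls, rules


def match_acl(acl, client):
    kind, args = acl
    if kind == "src":
        ip = ipaddress.ip_address(client["src"])
        return any(ip in ipaddress.ip_network(a, strict=False) for a in args)
    if kind == "proxy_auth":
        if not client.get("authenticated"):
            raise NeedsChallenge          # Squid answers 407 here, whatever the rule says
        return args == ["REQUIRED"] or client["user"] in args
    raise ValueError(f"acl type {kind!r} not modelled")


def evaluate(acls, rules, client):
    """Return ALLOWED, DENIED or CHALLENGE for one client request."""
    if not rules:
        return DENIED                     # no http_access lines at all: Squid denies
    for allow, terms in rules:
        matched = True
        for term in terms:
            negated = term.startswith("!")
            try:
                hit = match_acl(acls[term.lstrip("!")], client)
            except NeedsChallenge:
                return CHALLENGE
            if hit == negated:            # plain term that missed, or ! term that hit
                matched = False
                break
        if matched:
            return ALLOWED if allow else DENIED
    return DENIED if rules[-1][0] else ALLOWED   # implicit default: opposite of last line


# assumed network and addresses; "all" is defined explicitly as old Squid requires
ACLS = """
acl all src 0.0.0.0/0
acl localnetwork src 192.168.1.0/24
acl localusers proxy_auth REQUIRED
"""
RECOMMENDED = ACLS + """
http_access deny !localnetwork
http_access allow localusers
http_access deny all
"""
SOURCE_BEFORE_AUTH = ACLS + """
http_access deny !localnetwork
http_access allow localnetwork
http_access allow localusers
http_access deny all
"""
AUTH_ONLY = ACLS + """
http_access allow localusers
http_access deny all
"""
IMPLICIT_DEFAULT = ACLS + """
acl admins proxy_auth alice
http_access allow admins
"""

# constructed sample clients; a rejected password behaves like "no credentials"
CLIENTS = {
    "local, no credentials":  {"src": "192.168.1.10", "authenticated": False},
    "local, authenticated":   {"src": "192.168.1.10", "authenticated": True, "user": "alice"},
    "remote, no credentials": {"src": "203.0.113.7", "authenticated": False},
    "remote, authenticated":  {"src": "203.0.113.7", "authenticated": True, "user": "alice"},
}


def outcomes(config_text, clients=CLIENTS):
    acls, rules = parse_config(config_text)
    return {label: evaluate(acls, rules, c) for label, c in clients.items()}


if __name__ == "__main__":
    for name, cfg in [("recommended", RECOMMENDED), ("source before auth", SOURCE_BEFORE_AUTH),
                      ("auth only", AUTH_ONLY)]:
        print(name)
        for label, result in outcomes(cfg).items():
            print(f"  {label:24} -> {result}")
```

Running it shows the three behaviours in one table: the recommended order refuses remote clients without ever challenging them and challenges local ones; the source-before-authentication order admits a local client that sent no credentials at all; the authentication-only order challenges and admits from anywhere. The IMPLICIT_DEFAULT list has no deny all, so an authenticated user who is not alice falls off the end and is denied only because the last explicit rule happened to be an allow.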

The authentication modules

The authentication module is configured with the authenticate_program option, which takes the path of the module followed by whatever arguments that module needs; for ncsa_auth, the password file. (Squid 2.5 and later spell the same setting auth_param basic program.)

# authenticate_program example
authenticate_program /squid/bin/ncsa_auth /squid/etc/passwd

The standard authentication modules ship in the auth_modules/ directory of the Squid source tree ($SQUID-HOME/$SQUID-VERSION/auth_modules/). To compile and install a module, change to its subdirectory and run make, then make install.

Example:

auth_modules% cd NCSA
NCSA% make
NCSA% make install

Standard authentication modules

LDAP
Authenticates against LDAP directories. This needs the OpenLDAP libraries from openldap.org. See the ReadMe file in the LDAP module directory.

MSNT
Microsoft NT domain authentication. This needs configuration changes made to the source. See the ReadMe file in the MSNT module directory.

NCSA
Authenticates against the same type of password file as many NCSA-compliant web servers. No visible documentation, but the code is readable.

PAM
Pluggable Authentication Modules. Ideal for PAM-enabled systems such as Debian Linux; PAM can be configured to use a variety of authentication back ends, so this one module covers all of them. Instructions are in the comments in the .c file.

SMB
Authenticates against an SMB server such as Windows NT or Samba. See the ReadMe file in the SMB module directory.

getpwnam
Authenticates against the Unix password or shadow password file, or any other source the C getpwnam() library function can read. There is no documentation and the code is not commented; man getpwnam describes the function. To use the shadow password file the authenticator would need to run setuid root, which is worth avoiding: a setuid-root program that is fed user names and passwords straight from the network turns any flaw in it into a root flaw.
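What an authentication module actually does is small: Squid writes one "username password" line per attempt to the module's standard input and expects "OK" or "ERR" back on its standard output, one reply per line. The following is an added example of such a module and is not one of Squid's own; it is useful when none of the standard modules fits, and, because Squid runs it as the cache_effective_user, it needs no setuid bit. Its password-file format (user:salt:pbkdf2-sha256 in hex) is this example's own, not the NCSA crypt(3) format ncsa_auth reads; the URL-decoding of the two fields assumes the encoding newer Squid releases apply to helper input (a no-op for plain ASCII); the sample password file is constructed for the example with fixed salts.

```python
"""A basic-scheme authentication helper for Squid, written as an added example.

Not one of Squid's own modules.  It speaks the line protocol ncsa_auth and
the other basic helpers use: Squid writes one "username password" line per
attempt to the helper's stdin and reads "OK" or "ERR" back on stdout.
Assumptions: the password file format (user:salt:pbkdf2-sha256, hex) is this
example's own, not the NCSA crypt(3) format; the two fields are URL-decoded,
as newer Squid releases encode helper input (a no-op for plain ASCII).
"""
import hashlib
import hmac
import os
import sys
import urllib.parse

ITERATIONS = 100_000


def make_record(user, password, salt=None):
    """Produce one password-file line; salt is random unless fixed for testing."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{user}:{salt.hex()}:{digest.hex()}"


def load_passwd(text):
    """Parse password-file text into {user: (salt, digest)}; bad lines are skipped."""
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.count(":") != 2:
            continue
        user, salt_hex, digest_hex = line.split(":")
        db[user] = (bytes.fromhex(salt_hex), bytes.fromhex(digest_hex))
    return db


def verify(db, user, password):
    """Constant-time check; an unknown user costs one derivation like everyone else."""
    salt, expected = db.get(user, (bytes(16), None))
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return expected is not None and hmac.compare_digest(got, expected)


def handle_line(db, line):
    """Map one request line from Squid to the reply the helper must print."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2 or not parts[0]:
        return "ERR"                      # malformed request: never answer OK
    user, password = (urllib.parse.unquote(p) for p in parts)  # assumed URL-encoded fields
    return "OK" if verify(db, user, password) else "ERR"


def serve(db, inp=sys.stdin, out=sys.stdout):
    """Answer Squid until it closes the pipe; flush, or Squid waits forever."""
    for line in inp:
        out.write(handle_line(db, line) + "\n")
        out.flush()


# constructed sample file with fixed salts so the records are reproducible
SAMPLE_PASSWD = "\n".join([
    "# user:salt:pbkdf2-sha256",
    make_record("alice", "s3cret", salt=bytes(16)),
    make_record("bob", "hunter2", salt=bytes(range(16))),
])


if __name__ == "__main__":
    # squid.conf (assumed paths):
    #   authenticate_program /usr/local/bin/pbkdf2_auth.py /etc/squid/passwd
    with open(sys.argv[1]) as f:
        serve(load_passwd(f.read()))
```

Two details matter more than the hashing: the reply must be flushed after every line, because stdout to a pipe is block-buffered and Squid waits for each answer before sending the next request, and a malformed or truncated line must produce ERR rather than an exception, since a helper that dies takes authentication down with it.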

