Configuring Squid proxy server to require user authentication
LinuxThis is one of those blog posts that is really just a mental note for myself in case I ever have to come back and find it again. Our company has some old legacy client-server applications that are now being required to connect to our new web services. As part of our development, one of the requirements was to make sure that the applications could reach our web services by way of a proxy server both with and without user authentication.
I temporarily set up my laptop with Squid proxy server for the Power Builder developers to test their applications through. It is a sweet little proxy server and I had it running withing just a matter of a few minutes. By default, it does not enable user authentication. After a bit of tinkering with it, I was able to easily add it. Here are the steps I took:
(NOTE: In Debian/Ubuntu, you will want to use sudo for all of the following)
First, we need to create an passwd file to use as our ACL, and give it the appropriate permissions
#touch /etc/squid/squid-passwd
#chmod o+r /etc/squid/squid_passwd
Now we will add our first user to the ACL. If you do not have the passwd command available, it can be added from a number of packages, including "apache2-utils"
#htpasswd /etc/squid/squid-passwd jdoe
New password:
Re-type new password:
Adding password for user jdoe
Now we need to edit our /etc/squid/squid.conf file. In the auth_param section, you need to add:
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid-passwd
In the ACL section, you need to add:
acl ncsa_users proxy_auth REQUIRED
In the http_access section, you need to add:
http_access allow ncsa_users
Now, you need to restart the Squid service and any future connections will force the client to use a username and password.
Actually that isn't entirely true. From my very limited perspective, they seem to be valuable on a network where you have to babysit users and make sure they aren't doing what they are not supposed to be doing.
You can set up a router so that it only accepts outbound connections from the IP address of your proxy server, so you can guarantee that all of your users are passing through it to hit the outside world.
Given that scenario, you then give granular control to who can do what, either by way of ACL, IP address range, etc.
Another way they are used is to provide content caching, which can be managed by the proxy server. If bandwidth is a concern, you could potentially mitigate it a bit by caching content.
I am sure there are some other valuable uses, but those are a couple of the more obvious points anyway.
Loading....