
Configuring Squid proxy server to require user authentication

Linux

This is one of those blog posts that is really just a mental note for myself in case I ever have to come back and find it again. Our company has some old legacy client-server applications that are now required to connect to our new web services. As part of our development, one of the requirements was to make sure that the applications could reach our web services by way of a proxy server, both with and without user authentication.

I temporarily set up my laptop with Squid proxy server for the PowerBuilder developers to test their applications through. It is a sweet little proxy server and I had it running within a matter of a few minutes. By default, it does not enable user authentication. After a bit of tinkering with it, I was able to easily add it. Here are the steps I took:

(NOTE:  In Debian/Ubuntu, you will want to use sudo for all of the following) 

First, we need to create a passwd file to use as our ACL, and give it the appropriate permissions:

#touch /etc/squid/squid-passwd
#chmod o+r /etc/squid/squid-passwd

Now we will add our first user to the ACL. If you do not have the htpasswd command available, it can be added from a number of packages, including "apache2-utils":

#htpasswd /etc/squid/squid-passwd jdoe
New password:
Re-type new password:
Adding password for user jdoe

Now we need to edit our /etc/squid/squid.conf file.  In the auth_param section, you need to add:

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid-passwd

In the ACL section, you need to add:

acl ncsa_users proxy_auth REQUIRED

In the http_access section, you need to add:

http_access allow ncsa_users

Now, you need to restart the Squid service and any future connections will force the client to use a username and password.
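Whether the restart really forces a login depends on where the new http_access line sits relative to the rules already in squid.conf. The script below is an added example, not part of the original post: it audits a config for the three directives above and flags an earlier allow rule that would let clients through without credentials. The function names, the `localnet` ACL and the sample configs are constructed for illustration, and the password file check assumes Squid runs as the `proxy` account, as on Debian/Ubuntu.

```sh
#!/bin/sh
# Added example, not from the original post. Squid checks http_access rules
# top to bottom and stops at the first match, so the login is only enforced
# when no earlier "allow" rule admits the client without the proxy_auth ACL.

# Reads a squid.conf on stdin; returns 0 if a login is enforced, 1 if not.
check_squid_auth() {
    awk '
        /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
        $1 == "auth_param" && $2 == "basic" && $3 == "program" { helper = 1 }
        $1 == "acl" && $3 == "proxy_auth" { auth[$2] = 1 }
        $1 == "http_access" && !decided {
            login = 0
            for (i = 3; i <= NF; i++) { n = $i; sub(/^!/, "", n); if (n in auth) login = 1 }
            if (login) decided = "enforced"
            else if ($2 == "allow") { decided = "bypass"; rule = $0; line = NR }
        }
        END {
            if (!helper) { print "FAIL: no auth_param basic program line"; exit 1 }
            if (decided == "bypass") { print "FAIL: line " line " allows access before any login rule: " rule; exit 1 }
            if (decided != "enforced") { print "FAIL: no http_access rule uses a proxy_auth ACL"; exit 1 }
            print "OK: the first allow decision requires a login"
        }'
}

# Constructed sample configs: "weak" keeps an earlier allow rule, "fixed" does not.
sample_conf() {
    echo 'auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid-passwd'
    echo 'acl localnet src 192.168.0.0/16'
    echo 'acl ncsa_users proxy_auth REQUIRED'
    if [ "$1" = weak ]; then echo 'http_access allow localnet'; fi
    echo 'http_access allow ncsa_users'
    echo 'http_access deny all'
}

# Returns 0 if FILE exists and is not world-readable. It holds password hashes,
# so read access for Squid's own account is enough (assumption: account "proxy"
# on Debian/Ubuntu, e.g. chown root:proxy and chmod 640 instead of o+r).
pwfile_private() {
    [ -e "$1" ] && [ -z "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Demo on the constructed configs.
for kind in weak fixed; do
    printf '%s: ' "$kind"
    sample_conf "$kind" | check_squid_auth || true
done
```

To audit a live file, run `check_squid_auth < /etc/squid/squid.conf`. On Squid 3.2 and later the helper is named basic_ncsa_auth, so the path in the auth_param line differs from the one shown in this post.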

 

tags:
Linux
Rob Wilkerson said:
 
Might be worth following this up with a more general article about proxy servers in general and how/why they're used (using a real world scenario). I've never used one, but I don't know whether that's because I haven't needed one or because I haven't _known_ that I needed one. :-)
 
posted 667 days ago
 
 
I have now run one and used one and I still don't know why! :)

Actually that isn't entirely true. From my very limited perspective, they seem to be valuable on a network where you have to babysit users and make sure they aren't doing what they are not supposed to be doing.

You can set up a router so that it only accepts outbound connections from the IP address of your proxy server, so you can guarantee that all of your users are passing through it to hit the outside world.

Given that scenario, you then give granular control to who can do what, either by way of ACL, IP address range, etc.

Another way they are used is to provide content caching, which can be managed by the proxy server. If bandwidth is a concern, you could potentially mitigate it a bit by caching content.

I am sure there are some other valuable uses, but those are a couple of the more obvious points anyway.
 
posted 667 days ago