Squid Proxy Authentication
Server Training - Proxy Server

Squid Authentication

You may come into a situation where you want users to authenticate in order to access the Internet. This provides several advantages. First, you can control when and how users access the Internet. For example, you could set it up so users can only access the Internet during breaks and at lunch. Second, when users authenticate you can track all of their Internet access in the logs. Without authentication you will not have a name attached to each web page and each image that users access. This provides a good way to manage company policies for how the Internet is used. NCSA authentication is used for the example because it is the easiest to set up.

 

NCSA Authentication
NCSA authentication is easy to use because it is self-contained. To use this program, add the line listed below.

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_user

Basic authentication is somewhat insecure, since the username and password are sent to the proxy base64-encoded rather than encrypted, but it is often used. Digest authentication is more secure but more difficult to configure. The problem with NTLM is that it is proprietary.

Listed below are the parameters required to set up the authentication. The realm listed below is simply the name that will appear on the login screen.  This name can be descriptive of the type of login that it provides access for.

The auth_param directive must be defined before the proxy_auth directive in order for it to work.


auth_param basic children 5

auth_param basic realm Linux Class

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_user

auth_param basic credentialsttl 2 hours

auth_param basic casesensitive off

Note that you must tell Squid that proxy authentication is required. You do this with an acl of type proxy_auth, named class in this example, and then you list that acl name in an http_access allow line. The acl must be listed with the other acls that you have, and the http_access line must be listed with the other http_access lines.

acl class proxy_auth REQUIRED

http_access allow class
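The following check is an added example, not part of the original training page or of Squid itself. It reads the text of a squid.conf and reports when the proxy_auth acl appears before auth_param basic program, the ordering rule stated above. It also goes one step beyond the page by flagging an http_access allow all placed ahead of the login rule, since Squid applies the first http_access line that matches. The function name and both sample configurations are constructed for illustration.

```python
# Constructed sample configs: GOOD_CONF follows the page, BAD_CONF breaks it.
GOOD_CONF = """\
auth_param basic realm Linux Class
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_user
acl class proxy_auth REQUIRED
http_access allow class
http_access deny all
"""
BAD_CONF = """\
acl class proxy_auth REQUIRED
http_access allow all
http_access allow class
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_user
"""

def check_squid_auth(conf_text):
    """Return a list of problems found in the authentication part of a squid.conf."""
    problems = []
    helper_seen = False     # has 'auth_param basic program' appeared yet?
    auth_acls = set()       # names of acls of type proxy_auth
    auth_rule_seen = False  # has an http_access allow used one of them yet?
    for num, raw in enumerate(conf_text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(words) < 3:
            continue
        if words[:3] == ["auth_param", "basic", "program"]:
            helper_seen = True
        elif words[0] == "acl" and words[2] == "proxy_auth":
            auth_acls.add(words[1])
            if not helper_seen:  # the ordering rule stated on the page
                problems.append(f"line {num}: acl {words[1]} proxy_auth comes before auth_param basic program")
        elif words[:2] == ["http_access", "allow"]:
            if auth_acls & set(words[2:]):
                auth_rule_seen = True
            elif "all" in words[2:] and not auth_rule_seen:
                # http_access rules are checked top to bottom; the first match decides
                problems.append(f"line {num}: 'http_access allow all' matches before any login rule")
    if not helper_seen:
        problems.append("no 'auth_param basic program' line, so nothing checks passwords")
    if not auth_acls:
        problems.append("no acl of type proxy_auth, so authentication is never required")
    elif not auth_rule_seen:
        problems.append("no http_access allow line uses the proxy_auth acl")
    return problems

if __name__ == "__main__":
    for name, conf in (("GOOD_CONF", GOOD_CONF), ("BAD_CONF", BAD_CONF)):
        print(name, check_squid_auth(conf) or "ok")
```

To check a real configuration, pass the contents of the file to check_squid_auth and review each reported line.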

You must create the file /etc/squid/squid_user. This file will contain the username and password that must be entered to access the Internet. You will use the htpasswd command to edit the file. First create the file; you could use any name, but here it is called squid_user.

touch /etc/squid/squid_user

htpasswd /etc/squid/squid_user username_you_want

Then you will be asked to enter the password twice.  Be sure to use the name of the user instead of username_you_want. 

Be sure to set up the browser on each client to use the proxy!