
Howto: Squid proxy authentication using ncsa_auth helper

For finer access control you can enable Squid proxy server authentication, which allows only authorized users to use the proxy server.

You need to use proxy_auth ACLs to configure the ncsa_auth module. Browsers send the user's credentials in the Authorization request header. When Squid gets a request and the http_access rule list reaches a proxy_auth ACL, Squid looks for the Authorization header. If the header is present, Squid decodes it and extracts a username and password.

However, Squid is not equipped with password authentication itself; it relies on authentication helpers. The following are included by default with most Squid packages on most Linux distros:
=> NCSA: Uses an NCSA-style username and password file.
=> LDAP: Uses the Lightweight Directory Access Protocol
=> MSNT: Uses a Windows NT authentication domain.
=> PAM: Uses the Linux Pluggable Authentication Modules scheme.
=> SMB: Uses a SMB server like Windows NT or Samba.
=> getpwnam: Uses the old-fashioned Unix password file.
=> SASL: Uses SASL libraries.
=> NTLM, Negotiate and Digest authentication

Configure an NCSA-style username and password authentication

I am going to assume that squid is installed and working fine.

Tip: Before going further, test basic Squid functionality. Make sure squid is functioning without requiring authorization :)

Step # 1: Create a username/password

First, create an NCSA password file using the htpasswd command. htpasswd creates and updates the flat files that store usernames and passwords for basic authentication of Squid users. If /etc/squid/passwd does not exist yet, add the -c option so that htpasswd creates it.
# htpasswd /etc/squid/passwd user1
Output:

New password:
Re-type new password:
Adding password for user user1

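Make sure Squid can read the passwd file:
# chmod o+r /etc/squid/passwd
Note that o+r makes the password hashes readable by every local account; granting read access only to the user or group Squid runs as is the tighter choice.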

Step # 2: Locate ncsa_auth authentication helper

Usually ncsa_auth is located at /usr/lib/squid/ncsa_auth. You can find its location using the rpm (Redhat, CentOS, Fedora) or dpkg (Debian and Ubuntu) command:
# dpkg -L squid | grep ncsa_auth
Output:

/usr/lib/squid/ncsa_auth

If you are using RHEL/CentOS/Fedora Core or another RPM-based distro, try:
# rpm -ql squid | grep ncsa_auth
Output:

/usr/lib/squid/ncsa_auth

Step # 3: Configure ncsa_auth for squid proxy authentication

Now open the /etc/squid/squid.conf file:
# vi /etc/squid/squid.conf
Append (or modify) the following configuration directives:
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

Also find your ACL section and append or modify the following:
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users

Save and close the file.

Where,

  • auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd : Specifies the helper program location and the Squid password file.
  • auth_param basic children 5 : The number of authenticator processes to spawn.
  • auth_param basic realm Squid proxy-caching web server : Part of the text the user will see when prompted for their username and password.
  • auth_param basic credentialsttl 2 hours : Specifies how long Squid assumes an externally validated username:password pair is valid, in other words how often the helper program is called for that user with password prompt. It is set to 2 hours.
  • auth_param basic casesensitive off : Specifies whether usernames are case sensitive. It can be on or off only.
  • acl ncsa_users proxy_auth REQUIRED : The REQUIRED term means that any authenticated user will match the ACL named ncsa_users.
  • http_access allow ncsa_users : Allow proxy access only if the user is successfully authenticated.
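
Squid reads squid.conf from top to bottom and stops at the first matching http_access rule, so where these lines are placed decides whether the login prompt ever appears. The check below is an added example, not part of the original article: it flags a proxy_auth ACL declared before the helper, an allow rule matched ahead of the authenticated rule, and an http_port in transparent/intercept mode. The function name check_squid_auth_order and both sample configurations are constructed for illustration.

```sh
#!/bin/sh
# Added example: lint a squid.conf for placement mistakes around ncsa_auth.
# check_squid_auth_order is a hypothetical helper name, not a Squid tool.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
check_squid_auth_order() {
    awk '
    { sub(/#.*/, ""); sub(/[ \t]+$/, "") }   # drop comments, trailing blanks
    NF == 0 { next }

    # The basic scheme only exists once its helper program is declared.
    $1 == "auth_param" && $2 == "basic" && $3 == "program" && !helper_line {
        helper_line = NR
    }
    # A proxy_auth ACL parsed before the helper is declared is invalid.
    $1 == "acl" && $3 == "proxy_auth" {
        auth_acl[$2] = 1
        if (!helper_line)
            msg[++n] = "ERROR line " NR ": acl " $2 " precedes auth_param basic program"
    }
    # Intercepted ports cannot prompt for proxy credentials.
    $1 == "http_port" {
        for (i = 3; i <= NF; i++)
            if ($i == "transparent" || $i == "intercept")
                msg[++n] = "ERROR line " NR ": http_port " $i " disables proxy authentication"
    }
    # http_access is first-match: an earlier allow skips the login prompt.
    $1 == "http_access" {
        uses_auth = 0
        for (i = 3; i <= NF; i++) {
            name = $i
            sub(/^!/, "", name)
            if (name in auth_acl) { uses_auth = 1; used[name] = 1 }
        }
        if (uses_auth)
            auth_rule_seen = 1
        else if ($2 == "allow" && !auth_rule_seen)
            early[++e] = "WARN line " NR ": \"" $0 "\" matches before any proxy_auth rule"
    }
    END {
        if (!helper_line)
            msg[++n] = "ERROR: no auth_param basic program line found"
        for (a in auth_acl)
            if (!(a in used))
                msg[++n] = "ERROR: acl " a " is never used by http_access"
        if (auth_rule_seen)
            for (i = 1; i <= e; i++) msg[++n] = early[i]
        for (i = 1; i <= n; i++) print msg[i]
        exit (n > 0)
    }' "$1"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed sample: helper declared after the ACL, a transparent port,
# and a network allow placed ahead of the authenticated rule.
cat > "$tmp/bad.conf" <<'EOF'
http_port 3128 transparent
acl localnet src 192.168.1.0/24
acl ncsa_users proxy_auth REQUIRED
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
http_access allow localnet
http_access allow ncsa_users
http_access deny all
EOF

# Constructed sample: the directives from this article in a working order.
cat > "$tmp/good.conf" <<'EOF'
http_port 3128
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
http_access deny all
EOF

for f in bad good; do
    echo "== $f.conf"
    if check_squid_auth_order "$tmp/$f.conf"; then echo "no findings"; fi
done
```

Squid's own syntax check, squid -k parse, is still worth running afterwards; this script only looks at ordering.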

Restart squid:
# /etc/init.d/squid restart

The user is now prompted for a username and password.
Figure: Squid proxy authentication using ncsa_auth module


Comments on this entry are closed.

  • marco lunardi December 26, 2006, 10:11 pm

    authentication using ncsa_auth run with proxy transparent ?

  • nixCraft December 27, 2006, 3:21 am

    marco,

    You cannot use Proxy Authentication transparently

  • Mani M N S July 30, 2007, 12:55 pm

    Is htpasswd available for download for FreeBSD? (pkg_add requires many components.) Is there any other way to generate a password file like htpasswd?

  • Ken Davis August 7, 2007, 6:17 pm

    “Is htpasswd available for download for FreeBSD? (pkg_add requires many components.) Is there any other way to generate a password file like htpasswd?”

    – For me on ubuntu I installed apache2-utils, must be something similar on FreeBSD. E.g.:

    apt-cache search htpasswd, yields:

    apache2-utils – util…

    Awesome article btw! Got me up and running with no problems! Thanks!

    • Henyx June 10, 2014, 3:25 pm

      On Centos 6 try:

      yum provides \*bin/htpasswd

      • Henyx June 10, 2014, 3:29 pm

        Better yet …. try this one:

        yum install httpd-tools

  • Hedwig June 9, 2008, 9:56 am

    i have installed my FreeBSD & Squid with ./configure --enable-delay-pools --enable-arp-acl --enable-auth="basic" --enable-basic-auth-helpers="NCSA"
    when i want to use ncsa, and i’d like to use htpasswd to create username/password, this command is not found.
    what should i do?
    where do i have to find the htpasswd command?

  • nixCraft June 9, 2008, 11:22 am

    htpasswd is part of the Apache package under FreeBSD. To install, go to ports:

    cd /usr/ports/www/apache22/
    make install clean

  • Hedwig June 10, 2008, 6:09 am

    thanks for the response. :)

    i’ve succeeded installing the apache, and i can use the htpasswd command.

    thanks a lot.

    but i have another problem.
    i created 1 new user with: htpasswd /usr/local/squid/etc/passwd user1
    and it’s succeed.

    i also followed the above instructions to have a NCSA-style username and password authentication.
    i’ve reconfigure my squid.conf file.

    but when i try to browse sites through internet explorer, the authorization doesn’t come up.
    why?

    Note: i already set the “lan connection + proxy” option.

  • anant tickoo July 15, 2008, 1:36 am

    using squid 2.6
    i used the setting above …

    acl ncsa_i proxy_auth REQUIRED
    http_access allow ncsa_i
    if i use this two lines in conf file ..squid fails to restart
    i can’t understand where is the bug

  • Shyamal September 13, 2008, 12:31 pm

    Dear,
    i hv configured with your above instruction and i am able to get popup for user name and password. after entering password it is not logging in, it is not authorised.

    can u help me ?
    when i check the access log file the following error is there.
    TCP_DENIED/407

    waiting for your reply.

  • anant September 13, 2008, 2:51 pm

    hey !! i had problems with the iptables….

    you also check that …

    i restored it to original

  • Raja September 14, 2008, 9:19 am

    Hi Shyamal ,

    What is the problem is the password file should contain clear text and not digest text. The format of password file is as follows:
    username:password
    so check it I hope it will solve ur issue.

  • Shyamal Thaker September 17, 2008, 6:06 am

    Dear all
    Thanks for reply.
    What I have done,I have configured only squid.conf with following line , I hv not configured iptable , firewall.

    auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
    #auth_param basic realm squid proxy-caching web server
    auth_param basic realm Rhel.Mail.com
    auth_param basic casesensitive off

    acl ncsa_users proxy_auth REQUIRED
    http_access allow ncsa_users

    Can u help me in detail what component I hv to configured I have just enter the ncsa_auth line in squid.conf that’s it

  • anant September 17, 2008, 7:10 am

    hi ,, you can refer the http://www.visolve.com/squid/squid30/externalsupport.php#auth_param for the detailed reference of you configuration.

    one more thing check the access given to squid_passwd.
    and have you register any user in that file …

    hope this helps

  • Shyamal Thaker September 17, 2008, 9:46 am

    Dear anant Thanks
    for your prompt reply , I want to tell you more thing I hv not installed squid separately I hv installed linux with squid and that /etc/squid/squid.conf I am using.
    I have created 2(two) user in that files with help of htpasswd the file permission as below
    -rw-r--r-- 1 root root 40 Sep 14 02:29 squid_passwd

    Waiting for your reply.

  • Raja September 17, 2008, 11:07 am

    Hi Shyamal ,
    I told u the same, it might be created with md5 encryption. so the solution is remove the file squid_passwd and try this cmd,

    htpasswd -c /etc/squid/squid_passwd user1
    htpasswd /etc/squid/squid_passwd user2

    add the users how much u want and try again now

  • Shyamal Thaker September 17, 2008, 12:13 pm

    Dear raja
    thanks for reply,

    it is not working

    password not accepting

    [root@rhel squid]# cat squid_passwd
    test:ueu4r5eSydxzM
    [root@rhel squid]#

    or if you are using gtalk so we can talk online pls give me your email id. here i am giving my gmail id for fast communication thakershyamal@gmail.com

    waiting for your reply.

  • Raja September 19, 2008, 2:59 am

    Hi Shyamal ,

    sorry for the delay. I was busy with my work. so anyhow what u have done is correct. check the log and let me know.
    u can contact me adhyakshahraja@gmail.com

  • anant September 19, 2008, 3:15 am

    hey one last thing is ur iprange in series of
    192.168.1.*. if not then i think you have to still play with ACL.

  • Shyamal Thaker September 19, 2008, 5:22 am

    Dear all
    thanks i hv add your id in my database, whenever r u free just online

  • Adam September 20, 2008, 5:57 pm

    Worked perfect, thanks for the article

  • Ahsan ul haq December 31, 2008, 2:41 pm

    Hi

    i configure my squid file as you describe but when i try to browse sites through internet explorer, the authorization doesn’t come up.
    plz reply on ihsan@nibge.org

  • killerbees19 December 31, 2008, 9:11 pm

    Hello guys, I just want to say: THANK YOU! :-)
    I tried to configure squid since two days, with your tutorial it works. Thanks a lot and a happy new year ;-)

    Regards, Christian

  • AnRkey January 28, 2009, 9:00 am

    You guys rock, thanks very much!

  • Helmi Indra January 29, 2009, 7:17 pm

    Hi

    i’ve configured my squid as above, but squid cannot start anyway, can you trace where my fault is?
    here is my conf :
    #ACL’s
    acl login_user proxy_auth REQUIRED
    http_access allow login_user

    #proxy_auth program
    auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/password
    auth_param basic children 5
    auth_param basic realm Proxy Badilag
    auth_param basic credentialsttl 2 hours
    auth_param basic casesensitive off

    and here is the error comment :
    > service squid restart
    Stopping squid: [OK]
    Starting squid: [FAILED]
    2009/01/30 02:16:07| Processing Configuration File: /etc/squid/squid.conf (depth 0)
    2009/01/30 02:16:07| Starting Authentication on port 0.0.0.0:14348
    2009/01/30 02:16:07| Disabling Authentication on port 0.0.0.0:14348 (interception enabled)
    2009/01/30 02:16:07| Can’t use proxy auth because no authentication schemes are fully configured.
    FATAL: ERROR: Invalid ACL: acl login_user proxy_auth REQUIRED

    Squid Cache (Version 3.0.STABLE10): Terminated abnormally.
    CPU Usage: 0.007 seconds = 0.003 user + 0.004 sys
    Maximum Resident Size: 0 KB
    Page faults with physical i/o: 0

    thanks before….

  • macPerl January 31, 2009, 1:06 pm

    Thank you so much.

    As a newbie to linux/ubuntu/squid it was an excellent help.

  • Andry February 10, 2009, 2:31 am

    How do you control auth user for blocking some host, i try to limit with acl but it won’t work.

    eg. auth user cannot access google.com but other site are ok

  • suvendu kumar mohapatra February 17, 2009, 3:46 am

    Hi,
    When i am trying to open any internet sites, the browser is asking for user authentication. When I enter my authentication, I am being able to access the internet. I am using red hat linux. Kindly tell a solution so that the browser will never ask for authentication means the browser will take my user id and password automatically and should not ask me. I am operated behind a proxy server.

  • Fendy Ahmad March 29, 2009, 3:44 am

    If you guys having this error:

    Invalid Proxy Auth ACL 'acl ncsa_users proxy_auth REQUIRED' because no authentication schemes are fully configured.

    Just make sure that the code below is set after all the auth_param


    acl ncsa_users proxy_auth REQUIRED
    http_access allow ncsa_users

    Hope this helps.

    • brave February 5, 2014, 11:45 am

      this solution worked out for me. thanks Fendy Ahmad

  • Madhusudhan April 11, 2009, 4:21 pm

    Yes Dear,

    It is helpful but in the same authentication can’t get complete user details like from time to time uses for the need use other tools for compile the logs.

    Regards
    Linux Admin

  • earthurcom May 11, 2009, 2:39 pm

    Hello,
    I’ve the same problem than Hedwig, i followed the instruction (and it succeed).
    however, when i try to browse sites through internet explorer, the authorization doesn’t come up.
    why?

    thanks in advance

  • Upasana May 13, 2009, 11:57 am

    HellO guys,

    I have to configure a Squid along with an antivirus Gateway (computer Associates). Traffic flows as in the following

    End-Users -> Antivirus Gateway -> Squid -> Internet.

    I have done almost all works. I could do authentication well. but one more scenery.
    1. I want all end-users should be authenticated via Squid (already achieved :-) )
    2. Antivirus (CA gateway security) gateway need no authentication from Squid. Its traffic should pass Squid transparently. ie, for only one system (ie for gateway server) squid should not pose authentication windows.

    Any idea.
    Is there a Keyword “NOTREQUIRED” (to use along with proxy_auth).

    Please reply
    :-)
    Thanks
    Upasana

  • alamgir June 5, 2009, 12:41 pm

    I have a Linux server & under that i have 150+ client, i want set authentication user name & password of a website in proxy. Just example my http://www.abc.com website login user name :test & password :test123 , when any client browses www.abc.com then it automatically login that site no required to put user & password.

  • iyke June 18, 2009, 4:01 pm

    i want a server that i can use to connect workstations to the internet so that whenever any user tries to connect even with a computer not part of the workstations (such as a laptop via wireless), the user inputs a username and password earlier assigned to the person. please can squid proxy server do that?

  • Cagri Ersen July 16, 2009, 2:36 pm

    There is a way to get only htpasswd program.

    You can just run
    make -C /usr/ports/www/apache22

    then copy the binary and lib files from the work directory like this:


    mkdir /usr/local/sbin/.libs
    cp /usr/ports/www/apache22/work/httpd-2.2.11/support/htpasswd /usr/local/sbin/
    cp /usr/ports/www/apache22/work/httpd-2.2.11/support/.libs/htpasswd /usr/local/sbin/.libs/

    Also you can run
    make -C /usr/ports/www/apache22 clean
    for cleaning all compiled files. (But you can’t use htpasswd again)

    That’s all.

  • JOn October 3, 2009, 6:12 pm

    Another great simple to the point guide.

    Thanks,

    Jon

  • test October 12, 2009, 4:51 pm

    Regarding
    `Hello,
    I’ve the same problem than Hedwig, i followed the instruction (and it succeed).
    however, when i try to browse sites through internet explorer, the authorization doesn’t come up.
    why?`

    put:

    http_access allow ncsa_users

    above any other similar lines like:

    http_access allow localnet
    http_access allow localhost

  • Mo October 30, 2009, 11:37 pm

    Thanks, Awesome manual!!! all went fine,

  • Cygnus November 16, 2009, 8:22 pm

    For those following tutorial and having problems with basic ncsa_auth
    check your permissions on /etc/squid/passwd file – proxy or squid should be able to read it, and if you are not running squid as root authentication is going to fail.

  • Roshan December 11, 2009, 8:09 am

    How to configure dns in linux

  • anant tickoo December 12, 2009, 5:48 pm

    search for bind. this is DNS server for Linux..

    hope this helps

    http://www.yssdragil.com

  • bezt January 1, 2010, 8:01 pm

    Thx for u’re article.
    Thats work (^o^)/

  • Myo Khaing January 12, 2010, 2:56 am

    Dear all,
    How to do WPAD(Web Proxy Auto Discovery)
    Pls tell me about
    Thanks

  • bezt February 1, 2010, 5:38 pm

    This only Authenticate user account. But what about ACL on different user/admin?
    U can’t combine ACL with ncsa_auth, I mean what if user login with his password then change his IP to IP admin? .ncsa_auth can’t authenticate user account + IP machine + ACL user. Sorry for my bad English
    Any Idea?

  • PROXYGUY February 8, 2010, 7:16 am

    yeah i got it running! but how can i restrict user account to use only once. because the username i created can use multiple times… like if the account is already in use.. the next user with the same account well be denied..

    • RODEL R. BANEZ August 18, 2011, 12:38 am

      ACL Name
      Max Logon IPs per user
      Strictly Enforced
      remember to set Authenticate IP Cache to > 0 in “Authentication Programs Module”

  • Ya mum February 17, 2010, 6:44 am

    Nice! real great explanation!

    Greetz

  • Andrius March 24, 2010, 11:01 pm

    For those who got TCP_DENIED/407 error:

    Try username and password from lower case letter.

  • captainoi1 May 4, 2010, 4:46 pm

    thank for the information,
    it work.
    To others who failed to get the authentication to work, maybe you should check your cache.log files.
    At first, the authentication was not working on my server, however after checking on the cache.log file, i found out the password file name was wrong.

    thank man

  • wyhteagle May 7, 2010, 8:04 pm

    Thanks for the help everything is running awesome!!!

  • rey May 10, 2010, 7:42 pm

    hi I just make the all tutorial and when make a request the browser ask for user:pass but when I type in the user and pass it don’t allow access,
    an important thing is that when I add the first user using htpasswd /etc/squid/passwd user1 it returns saying that must use -c then I make

    htpasswd -c /etc/squid/passwd user1 and it work it add the user, but after that it don’t ask for a password so this step don’t show:
    New password:
    Re-type new password:
    Adding password for user user1

    instead it create the user and assign a random password, then I edit the file /etc/squid/passwd and I see the user1:5T6uud*9?h so I assume that that’s the username and password, but it don’t work

    this is my configuration:

    acl internal_network src 190.1.1.0-190.1.1.255
    http_access allow internal_network

    auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours
    auth_param basic casesensitive off

    acl ncsa_users proxy_auth REQUIRED
    http_access allow ncsa_users

  • Kamran May 27, 2010, 12:24 pm

    nice article but please any guide me how can I encrypt the clear text password user getting it with sniffers.

  • Mande U.A. June 23, 2010, 11:37 am

    I have done the steps as you have given. But it is saying that ncsa_auth no such file or directory. pls guide me

    UAMANDE

  • jason gumarang July 6, 2010, 2:30 am

    Guys.. if you can't get the authorization to come out, please try this.

    acl ncsa_users proxy_auth REQUIRED (Add this to the bottom of the ACL section of squid.conf)

    http_access allow ncsa_users (Add this at the top of the http_access section of squid.conf)

    e.g.
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT
    acl ncsa_users proxy_auth REQUIRED

    #Recommended minimum configuration:
    #
    # Only allow cachemgr access from localhost
    http_access allow ncsa_users
    http_access allow manager localhost
    http_access allow our_networks
    http_access deny manager

    hope i solve your problems

  • Mohan August 26, 2010, 7:20 am

    My configuration is
    # be allowed
    acl our_networks src 192.168.1.0/24 192.168.2.0/24
    auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
    auth_param basic realm Squid proxy-caching web server
    acl ncsa_users proxy_auth REQUIRED
    http_access allow ncsa_users
    http_access allow our_networks

    I am getting this error
    Aug 26 23:12:49 centos1 squid[4040]: The basicauthenticator helpers are crashing too rapidly, need help!
    Aug 26 23:12:49 centos1 squid[4038]: Squid Parent: child process 4040 exited due to signal 6
    Aug 26 23:12:55 centos1 squid[4038]: Squid Parent: child process 4059 started

    Guys any body please update on this issue.

  • kartik October 27, 2010, 7:32 pm

    I am getting tcp_denied/407 error . What should I do ?

  • x__d November 29, 2010, 11:24 am

    how do i use this htpasswd command

    on win[7]x64

    i tried but it does not recognise the command

    :]] some help with example

  • Ankalagon December 5, 2010, 8:06 pm

    Great,

    works fine,

    thank you very much!

  • Jarkko February 24, 2011, 7:30 am

    Anyone who has the problem that the authentication window pops up but the authentication fails all the time, try this: in squid.conf set auth_param basic casesensitive on

    I dont really know why but it worked for me. I spent many hours until I accidentally found this out so I hope this helps somebody.

  • kebo June 22, 2011, 5:59 am

    Stopping squid: [FAILED]
    Starting squid: [FAILED]
    for that?

  • RODEL R. BANEZ August 6, 2011, 10:52 am

    The info was very interesting but the problem is that. one user account can authenticate multiple times. You should also show us how to limit a user authentication because this is the most important in authentication program is to limit the account login. and how to auto ban the account if its use multiple times in different pc. I hope you can give us a code in squid

  • Juan Garcia October 14, 2011, 4:56 pm

    Followed the example and got the proxy authentication to work successfully…. This is a very nicely written example of how to get started. The only thing I had to do extra, was to install a package that would allow me to run the “htpasswd” command.

    Thanks a bunch,

    Juan

  • LtPitt December 15, 2011, 10:20 am

    What a post!

    God bless you.

  • Iska June 8, 2012, 2:10 pm

    Arigatou Gozaimasu,
    That’s really work,
    and thanks for the explanation, it help me to finish my report . . .

    and for the first one who comment this post,
    for SQUID 2.5 or later
    if you want to transparent proxy:
    you can add “transparent” at squid.conf
    http_port 3128 transparent
    and after that, run iptables
    #iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
    and activate the forwarding
    #echo "1" > /proc/sys/net/ipv4/ip_forward
    and restart your squid

  • Mitchelle July 11, 2012, 9:25 am

    Hi,
    We are using squid proxy authentication using samba. Users are given their username and password to authenticate in browser.
    Only issue is that it accepts the authentication even if user enters “space” as username and password, can we prohibit empty space to be accepted in authentication.
    Thanks
    Regards
    Mitch

  • Manikandan July 26, 2012, 10:34 am

    thanks vivek_gite works perfect :) :)

    hi pioneers,i have one query

    i can look out use of cmd # tailf /var/log/squid/access.log | grep mani
    but i need a separate file for each users

    sample user_name || passwd
    1.mani || passwdmani file name like “squid_access_mani”
    2.Roni || passwdrey file name “squid_access_roni”

  • Prabu K August 31, 2012, 7:47 am

    This is working firebox only. Not working IE…. help me………

  • Akshay September 7, 2012, 4:20 pm

    I did the setting it works fine if I remove intercept from http_port squidip intercept
    I like to configure it with intercept or transparent proxy is it possible

  • Akshay September 7, 2012, 4:27 pm

    problem when using transparent proxy how to overcome

  • Govind September 18, 2012, 12:25 pm

    How you have customized the Username Password authentication login ??

    • Akshay September 19, 2012, 1:53 pm

      I have use the username and password that stored in squidpasswd as given in above steps

  • alfrapha September 22, 2012, 11:26 am

    You should not *append* auth_param, but should insert it *before* acl part. Otherwise you will get FATAL error when trying to start squid.

  • MojoQ October 12, 2012, 12:26 pm

    Thanks for this tutorial!
    Still works with squid3 but paths must be changed accordingly
    e.g.
    /usr/lib/squid3/ncsa_auth
    /etc/squid3/passwd

    Helped me out a lot!

  • Matt November 30, 2012, 5:03 pm

    i have problem:
    Client log:
    [25:24] Starting: Test 2: Connection through the Proxy Server
    [26:25] Error : connection to the proxy server was closed unexpectedly.
    Please make sure that the proxy server protocol and address are correct.
    [26:25] Test failed.
    [26:25] Testing Finished.

    Server log:
    1354294595.946 60477 ***.***.***.*** TCP_MISS/503 0 CONNECT http://www.google.com:80 user1 DIRECT/2607:f8b0:4003:c01::63 -

  • javed June 25, 2013, 7:19 am

    ./configure --enable-auth="basic"
    This is not working in squid 3.3.5 at centos 6.4 when i am compiling squid,
    Error displayed :
    Unrecognized argument.

  • Rajat Ganguly July 17, 2013, 10:03 am

    How will I identify which user, created by above way, has accessed how much data & how will I restrict the user to use upto certain limit of data (download/upload)

  • CR September 2, 2013, 6:22 am

    I am having network that used proxy with authentication.
    Is there anyway I can store the proxy server name, username and password in this conf file and then just use the IP address of that machine for accessing internet over other machines directly.

  • Sutanu September 24, 2013, 5:45 pm

    Dear All,

    The transparent proxy is also available with “forwarded_for” option, the syntax is

    forwarded_for server ip

    inside squid.conf file

    ThNX
    Love u nixcraft

  • Anees September 30, 2013, 4:59 pm

    can we change the location of password file from /etc/passwd to any other thing?

    I try changing and it is not working

  • Ilia June 17, 2014, 6:13 pm

    When using basic_ncsa_auth, does it send password on the very first prompt in plain text and subject to man-in-the-middle attack, right?

  • udiniq August 28, 2014, 8:49 am

    thanks very much for this tutorial. :)

  • soph September 13, 2014, 11:47 am

    # htpasswd /etc/squid/passwd sophie
    htpasswd: cannot modify file /etc/squid/passwd; use '-c' to create it
    root@silly:/etc/squid3# htpasswd -c /etc/squid/passwd sophie
    htpasswd: cannot create file /etc/squid/passwd

    Then I gave up.

    • Ilia October 22, 2014, 4:56 am

      You must use -c key as your file doesn’t exist, try using:

      htpasswd -c /etc/squid/passwd sophie

  • Yurii February 3, 2015, 8:46 am

    Hello!
    I have a problem with configuring squid 3.1. I have several outgoing ips and i created same amount of users. I want to setup squid so that one user can access to only one outgoing ip. Users use authentication (login/pass) so i tried to make one acl by one proxy_auth. But smth is wrong.
    Here is my conf file:

    acl manager proto cache_object
    acl localhost src 127.0.0.1/32 ::1
    acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
    acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
    acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
    acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
    acl localnet src fc00::/7 # RFC 4193 local private network range
    acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT
    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports

    My part on

    auth_param basic program /usr/lib64/squid/ncsa_auth /etc/squid/internet_users
    auth_param basic children 5
    acl internet_users proxy_auth REQUIRED
    http_access allow internet_users

    #here i tried to identify user by login and chose to him special outgoing address
    acl user1 proxy_auth user1
    acl user2 proxy_auth user2
    tcp_outgoing_address xxx.xx.xx.xxx user1
    tcp_outgoing_address yyy.yy.yy.yyy user2

    My Part off

    http_access allow localnet
    http_access allow localhost
    http_access deny all
    http_port 3128
    hierarchy_stoplist cgi-bin ?
    coredump_dir /var/spool/squid
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern . 0 20% 4320

    internet_users contains user1 and user2 with passwords.

    But when i try to connect to proxy server like user1 and after this like user2 squid redirecting me on user1’s outgoing ip in first and second time too. But in the second time squid must use user2’s outgoing ip.

    Can someone please point me where i mistaked?
    Thanks!