For fine control you may need to use Squid proxy server authentication. This will only allow authorized users to use proxy server.
You need to use proxy_auth ACLs to configure ncsa_auth module. Browsers send the user's authentication in the Authorization request header. If Squid gets a request and the http_access rule list gets to a proxy_auth ACL, Squid looks for the Authorization header. If the header is present, Squid decodes it and extracts a username and password.
However squid is not equipped with password authentication. You need to take help of authentication helpers. Following are included by default in most squid and most Linux distros:
=> NCSA: Uses an NCSA-style username and password file.
=> LDAP: Uses the Lightweight Directory Access Protocol
=> MSNT: Uses a Windows NT authentication domain.
=> PAM: Uses the Linux Pluggable Authentication Modules scheme.
=> SMB: Uses a SMB server like Windows NT or Samba.
=> getpwam: Uses the old-fashioned Unix password file.
=> SASL: Uses SALS libraries.
=> NTLM, Negotiate and Digest authentication
Configure an NCSA-style username and password authentication
I am going to assume that squid is installed and working fine.
Tip: Before going further, test basic Squid functionality. Make sure squid is functioning without requiring authorization :)
Step # 1: Create a username/password
First create a NCSA password file using htpasswd command. htpasswd is used to create and update the flat-files used to store usernames and password for basic authentication of squid users.
# htpasswd /etc/squid/passwd user1
Output:
New password: Re-type new password: Adding password for user user1
Make sure squid can read passwd file:
# chmod o+r /etc/squid/passwd
Step # 2: Locate nsca_auth authentication helper
Usually nsca_auth is located at /usr/lib/squid/ncsa_auth. You can find out location using rpm (Redhat,CentOS,Fedora) or dpkg (Debian and Ubuntu) command:
# dpkg -L squid | grep ncsa_auth
Output:
/usr/lib/squid/ncsa_auth
If you are using RHEL/CentOS/Fedora Core or RPM based distro try:
# rpm -ql squid | grep ncsa_auth
Output:
/usr/lib/squid/ncsa_auth
Step # 3: Configure nsca_auth for squid proxy authentication
Now open /etc/squid/squid.conf file
# vi /etc/squid/squid.conf
Append (or modify) following configration directive:
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
Also find out your ACL section and append/modify
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
Save and close the file.
Where,
- auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd : Specify squid password file and helper program location
- auth_param basic children 5 : The number of authenticator processes to spawn.
- auth_param basic realm Squid proxy-caching web server : Part of the text the user will see when prompted their username and password
- auth_param basic credentialsttl 2 hours : Specifies how long squid assumes an externally validated username:password pair is valid for - in other words how often the helper program is called for that user with password prompt. It is set to 2 hours.
- auth_param basic casesensitive off : Specifies if usernames are case sensitive. It can be on or off only
- acl ncsa_users proxy_auth REQUIRED : The REQURIED term means that any authenticated user will match the ACL named ncsa_users
- http_access allow ncsa_users : Allow proxy access only if user is successfully authenticated.
Restart squid:
# /etc/init.d/squid restart
Now user is prompted for username and password.
Featured Articles:
- 20 Linux System Monitoring Tools Every SysAdmin Should Know
- 20 Linux Server Hardening Security Tips
- Linux: 20 Iptables Examples For New SysAdmins
- My 10 UNIX Command Line Mistakes
- 25 PHP Security Best Practices For Sys Admins
- The Novice Guide To Buying A Linux Laptop
- Top 5 Email Client For Linux, Mac OS X, and Windows Users
- Top 20 OpenSSH Server Best Security Practices
- Top 10 Open Source Web-Based Project Management Software
Facebook it - Tweet it - Print it -
We're here to help you make the most of sysadmin work. So, subscribe!
{ 62 comments… read them below or add one }
authentication using ncsa_auth run with proxy transparent ?
marco,
You cannot use Proxy Authentication transparently
Is htpasswd is available for download for FreeBSD. (pkg_add requires many components) Is their anyother way to generate password file like htpasswd?
“Is htpasswd is available for download for FreeBSD. (pkg_add requires many components) Is their anyother way to generate password file like htpasswd?”
- For me on ubuntu I installed apache2-utils, must be something similar on FreeBSD. E.g.:
apt-cache search htpasswd, yields:
apache2-utils – util…
…
Awesome article btw! Got me up and running with no problems! Thanks!
i have installed my FreeBSD & Squid with ./configure –enable-delay-pools –enable-arp-acl –enable-auth=”basic” –enable-basic-auth-helpers=”NCSA”
when i want to use ncsa, and i’d like to use htpasswd to create username/password, this command is not found.
what should i do?
where do i have to find the htpasswd command?
htpasswd is part of Apache package under FreeBSD. To install goto ports
thanks for the response. :)
i’ve succeeded installing the apache, and i can use the htpasswd command.
thanks a lot.
but i have another problem.
i created 1 new user with: htpasswd /usr/local/squid/etc/passwd user1
and it’s succeed.
i also followed the above instructions to have a NCSA-style username and password authentication.
i’ve reconfigure my squid.conf file.
but when i try to browse sites through internet explorer, the authorization doesn’t come up.
why?
Note: i already set the “lan connection + proxy” option.
using squid 2.6
i used the setting above …
acl ncsa_i proxy_auth REQUIRED
http_access allow ncsa_i
if i use this two lines in conf file ..squid fails to restart
i can’t understand were is the bug
Dear,
i hv configure with your above instration and i am able to get popup for user name and password. after entering password it is not loging it is not autorised.
can u help me ?
when i check the access log file the follow error are there.
TCP_DENIED/407
waiting for your reply.
hey !! i had problems with the iptables….
you also chack that …
i restored it to original
Hi Shyamal ,
What is the problem is the password file should contain clear text and not digest text.The format of password file is as follows:
username:password
so check it I hope it will solve ur issue.
Dear all
Thanks for reply.
What I have done,I have configured only squid.conf with following line , I hv not configured iptable , firewall.
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
#auth_param basic realm squid proxy-caching web server
auth_param basic realm Rhel.Mail.com
auth_param basic casesensitive off
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
Can u help me in detail what component I hv to configured I have just enter the ncsa_auth line in squid.conf that’s it
hi ,, you can refer the http://www.visolve.com/squid/squid30/externalsupport.php#auth_param for the detailed reference of you configuration.
one more thing check the access given to squid_passwd.
and have you register any user in that file …
hope this helps
Dear anant Thanks
for your prompt reply , I want to tell you more thing I hv not installed squid separately I hv installed linux with squid and that /etc/squid/squid.conf I am using.
I have created 2(two) user in that files with help of htpasswd the file permission as below
-rw-r–r– 1 root root 40 Sep 14 02:29 squid_passwd
Waiting for your reply.
Hi Shyamal ,
I told u the same ,it might be created with md5 encryption.so the solution is remove the file squid_passwd.and try this cmd,
htpasswd -c /etc/squid/squid_passwd user1
htppasswd /etc/squid/squid_passwd user2
add the users how much u want and try again now
Dear raja
thanks for reply,
it is notworking
password not acepting
[root@rhel squid]# cat squid_passwd
test:ueu4r5eSydxzM
[root@rhel squid]#
or if you are useing gtalk so we can talk online pls give me your email id. here i am giving my gmail id for fast comunication thakershyamal@gmail.com
waiting for your reply.
Hi Shyamal ,
sorry for the delay.I was busy with my work.so Any how what u have done is correct.check the log.and let me know.
u can contact me adhyakshahraja@gmail.com
hey onme liast thing is ur iprange in series of
192.168.1.*. in not then i think you have to still play with ACL.
Dear all
thanks i hv add your id in my database, whenever r u free just online
Worked perfect, thanks for the article
Hi
i configure my squid file as you describe but when i try to browse sites through internet explorer, the authorization doesn’t come up.
plz reply on ihsan@nibge.org
Hello guys, I just want to say: THANK YOU! :-)
I tried to configure squid since two days, with your tutorial it works. Thanks a lot and a happy new year ;-)
Regards, Christian
You guys rock, thanks very much!
Hi
i’ve configured my squid as above, but squid cannot start anyway, can you trace where my fault is?
here is my conf :
#ACL’s
acl login_user proxy_auth REQUIRED
http_access allow login_user
#proxy_auth program
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/password
auth_param basic children 5
auth_param basic realm Proxy Badilag
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
and here is the error comment :
> service squid restart
Stopping squid: [OK]
Starting squid: [FAILED]
2009/01/30 02:16:07| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2009/01/30 02:16:07| Starting Authentication on port 0.0.0.0:14348
2009/01/30 02:16:07| Disabling Authentication on port 0.0.0.0:14348 (interception enabled)
2009/01/30 02:16:07| Can’t use proxy auth because no authentication schemes are fully configured.
FATAL: ERROR: Invalid ACL: acl login_user proxy_auth REQUIRED
Squid Cache (Version 3.0.STABLE10): Terminated abnormally.
CPU Usage: 0.007 seconds = 0.003 user + 0.004 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 0
thanks before….
Thank you so much.
As a newbie to linux/ubuntu/squid it was an excellent help.
How do you control auth user for blocking some host, i try to limit with acl but it won’t work.
eg. auth user cannot access google.com but other site are ok
Hi,
When i am trying to open any ineternet sites, the browser is asking for user authentication. When I enter my authentication, I am being able to access the internet. I am using red hat linux. Kindly tell a solution so that the browser will never ask for authentication means the browser will take my user id and password automatically and should not ask me. I am opearated behind a proxy server.
If you guys having this error:
Invalid Proxy Auth ACL 'acl ncsa_users proxy_auth REQUIRED' because no authentication schemes are fully configured.Just make sure that the code below is set after all the auth_param
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
Hope this helps.
Yes Dear,
It is help full but in the same authuntication can’t get complete user details like from time to time uses for the need use other tools for compile the logs.
Regards
Linux Admin
Hello,
I’ve the same problem than Hedwig, i followed the instruction (and it succeed).
however, when i try to browse sites through internet explorer, the authorization doesn’t come up.
why?
thanks in advance
HellO guys,
I have to configure a Squid along with an antivirus Gateway (computer Associates). Traffic flows as in the following
End-Users -> Antivirus Gateway -> Squid -> Internet.
I have done almost all works. I could do authentication well. but one more scenery.
1. I want all end-users should be authenticated via Squid (already achieved :-) )
2. Antivirus (CA gateway security) gateway need no authentication from Squid. Its traffic should pass Squid tranperantly. ie, for only one sysytem (ie for gateway server) squid should not pose authentication windows.
Any idea.
Is there a Keyword “NOTREQUIRED” (to use along with proxy_auth).
Please reply
:-)
Thanks
Upasana
I have a Linux server & under that i have 150+ client, i want set authentication user name & password of a website in proxy. Just example my http://www.abc.com website login user name :test & password :test123 , when any client brows www,abc.com then it automatically login that site no required to put user & password.
i want a server that i can use to connect workstations to the internet so that whenever any user tries to connect even with a computer not part of the workstations (such as a laptop via wireless), the user inputs a username and password earlier assigned to the person. please can squid proxy server do that?
There is a way to get only htpasswd program.
You can just run
make -C /usr/ports/www/apache22then copy the binary and lib files from the work directory like this:
mkdir /usr/local/sbin/.libs
cp /usr/ports/www/apache22/work/httpd-2.2.11/support/htpasswd /usr/local/sbin/
cp /usr/ports/www/apache22/work/httpd-2.2.11/support/.libs/htpasswd /usr/local/sbin/.libs/
Also you can run
make -C /usr/ports/www/apache22 cleanfor cleaning all compiled files. (But you can’t use htpasswd again)
That’s all.
Another great simple to the point guide.
Thanks,
Jon
Regarding
`Hello,
I’ve the same problem than Hedwig, i followed the instruction (and it succeed).
however, when i try to browse sites through internet explorer, the authorization doesn’t come up.
why?`
put:
http_access allow ncsa_users
above any other similar lines like:
http_access allow localnet
http_access allow localhost
Thanks, Awesome manual!!! all went fine,
For those following tutorial and having problems with basic ncsa_auth
check your permissions on /etc/squid/passwd file – proxy or squid should be able to read it, and if you are not running squid as root authentication is going to fail.
How to configure dns in linux
search for bind. this is DNS server for Linux..
hope this helps
http://www.yssdragil.com
Thx for u’re article.
Thats work (^o^)/
Dear all,
How to do WPAD(Web Proxy Auto Discovery)
Pls tell me about
Thanks
This only Authenticate user account. But what about ACL on different user/admin?
U can’t combine ACL with ncsa_auth, I mean what if user login with his password then change his IP to IP admin? .ncsa_auth can’t authenticate user account + IP machine + ACL user. Sorry for my bad English
Any Idea?
yeah i got it running! but how can i restrict user account to use only once. because the username i created can use multiple times… like if the account is already in use.. the next user with the same account well be denied..
ACL Name
Max Logon IPs per user
Strictly Enforced
remember to set Authenticate IP Cache to > 0 in “Authentication Programs Module”
Nice! real great explination!
Greetz
For those who got TCP_DENIED/407 error:
Trye username and password from lover case letter.
thank for the information,
it work.
To others who failed to get the authentication to work, maybe you should check your cache.log files.
At first, the authentication was not working on my server, however after checking on the cache.log file, i found out the password file name was wrong.
thank man
Thanks for the help everything is running awesome!!!
hi I just make the all tutorial and when make a request the browser ask for user:pass but when I type in the user and pass it don’t allow access,
an important thing is that when I add the first user asuin htpasswd /etc/squid/passwd user1 it returns saying that must use -c then I make
htpasswd -c /etc/squid/passwd user1 and it work it add the user, but after that it don’t ask for a password so this steep don’t show:
New password:
Re-type new password:
Adding password for user user1
instead it create the user and asing a ramdom password, then I edit the file /etc/squid/passwd and I see the user1:5T6uud*9?h so I assume that that’s the username and password, but it don’t work
this is my configuration:
acl internal_network src 190.1.1.0-190.1.1.255
http_access allow internal_network
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
nice artical but please any guide me how can I encrypt the clear text password user getting it with sanffirs.
I have done the steps as you have given. But it is saying that ncsa_auth no such file or directory. pls guide me
UAMANDE
Guys..if you cant get the authorization to come out, please try this.
acl ncsa_users proxy_auth REQUIRED (Add this to the bottom of the ACL section of squid.conf)
http_access allow ncsa_users (Add this at the top of the http_access section of squid.conf)
e.g.
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl ncsa_users proxy_auth REQUIRED
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow ncsa_users
http_access allow manager localhost
http_access allow our_networks
http_access deny manager
hope i solve your problems
My configuration is
# be allowed
acl our_networks src 192.168.1.0/24 192.168.2.0/24
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic realm Squid proxy-caching web server
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
http_access allow our_networks
I am getting this error
Aug 26 23:12:49 centos1 squid[4040]: The basicauthenticator helpers are crashing too rapidly, need help!
Aug 26 23:12:49 centos1 squid[4038]: Squid Parent: child process 4040 exited due to signal 6
to signal 6
Aug 26 23:12:55 centos1 squid[4038]: Squid Parent: child process 4059 started
Guys any body please update on this issue.
I am getting tcp_denied/407 error . What should I do ?
how do i use this htpasswd command
on win[7]x64
i tried but it does not recognise the command
:]] some help with example
Great,
works fine,
thank you very much!
Anyone who has the problem that the authentication window pops up but the authentication fails all the time, try this: in squid.conf set auth_param basic casesensitive on
I dont really know why but it worked for me. I spent many hours until I accidentally found this out so I hope this helps somebody.
Stopping squid: [FAILED]
Starting squid: [FAILED]
for that?
The info was very interesting but the problem is that. one user account can authenticate multiple times. You should also show us how to limit a user authentication because this is the most important in authentication program is to limit the account login. and how to auto ban the account if its use multiple times in different pc. I hope you can give us a code in squid
Followed the example and got the proxy authentication to work successfully…. This is a very nicely written example of how to get started. The only thing I had to do extra, was to install a package that would allow me to run the “htpasswd” command.
Thanks a bunch,
Juan
What a post!
God bless you.