Howto: Squid proxy authentication using ncsa_auth helper

Posted by Vivek Gite [Last updated: May 31, 2008]

For fine-grained control you may need to use Squid proxy server authentication. This allows only authorized users to use the proxy server.

You need to use proxy_auth ACLs to configure the ncsa_auth module. Browsers send the user's credentials in the Authorization request header. If Squid gets a request and the http_access rule list reaches a proxy_auth ACL, Squid looks for the Authorization header. If the header is present, Squid decodes it and extracts a username and password.

However, squid itself is not equipped with password authentication; it relies on authentication helpers. The following are included by default with most squid packages and most Linux distros:
=> NCSA: Uses an NCSA-style username and password file.
=> LDAP: Uses the Lightweight Directory Access Protocol
=> MSNT: Uses a Windows NT authentication domain.
=> PAM: Uses the Linux Pluggable Authentication Modules scheme.
=> SMB: Uses a SMB server like Windows NT or Samba.
=> getpwnam: Uses the old-fashioned Unix password file.
=> SASL: Uses SASL libraries.
=> NTLM, Negotiate and Digest authentication

Configure an NCSA-style username and password authentication

I am going to assume that squid is installed and working fine.

Tip: Before going further, test basic Squid functionality. Make sure squid is functioning without requiring authorization :)

Step # 1: Create a username/password

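First create an NCSA password file using the htpasswd command. htpasswd creates and updates the flat files that store usernames and passwords for basic authentication of squid users. The -c option creates the file; leave it out when adding more users later, because it overwrites an existing file.
# htpasswd -c /etc/squid/passwd user1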
Output:

New password:
Re-type new password:
Adding password for user user1

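Make sure squid can read the passwd file:
# chmod o+r /etc/squid/passwd
This makes the password hashes readable by every local account; on a shared host, give read access only to the user squid runs as instead.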

Step # 2: Locate ncsa_auth authentication helper

Usually ncsa_auth is located at /usr/lib/squid/ncsa_auth. You can find its location using the rpm (Redhat, CentOS, Fedora) or dpkg (Debian and Ubuntu) command:
# dpkg -L squid | grep ncsa_auth
Output:

/usr/lib/squid/ncsa_auth

If you are using RHEL/CentOS/Fedora Core or another RPM-based distro, try:
# rpm -ql squid | grep ncsa_auth
Output:

/usr/lib/squid/ncsa_auth

Step # 3: Configure ncsa_auth for squid proxy authentication

Now open the /etc/squid/squid.conf file:
# vi /etc/squid/squid.conf
Append (or modify) the following configuration directives:
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

Also find your ACL section and append/modify:
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users

Save and close the file.

Where,

Restart squid:
# /etc/init.d/squid restart

Now the user is prompted for a username and password.
[Figure: Squid proxy authentication using ncsa_auth module]
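A pre-restart check for the configuration from Step # 3, as an added example that is not part of the original article. It relies on two Squid behaviours: squid.conf is parsed top to bottom, so the auth_param lines have to come before the first proxy_auth ACL, and http_access stops at the first matching rule, so an earlier plain allow rule lets clients through without a login prompt. The function name lint_squid_auth and both sample configs are constructed for illustration.

```python
# Constructed sample configs (not from the article's server).
BROKEN = """\
acl localnet src 192.168.0.0/16
acl ncsa_users proxy_auth REQUIRED
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
http_access allow localnet
http_access allow ncsa_users
http_access deny all
"""
ARTICLE_ORDER = """\
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
http_access deny all
"""


def lint_squid_auth(conf_text):
    """Return sorted (line_no, message) findings about proxy_auth wiring."""
    findings, auth_acls, rules = [], set(), []
    helper_seen = False
    for no, raw in enumerate(conf_text.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[:3] == ["auth_param", "basic", "program"]:
            helper_seen = True
        elif tok[0] == "acl" and len(tok) >= 3 and tok[2] == "proxy_auth":
            auth_acls.add(tok[1])
            if not helper_seen:
                findings.append((no, "acl %s: no auth_param basic program above it" % tok[1]))
        elif tok[0] == "http_access" and len(tok) >= 3:
            names = {t.lstrip("!") for t in tok[2:]}
            rules.append((no, tok[1], bool(names & auth_acls)))
    first_auth = next((no for no, _, uses in rules if uses), None)
    if first_auth is None:
        findings.append((0, "no http_access rule references a proxy_auth ACL"))
    for no, action, uses in rules:
        # First match wins: an earlier plain allow never asks for credentials.
        if action == "allow" and not uses and first_auth and no < first_auth:
            findings.append((no, "allow rule matches before authentication is required"))
    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("article order", ARTICLE_ORDER)):
        print(label, lint_squid_auth(text) or "ok")
```

To check a live file, pass the contents of /etc/squid/squid.conf to lint_squid_auth before restarting squid.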


Discussion on This Article:

  1. marco lunardi Says:

    authentication using ncsa_auth run with proxy transparent ?

  2. nixcraft Says:

    marco,

    You cannot use Proxy Authentication transparently

  3. Mani M N S Says:

    Is htpasswd available for download for FreeBSD? (pkg_add requires many components.) Is there any other way to generate a password file like htpasswd?

  4. Ken Davis Says:

    “Is htpasswd available for download for FreeBSD? (pkg_add requires many components.) Is there any other way to generate a password file like htpasswd?”

    - For me on Ubuntu I installed apache2-utils, must be something similar on FreeBSD. E.g.:

    apt-cache search htpasswd, yields:

    apache2-utils - util…

    Awesome article btw! Got me up and running with no problems! Thanks!

  5. Hedwig Says:

    I have installed my FreeBSD & Squid with ./configure --enable-delay-pools --enable-arp-acl --enable-auth="basic" --enable-basic-auth-helpers="NCSA"
    When I want to use ncsa, and I'd like to use htpasswd to create a username/password, this command is not found.
    What should I do?
    Where do I have to find the htpasswd command?

  6. vivek Says:

    htpasswd is part of the Apache package under FreeBSD. To install, go to ports:

    cd /usr/ports/www/apache22/
    make install clean

  7. Hedwig Says:

    Thanks for the response. :)

    I've succeeded in installing Apache, and I can use the htpasswd command.

    Thanks a lot.

    But I have another problem.
    I created 1 new user with: htpasswd /usr/local/squid/etc/passwd user1
    and it succeeded.

    I also followed the above instructions to have an NCSA-style username and password authentication.
    I've reconfigured my squid.conf file.

    But when I try to browse sites through Internet Explorer, the authorization doesn't come up.
    Why?

    Note: I already set the "lan connection + proxy" option.

  8. anant tickoo Says:

    Using squid 2.6
    I used the setting above …

    acl ncsa_i proxy_auth REQUIRED
    http_access allow ncsa_i
    If I use these two lines in the conf file, squid fails to restart.
    I can't understand where the bug is.

Copyright © 2004-2008 nixCraft. All rights reserved.