Howto: Squid proxy authentication using ncsa_auth helper

by Vivek Gite · 44 comments

For fine-grained access control you may need to enable Squid proxy server authentication, so that only authorized users can use the proxy server.

You need to use proxy_auth ACLs to configure the ncsa_auth module. Browsers send the user's authentication credentials in the Authorization request header. If Squid gets a request and the http_access rule list gets to a proxy_auth ACL, Squid looks for the Authorization header. If the header is present, Squid decodes it and extracts a username and password.

However, Squid itself is not equipped with password authentication; it relies on authentication helpers. The following helpers are included by default with most Squid packages and most Linux distros:
=> NCSA: Uses an NCSA-style username and password file.
=> LDAP: Uses the Lightweight Directory Access Protocol
=> MSNT: Uses a Windows NT authentication domain.
=> PAM: Uses the Linux Pluggable Authentication Modules scheme.
=> SMB: Uses a SMB server like Windows NT or Samba.
=> getpwnam: Uses the old-fashioned Unix password file.
=> SASL: Uses SASL libraries.
=> NTLM, Negotiate and Digest authentication

Configure an NCSA-style username and password authentication

I am going to assume that squid is installed and working fine.

Tip: Before going further, test basic Squid functionality. Make sure squid is functioning without requiring authorization :)

Step # 1: Create a username/password

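First create an NCSA password file using the htpasswd command. htpasswd creates and updates the flat files that store usernames and passwords for basic authentication of Squid users. The -c option creates the file; leave it out when adding more users to an existing file, because -c overwrites it.
# htpasswd -c /etc/squid/passwd user1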
Output:

New password:
Re-type new password:
Adding password for user user1

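Make sure Squid can read the passwd file:
# chmod o+r /etc/squid/passwd
Note that o+r lets every local account read the password hashes. A tighter alternative is to make the file readable only by the user or group that Squid runs as.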

Step # 2: Locate ncsa_auth authentication helper

Usually ncsa_auth is located at /usr/lib/squid/ncsa_auth. You can find its location using the rpm (Redhat, CentOS, Fedora) or dpkg (Debian and Ubuntu) command:
# dpkg -L squid | grep ncsa_auth
Output:

/usr/lib/squid/ncsa_auth

If you are using RHEL/CentOS/Fedora Core or RPM based distro try:
# rpm -ql squid | grep ncsa_auth
Output:

/usr/lib/squid/ncsa_auth

Step # 3: Configure ncsa_auth for squid proxy authentication

Now open the /etc/squid/squid.conf file:
# vi /etc/squid/squid.conf
Append (or modify) the following configuration directives:
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

Also find your ACL section and append/modify the following, after the auth_param lines:
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users

Save and close the file.

Where,

  • auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd : Specify squid password file and helper program location
  • auth_param basic children 5 : The number of authenticator processes to spawn.
  • auth_param basic realm Squid proxy-caching web server : Part of the text the user will see when prompted for their username and password
  • auth_param basic credentialsttl 2 hours : Specifies how long Squid assumes an externally validated username:password pair is valid, in other words how often the helper program is called for that user. It is set to 2 hours.
  • auth_param basic casesensitive off : Specifies whether usernames are case sensitive. It can be on or off only
  • acl ncsa_users proxy_auth REQUIRED : The REQUIRED term means that any authenticated user will match the ACL named ncsa_users
  • http_access allow ncsa_users : Allow proxy access only if user is successfully authenticated.
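
The ordering of these directives matters: Squid evaluates http_access rules top-down and stops at the first match, and the comments below report that a proxy_auth ACL placed before the auth_param lines stops Squid from starting. The following checker is an added example, not part of the original article or of Squid; lint_squid_auth() and the GOOD/BAD sample configs are constructed for illustration.

```python
# Added example: order checker for the squid.conf directives shown above.
def lint_squid_auth(conf_text):
    """Return [(line_no, message)] for auth-related ordering problems."""
    findings = []
    helper_seen = False     # an 'auth_param basic program' line was parsed
    auth_acls = set()       # names of ACLs of type proxy_auth
    auth_rule_seen = False  # an http_access rule referencing such an ACL
    for no, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not tokens:
            continue
        directive, args = tokens[0], tokens[1:]
        if directive == "auth_param" and args[:2] == ["basic", "program"]:
            helper_seen = True
        elif directive == "acl" and len(args) >= 2 and args[1] == "proxy_auth":
            auth_acls.add(args[0])
            if not helper_seen:
                findings.append((no, "proxy_auth ACL '%s' is defined before "
                                     "auth_param basic program" % args[0]))
        elif directive == "http_access" and len(args) >= 2:
            names = {a.lstrip("!") for a in args[1:]}
            if names & auth_acls:
                auth_rule_seen = True
            elif args[0] == "allow" and not auth_rule_seen:
                findings.append((no, "'%s' matches before any rule that asks "
                                     "for credentials" % " ".join(tokens)))
    if auth_acls and not auth_rule_seen:
        findings.append((0, "proxy_auth ACL is never used in http_access"))
    return findings

# Constructed samples: the article's directives, then a misordered variant.
GOOD = """\
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
http_access deny all
"""
BAD = """\
acl localnet src 192.168.1.0/24
acl ncsa_users proxy_auth REQUIRED
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
http_access allow localnet
http_access allow ncsa_users
"""

if __name__ == "__main__":
    for name, conf in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_squid_auth(conf) or "no ordering problems")
```

In the BAD sample, clients in localnet are allowed by the earlier rule and are never asked for a username and password.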

Restart squid:
# /etc/init.d/squid restart

Now the user is prompted for a username and password.
(Figure: Squid proxy authentication using ncsa_auth module)

1 marco lunardi 12.26.06 at 10:11 pm

Does authentication using ncsa_auth work with a transparent proxy?

2 nixcraft 12.27.06 at 3:21 am

marco,

You cannot use Proxy Authentication transparently

3 Mani M N S 07.30.07 at 12:55 pm

Is htpasswd available for download for FreeBSD? (pkg_add requires many components.) Is there any other way to generate a password file like htpasswd?

4 Ken Davis 08.07.07 at 6:17 pm

"Is htpasswd available for download for FreeBSD? (pkg_add requires many components.) Is there any other way to generate a password file like htpasswd?"

- For me on Ubuntu I installed apache2-utils; there must be something similar on FreeBSD. E.g.:

apt-cache search htpasswd, yields:

apache2-utils – util…

Awesome article btw! Got me up and running with no problems! Thanks!

5 Hedwig 06.09.08 at 9:56 am

I have installed my FreeBSD & Squid with ./configure --enable-delay-pools --enable-arp-acl --enable-auth="basic" --enable-basic-auth-helpers="NCSA"
When I want to use NCSA, and I'd like to use htpasswd to create a username/password, this command is not found.
What should I do?
Where can I find the htpasswd command?

6 vivek 06.09.08 at 11:22 am

htpasswd is part of the Apache package under FreeBSD. To install it, go to ports:

cd /usr/ports/www/apache22/
make install clean

7 Hedwig 06.10.08 at 6:09 am

Thanks for the response. :)

I've succeeded in installing Apache, and I can use the htpasswd command.

Thanks a lot.

But I have another problem.
I created 1 new user with: htpasswd /usr/local/squid/etc/passwd user1
and it succeeded.

I also followed the above instructions to have NCSA-style username and password authentication.
I've reconfigured my squid.conf file.

But when I try to browse sites through Internet Explorer, the authorization doesn't come up.
Why?

Note: I already set the "LAN connection + proxy" option.

8 anant tickoo 07.15.08 at 1:36 am

Using Squid 2.6.
I used the settings above …

acl ncsa_i proxy_auth REQUIRED
http_access allow ncsa_i
If I use these two lines in the conf file, Squid fails to restart.
I can't understand where the bug is.

9 Shyamal 09.13.08 at 12:31 pm

Dear,
I have configured with your above instructions and I am able to get the popup for user name and password. After entering the password it is not logging in; it is not authorized.

Can you help me?
When I check the access log file the following errors are there:
TCP_DENIED/407

Waiting for your reply.

10 anant 09.13.08 at 2:51 pm

Hey!! I had problems with iptables….

You should also check that …

I restored it to the original.

11 Raja 09.14.08 at 9:19 am

Hi Shyamal ,

The problem is that the password file should contain clear text and not digest text. The format of the password file is as follows:
username:password
So check it; I hope it will solve your issue.

12 Shyamal Thaker 09.17.08 at 6:06 am

Dear all,
Thanks for the reply.
What I have done: I have configured only squid.conf with the following lines. I have not configured iptables or the firewall.

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
#auth_param basic realm squid proxy-caching web server
auth_param basic realm Rhel.Mail.com
auth_param basic casesensitive off

acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users

Can you help me in detail with what components I have to configure? I have just entered the ncsa_auth line in squid.conf, that's it.

13 anant 09.17.08 at 7:10 am

Hi, you can refer to http://www.visolve.com/squid/squid30/externalsupport.php#auth_param for a detailed reference for your configuration.

One more thing: check the access given to squid_passwd.
And have you registered any user in that file?

Hope this helps.

14 Shyamal Thaker 09.17.08 at 9:46 am

Dear anant, thanks
for your prompt reply. I want to tell you one more thing: I have not installed Squid separately; I installed Linux with Squid, and that /etc/squid/squid.conf is what I am using.
I have created 2 (two) users in that file with the help of htpasswd. The file permissions are as below:
-rw-r--r-- 1 root root 40 Sep 14 02:29 squid_passwd

Waiting for your reply.

15 Raja 09.17.08 at 11:07 am

Hi Shyamal,
I told you the same; it might have been created with MD5 encryption. So the solution is to remove the file squid_passwd and try these commands:

htpasswd -c /etc/squid/squid_passwd user1
htpasswd /etc/squid/squid_passwd user2

Add as many users as you want and try again now.

16 Shyamal Thaker 09.17.08 at 12:13 pm

Dear Raja,
thanks for the reply.

It is not working.

The password is not accepted.

[root@rhel squid]# cat squid_passwd
test:ueu4r5eSydxzM
[root@rhel squid]#

Or if you are using Gtalk so we can talk online, please give me your email ID. Here I am giving my Gmail ID for fast communication: thakershyamal@gmail.com

Waiting for your reply.

17 Raja 09.19.08 at 2:59 am

Hi Shyamal,

Sorry for the delay. I was busy with my work. Anyhow, what you have done is correct. Check the log and let me know.
You can contact me at adhyakshahraja@gmail.com

18 anant 09.19.08 at 3:15 am

Hey, one last thing: is your IP range in the 192.168.1.* series? If not, then I think you still have to play with the ACL.

19 Shyamal Thaker 09.19.08 at 5:22 am

Dear all,
thanks, I have added your ID to my database. Whenever you are free, just come online.

20 Adam 09.20.08 at 5:57 pm

Worked perfect, thanks for the article

21 Ahsan ul haq 12.31.08 at 2:41 pm

Hi

I configured my squid file as you describe, but when I try to browse sites through Internet Explorer, the authorization doesn't come up.
Please reply to ihsan@nibge.org

22 killerbees19 12.31.08 at 9:11 pm

Hello guys, I just want to say: THANK YOU! :-)
I have been trying to configure Squid for two days; with your tutorial it works. Thanks a lot and a happy new year ;-)

Regards, Christian

23 AnRkey 01.28.09 at 9:00 am

You guys rock, thanks very much!

24 Helmi Indra 01.29.09 at 7:17 pm

Hi

I've configured my Squid as above, but Squid cannot start anyway. Can you trace where my fault is?
Here is my conf:
#ACL’s
acl login_user proxy_auth REQUIRED
http_access allow login_user

#proxy_auth program
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/password
auth_param basic children 5
auth_param basic realm Proxy Badilag
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

and here is the error comment :
> service squid restart
Stopping squid: [OK]
Starting squid: [FAILED]
2009/01/30 02:16:07| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2009/01/30 02:16:07| Starting Authentication on port 0.0.0.0:14348
2009/01/30 02:16:07| Disabling Authentication on port 0.0.0.0:14348 (interception enabled)
2009/01/30 02:16:07| Can’t use proxy auth because no authentication schemes are fully configured.
FATAL: ERROR: Invalid ACL: acl login_user proxy_auth REQUIRED

Squid Cache (Version 3.0.STABLE10): Terminated abnormally.
CPU Usage: 0.007 seconds = 0.003 user + 0.004 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 0

thanks before….

25 macPerl 01.31.09 at 1:06 pm

Thank you so much.

As a newbie to linux/ubuntu/squid it was an excellent help.

26 Andry 02.10.09 at 2:31 am

How do you control authenticated users to block some hosts? I tried to limit with an ACL but it won't work.

E.g. an authenticated user cannot access google.com but other sites are OK.

27 suvendu kumar mohapatra 02.17.09 at 3:46 am

Hi,
When I try to open any Internet site, the browser asks for user authentication. When I enter my credentials, I am able to access the Internet. I am using Red Hat Linux. Kindly tell me a solution so that the browser will never ask for authentication, meaning the browser will take my user ID and password automatically and should not ask me. I am operating behind a proxy server.

28 Fendy Ahmad 03.29.09 at 3:44 am

If you guys are having this error:

Invalid Proxy Auth ACL 'acl ncsa_users proxy_auth REQUIRED' because no authentication schemes are fully configured.

Just make sure that the code below is set after all the auth_param lines:

acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users

Hope this helps.

29 Madhusudhan 04.11.09 at 4:21 pm

Yes Dear,

It is helpful but in the same authentication can't get complete user details like from time to time uses for the need use other tools for compile the logs.

Regards
Linux Admin

30 earthurcom 05.11.09 at 2:39 pm

Hello,
I have the same problem as Hedwig: I followed the instructions (and it succeeded).
However, when I try to browse sites through Internet Explorer, the authorization doesn't come up.
Why?

Thanks in advance.

31 Upasana 05.13.09 at 11:57 am

Hello guys,

I have to configure Squid along with an antivirus gateway (Computer Associates). Traffic flows as follows:

End-Users -> Antivirus Gateway -> Squid -> Internet.

I have done almost all the work. I could do authentication well, but there is one more scenario.
1. I want all end-users to be authenticated via Squid (already achieved :-) )
2. The antivirus gateway (CA gateway security) needs no authentication from Squid. Its traffic should pass Squid transparently, i.e. for only one system (the gateway server) Squid should not pose authentication windows.

Any idea?
Is there a keyword "NOTREQUIRED" (to use along with proxy_auth)?

Please reply
:-)
Thanks
Upasana

32 alamgir 06.05.09 at 12:41 pm

I have a Linux server and under that I have 150+ clients. I want to set the authentication user name and password of a website in the proxy. Just as an example, my http://www.abc.com website login user name is test and password is test123; when any client browses www.abc.com it should automatically log in to that site, with no need to enter the user and password.

33 iyke 06.18.09 at 4:01 pm

I want a server that I can use to connect workstations to the Internet so that whenever any user tries to connect, even with a computer not part of the workstations (such as a laptop via wireless), the user inputs a username and password earlier assigned to the person. Please, can Squid proxy server do that?

34 Cagri Ersen 07.16.09 at 2:36 pm

There is a way to get only the htpasswd program.

You can just run
make -C /usr/ports/www/apache22

then copy the binary and lib files from the work directory like this:


mkdir /usr/local/sbin/.libs
cp /usr/ports/www/apache22/work/httpd-2.2.11/support/htpasswd /usr/local/sbin/
cp /usr/ports/www/apache22/work/httpd-2.2.11/support/.libs/htpasswd /usr/local/sbin/.libs/

Also you can run
make -C /usr/ports/www/apache22 clean
for cleaning all compiled files. (But you can’t use htpasswd again)

That’s all.

35 JOn 10.03.09 at 6:12 pm

Another great simple to the point guide.

Thanks,

Jon

36 test 10.12.09 at 4:51 pm

Regarding
`Hello,
I have the same problem as Hedwig: I followed the instructions (and it succeeded).
However, when I try to browse sites through Internet Explorer, the authorization doesn't come up.
Why?`

put:

http_access allow ncsa_users

above any other similar lines like:

http_access allow localnet
http_access allow localhost

37 Mo 10.30.09 at 11:37 pm

Thanks, Awesome manual!!! all went fine,

38 Cygnus 11.16.09 at 8:22 pm

For those following tutorial and having problems with basic ncsa_auth
check your permissions on /etc/squid/passwd file – proxy or squid should be able to read it, and if you are not running squid as root authentication is going to fail.

39 Roshan 12.11.09 at 8:09 am

How to configure dns in linux

40 anant tickoo 12.12.09 at 5:48 pm

search for bind. this is DNS server for Linux..

hope this helps

http://www.yssdragil.com

41 bezt 01.01.10 at 8:01 pm

Thanks for your article.
That works (^o^)/

42 Myo Khaing 01.12.10 at 2:56 am

Dear all,
How do I do WPAD (Web Proxy Auto Discovery)?
Please tell me about it.
Thanks

43 bezt 02.01.10 at 5:38 pm

This only authenticates the user account. But what about ACLs for different users/admins?
You can't combine ACLs with ncsa_auth. I mean, what if a user logs in with his password and then changes his IP to the admin's IP? ncsa_auth can't authenticate user account + machine IP + user ACL. Sorry for my bad English.
Any idea?

44 PROXYGUY 02.08.10 at 7:16 am

Yeah, I got it running! But how can I restrict a user account to be used only once? Because the username I created can be used multiple times… like if the account is already in use, the next user with the same account will be denied.
