1 minute read

There are cases where you want to control the access to your proxy server. This could be via IP-restrictions and/or authentication via user name and password.

I recently configured my Squid to support user authentication. There are different options for authorization via authorization helpers:

  • LDAP: Authenticates against LDAP databases.
  • MSNT: Microsoft NT domain authentication.
  • NCSA: Authenticates against the same type of password file as many NCSA-compliant web servers (e.g. Apache htpasswd)
  • PAM: Authenticates against Pluggable Authentication Module (common Linux authentication).
  • SMB: Authenticates against an SMB server (e.g. Samba).
  • getpwnam: Authenticates using Unix password or shadow password file

Setup authentication

Edit squid.conf (usually at /etc/squid/squid.conf) and edit the auth_param part for basic authentication.

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/htpasswd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
  • ```credentialsttl 2 hours```: Credentials are valid for 2 hours
  • ```casesensitive off```: Username is not case-sensitive

If you’re uncertain about the path to the ncsa_auth helper you can run dpkg -L squid |grep ncsa_auth on a Debian-based system or rpm -ql squid | grep ncsa\_auth on an RPM-based system to find out where this helper is.

The password file is created via

# htpasswd -c <password file> username

or you can add another user with

# htpasswd <password file> username

To actually enable the authentication you have to add

acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users

to you ACL section of squid.conf> and restart Squid of course.

  • ```acl ncsa_users proxy_auth REQUIRED```: All rules matching ncsa_users require authentication to the proxy
  • ```http_access allow ncsa_users```: Allow proxy access only to users of ncsa_users group, which in fact means authenticated users.

Remark: As far as I know it’s technically not possible to use this for a transparent proxy setup.