Squid proxy and user authentication
There are cases where you want to control the access to your proxy server. This could be via IP-restrictions and/or authentication via user name and password.
I recently configured my Squid to support user authentication. There are different options for authentication via authentication helpers:
- LDAP: Authenticates against LDAP databases.
- MSNT: Microsoft NT domain authentication.
- NCSA: Authenticates against the same type of password file as many NCSA-compliant web servers (e.g. Apache htpasswd).
- PAM: Authenticates against Pluggable Authentication Module (common Linux authentication).
- SMB: Authenticates against an SMB server (e.g. Samba).
- getpwnam: Authenticates using the Unix password or shadow password file.
Setup authentication
Edit squid.conf (usually at ```/etc/squid/squid.conf```) and edit the auth_param part for basic authentication.
```
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/htpasswd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
```
- ```credentialsttl 2 hours```: Credentials are valid for 2 hours
- ```casesensitive off```: Username is not case-sensitive
If you’re uncertain about the path to the ncsa_auth helper, you can run ```dpkg -L squid | grep ncsa_auth``` on a Debian-based system or ```rpm -ql squid | grep ncsa_auth``` on an RPM-based system to find out where this helper is.
The password file is created via
```
# htpasswd -c <password file> username
```
or you can add another user with
```
# htpasswd <password file> username
```
To actually enable the authentication you have to add
```
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
```
to your ACL section of squid.conf and restart Squid of course.
- ```acl ncsa_users proxy_auth REQUIRED```: All rules matching ncsa_users require authentication to the proxy
- ```http_access allow ncsa_users```: Allow proxy access only to users of ncsa_users group, which in fact means authenticated users.
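Squid evaluates http_access rules top-down and the first match wins, so where these two lines land in the ACL section decides whether authentication is actually enforced. The following checker is an added example, not part of the original post or of Squid; the function name `audit_squid_auth` and the sample configuration (including the `localnet` ACL) are constructed for illustration.

```python
# Constructed sample: the page's auth settings plus an earlier allow rule
# that lets local clients through without credentials.
SAMPLE_CONF = """\
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/htpasswd
auth_param basic children 5
acl localnet src 192.168.0.0/16
acl ncsa_users proxy_auth REQUIRED
http_access allow localnet
http_access allow ncsa_users
"""

def audit_squid_auth(conf_text):
    """Return findings about basic-auth enforcement in squid.conf text."""
    findings, auth_acls, rules = [], set(), []
    has_helper = False
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue                          # blank line or comment
        if tok[:3] == ["auth_param", "basic", "program"] and len(tok) > 3:
            has_helper = True
        elif tok[0] == "acl" and len(tok) >= 3 and tok[2] == "proxy_auth":
            auth_acls.add(tok[1])             # ACL that demands credentials
        elif tok[0] == "http_access" and len(tok) >= 3:
            rules.append((lineno, tok[1], tok[2:]))
    if not has_helper:
        findings.append("no 'auth_param basic program' helper configured")
    if not auth_acls:
        findings.append("no proxy_auth ACL defined")
    enforced = False   # set once a 'deny !<auth acl>' rule has been seen
    for lineno, action, acls in rules:
        if action == "deny" and len(acls) == 1 and acls[0][1:] in auth_acls \
                and acls[0].startswith("!"):
            enforced = True
        # An allow rule without a proxy_auth ACL admits matching clients
        # before Squid ever asks for a user name and password.
        elif action == "allow" and not enforced \
                and not auth_acls.intersection(acls):
            rule = " ".join(acls)
            findings.append(f"line {lineno}: allow {rule} skips authentication")
    if not rules or rules[-1][1:] != ("deny", ["all"]):
        findings.append("http_access list does not end with 'deny all'")
    return findings

if __name__ == "__main__":
    for finding in audit_squid_auth(SAMPLE_CONF):
        print(finding)
```

The closing `http_access deny all` check follows Squid's shipped default configuration; the checker only reads the directives shown on this page and does not follow `include` files.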
Remark: As far as I know it’s technically not possible to use this for a transparent proxy setup.