There are cases where you want to control the access to your proxy server. This could be via IP-restrictions and/or authentication via user name and password.
I recently configured my Squid to support user authentication. There are different options for authentication via authentication helpers:
- LDAP: Authenticates against LDAP databases.
- MSNT: Microsoft NT domain authentication.
- NCSA: Authenticates against the same type of password file as many NCSA-compliant web servers (e.g. Apache htpasswd).
- PAM: Authenticates against Pluggable Authentication Module (common Linux authentication).
- SMB: Authenticates against an SMB server (e.g. Samba).
- getpwnam: Authenticates using Unix password or shadow password file.
Edit squid.conf (usually at /etc/squid/squid.conf) and adjust the auth_param part for basic authentication.

```
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/htpasswd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
```

- `credentialsttl 2 hours`: Credentials are valid for 2 hours
- `casesensitive off`: Username is not case-sensitive
If you’re uncertain about the path to the ncsa_auth helper, you can run `dpkg -L squid | grep ncsa_auth` on a Debian-based system or `rpm -ql squid | grep ncsa_auth` on an RPM-based system to find out where this helper is.
The password file is created via

```
# htpasswd -c <password file> username
```

or you can add another user (omit `-c`, which would overwrite the existing file) with

```
# htpasswd <password file> username
```

To actually enable the authentication you have to add

```
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
```

to your ACL section of squid.conf and restart Squid, of course.
- `acl ncsa_users proxy_auth REQUIRED`: All rules matching ncsa_users require authentication to the proxy
- `http_access allow ncsa_users`: Allow proxy access only to users of the ncsa_users group, which in fact means authenticated users.
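
Squid evaluates `http_access` rules top to bottom and stops at the first match, so an earlier `allow` rule can admit clients before `ncsa_users` is ever checked. The following check is an added example, not part of the original post; the function name and both sample configurations are constructed for illustration.

```python
# Constructed sample: "allow localnet" matches first, so LAN clients are
# never asked for credentials even though ncsa_users is defined.
WEAK_CONF = """\
acl localnet src 192.168.0.0/16
acl ncsa_users proxy_auth REQUIRED
http_access allow localnet
http_access allow ncsa_users
http_access deny all
"""

# Constructed sample: the only allow rule requires authentication.
HARDENED_CONF = """\
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
http_access deny all
"""


def unauthenticated_allows(conf_text):
    """Return (line_no, rule) for every reachable 'http_access allow' rule
    that can match a request without proxy authentication."""
    auth_acls = set()   # names of ACLs of type proxy_auth
    gated = False       # True once 'http_access deny !<auth acl>' was seen
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()   # drop comments
        if len(words) < 3:
            continue
        if words[0] == "acl" and words[2] == "proxy_auth":
            auth_acls.add(words[1])
        elif words[0] == "http_access":
            action, acls = words[1], words[2:]
            if action == "deny" and acls == ["all"]:
                break                          # later rules are unreachable
            if (action == "deny" and len(acls) == 1
                    and acls[0][:1] == "!" and acls[0][1:] in auth_acls):
                gated = True                   # unauthenticated users stop here
            elif (action == "allow" and not gated
                    and not auth_acls.intersection(acls)):
                findings.append((line_no, " ".join(words)))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, unauthenticated_allows(conf) or "every allow rule requires authentication")
```

Rules it reports are not necessarily wrong (a local cache-manager rule, for example), but each one is a path into the proxy that bypasses the password file and should be reviewed.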
Remark: As far as I know it’s technically not possible to use this for a transparent proxy setup.