There are cases where you want to control the access to your proxy server. This could be via IP-restrictions and/or authentication via user name and password.

I recently configured my Squid to support user authentication. There are different options for authentication via authentication helpers:

  • LDAP: Authenticates against LDAP databases.
  • MSNT: Microsoft NT domain authentication.
  • NCSA: Authenticates against the same type of password file as many NCSA-compliant web servers (e.g. Apache htpasswd).
  • PAM: Authenticates against Pluggable Authentication Module (common Linux authentication).
  • SMB: Authenticates against an SMB server (e.g. Samba).
  • getpwnam: Authenticates using the Unix password or shadow password file.

Setup authentication

Edit squid.conf (usually at /etc/squid/squid.conf) and edit the auth_param part for basic authentication.

```
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/htpasswd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
```

  • `credentialsttl 2 hours`: Credentials are valid for 2 hours
  • `casesensitive off`: Username is not case-sensitive

If you’re uncertain about the path to the ncsa_auth helper, you can run `dpkg -L squid | grep ncsa_auth` on a Debian-based system or `rpm -ql squid | grep ncsa_auth` on an RPM-based system to find out where this helper is.

The password file is created via

```
# htpasswd -c <password file> username
```

or you can add another user with

```
# htpasswd <password file> username
```

To actually enable the authentication you have to add

```
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
```

to the ACL section of squid.conf, and restart Squid of course.

  • `acl ncsa_users proxy_auth REQUIRED`: All rules matching ncsa_users require authentication to the proxy
  • `http_access allow ncsa_users`: Allow proxy access only to users of ncsa_users group, which in fact means authenticated users.
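
Squid evaluates `http_access` rules from top to bottom and the first match wins, so where the two lines above land in the ACL section matters. The following check is an added example, not part of the original post or of Squid: it flags `allow` rules that sit in front of the first rule using a `proxy_auth` ACL. The `audit_auth` function and the `localnet` lines in the sample are assumptions made for illustration.

```python
# Constructed sample: the article's directives plus a hypothetical
# "localnet" rule placed in front of the authentication rule.
SAMPLE_CONF = """\
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/htpasswd
acl localnet src 192.168.0.0/16
acl ncsa_users proxy_auth REQUIRED
http_access allow localnet
http_access allow ncsa_users
"""


def audit_auth(conf_text):
    """Return a list of findings about how proxy authentication is enforced."""
    has_helper = False
    auth_acls = set()   # names of ACLs of type proxy_auth
    rules = []          # (action, [acl names]) in file order
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue    # blank line, comment, or directive we do not inspect
        if parts[:3] == ["auth_param", "basic", "program"]:
            has_helper = True
        elif parts[0] == "acl" and parts[2] == "proxy_auth":
            auth_acls.add(parts[1])
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))

    findings = []
    if not has_helper:
        findings.append("no 'auth_param basic program' helper configured")
    for action, acls in rules:
        # A rule naming a proxy_auth ACL (plain or negated with "!") is
        # the point from which requests need credentials.
        if {a.lstrip("!") for a in acls} & auth_acls:
            return findings
        if action == "allow":
            findings.append("'http_access allow %s' is evaluated before any "
                            "proxy_auth rule: matching clients never log in"
                            % " ".join(acls))
    findings.append("no http_access rule references a proxy_auth acl")
    return findings


if __name__ == "__main__":
    for finding in audit_auth(SAMPLE_CONF):
        print("WARN:", finding)
```

Run it against the real file with `audit_auth(open("/etc/squid/squid.conf").read())` before restarting Squid.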

Remark: As far as I know it’s technically not possible to use this for a transparent proxy setup.