In this post I will walk through the step-by-step configuration that allows authenticated access to the Squid service using usernames and passwords. We are going to use "ncsa_auth", which allows Squid to read and authenticate user and password information from an NCSA httpd-style password file when using basic HTTP authentication.
First let's make sure we have Squid installed:
# sudo yum install squid
We will need the "htpasswd" utility to create the password file and generate passwords. If you have Apache installed you should already have it; if not, try installing it using this command:
# sudo yum install httpd-tools
Now we are going to create a file to store passwords in and change its ownership so Squid can access it.
# sudo touch /etc/squid/passwd
# sudo chown squid /etc/squid/passwd
Suppose that "john" is our username for accessing the Squid proxy server. We will use this command to generate a password for that username. You will need to type the password and retype it again for confirmation.
The -d argument in this command forces "htpasswd" to use CRYPT encryption of the password. It looks like ncsa_auth in CentOS 6.4+ no longer accepts the md5 form of passwords, but I don't know why.
# sudo htpasswd -d /etc/squid/passwd john
New password:
Re-type new password:
Adding password for user john
To test whether the username and password will work with Squid, run the helper with this command and, on the following line, enter the username and password separated by a space. You should get an "OK". Otherwise there is a problem with your password or encryption type.
# /usr/lib64/squid/ncsa_auth /etc/squid/passwd
john pass
OK
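The helper check above only tests one user at a time. The script below, an added example that is not part of the original post, audits a whole password file: it classifies each entry's hash format (flagging anything other than the CRYPT form that htpasswd -d produces, since the post notes ncsa_auth on CentOS 6.4+ rejects the md5 form) and checks that the file is not world-readable. The sample file and its hash values are constructed for the demonstration, and the permission check assumes GNU stat as on CentOS.

```shell
#!/bin/sh
# Added example, not from the original post: audit a Squid NCSA password file.
# Flags entries that are not in traditional CRYPT form (the post notes that
# ncsa_auth on CentOS 6.4+ rejects the md5 form) and checks the file is not
# world-readable. The hashes in the sample below are constructed, not real.
# classify_hash HASH -> prints crypt | apr1-md5 | sha1 | bcrypt | unknown
classify_hash() {
    case "$1" in
        '$apr1$'*)                echo apr1-md5 ;;
        '{SHA}'*)                 echo sha1 ;;
        '$2y$'*|'$2a$'*|'$2b$'*)  echo bcrypt ;;
        *)
            # Traditional DES crypt: exactly 13 characters from [A-Za-z0-9./]
            if [ "${#1}" -eq 13 ] && [ -z "$(printf '%s' "$1" | tr -d '[:alnum:]./')" ]; then
                echo crypt
            else
                echo unknown
            fi ;;
    esac
}

# audit_passwd FILE -> prints "user<TAB>type" per entry; returns 0 only if
# every entry is CRYPT (i.e. usable by ncsa_auth as described in the post)
audit_passwd() {
    bad=0
    while IFS=: read -r user hash; do
        [ -n "$user" ] || continue            # skip blank lines
        kind=$(classify_hash "$hash")
        printf '%s\t%s\n' "$user" "$kind"
        [ "$kind" = crypt ] || bad=1
    done < "$1"
    return "$bad"
}

# check_perms FILE -> 0 if "other" has no read bit, 1 otherwise (GNU stat)
check_perms() {
    case "$(stat -c '%a' "$1")" in
        *[4567]) return 1 ;;
        *)       return 0 ;;
    esac
}

# Constructed sample: john uses CRYPT (htpasswd -d), alice an apr1 md5 hash
sample=$(mktemp)
printf 'john:abJnggxhB/yWI\nalice:$apr1$salt$constructedmd5hash0000000\n' > "$sample"
chmod 600 "$sample"
audit_passwd "$sample" || echo "WARNING: entries present that ncsa_auth may reject"
check_perms "$sample" || echo "WARNING: $sample is world-readable"
rm -f "$sample"
```

Run it against /etc/squid/passwd after any htpasswd change; a non-zero exit from audit_passwd points at the user whose entry the helper is likely to reject.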
Now open the Squid configuration file located at /etc/squid/squid.conf, add the following lines to the top of the file, and save it.
auth_param basic program /usr/lib64/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
auth_param basic program /usr/lib64/squid/ncsa_auth /etc/squid/passwd:
Specifies the location of the helper program and the Squid password file.
auth_param basic children 5:
The number of authenticator processes to spawn.
auth_param basic realm Squid proxy-caching web server:
Part of the text the user will see when prompted for their username and password.
auth_param basic credentialsttl 2 hours:
Specifies how long Squid assumes an externally validated username:password pair is valid for; in other words, how often the helper program is called for that user with a password prompt. It is set to 2 hours.
auth_param basic casesensitive off:
Specifies whether usernames are case sensitive. It can be on or off only.
acl ncsa_users proxy_auth REQUIRED:
The REQUIRED term means that any authenticated user will match the ACL named ncsa_users.
http_access allow ncsa_users:
Allows proxy access only if the user is successfully authenticated.
Now let's start Squid and also make sure it will be started the next time you reboot the server.
# sudo service squid restart
# chkconfig squid on
And now you can configure your browser or any client to use the proxy server using the username and password you have specified above.
You can update a user's password with the same command you used to create it.
To remove a username you need to open the password file (/etc/squid/passwd) and remove the line that represents the user. It looks something like this:
Remember to restart the Squid service after deleting the user line in the file.
In order to mask your IP address from the servers you connect to, you will need to add the following lines to the Squid configuration file and restart the service.
forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all
I'm Arash Milani, hacker & happiness ninja.
@narmand is our team's lab to experiment with awesome things in.
I write and talk about hacking, developing web apps, teamwork and designing for better user experience.
You can always contact me via me[at]arashmilani.com email address.