How to configure Squid basic authentication on CentOs 6.5 1393/05/10

In this post I will introduce the step by step configuration that allows for authenticated access to the Squid service using usernames and passwords. We are going to use "ncsa_auth" that allows Squid to read and authenticate user and password information from an NCSA httpd-style password file when using basic HTTP authentication.

First let's make sure we have Squid installed

# sudo yum install squid

We will need "htpasswd" utility to create passwords collection file and generate passwords. If you have apache installed then you should already have it if not try installing it using this command:

# sudo yum install httpd-tools

Now we are going to create a file to store passwords in it and change the ownership of it so Squid can access. 

# sudo touch /etc/squid/passwd
# sudo chown squid /etc/squid/passwd

Suppose that "john" is our username for accessing the Squid proxy server, we will use this command to generate password for that username. You will need to type the password and retype it again for confirmation.
the -d argument in this command will force the "htpasswd" to use CRYPT encryption of the password; Looks like ncsa_auth in CentOS 6.4+ no longer accepts the md5 form of passwords anymore but I don't know why.

# sudo htpasswd -d /etc/squid/passwd john
New password:
Re-type new password:
Adding password for user john

To test if the username and password will work with Squid you can type this command and in the following file enter the username and password seprated by space. You should get a "OK". Otherwise there is a problem with your password or encryption type.

# /usr/lib64/squid/ncsa_auth /etc/squid/passwd
john pass
OK

Now open the Squid configuration file located in /etc/squid/squid.conf and add following lines to the top of file. and save it.

auth_param basic program /usr/lib64/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd:
Specify squid password file and helper program location

auth_param basic children 5:
The number of authenticator processes to spawn.

auth_param basic realm Squid proxy-caching web server:
Part of the text the user will see when prompted their username and password

auth_param basic credentialsttl 2 hours:
Specifies how long squid assumes an externally validated username:password pair is valid for - in other words how often the helper program is called for that user with password prompt. It is set to 2 hours.

auth_param basic casesensitive off:
Specifies if usernames are case sensitive. It can be on or off onlyacl ncsa_users

proxy_auth REQUIRED:
The REQURIED term means that any authenticated user will match the ACL named ncsa_users

http_access allow ncsa_users:
Allow proxy access only if user is successfully authenticated.

Now lets start the squid and also make sure it will be started next time you reboot the server. 

# sudo service squid restart
# chkconfig squid on

And now you can configure your browser or any client to use the proxy server using the username and password you have specified above. 

You can always update user password the same command that you used to created a password. 
To remove a username you need to open the password file (/etc/squid/passwd) and remove the line that represent the user. it's something like this:

john:ehHDxD10B5KAu

Remember to restart the Squid service after deleting the user line in the file.

Anonymizing Traffic

In order to mask your IP address from servers you connect to, you will need to add the following lines to the Squid configuration file and restart the service.

forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all

Comments

Amarnath — 2015-09-28
Thanks a lot. It helped me setting up basic authentication with ease.
Dan — 2015-10-08
Thanks a lot for the comprehensive guide.
I was stuck at, the command
/usr/lib64/squid/ncsa_auth /etc/squid/squid_passwd
dose not give any output. I think it means squid can not get the authentication info. But I have no idea what to do next.

Could you please tell what's wrong with this.
Any help will be highly appreciated!
jmc — 2015-10-20
Should the 1st quid_passwd to be just passwd on your list?

sudo htpasswd -d /etc/squid/squid_passwd john
/usr/lib64/squid/ncsa_auth /etc/squid/passwd
Arash Milani — 2016-06-06
@jmc Yeah you were right. I changed that line so the post now has the right commands.

Any thoughts? Please leave a reply

I'll use your email to show your picture using gravatar. I hate spam too.
Back to home

I'm Arash Milani, hacker & happiness ninja.
@narmand is our teams's lab to experiment awesome things in it.

I write and talk about hacking, developing web apps, teamwork and designing for better user experience.

You can always contact me via me[at]arashmilani.com email address.