NEW: as of July 1st, 2001 you can hire me for Squid related consultancy via my company Madison Gurkha.
The proxy_auth code has been improved in Squid 2.X, please refer to the comments in the Squid 2.X squid.conf file for instructions on how to use it. These pages are currently a little out-of-date.
With the patch applied you can do things like:
authenticate_program /usr/local/squid/bin/ncsa_auth authenticate_options /usr/local/squid/etc/passwd authenticate_children 5 acl our_lan src x.x.x.x/24 acl isp_dialin_pool src x.x.x.x/24 acl passwd proxy_auth http_access allow our_lan http_access allow isp_dialin_pool passwd http_access deny allThis gives proxy access to people from our_lan without a password and also from an ISP's dialin pool if a username/password combination is used. All others are denied.
acl password proxy_auth acl netherlands dstdomain nl http_access allow netherlands http_access allow password http_access deny allPages within the *.nl domain can be reached without authentication, all other pages require a valid username/password combination.
acl aclname proxy_auth [ timeout ]timeout is the optional timeout for username/password caching (default = 3600 secs). A correct username/password is cached by Squid until reconfigure, shutdown (of course :-), a failed proxy authentication or the timeout period.
authenticate_program program_name authenticate_options program_options authenticate_children numberprogram_name should be an authentication program. It can be given up to 32 program_options. number is the number of authentication processes to run (maximum is 32).
To tune the number of authenticate_children, use the cachemgr.cgi CGI script and see how many authentication processes get used. If all get used, increase authenticate_children until you have some unused authentication processes.
On STDIN it receives lines containing
usernamemust be non-empty and contain no spaces. The username is followed by exactly one space character. The space character is followed by
cleartextpasswordwhich is the password in clear text (not encrypted) and which can be empty.
On STDOUT it must output lines which start with one of these keywords:
OK ERROK should be given in case the username/password combination was correct. ERR should be give in case the username/password combination was incorrect or when the correctness could not be determined (due to, e.g., a timeout).
Note: make sure the program flushes STDOUT after every write! In Perl this can be accomplished by using '$| = 1;' at the start of the program.
ncsa_auth passwd_filepasswd_file is an NCSA/Apache-style file of passwords for authenticated proxy access. Each line contains a user:password combination, with the password being standard crypt() format. It should be readable by the userid the ncsa_auth program is running as.
To use it from Squid add
authenticate_program /usr/local/squid/bin/ncsa_auth authenticate_options /usr/local/squid/etc/passwd authenticate_children 5to squid.conf and some appropriate acl and http_access rules.
Note: newer versions of ncsa_auth support password files with comment lines (starting with '#'), empty or blank lines, and extra fields after the usercode and password fields separated by colons (':', i.e. a normal Unix password file).
Apply the patch in the following way:
tar zxf squid-1.2.XX-src.tar.gz cd squid-1.2.XX patch -p1 -l < /tmp/patchfileIf any *.rej files show up, try to merge the changes described in those files manually.
If you apply the patch to an already unpacked and compiled source tree, please run the 'configure' script again.
If you wrote an authentication program usable with this proxy_auth patch yourself, please send me the URL and I'll add it to the list. If you do not have a place to publish it, I can store it for you in my contrib directory.
sed \ -e 's/redirector/authenticator/g' \ -e 's/Redirector/Authenticator/g' \ -e 's/REDIRECT/AUTHENTICATE/g' \ -e 's/Redirect/Authenticate/g' \ -e 's/redirect/authenticate/g'and some extra code.
http_access allow my_users special_sites passwords