Squid ACL Proxy Authentication (obsoleted)

Last update: 1998/03/08 22:28h CET

1. Introduction
2. Syntax
3. Patches for various Squid versions
4. Pointers
5. Notes
6. Thanks to...

1. Introduction

This ACL Proxy Authentication patch implements proxy authentication as a normal ACL. It is a generalization of the original proxy_auth code provided by Jon Thackray <jrmt@uk.gdscorp.com> on which it is based.

With the patch applied you can do things like:

acl our_lan src x.x.x.x/24
acl isp_dialin_pool src x.x.x.x/24
acl passwd proxy_auth /usr/local/squid/etc/passwd

http_access allow our_lan
http_access allow isp_dialin_pool passwd
http_access deny  all

This gives proxy access to people from our lan without a password and also from an ISP's dialin pool if a usercode/password combination is used.

Other example:

acl password proxy_auth /usr/local/etc/passwd
acl netherlands dstdomain nl
http_access allow netherlands
http_access allow !netherlands password
http_access deny  all

Pages within the *.nl domain can be reached without authentication, all other pages require a valid usercode/password combination.

2. Syntax

	acl aclname proxy_auth passwd_file [ refresh ]

'passwd_file' is an Apache-style file of passwords for authenticated proxy access. Each line contains a user:password combination, with the password being standard crypt() format. 'refresh' is the time in seconds between checks for changes in the file (default = 300 secs).

3. Patches for various Squid versions

The patch is available for the following versions of Squid. For more details about the different versions of the patches and the fixes they contain, read the ChangeLog file. If the patch is not yet available for a newer version of Squid, please try the most recent patch first. Patches are in unified diff format so use a recent version of patch.

The patch has already been included in Squid 1.2 (beta).

4. Pointers

Andrew Leahy has a modified version of this patch so that it can authenticate against a Digital Unix Enhanced Security (local or NIS) database. Contact him for more details.

5. Notes

When using a proxy_auth ACL in an ACL list, make sure it is the last one in the list and the only proxy_auth type ACL in the list:
```
	http_access allow my_users special_sites passwords
    
```
When a Proxy-Authentication header is sent but it is not needed during ACL checking, the username is NOT logged in access.log.
proxy_auth support is not compiled into Squid by default. To use this feature you must enable the USE_PROXY_AUTH option near the top of src/Makefile. I believe we can remove the #ifdef's when this patch gets integrated into the official Squid release because proxy authentication can now be turned off by not using proxy_auth type ACL's.

6. Thanks to...

Thanks to the following people for suggestions, patches and/or remarks:

Chris Pascoe
David Richards
Chris Tilbury
David Luyer

Last modified: 1998/03/08 22:28h CET, Arjan de Vet, Arjan.deVet@adv.IAEhv.nl