Proxy Authentication With Squid

This document discusses proxy authentication with Squid. It provides an overview of WWW and proxy authentication, how proxy authentication works in Squid using external authenticator modules like LDAP, and how to configure Squid to use proxy authentication for end users including adding user entries to the directory and testing the authentication.
Copyright
© Attribution Non-Commercial (BY-NC)

Proxy Authentication with Squid

Agenda
- WWW/proxy authentication primer
- Proxy authentication in Squid
- Practical session:
  - configuring Squid to use proxy authentication for end users
  - using the LDAP authenticator module

WWW/Proxy Authentication Primer...
- Two fundamental types
  - WWW:
    - end-to-end
    - authorization for accessing web resources (realms) defined by URI(s)
  - proxy
    - hop-by-hop
    - authorization to use a proxy service that will fetch the URI(s) requested by the user agent

...WWW/Proxy Authentication Primer
- Two authentication schemes
  - Basic
    - simple
    - implemented by all HTTP clients/servers/proxies
    - offers no security (passwords are sent in "clear-text")
  - Digest
    - implemented by few HTTP clients/servers/proxies only
    - offers better security than the Basic scheme (passwords are protected (not encrypted!))
- More information: RFC2617 (and 2616)

WWW Authentication

Step 1. User requests a page

    GET /protected/ HTTP/1.1
    Host: www.sztaki.hu
    ...

Step 2. Server asks UA to authenticate

    HTTP/1.1 401 Authorization Required
    WWW-Authenticate: Basic realm="Protected web"
    ...

Step 3. UA sends authentication credentials

    GET /protected/ HTTP/1.1
    Host: www.sztaki.hu
    Authorization: Basic dXNlcjpwYXNzd29yZA==
    ...

Step 4. Authentication accepted and page sent

    HTTP/1.1 200 OK
    Date: Tue, 15 Feb 2000 16:41:04 GMT
    Server: Apache/1.3.9 (Unix)
    ...

Proxy Authentication...

Step 1. User requests a page through a proxy

    GET http://www.terena.nl/ HTTP/1.0
    ...

Step 2. Proxy asks UA to authenticate

    HTTP/1.0 407 Proxy Authentication Required
    Proxy-Authenticate: Basic realm="Squid proxy"
    ...

Step 3. UA sends proxy authentication credentials

    GET http://www.terena.nl/ HTTP/1.0
    Proxy-Authorization: Basic YmVydG9sZDp0ZXN6dA==
    ...

Step 4. Proxy accepts authentication and requests the page from the server

    GET / HTTP/1.0
    Via: 1.0 cache.iif.hu:3128 (Squid/2.4.DEVEL2)
    ...

...Proxy Authentication

Step 5. Server sends the requested page

    HTTP/1.1 200 OK
    Date: Tue, 11 Feb 2000 18:41:04 GMT
    Server: Apache/1.3.9 (Unix)
    ...

Step 6. Proxy passes the result back to the UA

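The proxy's side of steps 2 to 4, as an added example that is not part of the original slides and is not Squid's code: it decodes the Basic credentials (plain base64, readable by anyone on the path), answers 407 when they are missing or wrong, and strips the hop-by-hop Proxy-Authorization header before forwarding. The USERS table and all function names are assumptions made for illustration.

```python
import base64
import hmac
from urllib.parse import urlsplit

USERS = {"bertold": "teszt"}  # constructed store; matches the slide's sample header
VIA = "1.0 cache.iif.hu:3128 (Squid/2.4.DEVEL2)"  # Via value shown in step 4
CHALLENGE = ("HTTP/1.0 407 Proxy Authentication Required\r\n"
             'Proxy-Authenticate: Basic realm="Squid proxy"\r\n\r\n')
SAMPLE = ("GET http://www.terena.nl/ HTTP/1.0\r\n"  # step 3 request from the slide
          "Proxy-Authorization: Basic YmVydG9sZDp0ZXN6dA==\r\n\r\n")

def parse_request(raw):
    """Split a raw request head into (method, target, version, header list)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = [tuple(p.strip() for p in ln.split(":", 1)) for ln in lines[1:] if ":" in ln]
    return method, target, version, headers

def decode_basic(value):
    """Return (user, password) from 'Basic <base64>', or None if malformed."""
    scheme, _, token = value.partition(" ")
    try:
        text = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = text.partition(":")
    return (user, password) if scheme.lower() == "basic" and sep else None

def check(creds):
    """Constant-time password comparison against the example user table."""
    expected = USERS.get(creds[0]) if creds else None
    return expected is not None and hmac.compare_digest(expected.encode(), creds[1].encode())

def proxy_handle(raw):
    """Return ('challenge', 407 response) or ('forward', request for the origin server)."""
    method, target, version, headers = parse_request(raw)
    creds = None
    for name, value in headers:
        if name.lower() == "proxy-authorization":
            creds = decode_basic(value)
    if not check(creds):
        return "challenge", CHALLENGE
    url = urlsplit(target)
    path = (url.path or "/") + ("?" + url.query if url.query else "")
    # Proxy-Authorization is hop-by-hop: it must not reach the origin server.
    kept = [(n, v) for n, v in headers if n.lower() != "proxy-authorization"]
    kept.append(("Via", VIA))
    lines = [f"{method} {path} {version}"] + [f"{n}: {v}" for n, v in kept]
    return "forward", "\r\n".join(lines) + "\r\n\r\n"
```
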
Proxy Authentication in Squid
- only Basic authentication scheme supported
  - end-users: ACL rules
  - peer cache: parameter in the cache_peer line
- external authenticator modules shipped with Squid:
  - LDAP-based
  - NT domain based
  - NCSA httpd style password file
  - PAM module
  - getpwnam() based

Module Installation
- change directory to src/auth_modules/LDAP
- edit squid_ldap_auth.c
  - change SEARCHBASE to:

        #define SEARCHBASE "ou=proxyauth,dc=sztaki,dc=hu"

  - add the following lines below SEARCHBASE:

        #undef LDAP_PORT
        #define LDAP_PORT 1389

- type make
- type make install

End-user Proxy Authentication...
- add the following lines to the appropriate section in squid.conf:

    authenticate_program <path>/squid_ldap_auth n0.hpcc.sztaki.hu
    acl myusers proxy_auth REQUIRED
    http_access allow myusers

...End-user Proxy Authentication
- examine the following options in squid.conf as well:
  - authenticate_children
  - authenticate_ttl
  - authenticate_ip_ttl

Adding an entry to the directory
- create LDIF file (authentry.ldif) containing:

    dn: uid=username,ou=proxyauth,dc=sztaki,dc=hu
    userpassword: password
    objectclass: cacheuser

- use the below command to add this entry to the directory:

    ldapadd -D 'cn=manager,ou=proxyauth,dc=sztaki,dc=hu' -w 'd2cache' -f authentry.ldif

Testing
- Start Squid
- When prompted, use the configured username/password
- Examine Squid logs!
