38.4. Squid Authentication

Now that we know how to set up our cache and allow (and deny) access to it, the next step is to consider authentication. The major advantages of requiring authentication to your cache are logging and access restriction. With authentication required, every HTTP request from every user is logged with a timestamp and the username, so you can easily run a report on the logfile to find out which web sites users are visiting. Squid supports many kinds of external authentication (similar to Apache): you can have Squid authenticate against your LDAP server, your RADIUS server, or your Microsoft Windows Active Directory server. For our purposes, we're going to demonstrate how to configure Squid to authenticate against a standard Apache authentication file created with the htpasswd program.

First, you must ensure that the ncsa_auth helper came with your version of Squid (in Squid 3.2 and later the same helper is shipped as basic_ncsa_auth). If you have a binary package from your vendor, ncsa_auth is probably in either /usr/sbin or /usr/lib/squid. If you compiled Squid from source, you have to go back to the Squid source tree and follow these steps:

 # cd auth_modules/NCSA
 # make
 # make install

The next step is to create an authentication file with the htpasswd program. We already have htpasswd on our system at /opt/apache/bin/htpasswd from our Apache install, so we can run this command:

 # /opt/apache/bin/htpasswd -c /opt/squidusers.htpasswd demouser 

Enter the password twice for demouser and we have our authentication file. (The -c flag creates the file, overwriting any existing one, so omit it when adding further users. The helper runs as Squid's effective user, so that user must be able to read the file; nobody else needs to.) Now we configure Squid to require all users to authenticate against this file. First we add these two lines to squid.conf:

 auth_param basic program /usr/sbin/ncsa_auth /opt/squidusers.htpasswd
 acl passwd proxy_auth REQUIRED

The auth_param line names the external program Squid will run to check credentials against our password file; Squid hands it a username and password and the helper answers OK or ERR. The acl line creates an ACL called passwd that matches any request carrying credentials the helper accepts (REQUIRED means any valid user, rather than a listed set of usernames). Finally, we modify our http_access line to look like this:

 http_access allow intranet passwd 

This allows a request only when it matches both ACLs: it must come from the intranet and it must carry valid credentials. Because the proxy_auth ACL can only be satisfied by prompting for credentials, the order matters; if an earlier http_access allow line already matches the request, Squid never asks for a password. After restarting Squid, we try to go to www.google.com and we get a username and password dialog box. If we are unable to authenticate here, we'll see a screen that looks like Figure 38-5.

Figure 38-5. Access denied by Squid on user/password basis
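To show what the helper side of this configuration actually does, here is a minimal Squid basic-auth helper in Python. It is an added example, not Squid's own ncsa_auth, and it assumes the password file was written with htpasswd -s (the {SHA} scheme), an install path of /usr/local/bin/sha_auth.py, and a constructed sample file; nothing here comes from the book. It speaks the same stdin/stdout exchange Squid uses with ncsa_auth: one "username password" line in, one OK or ERR line out.

```python
#!/usr/bin/env python3
"""Minimal Squid basic-auth helper (added example, not Squid's own ncsa_auth).

Squid runs the program named in `auth_param basic program`, writes one
"username password" line per authentication attempt to its stdin, and
reads one "OK" or "ERR" line per attempt from its stdout.  This helper
answers those requests from an htpasswd file whose entries use the {SHA}
scheme produced by `htpasswd -s`.
"""
import base64
import hashlib
import hmac
import sys
from typing import Dict, Iterable, Iterator

# Constructed sample, equivalent to the output of
#   htpasswd -s -c /opt/squidusers.htpasswd demouser
# with the password "secret".  The second entry is a placeholder in a
# scheme this helper does not implement; it must never authenticate.
SAMPLE_HTPASSWD = """\
# squid users
demouser:{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
olduser:$apr1$saltsalt$notARealApr1HashXXXXXX
"""


def load_htpasswd(text: str) -> Dict[str, str]:
    """Map username -> stored hash; blank lines and # comments are skipped."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        users[user] = stored
    return users


def check_password(stored: str, password: str) -> bool:
    """Verify a cleartext password against one htpasswd entry.

    Only the {SHA} scheme is implemented; any other scheme (crypt, $apr1$,
    bcrypt) is rejected rather than guessed at, so an entry the helper
    cannot verify can never be used to log in.
    """
    if not stored.startswith("{SHA}"):
        return False
    expected = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    # Constant-time compare: every proxy client can drive this code path.
    return hmac.compare_digest(stored[len("{SHA}"):], expected)


def authenticate(users: Dict[str, str], user: str, password: str) -> bool:
    stored = users.get(user)
    return stored is not None and check_password(stored, password)


def helper_loop(users: Dict[str, str], lines: Iterable[str]) -> Iterator[str]:
    """Speak the basic helper protocol: one 'user password' in, one OK/ERR out."""
    for line in lines:
        parts = line.rstrip("\n").split(" ", 1)
        if len(parts) != 2:
            yield "ERR"  # malformed request: fail closed
            continue
        yield "OK" if authenticate(users, parts[0], parts[1]) else "ERR"


if __name__ == "__main__":
    # Assumed squid.conf line:
    #   auth_param basic program /usr/local/bin/sha_auth.py /opt/squidusers.htpasswd
    with open(sys.argv[1]) as fh:
        table = load_htpasswd(fh.read())
    for answer in helper_loop(table, sys.stdin):
        print(answer, flush=True)  # flush: Squid blocks waiting for each reply
```

The real helper accepts the same exchange, so `echo "demouser secret" | /usr/sbin/ncsa_auth /opt/squidusers.htpasswd` is a quick way to confirm the password file works before restarting Squid. Note that newer Squid releases URL-encode the fields they send to helpers; a production helper would decode them before comparing.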


Once we successfully authenticate, we don't need to reauthenticate until we restart our web browser: the browser resends the same credentials in the Proxy-Authorization header with every request, and Squid caches the helper's verdict for the auth_param basic credentialsttl period (two hours by default) rather than running the helper each time. The Squid access.log file now has a line that looks like this:

 1136492351.742    162 192.168.1.33 TCP_MISS/200 1642 GET http://www.google.com/ demouser DIRECT/64.233.167.147 text/html 

As you can see, the username demouser is now logged with every request. Reading the native log format left to right, the fields are the timestamp, elapsed milliseconds, client address, result code and HTTP status, bytes sent, method, URL, username, how the object was fetched, and content type; requests that were not authenticated show a - in the username field. Bear in mind that HTTP Basic authentication sends the username and password base64-encoded, not encrypted, in the Proxy-Authorization header of every request, so anyone who can sniff traffic between the browser and the proxy can recover them.
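The per-user report the section mentions, as an added example rather than anything from the book: this parses native-format access.log lines, counts sites per username (skipping the 407 challenge lines Squid logs before the browser sends credentials), and flags successful requests with no username, which would indicate an http_access rule that let a client through without satisfying the passwd ACL. The log lines are constructed apart from the one quoted on the page, and the example.com entries are sample data.

```python
#!/usr/bin/env python3
"""Per-user site report from Squid's native access.log (added example).

Native log fields, whitespace-separated:
  timestamp elapsed client code/status bytes method URL user peer/host type
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional
from urllib.parse import urlsplit

# Constructed sample log: the first line is the one quoted in the text,
# the rest are made up to exercise each case the report handles.
SAMPLE_LOG = """\
1136492350.901      3 192.168.1.33 TCP_DENIED/407 1780 GET http://www.google.com/ - NONE/- text/html
1136492351.742    162 192.168.1.33 TCP_MISS/200 1642 GET http://www.google.com/ demouser DIRECT/64.233.167.147 text/html
1136492360.118     88 192.168.1.33 TCP_HIT/200 5210 GET http://www.google.com/images/logo.gif demouser NONE/- image/gif
1136492375.004    412 192.168.1.40 TCP_MISS/200 23810 GET http://www.example.com/index.html alice DIRECT/93.184.216.34 text/html
1136492380.555   1203 192.168.1.40 TCP_MISS/200 931 CONNECT mail.example.com:443 alice DIRECT/93.184.216.35 -
1136492390.000     50 192.168.1.50 TCP_MISS/200 512 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
this line is truncated and must be skipped
"""


class Entry(NamedTuple):
    ts: float
    client: str
    status: int
    size: int
    method: str
    url: str
    user: Optional[str]  # None when Squid logged "-" (no credentials)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line; return None for anything malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    try:
        status = int(fields[3].split("/", 1)[1])
        return Entry(
            ts=float(fields[0]),
            client=fields[2],
            status=status,
            size=int(fields[4]),
            method=fields[5],
            url=fields[6],
            user=None if fields[7] == "-" else fields[7],
        )
    except (ValueError, IndexError):
        return None


def parse_log(lines: Iterable[str]) -> List[Entry]:
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def site_of(url: str) -> str:
    """Host part of the URL; CONNECT requests log bare 'host:port'."""
    if "://" in url:
        return urlsplit(url).hostname or url
    return url.split(":", 1)[0]


def per_user_sites(entries: Iterable[Entry]) -> Dict[str, Dict[str, int]]:
    """Requests per site for each user; unauthenticated requests land under '-'."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for e in entries:
        if e.status == 407:  # Proxy-Authentication challenge, not an access
            continue
        counts[e.user or "-"][site_of(e.url)] += 1
    return {user: dict(sites) for user, sites in counts.items()}


def unauthenticated_successes(entries: Iterable[Entry]) -> List[Entry]:
    """Requests served (2xx/3xx) with no username: the passwd ACL was bypassed."""
    return [e for e in entries if e.user is None and 200 <= e.status < 400]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG.splitlines())
    for user, sites in sorted(per_user_sites(entries).items()):
        for site, n in sorted(sites.items(), key=lambda kv: -kv[1]):
            print(f"{user:<10} {n:>5}  {site}")
    for e in unauthenticated_successes(entries):
        print(f"WARNING: unauthenticated {e.method} {e.url} from {e.client} got {e.status}")
```

Against a real log, run it as `python3 squid_report.py < /var/log/squid/access.log` after changing the main block to read sys.stdin; the warning output is the line to watch when every client is supposed to be forced through the passwd ACL.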




LPI Linux Certification in a Nutshell (In a Nutshell, O'Reilly), ISBN 0596005288, 2004, 257 pages.
