auth_param
| < Day Day Up > |
| auth_param |
The auth_param directive controls almost every aspect of Squid's external user authentication interface. Squid currently supports three authentication schemes: Basic, Digest, and NTLM. Basic authentication support is compiled by default. For the others, you must use the enable-auth option with ./configure .
Since the auth_param directive is very complex, I'm presenting it here as a separate directive for each combination of parameters.
| Syntax | See the following subsections |
| Default | See the following subsections |
| Example | See the following subsections |
| Related | authenticate_cache_garbage_interval , authenticate_ttl , authenticate_ip_ttl |
auth_param basic program
The command for the HTTP Basic authentication helper. You need to specify the full pathname to the program, plus any command-line options.
| Syntax | auth_param basic program command ... |
| Default | No default |
| Example | auth_param basic program /usr/local/squid/libexec/ncsa_auth /usr/local/squid/etc/ ncsa_passwd |
| Related | auth_param basic children , auth_param basic realm , auth_param basic credentialsttl |
auth_param basic children
This is the number of Basic authentication helper processes Squid uses.
| Syntax | auth_param basic children count |
| Default | auth_param basic children 5 |
| Example | auth_param basic children 10 |
| Related | auth_param basic program , auth_param basic realm , auth_param basic credentialsttl |
auth_param basic realm
This is the Basic authentication realm Squid sends in 407 (Proxy Authentication Required) responses. User agents typically display the realm string to the user when requesting a username and password. Refer to RFC 2617, Section 2.
| Syntax | auth_param basic realm string |
| Default | No default |
| Example | auth_param basic realm Squid proxy-caching web server |
| Related | auth_param basic program , auth_param basic children , auth_param basic credentialsttl |
auth_param basic credentialsttl
To reduce load on the external authentication processes, Squid caches successful answers for this amount of time. In other words, once a user is authenticated, Squid doesn't query the helper program again until this TTL expires . If you change the external database (e.g., password file), Squid may not notice the change until the cached credentials time out.
| Syntax | auth_param basic credentialsttl time-specification |
| Default | auth_param basic credentialsttl 5 minutes |
| Example | auth_param basic credentialsttl 15 minutes |
| Related | auth_param basic program , auth_param basic children , auth_param basic realm |
auth_param digest program
As with Basic authentication, this specifies the command to execute for the external Digest authentication program.
| Syntax | auth_param digest program command ... |
| Default | No default |
| Example | auth_param digest program /usr/local/squid/libexec/digest_auth /usr/local/squid/etc/ digest_passwd |
| Related | auth_param digest children , auth_param digest realm , auth_param digest nonce_garbage_interval , auth_param digest nonce_max_duration , auth_param digest nonce_max_count |
auth_param digest children
This is the number of Digest authentication helper processes that Squid uses.
| Syntax | auth_param digest children count |
| Default | auth_param digest children 5 |
| Example | auth_param digest children 11 |
| Related | auth_param digest program , auth_param digest realm , auth_param digest nonce_garbage_interval , auth_param digest nonce_max_duration , auth_param digest nonce_max_count |
auth_param digest realm
This is the Digest authentication realm that Squid sends in 407 (Proxy Authentication Required) responses. User agents typically display the realm string to the user when requesting a username and password. Refer to RFC 2617, Section 3.2.1.
| Syntax | auth_param digest realm string |
| Default | No default |
| Example | auth_param digest realm Squid proxy-caching web server |
| Related | auth_param digest program , auth_param digest children , auth_param digest nonce_garbage_interval , auth_param digest nonce_max_duration , auth_param digest nonce_max_count |
auth_param digest nonce_garbage_interval
As I explained in Section 12.3, a nonce is a special string of data that changes from time to time. Its purpose is to prevent replay attacks with captured digest authentication data.
Squid maintains a cache of nonce values it has sent to clients requiring authentication. This cache must be pruned occasionally because nonce strings expire. This directive specifies how often Squid executes the garbage collection procedure for the nonce cache.
If Squid is very busy, you may want to clean the nonce cache more frequently to reduce the amount of time spent in the garbage collection function each time it runs.
| Syntax | auth_param digest nonce_garbage_interval time-specification |
| Default | auth_param digest nonce_garbage_interval 5 minutes |
| Example | auth_param digest nonce_garbage_interval 5 minutes |
| Related | auth_param digest program , auth_param digest children , auth_param digest realm , auth_param digest nonce_max_duration , auth_param digest nonce_max_count |
auth_param digest nonce_max_duration
This directive specifies how long a Digest nonce value remains valid. It is similar to the credentialsttl directive for Basic authentication.
If an attacker captures the client's digest authentication headers from an HTTP request, a simple replay attack provides authenticated access to Squid until the nonce value times out or until the maximum usage count is reached. Decrease this value to reduce that risk.
| Syntax | auth_param digest nonce_max_duration time-specification |
| Default | auth_param digest nonce_max_duration 5 minutes |
| Example | auth_param digest nonce_max_duration 30 minutes |
| Related | auth_param digest program , auth_param digest children , auth_param digest realm , auth_param digest nonce_garbage_interval , auth_param digest nonce_max_count , auth_param basic credentialsttl |
auth_param digest nonce_max_count
This directive specifies a limit on the number of requests for a Digest nonce value. If a client issues this many requests with the same nonce value, Squid invalidates it and causes a new one to be generated. See Section 4.3 of RFC 2617.
| Syntax | auth_param digest nonce_max_count count |
| Default | auth_param digest nonce_max_count 50 |
| Example | auth_param digest nonce_max_count 50 |
| Related | auth_param digest program , auth_param digest children , auth_param digest realm , auth_param digest nonce_garbage_interval , auth_param digest nonce_max_duration |
auth_param ntlm program
This directive specifies the command, including options, to execute for the external NTLM authentication program.
| Syntax | auth_param ntlm program command |
| Default | No default |
| Example | auth_param ntlm program /usr/local/squid/libexec/ntlm_auth /usr/local/ squid/etc/ntlm_db |
| Related | auth_param ntlm children , auth_param ntlm max_challenge_reuses , auth_param ntlm max_challenge_lifetime |
auth_param ntlm children
Specifies the number of NTLM authentication helper process that Squid uses.
| Syntax | auth_param ntlm children count |
| Default | auth_param ntlm children 5 |
| Example | auth_param ntlm children 14 |
| Related | auth_param ntlm program , auth_param ntlm max_challenge_reuses , auth_param ntlm max_challenge_lifetime |
auth_param ntlm max_challenge_reuses
In Squid's NTLM implementation, the NTLM challenge token comes from the external helper process, rather than Squid itself. Each helper process generates its own challenge token. This directive specifies how many times each token may be reused. By default, the tokens are never reused. Challenge reuse is also subject to the max_challenge_lifetime restriction.
| Syntax | auth_param ntlm max_challenge_reuses count |
| Default | auth_param ntlm max_challenge_reuses 0 |
| Example | auth_param ntlm max_challenge_reuses 5 |
| Related | auth_param ntlm program , auth_param ntlm children , auth_param ntlm max_challenge_lifetime |
auth_param ntlm max_challenge_lifetime
This directive also controls whether the external NTML helper processes can reuse their challenge tokens. It specifies the maximum amount of time a single challenge can be used.
| Syntax | auth_param ntlm max_challenge_lifetime time-specification |
| Default | auth_param ntlm max_challenge_lifetime 1 minute |
| Example | auth_param ntlm max_challenge_lifetime 2 minutes |
| Related | auth_param ntlm program , auth_param ntlm children , auth_param ntlm max_challenge_reuses |
| < Day Day Up > |
EAN: 2147483647
Pages: 401