Authenticating Squid
Squid provides the mechanism to require users to sign on before it will start proxying for them.
In the libexec directory (on my FreeBSD system, /usr/local/libexec/squid) are a number of authentication scripts. Here is a list of some in mine.
ncsa_auth smb_auth squid_dbpg_auth
digest_pw_auth logfile-daemon ntlm_auth
smb_auth.sh squid_kerb_auth yp_auth
msnt_auth pam_auth squid_db_auth
As I'm using Dovecot and Postfix.admin, I want to use the same password for the proxy that I use for my mail system.
System Components
- PostgreSQL
- Postfix.admin
- Dovecot
- Squid
The mail system is up and running, so the tables with the user names and passwords are available.
The squid system does not need to update, delete or add any records – it is simply going to pass a user name and a password and see if these match.
The squid_db_auth File
There is a predefined file for using a database to authenticate. This is a good place to start. Rather than modify the built-in file, I copied it to squid_dbpg_auth and made changes to this.
The Dovecot Password
Dovecot provides the mail services (IMAP) so any password checking needs to be done using the same method. This meant I needed to add a function to transform the password into the same format as Dovecot.
Thankfully a bit of google-fu dug up a useful function written by William K. Cole. Thanks, William!
I was able to add his function into the squid_dbpg_auth script and it ran flawlessly. William's code is marked in blue and the extra line in the password checking function is also marked in blue.
You will need to complete the settings at the top, marked in red, to point to the correct database and set up the user and password settings.
Click to see the squid_dbpg_auth script.
Activating the authentication in Squid
In order to tell Squid to use this method, the following lines need to be added to squid.conf.
#
# PostgreSQL authentication.
#
auth_param basic program /usr/local/libexec/squid/squid_dbpg_auth
auth_param basic children 5
auth_param basic realm Home Squid postgres proxy-caching web server
auth_param basic credentialsttl 300 minutes
auth_param basic casesensitive off
Next time you attach to Squid, it will pop up a dialog requesting your user name and password. These will be the same as for your mail system.
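The helper protocol that a script named in "auth_param basic program" speaks, as an added example that is not the squid_dbpg_auth script or William Cole's function: Squid writes one URL-encoded "username password" line per request and waits for OK or ERR. The {SSHA256} scheme, the sample mailbox and the dictionary standing in for the PostgreSQL lookup are assumptions, since the page does not show which scheme its mail tables use.

```python
import base64, hashlib, hmac, sys
from urllib.parse import unquote

# Constructed sample row standing in for the mail database lookup.
# The mailbox, password and "{SSHA256}" scheme are assumptions for this example.
_SALT = b"\x01\x02\x03\x04"
SAMPLE_USERS = {
    "alice@example.org": "{SSHA256}" + base64.b64encode(
        hashlib.sha256(b"correct horse" + _SALT).digest() + _SALT).decode(),
}

def verify_ssha256(stored, password):
    """Check a password against a Dovecot-style {SSHA256} value:
    base64(SHA256(password + salt) + salt)."""
    if not stored.startswith("{SSHA256}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA256}"):], validate=True)
    except ValueError:  # malformed base64 in the stored value
        return False
    digest, salt = raw[:32], raw[32:]
    candidate = hashlib.sha256(password.encode() + salt).digest()
    return hmac.compare_digest(digest, candidate)  # constant-time compare

def answer(line, lookup=SAMPLE_USERS.get):
    """Return the helper's reply for one 'username password' request line."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 2:
        return "ERR"
    # Squid URL-encodes both fields, so a space in a password arrives as %20.
    user, password = (unquote(p) for p in parts)
    # The config above sets 'casesensitive off'; lower-casing the name before
    # the lookup is a choice made in this example.
    stored = lookup(user.lower())
    if stored is None:
        return "ERR"
    return "OK" if verify_ssha256(stored, password) else "ERR"

def main():
    for line in sys.stdin:
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()  # Squid blocks on each reply, so never buffer

if __name__ == "__main__":
    main()
```

In a real helper the lookup callable would run a parameterized SELECT against the mailbox table using a database account that has read-only access, since the helper only needs to compare credentials.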
Acknowledgements.
William Cole and his really helpful script at http://www.scconsult.com/bill/crampass.pl