Authenticating Squid with Dovecot

Authenticating Squid

Squid provides the mechanism to require users to sign on before it will start proxying for them.

In the libexec directory (on my freeBSD system /usr/local/libexec/squid are a number of authentication scripts. Here is a list of some in mine.


ncsa_auth               smb_auth                squid_dbpg_auth
digest_pw_auth          logfile-daemon          ntlm_auth               
smb_auth.sh             squid_kerb_auth         yp_auth
msnt_auth               pam_auth                squid_db_auth

As I’m using Dovecot and Postfix.admin, I want to use the same password that I use for my mail system to use the proxy.

System Components

  • PostgreSQL
  • Postfix.admin
  • Dovecot
  • Squid

The mail system is up and running, so the tables with the user names and passwords is available.

The squid system does not need to update, delete or add any records – it is simply going to pass a user name and a password and see if these match.

The squid_db_auth File

There is a predefined file for using a database to authenticate.  This is a good place to start.  Rather than modify the build in file, I copied it to squid_pgdb_auth and made changes to this.

The Dovecot Password

Dovecot provides the mail services (IMAP) so any password checking needs to be done using the same method. This meant I needed to add a function to transform the password into the same format as Dovecot.

Thankfully a bit of google-fu dug up a useful function written by William K. Cole. Thanks! William

I was able to add his function into the squid_pgdb_auth script and it ran flawlessly.  Williams code is marked in blue and the extra line in the password checking function is also marked in blue.

You will need to complete the settings at the top in red to point to the correct database and set up the user and password settings

Click to see the squid_dbpg_auth script.

Activating the authentication in Squid

In order to tell Squid to use this method, the following lines need to be added to Squid.conf.

#  
# postgresqauthentification.
#  
auth_param basic program /usr/local/libexec/squid/squid_dbpg_auth
auth_param basic children 5
auth_param basic realm Home Squid postgres proxy-caching web server
auth_param basic credentialsttl 300 minutes
auth_param basic casesensitive off

Next time you attach to Squid, it will pop up a dialog requesting your user name and password. These will be the same as for your mail system.

Acknowledgements.

William Cole and his really helpful script at http://www.scconsult.com/bill/crampass.pl

 

 

Hi - Please leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.