Category Archives: squid

Authenticating Squid with Dovecot

Authenticating Squid

Squid provides the mechanism to require users to sign on before it will start proxying for them.

In the libexec directory (on my freeBSD system /usr/local/libexec/squid are a number of authentication scripts. Here is a list of some in mine.

ncsa_auth               smb_auth                squid_dbpg_auth
digest_pw_auth          logfile-daemon          ntlm_auth                   squid_kerb_auth         yp_auth
msnt_auth               pam_auth                squid_db_auth

As I’m using Dovecot and Postfix.admin, I want to use the same password that I use for my mail system to use the proxy.

System Components

  • PostgreSQL
  • Postfix.admin
  • Dovecot
  • Squid

The mail system is up and running, so the tables with the user names and passwords is available.

The squid system does not need to update, delete or add any records – it is simply going to pass a user name and a password and see if these match.

The squid_db_auth File

There is a predefined file for using a database to authenticate.  This is a good place to start.  Rather than modify the build in file, I copied it to squid_pgdb_auth and made changes to this.

The Dovecot Password

Dovecot provides the mail services (IMAP) so any password checking needs to be done using the same method. This meant I needed to add a function to transform the password into the same format as Dovecot.

Thankfully a bit of google-fu dug up a useful function written by William K. Cole. Thanks! William

I was able to add his function into the squid_pgdb_auth script and it ran flawlessly.  Williams code is marked in blue and the extra line in the password checking function is also marked in blue.

You will need to complete the settings at the top in red to point to the correct database and set up the user and password settings

Click to see the squid_dbpg_auth script.

Activating the authentication in Squid

In order to tell Squid to use this method, the following lines need to be added to Squid.conf.

# postgresqauthentification.
auth_param basic program /usr/local/libexec/squid/squid_dbpg_auth
auth_param basic children 5
auth_param basic realm Home Squid postgres proxy-caching web server
auth_param basic credentialsttl 300 minutes
auth_param basic casesensitive off

Next time you attach to Squid, it will pop up a dialog requesting your user name and password. These will be the same as for your mail system.


William Cole and his really helpful script at



Automatically updating squidGuard black and white lists

Why am I using SquidGuard?

Having children in the house, I would like them to be able to browse the internet as safely as possible, and block as many offensive sites as possible. After a bit of looking around, I decided on the combination of squid ( and SquidGuard (

I’ve used squid before and it is really easy to set up and use.  There are a huge number of options, but the default settings work well enough without doing too much.  There are also lots of recipes available that other people have taken the time to write, so help is always at hand.

Again most (if not all) Linux distributions provide a ready packaged Squid distribution, so the amount of effort required to install it rally is minimal.

If you are running a small home network, then you only need to install this on one machine and tell every other machine to use it.  This can be done automatically – more on this in another post.

To provide protection against unsuitable sites, I pair Squid with SquidGuard. The way this works is that Squid passes every link to every page requested to SquidGuard.  SquidGuard examines this link  and compares it to its database (more on this later) of unsuitable sites. If it finds a match it returns a replacement URL which Squid then returns to the user.

Continue reading Automatically updating squidGuard black and white lists