Thursday, August 5, 2010

Debian 21

Apart from allowing proxy access to subnets in Squid, you can actually specify an authentication scheme to be used with it. The authentication will come in the form of an HTTP Basic Access Authentication window. We'll set up Squid to do just that in this article. We first of all install Squid:
apt-get install squid

The entire Squid system is controlled by the /etc/squid/squid.conf file, so let's open it up with:
nano /etc/squid/squid.conf

In this file, there are several things we'll need to change, such as the port number (optional) and the allowed computers. First we'll change the port number. To do this, press F6 (nano's search) and type in "http_port". On about the fourth search, you should be able to find this line:
http_port 3128

Modify it to whatever you like and save your configuration. By default, Squid doesn't allow any proxy requests. To allow traffic, you'll need to use the "http_access" statement. Each "http_access" statement names an "acl" and says whether requests matching it are allowed or denied. To begin, we'll press F6 and search for the keyword "localnet". You should end up with this:
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16

Let us break down the format of the ACL declaration. The ACL declaration comes in the form:
acl aclname acltype argument

The available options for specifying an ACL can be found by searching (F6) for "TAG: acl". In this case, the example above shows ACLs matching requests whose source address lies in the RFC 1918 private subnets. Now, we'll want to use an ACL to specify or "match" an authentication method. Whether the ACL matches depends on whether the authentication program (in this case, a helper program supplied with Squid) reports the credentials as valid or not.

We'll first begin by setting up the authentication scheme, which would be NCSA Authentication. NCSA Authentication reads an NCSA-compatible password file made using the "htpasswd" command. To specify this method (we'll create the password file later), search (F6) for "passwd". You should end up at this line:
# auth_param basic program /usr/lib/squid/ncsa_auth /usr/etc/passwd

Obviously, /usr/etc/passwd doesn't exist, because there is no such folder on Debian and because we haven't created an NCSA file yet. We'll uncomment the line and change the path of the file to this:
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd

Now, we'll need to specify to use the authentication as a method. If you read the introduction to authentication a little higher (or by searching for "TAG: auth_param"), you would see that you need to specify an ACL of the type proxy_auth. To do this, we'll place this somewhere near our localnet ACLs:
acl authenticate proxy_auth REQUIRED

The REQUIRED keyword makes the ACL match any valid, successfully authenticated user name. Now, we'll apply the ACL by placing an http_access statement somewhere after "http_access allow localnet" (search for it):
http_access allow authenticate

Now finally, we'll need to create the NCSA password file. To do this, browse over to /etc/squid/ and type:
htpasswd -c passwd kelvin

The -c flag creates a new file. To add more users in the future, omit the -c parameter. We'll now need to permit Squid to read it by granting read permission to "others":
chmod o+r passwd
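To make the helper contract concrete, here is an added example (not part of the original post, and not Squid's own ncsa_auth) of a minimal basic-auth helper in Python: Squid writes one "user password" line per request on the helper's stdin and expects "OK" or "ERR" back on stdout. It verifies only {SHA} entries as written by "htpasswd -s"; the sample password file and the "legacy" apr1 placeholder hash are constructed, and the URL-unescaping of the two fields is an assumption about what the stock helper does.

```python
import base64
import hashlib
import hmac
import sys
from urllib.parse import unquote


def sha_entry(user, password):
    """Build one line in the format 'htpasswd -s' writes: user:{SHA}base64(sha1(pw))."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}"


# Constructed sample of what /etc/squid/passwd might contain (not a real file).
SAMPLE_PASSWD = "\n".join([
    sha_entry("kelvin", "s3cret"),
    "legacy:$apr1$PLACEHOLDER$notARealHashXXXXXXXXXXX",  # apr1/crypt need crypt(3)
]) + "\n"


def load_passwd(text):
    """Parse 'user:hash' lines, skipping blanks, comments and malformed lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        users[user] = stored
    return users


def verify(stored, password):
    """Check a candidate password against a stored {SHA} entry in constant time."""
    if stored.startswith("{SHA}"):
        digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
        return hmac.compare_digest(stored[len("{SHA}"):], digest)
    return False  # other schemes (DES crypt, apr1) are out of scope here: fail closed


def handle_line(line, users):
    """One helper request: 'user password' in, 'OK' or 'ERR' out."""
    parts = line.rstrip("\n").split(" ", 1)
    if len(parts) != 2 or not parts[0]:
        return "ERR"  # missing field: never treat as authenticated
    user, password = (unquote(p) for p in parts)  # assumed URL-escaped by Squid
    stored = users.get(user)
    if stored is None or not verify(stored, password):
        return "ERR"
    return "OK"


if __name__ == "__main__":
    # Usage (hypothetical): auth_param basic program /path/to/this.py /etc/squid/passwd
    table = load_passwd(open(sys.argv[1]).read())
    for request in sys.stdin:
        sys.stdout.write(handle_line(request, table) + "\n")
        sys.stdout.flush()
```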

Coincidentally, the /etc/shadow file is NCSA-compatible, so you can actually use it instead of your own NCSA file to authenticate against existing Linux users. Remember to set the read permission on the server.

Now that we have everything in place, it's time to restart the proxy server through:
/etc/init.d/squid restart

Now, after pointing the browser at the proxy server, try to browse somewhere and you'll see a message similar to this:


In a future article we'll go through proxy authentication against Active Directory. Active Directory implements the LDAPv3 protocol, so we'll be able to do this using Squid's built-in LDAP helper.
