Squid_ The Definitive Guide - Duane Wessels [109]
Here is a complete example:
auth_param basic program /usr/local/squid/libexec/pam_auth
auth_param basic children 10
auth_param basic realm My Awesome Squid Cache
auth_param basic credentialsttl 1 hour
acl KnownUsers proxy_auth REQUIRED
http_access allow KnownUsers
Next I will discuss the Basic authentication helper programs that come with Squid.
NCSA
./configure --enable-basic-auth-helpers=NCSA
The NCSA authentication helper is relatively popular due to its simplicity and history. It stores usernames and passwords in a single text file, similar to the Unix /etc/passwd file. This password file format was originally developed as a part of the NCSA HTTP server project.
You pass the path to the password file as the program's single command-line argument in squid.conf:
auth_param basic program /usr/local/squid/libexec/ncsa_auth /usr/local/squid/etc/passwd
You can use the htpasswd program that comes with Apache to create and update the password file. Also, you can download it from http://www.squid-cache.org/htpasswd/. From that page, you can also download the chpasswd CGI script, which allows users to change their own passwords if necessary.
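A minimal helper in the style of ncsa_auth, added here as an illustration rather than Squid's own code: it reads a password file in the htpasswd format, restricted to the {SHA} entries that htpasswd -s produces (the crypt and MD5 variants are not handled), and speaks the Basic helper protocol, one "username password" line on stdin answered with OK or ERR. The sample file contents and the function names are assumptions.

```python
#!/usr/bin/env python3
# Added example, not Squid's ncsa_auth. Assumes the {SHA} htpasswd variant
# and the Squid Basic helper protocol: "username password" in, "OK"/"ERR" out.
import base64
import hashlib
import hmac
import sys


def sha_hash(password: str) -> str:
    """Return the field htpasswd -s writes: "{SHA}" + base64(SHA-1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def load_passwd(text: str) -> dict:
    """Parse 'user:hash' lines; blank lines and # comments are ignored."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users


def check(users: dict, user: str, password: str) -> bool:
    """True only for a known user whose {SHA} entry matches the password."""
    stored = users.get(user, "")
    if not stored.startswith("{SHA}"):
        return False  # unknown user or unsupported hash type: fail closed
    # Constant-time comparison so timing does not reveal how much matched.
    return hmac.compare_digest(stored, sha_hash(password))


def handle_line(users: dict, line: str) -> str:
    """One Squid request line 'username password' -> 'OK' or 'ERR'."""
    parts = line.rstrip("\n").split(" ", 1)
    if len(parts) != 2:
        return "ERR"  # malformed request: never answer OK by accident
    return "OK" if check(users, parts[0], parts[1]) else "ERR"


# Constructed sample file: alice's entry is what `htpasswd -s` writes for "test".
SAMPLE_PASSWD = "# constructed sample\nalice:{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=\n"

if __name__ == "__main__":
    # As with ncsa_auth, the password file path is the single argument.
    with open(sys.argv[1], encoding="utf-8") as f:
        table = load_passwd(f.read())
    for request in sys.stdin:
        sys.stdout.write(handle_line(table, request) + "\n")
        sys.stdout.flush()  # Squid blocks on each reply, so never buffer it
```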
LDAP
./configure --enable-basic-auth-helpers=LDAP
The LDAP helper interfaces to a Lightweight Directory Access Protocol server. The OpenLDAP libraries and header files must be installed before you can compile the squid_ldap_auth helper. You can find OpenLDAP at http://www.openldap.org/.
The squid_ldap_auth program requires at least two arguments: the base distinguished name (DN) and the LDAP server hostname. For example:
auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -b "ou=people,dc=example,dc=com" ldap.example.com
The LDAP helper has a Unix manual page that describes all of its options and parameters. However, Squid's manual pages aren't normally installed when you run make install. You can read the manual page by locating it in the source tree and manually running nroff. For example:
% cd helpers/basic_auth/LDAP
% nroff -man squid_ldap_auth.8 | less
MSNT
./configure --enable-basic-auth-helpers=MSNT
The MSNT authenticator interfaces to a Microsoft NT domain database via the Server Message Block (SMB) protocol. It uses a small configuration file, named msntauth.conf, which must be placed in the $prefix/etc or --sysconfdir directory. You can specify up to five NT domain controllers in the configuration file. For example:
server pdc1_host bdc1_host my_nt_domain
server pdc2_host bdc2_host another_nt_domain
By default, the MSNT authenticator allows any user validated by the server. However, it also has the ability to allow or deny specific usernames. If you create an allowusers file, only the users listed there are allowed access to Squid. You might want to use this feature if you have a large number of users on the NT server, but only a small number who are allowed to use the cache. Alternatively, you can create a denyusers file. Any user listed in that file is automatically denied access, even before checking the allowusers file.
Alternatively, you can allow or deny specific usernames by placing them in the proxy_auth ACL as described in Section 6.1.2.12.
For additional documentation, see the README.html file in the helpers/basic_auth/MSNT directory.
Multi-domain-NTLM
./configure --enable-basic-auth-helpers=multi-domain-NTLM
The multi-domain-NTLM authenticator is similar to MSNT. Both send queries to a Windows NT domain database. Whereas MSNT queries up to five domain controllers, the multi-domain-NTLM authenticator requires users to insert the NT domain name before their username, like this:
ntdomain\username
The multi-domain-NTLM helper program is a relatively short Perl script. It relies on the Authen::SMB