Skip to main content

SQUID on Ubuntu Setup with Authentication

Today, My buddy wanted to setup a proxy server for his project.
So I volunteered to get it done. Here goes nothing.

First lets install SQUID (on Ubuntu)
ahmed@ahmed-work-horse:~$ sudo apt-get install squid
  • By Default proxy will be running on port 3128
  • And will deny all connections :)
  • you can change this by changing the line below in /etc/squid/squid.conf file.
  • # is a comment in conf file 
#http_access deny !Safe_ports
  • Replace the above line with line below
http_access allow Safe_ports
or
http_access allow all

Creating a user
  • First create a user password file using htpasswd command. 
  • htpasswd is used to create username and password for basic authentication of squid users.
ahmed@ahmed-work-horse:~$ sudo htpasswd -c /etc/squid/passwd proxy_user
New password: 
Re-type new password: 
Adding password for user proxy_user
  • Make sure squid can read passwd file:
ahmed@ahmed-work-horse:~$ sudo chmod o+r /etc/squid/passwd
  • Locate nsca_auth authentication helper
  • Usually nsca_auth is located at /usr/lib/squid/ncsa_auth.
  • Configure nsca_auth for squid proxy authentication
  • Now open /etc/squid/squid.conf file
ahmed@ahmed-work-horse:~$ sudo vi /etc/squid/squid.conf
  • Append (or modify) following configration directive:
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
  • Also find out your ACL section and append/modify
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
  • Save and close the file.
  • Then restart squid
ahmed@ahmed-work-horse:~$ sudo service squid restart
[sudo] password for ahmed: 
squid start/running, process 2166

Below are the details 
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd: Specify squid password file and helper program location
auth_param basic children 5: The number of authenticator processes to spawn.
auth_param basic realm Squid proxy-caching web server: Part of the text the user will see when prompted their username and password
auth_param basic credentialsttl 2 hours: Specifies how long squid assumes an externally validated username:password pair is valid for - in other words how often the helper program is called for that user with password prompt. It is set to 2 hours.
auth_param basic casesensitive off: Specifies if usernames are case sensitive. It can be on or off only
acl ncsa_users proxy_auth REQUIRED: The REQURIED term means that any authenticated user will match the ACL named ncsa_users
http_access allow ncsa_users: Allow proxy access only if user is successfully authenticated.

Comments

Popular posts from this blog

Zabbix History Table Clean Up

Zabbix history table gets really big, and if you are in a situation where you want to clean it up. Then we can do so, using the below steps. Stop zabbix server. Take table backup - just in case. Create a temporary table. Update the temporary table with data required, upto a specific date using epoch . Move old table to a different table name. Move updated (new temporary) table to original table which needs to be cleaned-up. Drop the old table. (Optional) Restart Zabbix Since this is not offical procedure, but it has worked for me so use it at your own risk. Here is another post which will help is reducing the size of history tables - http://zabbixzone.com/zabbix/history-and-trends/ Zabbix Version : Zabbix v2.4 Make sure MySql 5.1 is set with InnoDB as innodb_file_per_table=ON Step 1 Stop the Zabbix server sudo service zabbix-server stop Script. echo "------------------------------------------" echo " 1. Stopping Zabbix Server ...

Installing Zabbix Version 2.4 Offline (Zabbix Server without Internet).

There might be situations where you have a remote/zabbix server which does not have internet connectivity, due to security or other reasons. So we create a custom repo on the remote/zabbix server so that we can install zabbix using rpms Here is how we are planning to do this. Download all the dependency rpms on a machine which has internet connection, using yum-downloadonly or repotrack . Transfer all the rpms to the remote server. Create a repo on the remote server. Update yum configuration. Install. NOTE: This method can be used to install any application, but here we have used zabbix as we had this requirement for a zabbix server. Download dependent rpms . On a machine which has internet connection install the package below. And download all the rpms . Make sure the system are similar (not required to be identical - At-least the OS should be of same version) mkdir /zabbix_rpms yum install yum-downloadonly Downloading all the rpms to location /zabbix_rpms/ ,...

Access Filter in SSSD `ldap_access_filter` [SSSD Access denied / Permission denied ]

Access Filter Setup with SSSD ldap_access_filter (string) If using access_provider = ldap , this option is mandatory. It specifies an LDAP search filter criteria that must be met for the user to be granted access on this host. If access_provider = ldap and this option is not set, it will result in all users being denied access. Use access_provider = allow to change this default behaviour. Example: access_provider = ldap ldap_access_filter = memberOf=cn=allowed_user_groups,ou=Groups,dc=example,dc=com Prerequisites yum install sssd Single LDAP Group Under domain/default in /etc/sssd/sssd.conf add: access_provider = ldap ldap_access_filter = memberOf=cn=Group Name,ou=Groups,dc=example,dc=com Multiple LDAP Groups Under domain/default in /etc/sssd/sssd.conf add: access_provider = ldap ldap_access_filter = (|(memberOf=cn=System Adminstrators,ou=Groups,dc=example,dc=com)(memberOf=cn=Database Users,ou=Groups,dc=example,dc=com)) ldap_access_filter accepts standa...