Learn Squid

  • 8/7/2019 Learn Squid

    Squid - Proxy Authentication

    WWW/Proxy Authentication Primer...

    - Two fundamental types
      - WWW:
        - end-to-end
        - authorization for accessing web resources (realms) defined by URI(s)
      - proxy:
        - hop-by-hop
        - authorization to use a proxy service that will fetch the URI(s) requested by the user agent

    ...WWW/Proxy Authentication Primer

    - Two authentication schemes
      - Basic
        - simple
        - implemented by all HTTP clients/servers/proxies
        - offers no security (passwords are sent in clear-text)
      - Digest
        - implemented by few HTTP clients/servers/proxies
        - offers better security than the Basic scheme (passwords are protected (not encrypted!))
    - More information: refer to RFC 2617 (and 2616)

    WWW Authentication

    Step 1. User requests a page

        GET /protected/ HTTP/1.1
        Host: www.sztaki.hu
        ...

    Step 2. Server asks UA to authenticate

        HTTP/1.1 401 Authorization Required
        WWW-Authenticate: Basic realm="Protected web"
        ...

    Step 3. UA sends authentication credentials

        GET /protected/ HTTP/1.1
        Host: www.sztaki.hu
        Authorization: Basic dXNlcjpwYXNzd29yZA==
        ...

    Step 4. Authentication accepted and page sent

        HTTP/1.1 200 OK
        Date: Tue, 15 Feb 2000 16:41:04 GMT
        Server: Apache/1.3.9 (Unix)
        ...

    Proxy Authentication...

    Step 1. User requests a page through a proxy

        GET http://www.terena.nl/ HTTP/1.0
        ...

    Step 2. Proxy asks UA to authenticate

        HTTP/1.0 407 Proxy Authentication Required
        Proxy-Authenticate: Basic realm="Squid proxy"
        ...

    Step 3. UA sends proxy authentication credentials

        GET http://www.terena.nl/ HTTP/1.0
        Proxy-Authorization: Basic YmVydG9sZDp0ZXN6dA==
        ...

    Step 4. Proxy accepts authentication and requests the page from the server

        GET / HTTP/1.0
        Via: 1.0 cache.iif.hu:3128 (Squid/2.4.DEVEL2)
        ...

    ...Proxy Authentication

    Step 5. Server sends the requested page

        HTTP/1.1 200 OK
        Date: Tue, 11 Feb 2000 18:41:04 GMT
        Server: Apache/1.3.9 (Unix)
        ...

    Step 6. Proxy passes the result back to the UA
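
The Basic credentials in the two exchanges above are only base64-encoded, so anyone on the path can read them. The following added example (not part of the original slides) scans captured header lines for Basic credentials and labels each as end-to-end or hop-by-hop; the function names and the embedded capture, assembled from the requests shown on the slides, are assumptions of this example.

```python
import base64
import binascii

# Credential header -> scope, per the primer: WWW auth is end-to-end, proxy auth is hop-by-hop.
CRED_HEADERS = {
    "authorization": "end-to-end (origin server)",
    "proxy-authorization": "hop-by-hop (proxy)",
}

def decode_basic(value):
    """Return (user, password) from a 'Basic <base64>' header value, or None."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None  # e.g. Digest: the password itself is not sent
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed token
    user, sep, password = decoded.partition(":")  # password may itself contain ':'
    return (user, password) if sep else None

def find_exposed_credentials(capture):
    """Scan captured HTTP header lines; list every Basic credential readable in transit."""
    findings = []
    for line in capture.splitlines():
        name, sep, value = line.strip().partition(":")
        scope = CRED_HEADERS.get(name.strip().lower())
        if not sep or scope is None:
            continue  # request line, blank line, or unrelated header
        creds = decode_basic(value)
        if creds:
            findings.append({"scope": scope, "user": creds[0], "password": creds[1]})
    return findings

# Constructed sample input: the two credential-bearing requests from the slides.
CAPTURE = """\
GET /protected/ HTTP/1.1
Host: www.sztaki.hu
Authorization: Basic dXNlcjpwYXNzd29yZA==

GET http://www.terena.nl/ HTTP/1.0
Proxy-Authorization: Basic YmVydG9sZDp0ZXN6dA==
"""

if __name__ == "__main__":
    for f in find_exposed_credentials(CAPTURE):
        print(f"{f['scope']}: user={f['user']!r} password={f['password']!r}")
```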

    Proxy Authentication in Squid

    - Only Basic authentication scheme supported
    - End-users: ACL rules
    - Peer cache: parameter in the cache_peer line
    - External authenticator modules shipped with Squid:
      - LDAP-based
      - NT domain based
      - NCSA httpd style password file
      - PAM module
      - getpwnam() based

    Module Installation

    - change directory to src/auth_modules/LDAP
    - edit squid_ldap_auth.c
    - change SEARCHBASE to:

        #define SEARCHBASE "ou=proxyauth,dc=sztaki,dc=hu"

    - add the following lines below SEARCHBASE:

        #undef LDAP_PORT
        #define LDAP_PORT 1389

    - type make
    - type make install

    End-user Proxy Authentication...

    - add the following lines to the appropriate section in squid.conf:

        authenticate_program /squid_ldap_auth n0.hpcc.sztaki.hu
        acl myusers proxy_auth REQUIRED
        http_access allow myusers

    ...End-user Proxy Authentication

    - examine the following options in squid.conf as well:
      - authenticate_children
      - authenticate_ttl
      - authenticate_ip_ttl

    Adding an entry to the directory

    - create LDIF file (authentry.ldif) containing:

        dn:uid=username,ou=proxyauth,dc=sztaki,dc=hu
        userpassword:password
        objectclass:cacheuser

    - use the below command to add this entry to the directory:

        ldapadd -Dcn=manager,ou=proxyauth,dc=sztaki,dc=hu -wd2cache -f authentry.ldif

    How to TEST

    - Run Squid
    - When prompted, use the configured username/password
    - Examine Squid logs!