8/7/2019 Learn Squid
Squid - Proxy Authentication
WWW/Proxy Authentication Primer...
- Two fundamental types
  - WWW:
    - end-to-end
    - authorization for accessing web resources (realms) defined by URI(s)
  - proxy
    - hop-by-hop
    - authorization to use a proxy service that will fetch the URI(s) requested by the user agent
...WWW/Proxy Authentication Primer
- Two authentication schemes
  - Basic
    - simple
    - implemented by all HTTP clients/servers/proxies
    - offers no security (passwords are sent in clear-text)
  - Digest
    - implemented by few HTTP clients/servers/proxies
    - offers better security than the Basic scheme (passwords are protected (not encrypted!))
- More information: refer to RFC 2617 (and 2616)
WWW Authentication

Step 1. User requests a page

    GET /protected/ HTTP/1.1
    Host: www.sztaki.hu
    ...

Step 2. Server asks UA to authenticate

    HTTP/1.1 401 Authorization Required
    WWW-Authenticate: Basic realm="Protected web"
    ...

Step 3. UA sends authentication credentials

    GET /protected/ HTTP/1.1
    Host: www.sztaki.hu
    Authorization: Basic dXNlcjpwYXNzd29yZA==
    ...

Step 4. Authentication accepted and page sent

    HTTP/1.1 200 OK
    Date: Tue, 15 Feb 2000 16:41:04 GMT
    Server: Apache/1.3.9 (Unix)
    ...
Proxy Authentication...

Step 1. User requests a page through a proxy

    GET http://www.terena.nl/ HTTP/1.0
    ...

Step 2. Proxy asks UA to authenticate

    HTTP/1.0 407 Proxy Authentication Required
    Proxy-Authenticate: Basic realm="Squid proxy"
    ...

Step 3. UA sends proxy authentication credentials

    GET http://www.terena.nl/ HTTP/1.0
    Proxy-Authorization: Basic YmVydG9sZDp0ZXN6dA==
    ...

Step 4. Proxy accepts authentication and requests the page from the server

    GET / HTTP/1.0
    Via: 1.0 cache.iif.hu:3128 (Squid/2.4.DEVEL2)
    ...
...Proxy Authentication

Step 5. Server sends the requested page

    HTTP/1.1 200 OK
    Date: Tue, 11 Feb 2000 18:41:04 GMT
    Server: Apache/1.3.9 (Unix)
    ...

Step 6. Proxy passes the result back to the UA
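
An added example (not part of the original slides): a Python audit of the request headers shown in the two exchanges above. It reports whether each credential header is end-to-end or hop-by-hop and whether the password can be read straight off the wire. The function names are this example's own; the header lines are copied from the slides.

```python
import base64

# Header lines copied from the requests shown on the slides above.
SAMPLE_REQUESTS = {
    "UA -> origin server": [
        "GET /protected/ HTTP/1.1",
        "Host: www.sztaki.hu",
        "Authorization: Basic dXNlcjpwYXNzd29yZA==",
    ],
    "UA -> proxy": [
        "GET http://www.terena.nl/ HTTP/1.0",
        "Proxy-Authorization: Basic YmVydG9sZDp0ZXN6dA==",
    ],
    "proxy -> origin server": [
        "GET / HTTP/1.0",
        "Via: 1.0 cache.iif.hu:3128 (Squid/2.4.DEVEL2)",
    ],
}

SCOPE = {"authorization": "end-to-end", "proxy-authorization": "hop-by-hop"}


def audit_request(lines):
    """Return one finding per credential header in a request's header lines."""
    findings = []
    for line in lines[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        scope = SCOPE.get(name.strip().lower())
        if not sep or scope is None:
            continue
        scheme, _, param = value.strip().partition(" ")
        finding = {"header": name.strip(), "scope": scope,
                   "scheme": scheme, "recoverable": False, "user": None}
        if scheme.lower() == "basic":
            try:
                raw = base64.b64decode(param.strip(), validate=True)
                user, colon, _password = raw.decode("utf-8").partition(":")
            except ValueError:  # malformed base64 or non-UTF-8 bytes
                user, colon = None, ""
            if colon:
                # Base64 is an encoding, not protection: password is exposed.
                finding.update(recoverable=True, user=user)
        findings.append(finding)
    return findings


def audit_all(samples=SAMPLE_REQUESTS):
    return {hop: audit_request(lines) for hop, lines in samples.items()}
```

The empty result for the proxy-to-server hop matches the slide: the forwarded request carries a Via header but no Proxy-Authorization header.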
Proxy Authentication in Squid
- Only Basic authentication scheme supported
- End-users: ACL rules
- Peer cache: parameter in the cache_peer line
- external authenticator modules shipped with Squid:
  - LDAP-based
  - NT domain based
  - NCSA httpd style password file
  - PAM module
  - getpwnam() based
Module Installation
- change directory to src/auth_modules/LDAP
- edit squid_ldap_auth.c
  - change SEARCHBASE to:
        #define SEARCHBASE "ou=proxyauth,dc=sztaki,dc=hu"
  - add the following lines below SEARCHBASE:
        #undef LDAP_PORT
        #define LDAP_PORT 1389
- type make
- type make install
End-user Proxy Authentication...
- add the following lines to the appropriate section in squid.conf:

    authenticate_program /squid_ldap_auth n0.hpcc.sztaki.hu
    acl myusers proxy_auth REQUIRED
    http_access allow myusers
...End-user Proxy Authentication
- examine the following options in squid.conf as well:
  - authenticate_children
  - authenticate_ttl
  - authenticate_ip_ttl
Adding an entry to the directory
- create LDIF file (authentry.ldif) containing:

    dn:uid=username,ou=proxyauth,dc=sztaki,dc=hu
    userpassword:password
    objectclass:cacheuser

- use the command below to add this entry to the directory:

    ldapadd -Dcn=manager,ou=proxyauth,dc=sztaki,dc=hu -wd2cache -f authentry.ldif
How to TEST
- Run Squid
- When prompted, use the configured username/password
- Examine Squid logs!