Now that we know how to set up our cache and allow (and deny) access to it, the next step is to consider authentication. The major advantages to requiring authentication to your cache are logging and access restriction. With authentication required, every HTTP request from every user will be logged with a timestamp and the username. You can then easily run a report on this logfile to find out what web sites users are visiting. Squid supports many different kinds of external authentication (similarly to Apache). You can have Squid authenticate against your LDAP server, your RADIUS server, or your Microsoft Windows Active Directory server. For our purposes, we're going to demonstrate how to configure Squid to authenticate against a standard Apache authentication file created with the htpasswd program.
First, you must ensure that the ncsa_auth command came with your version of Squid. If you have a binary package from your vendor, ncsa_auth is probably in either /usr/sbin or /usr/lib/squid. If you compiled Squid from source, you have to go back to the Squid source tree and follow these steps:
# cd auth_modules/NCSA
# make
# make install
The next step is to create an authentication file with the htpasswd program. We already have htpasswd on our system at /opt/apache/bin/htpasswd from our Apache install, so we can run this command:
# /opt/apache/bin/htpasswd -c /opt/squidusers.htpasswd demouser
Enter the password twice for demouser and we have our authentication file. Now we configure Squid to require all users to authenticate against this file. First we add these two lines:
auth_param basic program /usr/sbin/ncsa_auth /opt/squidusers.htpasswd
acl passwd proxy_auth REQUIRED
The auth_param line defines the program that will be used to read our password file. The ACL line creates an ACL called passwd that requires authentication. Finally, we modify our http_access line to look like this:
http_access allow intranet passwd
This provides access to the intranet ACL as long as the passwd ACL is satisfied. After restarting Squid, we try to go to www.google.com and we get a username and password dialog box. If we are unable to authenticate here, we'll see a screen that looks like Figure 38-5.
Once we successfully authenticate, we don't need to reauthenticate until we restart our web browser. The Squid access.log file now has a line that looks like this:
1136492351.742 162 192.168.1.33 TCP_MISS/200 1642 GET http://www.google.com/ demouser DIRECT/64.233.167.147 text/html
As you can see, the username demouser is now logged with every request.
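The opening paragraph promises that the per-user log makes it easy to report on which sites users visit. The following Python script is an added example (not code from the book) that does exactly that over Squid's native access.log format; the field layout assumed is the one shown in the line above (timestamp, elapsed time, client, action/status, bytes, method, URL, username, hierarchy/peer, content type), and the sample log lines are constructed, not captured from a real proxy.

```python
"""Per-user site report from a Squid native-format access.log.

Added example, not from the original text. Assumed field layout
(Squid's default native log format):
  timestamp elapsed client action/status bytes method URL user hierarchy/peer type
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log lines (not captured from a real proxy).
SAMPLE_LOG = """\
1136492351.742    162 192.168.1.33 TCP_MISS/200 1642 GET http://www.google.com/ demouser DIRECT/64.233.167.147 text/html
1136492352.101     12 192.168.1.33 TCP_HIT/200 2210 GET http://www.google.com/images/logo.gif demouser NONE/- image/gif
1136492360.555    240 192.168.1.40 TCP_MISS/200 5120 GET http://www.example.com/news/ alice DIRECT/93.184.216.34 text/html
1136492361.001      0 192.168.1.50 TCP_DENIED/407 1890 GET http://www.example.com/ - NONE/- text/html
1136492370.333    301 192.168.1.40 TCP_MISS/200 8800 CONNECT mail.example.org:443 alice DIRECT/203.0.113.5 -
"""


def parse_line(line):
    """Split one native-format line into a dict; return None for malformed lines."""
    fields = line.split()
    if len(fields) < 10:
        return None
    return {
        "time": float(fields[0]),
        "client": fields[2],
        "action": fields[3],   # e.g. TCP_MISS/200 or TCP_DENIED/407
        "method": fields[5],
        "url": fields[6],
        "user": fields[7],     # "-" when no credentials were presented
    }


def site_of(method, url):
    """Host part of the request: CONNECT lines carry host:port, others a full URL."""
    if method == "CONNECT":
        return url.split(":", 1)[0]
    return urlsplit(url).hostname or url


def report(log_text):
    """Return ({user: {site: hits}}, [(client, url), ...]).

    The first value covers authenticated requests; the second lists requests
    logged without a username or answered with a 407 challenge, which is
    what an administrator checking the authentication setup wants to see.
    """
    per_user = defaultdict(lambda: defaultdict(int))
    unauthenticated = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["user"] == "-" or rec["action"].endswith("/407"):
            unauthenticated.append((rec["client"], rec["url"]))
            continue
        per_user[rec["user"]][site_of(rec["method"], rec["url"])] += 1
    return {u: dict(s) for u, s in per_user.items()}, unauthenticated


if __name__ == "__main__":
    users, unauth = report(SAMPLE_LOG)
    for user, sites in sorted(users.items()):
        for site, hits in sorted(sites.items()):
            print(f"{user:10} {site:25} {hits}")
    print(f"{len(unauth)} request(s) without a username")
```

Run against the real file with `report(open("/var/log/squid/access.log").read())`, or adapt the `__main__` block to read from standard input. Requests logged with a username of `-` are normal right after a browser restart (the first request triggers the 407 challenge), but a steady stream of them from one client after the configuration is in place usually means that client is not sending credentials at all.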