  1. #1
    Just Joined! aenguillo's Avatar
    Join Date
    Dec 2006
    Location
    philippines
    Posts
    40

    squid authentication


    hey! good day to all! i just wanted to ask if there is a way to make a squid authentication using the users in the local linux machine where squid was set up?

    also, make squid filter web content depending on the users who authenticated themselves before browsing. for example, after user1 is authenticated, he is not allowed to browse for social networking sites. on the other hand, when user2 authenticates himself, he can browse for any websites. these two users exist in the same linux box.

    thanks guys...

  2. #2
    Linux Engineer jledhead's Avatar
    Join Date
    Oct 2004
    Location
    North Carolina
    Posts
    1,077
    for your auth question
    All Linux Squid Password Authentication Using PAM

    the second part
    SquidGuard

    squidguard is a nice addon for squid

  3. #3
    Just Joined! aenguillo's Avatar
    Join Date
    Dec 2006
    Location
    philippines
    Posts
    40
    thanks. i'll study those first and try to do the things needed to be done. i'll be posting other questions when i get stuck into something

  5. #4
    Just Joined! aenguillo's Avatar
    Join Date
    Dec 2006
    Location
    philippines
    Posts
    40
    hey guys! good day again! i'm doin my things step by step. first, i got my squid config right. it's working fine. next, i need the prompting for username and password. i got that going also. now, on the authentication part. whenever i use a linux user username and password to log on to squid, i get a "Page cannot be displayed" page. i followed the tutorial for the PAM authentication mr. jledhead gave. but i was stuck on the authentication process.

    here's what i want to do. i want users to log on first using PAM authentication to be able to browse the web via my squid server. the usernames and passwords will come from the linux machine where squid is running.

    here's my squid.conf:
    #squid config
    # TAG: http_port
    http_port 8080

    # TAG: icp_port
    icp_port 3130

    # TAG: hierarchy_stoplist
    hierarchy_stoplist cgi-bin ?

    # TAG: no_cache
    acl QUERY urlpath_regex cgi-bin \?
    no_cache deny QUERY

    # TAG: cache_mem (bytes)
    cache_mem 16 MB

    # TAG: cache_swap_low (percent, 0-100)
    # TAG: cache_swap_high (percent, 0-100)
    cache_swap_low 90
    cache_swap_high 95

    # TAG: maximum_object_size (bytes)
    maximum_object_size 4096 KB

    # TAG: maximum_object_size_in_memory (bytes)
    maximum_object_size_in_memory 20 KB

    # TAG: ipcache_size (number of entries)
    # TAG: ipcache_low (percent)
    # TAG: ipcache_high (percent)
    ipcache_size 1024
    ipcache_low 90
    ipcache_high 95

    # TAG: fqdncache_size (number of entries)
    fqdncache_size 1024

    # TAG: cache_replacement_policy
    cache_replacement_policy lru

    # TAG: memory_replacement_policy
    memory_replacement_policy lru

    # TAG: cache_dir
    cache_dir ufs /var/spool/squid 100 16 256

    # TAG: cache_access_log
    cache_access_log /var/log/squid/access.log

    # TAG: cache_log
    cache_log /var/log/squid/cache.log

    # TAG: cache_swap_log

    # TAG: emulate_httpd_log on|off
    emulate_httpd_log on

    # TAG: auth_param
    auth_param basic program /usr/lib/squid/pam_auth /etc/squid/unames
    auth_param basic children 5
    auth_param basic realm Squid Proxy Authentication
    auth_param basic credentialsttl 2 hours


    # TAG: refresh_pattern
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern . 0 20% 4320

    # TAG: acl
    #Recommended minimum configuration:
    acl all src 0.0.0.0/0.0.0.0
    acl internal src 192.168.1.0/255.255.255.0
    acl unames proxy_auth REQUIRED
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 443 563
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 563 # https, snews
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT

    # TAG: http_access
    http_access allow unames
    http_access deny all

    # Only allow cachemgr access from localhost
    http_access allow manager localhost
    http_access deny manager
    # Deny requests to unknown ports
    http_access deny !Safe_ports
    # Deny CONNECT to other than SSL ports
    http_access deny CONNECT !SSL_ports
    # And finally deny all other access to this proxy
    http_access allow localhost
    http_access deny all

    # TAG: cache_mgr
    cache_mgr IT_Department

    # TAG: cache_effective_user
    cache_effective_user squid

    # TAG: cache_effective_group
    cache_effective_group squid

    # TAG: visible_hostname
    visible_hostname BISS

    # TAG: httpd_accel_host
    # TAG: httpd_accel_port
    httpd_accel_host virtual
    httpd_accel_port 80

    # TAG: httpd_accel_single_host on|off
    httpd_accel_single_host off

    # TAG: httpd_accel_with_proxy on|off
    httpd_accel_with_proxy on

    # TAG: httpd_accel_uses_host_header on|off
    httpd_accel_uses_host_header on

    here's a part of my squid cache log:
    #cache log
    2007/08/08 15:24:59| helperOpenServers: Starting 5 'pam_auth' processes
    2007/08/08 15:24:59| WARNING: Cannot run '/usr/lib/squid/pam_auth' process.
    2007/08/08 15:24:59| WARNING: Cannot run '/usr/lib/squid/pam_auth' process.
    2007/08/08 15:24:59| WARNING: Cannot run '/usr/lib/squid/pam_auth' process.
    2007/08/08 15:24:59| WARNING: Cannot run '/usr/lib/squid/pam_auth' process.
    2007/08/08 15:24:59| WARNING: Cannot run '/usr/lib/squid/pam_auth' process.
    2007/08/08 15:24:59| User-Agent logging is disabled.
    2007/08/08 15:24:59| Referer logging is disabled.
    2007/08/08 15:24:59| Unlinkd pipe opened on FD 10
    2007/08/08 15:24:59| Swap maxSize 102400 KB, estimated 7876 objects
    2007/08/08 15:24:59| Target number of buckets: 393


    and here's my squid access log:
    #access log
    192.168.1.214 - - [08/Aug/2007:15:26:16 +0800] "GET Google HTTP/1.0" 407 1690 TCP_DENIED:NONE

    am i missing something? thanks guys!

  6. #5
    Linux Engineer jledhead's Avatar
    Join Date
    Oct 2004
    Location
    North Carolina
    Posts
    1,077
    so if you take out the pam auth it works as normal and you can get to the internet?

    are any type of errors showing up in the logs?
    WARNING: Cannot run '/usr/lib/squid/pam_auth' process
    that looks pretty important

    also, is there any reason you are using pam, like all of your users have logged onto the nix machine? just curious

  7. #6
    Just Joined! aenguillo's Avatar
    Join Date
    Dec 2006
    Location
    philippines
    Posts
    40
    hey! well, if i remove the authentication, it works fine and i can browse the web. but when i use pam auth, it only prompts for a username and password. if i use an existing linux user in the same squid server, i only get a "Page cannot be displayed" error.

    the reason i'm using pam is that users who are going to use the squid proxy should be authenticated. i think the easiest way to do that is to use user accounts that are existing in the same linux box running squid. these users won't be logging in to the linux box. only to squid authentication. the reason why i am going to use linux user accounts in the same machine is to give them a capability to be able to change their passwords if they want to.

    i'm kinda new to linux. and i thought that would be the easiest thing to do. any suggestions? or are there any other things i missed? thanks...

  8. #7
    Just Joined! aenguillo's Avatar
    Join Date
    Dec 2006
    Location
    philippines
    Posts
    40
    problem solved. it's an SELinux issue. it doesn't allow the squid daemon to access the network. authentication problem is solved. now i'm on the user-based restriction. i'll be using SquidGuard. i'll be posting if i get stuck on some things again. thanks guys. thanks mr. jledhead...
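
The checks this thread worked through for the `Cannot run '/usr/lib/squid/pam_auth' process` warning, collected into one triage script. This is an added example, not code from any poster; the PAM service file `/etc/pam.d/squid` and the function names are assumptions, and the sample log lines are constructed from the excerpt in post #4.

```shell
#!/bin/sh
# Added example: triage for "Cannot run '<helper>' process" in Squid's cache.log.
# The helper path is the one in the thread's squid.conf; /etc/pam.d/squid is an
# assumption (pam_auth's default PAM service name is "squid").

# Count helper start failures recorded in a cache.log.
helper_failures() {  # usage: helper_failures LOGFILE HELPER_PATH
    grep -cF "WARNING: Cannot run '$2' process" "$1" || true
}

# Classify the helper binary: missing, not-executable, no-setuid or ok.
# To verify local shadow passwords, pam_auth needs root, normally via setuid root.
check_helper() {  # usage: check_helper HELPER_PATH
    if [ ! -e "$1" ]; then echo missing
    elif [ ! -x "$1" ]; then echo not-executable
    elif [ ! -u "$1" ]; then echo no-setuid
    else echo ok
    fi
}

# Report the SELinux mode, or "unavailable" when the tools are not installed.
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then getenforce; else echo unavailable; fi
}

# Print one summary for a log/helper pair.
triage() {  # usage: triage LOGFILE HELPER_PATH
    echo "helper start failures: $(helper_failures "$1" "$2")"
    echo "helper binary:         $(check_helper "$2")"
    echo "PAM service file:      $([ -r /etc/pam.d/squid ] && echo present || echo absent)"
    echo "SELinux mode:          $(selinux_mode)"
    # With SELinux enforcing, recent denials for the helper are in the audit log (root only).
    if command -v ausearch >/dev/null 2>&1; then
        ausearch --input-logs -m avc -c pam_auth -ts recent 2>/dev/null || echo "no recent AVC denials found"
    fi
}

# Constructed sample: two lines in the format of the cache.log excerpt above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
2007/08/08 15:24:59| helperOpenServers: Starting 5 'pam_auth' processes
2007/08/08 15:24:59| WARNING: Cannot run '/usr/lib/squid/pam_auth' process.
EOF
triage "$sample" /usr/lib/squid/pam_auth
rm -f "$sample"
```

On a real proxy, call `triage /var/log/squid/cache.log /usr/lib/squid/pam_auth` as root so the audit log is readable.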
