-
squid authentication
hey! good day to all! i just wanted to ask if there is a way to make a squid authentication using the users in the local linux machine where squid was set up?
also, make squid filter web content depending on the users who authenticated themselves before browsing. for example, after user1 is authenticated, he is not allowed to browse for social networking sites. on the other hand, when user2 authenticates himself, he can browse for any websites. these two users exist in the same linux box.
thanks guys...
-
for your auth question
All Linux Squid Password Authentication Using PAM
the second part
SquidGuard
squidguard is a nice addon for squid
-
thanks. :) i'll study those first and try to do the things needed to be done. i'll be posting other questions when i get stuck into something :D
-
hey guys! good day again! i'm doing my things step by step. first, i got my squid config right. it's working fine. next, i need the prompting for username and password. i got that going also. now, on the authentication part. whenever i use a linux user username and password to log on to squid, i get a "Page cannot be displayed" page. i followed the tutorial for the PAM authentication mr. jledhead gave. but i was stuck on the authentication process.
here's what i want to do. i want users to log on first using PAM authentication to be able to browse the web via my squid server. the usernames and passwords will come from the linux machine where squid is running.
here's my squid.conf:
#squid config
# TAG: http_port
http_port 8080
# TAG: icp_port
icp_port 3130
# TAG: hierarchy_stoplist
hierarchy_stoplist cgi-bin ?
# TAG: no_cache
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
# TAG: cache_mem (bytes)
cache_mem 16 MB
# TAG: cache_swap_low (percent, 0-100)
# TAG: cache_swap_high (percent, 0-100)
cache_swap_low 90
cache_swap_high 95
# TAG: maximum_object_size (bytes)
maximum_object_size 4096 KB
# TAG: maximum_object_size_in_memory (bytes)
maximum_object_size_in_memory 20 KB
# TAG: ipcache_size (number of entries)
# TAG: ipcache_low (percent)
# TAG: ipcache_high (percent)
ipcache_size 1024
ipcache_low 90
ipcache_high 95
# TAG: fqdncache_size (number of entries)
fqdncache_size 1024
# TAG: cache_replacement_policy
cache_replacement_policy lru
# TAG: memory_replacement_policy
memory_replacement_policy lru
# TAG: cache_dir
cache_dir ufs /var/spool/squid 100 16 256
# TAG: cache_access_log
cache_access_log /var/log/squid/access.log
# TAG: cache_log
cache_log /var/log/squid/cache.log
# TAG: cache_swap_log
# TAG: emulate_httpd_log on|off
emulate_httpd_log on
# TAG: auth_param
auth_param basic program /usr/lib/squid/pam_auth /etc/squid/unames
auth_param basic children 5
auth_param basic realm Squid Proxy Authentication
auth_param basic credentialsttl 2 hours
# TAG: refresh_pattern
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
# TAG: acl
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl internal src 192.168.1.0/255.255.255.0
acl unames proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# TAG: http_access
http_access allow unames
http_access deny all
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
# And finally deny all other access to this proxy
http_access allow localhost
http_access deny all
# TAG: cache_mgr
cache_mgr IT_Department
# TAG: cache_effective_user
cache_effective_user squid
# TAG: cache_effective_group
cache_effective_group squid
# TAG: visible_hostname
visible_hostname BISS
# TAG: httpd_accel_host
# TAG: httpd_accel_port
httpd_accel_host virtual
httpd_accel_port 80
# TAG: httpd_accel_single_host on|off
httpd_accel_single_host off
# TAG: httpd_accel_with_proxy on|off
httpd_accel_with_proxy on
# TAG: httpd_accel_uses_host_header on|off
httpd_accel_uses_host_header on
here's a part of my squid cache log:
#cache log
2007/08/08 15:24:59| helperOpenServers: Starting 5 'pam_auth' processes
2007/08/08 15:24:59| WARNING: Cannot run '/usr/lib/squid/pam_auth' process.
2007/08/08 15:24:59| WARNING: Cannot run '/usr/lib/squid/pam_auth' process.
2007/08/08 15:24:59| WARNING: Cannot run '/usr/lib/squid/pam_auth' process.
2007/08/08 15:24:59| WARNING: Cannot run '/usr/lib/squid/pam_auth' process.
2007/08/08 15:24:59| WARNING: Cannot run '/usr/lib/squid/pam_auth' process.
2007/08/08 15:24:59| User-Agent logging is disabled.
2007/08/08 15:24:59| Referer logging is disabled.
2007/08/08 15:24:59| Unlinkd pipe opened on FD 10
2007/08/08 15:24:59| Swap maxSize 102400 KB, estimated 7876 objects
2007/08/08 15:24:59| Target number of buckets: 393
and here's my squid access log:
#access log
192.168.1.214 - - [08/Aug/2007:15:26:16 +0800] "GET Google HTTP/1.0" 407 1690 TCP_DENIED:NONE
am i missing something? thanks guys!
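Added example (mine, not code from the thread or from Squid): a small Python model of how Squid walks http_access lines, first match wins. It shows why the order matters in the config posted above, where "http_access allow unames" and "http_access deny all" come before the Safe_ports and CONNECT denies, so those denies are never reached, and how a per-user dstdomain acl does the user1/user2 split from the first post without SquidGuard. The config, user names and domains in the block are constructed, and the 407-on-missing-credentials behaviour is a simplification of what Squid does.

```python
"""Model of Squid's http_access evaluation (first matching line wins). Constructed
example, not Squid's code; a proxy_auth check without credentials yields a 407."""
import ipaddress
# Constructed config: user1 may not reach social sites, user2 may; the Safe_ports
# deny sits BEFORE the auth allow so authenticating cannot bypass it.
CONF = """
acl all src 0.0.0.0/0.0.0.0
acl Safe_ports port 80 21 443 1025-65535
acl unames proxy_auth REQUIRED
acl restricted proxy_auth user1
acl social dstdomain .facebook.com .myspace.com
http_access deny !Safe_ports
http_access deny restricted social
http_access allow unames
http_access deny all
"""
def parse_conf(text):
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split("#")[0].split()
        if parts and parts[0] == "acl":    # repeated acl names accumulate values
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts and parts[0] == "http_access":
            rules.append((parts[1] == "allow", parts[2:]))
    return acls, rules
def acl_matches(kind, values, req):
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "proxy_auth":               # evaluate() already handled missing credentials
        return "REQUIRED" in values or req["user"] in values
    if kind == "dstdomain":                # a leading dot also matches subdomains
        h = req["host"]
        return any(h == v.lstrip(".") or (v[0] == "." and h.endswith(v)) for v in values)
    if kind == "port":                     # single ports or lo-hi ranges
        return any(int(a) <= req["port"] <= int(b or a)
                   for a, _, b in (v.partition("-") for v in values))
    raise ValueError("unsupported acl type " + kind)
def evaluate(acls, rules, req):
    """Status Squid would send: 200 allowed, 403 denied, 407 credentials needed."""
    for allow, tokens in rules:
        for tok in tokens:
            kind, values = acls[tok.lstrip("!")]
            if kind == "proxy_auth" and not req.get("user"):
                return 407
            if acl_matches(kind, values, req) == tok.startswith("!"):
                break                      # this line does not match; try the next
        else:
            return 200 if allow else 403
    return 403 if rules[-1][0] else 200    # no match: opposite of the last line
```

Swapping the "deny !Safe_ports" line below "allow unames" in CONF and re-running the port-22 case shows the bypass the posted ordering has.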
-
so if you take out the pam auth it works as normal and you can get to the internet?
are any type of errors showing up in the logs
WARNING: Cannot run '/usr/lib/squid/pam_auth' process
that looks pretty important
also, is there any reason you are using pam, like all of your users have logged onto the nix machine? just curious
-
hey! :) well, if i remove the authentication, it works fine and i can browse the web. but when i use pam auth, it only prompts for a username and password. if i use an existing linux user in the same squid server, i only get a "Page cannot be displayed" error.
the reason i'm using pam is that users who are going to use the squid proxy should be authenticated. i think the easiest way to do that is to use user accounts that exist in the same linux box running squid. these users won't be logging in to the linux box, only to squid authentication. the reason why i am going to use linux user accounts in the same machine is to give them the capability to change their passwords if they want to.
i'm kinda new to linux. and i thought that would be the easiest thing to do. any suggestions? or are there any other things i missed? thanks...
-
problem solved. it's an SELinux issue. it doesn't allow the squid daemon to access the network. authentication problem is solved. now i'm on the user-based restriction. i'll be using SquidGuard. i'll be posting if i get stuck on some things again. thanks guys. thanks mr. jledhead...