How to set up a squid Proxy with basic username and password authentication? [closed]

I currently use IP addresses in my ACL, and I want to use a username and password to do this.

Terpineol answered 21/7, 2010 at 7:47 Comment(2)
Here is another example how to setup Squid3 with a htdigest style authentication: dabase.com/blog/Minimal_squid3_proxy_configuration – Konstance
here is a complete guide for Squid3 installation and configuration with authentication hevi.info/2015/09/… – Sharecrop

Here's what I had to do to set up basic auth on Ubuntu 14.04 (didn't find a guide anywhere else)

Basic squid conf

/etc/squid3/squid.conf instead of the super bloated default config file

auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/passwords
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated

# Choose the port you want. Below we set it to default 3128.
http_port 3128

Please note the basic_ncsa_auth program instead of the old ncsa_auth

squid 2.x

For squid 2.x you need to edit /etc/squid/squid.conf file and place:

# Squid 2.x names the NCSA basic-auth helper ncsa_auth; digest_pw_auth is the digest-scheme helper
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwords
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated

Setting up a user

sudo htpasswd -c /etc/squid3/passwords username_you_like

and enter a password twice for the chosen username then

sudo service squid3 restart

squid 2.x

sudo htpasswd -c /etc/squid/passwords username_you_like

and enter a password twice for the chosen username then

sudo service squid restart

htdigest vs htpasswd

For the many people that asked me: the 2 tools produce different file formats:

  • htdigest stores the password in plain text.
  • htpasswd stores the password hashed (various hashing algos are available)

Despite this difference in format basic_ncsa_auth will still be able to parse a password file generated with htdigest. Hence you can alternatively use:

sudo htdigest -c /etc/squid3/passwords realm_you_like username_you_like

Beware that this approach is empirical, undocumented and may not be supported by future versions of Squid.

On Ubuntu 14.04 htdigest and htpasswd are both available in the apache2-utils package.

MacOS

Similar as above applies, but file paths are different.

Install squid

brew install squid

Start squid service

brew services start squid

Squid config file is stored at /usr/local/etc/squid.conf.

Comment out or remove the following line:

http_access allow localnet

Then, similar to the Linux config (but with updated paths), add this:

auth_param basic program /usr/local/Cellar/squid/4.8/libexec/basic_ncsa_auth /usr/local/etc/squid_passwords
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated

Note that the path to basic_ncsa_auth may be different since it depends on the installed version when using brew; you can verify this with ls /usr/local/Cellar/squid/. Also note that you should add the above just below the following section:

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

Now generate yourself a user:password basic auth credential (note: htpasswd and htdigest are also both available on MacOS)

htpasswd -c /usr/local/etc/squid_passwords username_you_like

Restart the squid service

brew services restart squid
Slurp answered 22/7, 2014 at 2:22 Comment(17)
For me the htdigest command didn't work, however once I had substituted it for "sudo htpasswd -cd /etc/squid3/passwords admin" it did work as expected. – Profiteer
That's what I thought even if it did work for me. There was a discussion linked to this post with 50% of people saying it works and 50% suggesting a change to htpasswd. I didn't have enough reputation to participate in the discussion though... :( – Slurp
Thank you for downvoting my answer Joao Paulo Motta. SO is not a first level support type of system. If you need help you need to provide details around what didn't work, what you've tried exactly, error logs, etc. – Slurp
worked for me, but I also had to use htpasswd instead of htdigest, I don't know why but in this way it worked. – Endplay
@StefanoFratini You should update this answer to use htpasswd instead of htdigest. Squid manuals say it can be manipulated with htpasswd, not htdigest. squid-cache.org/Versions/v3/3.3/manuals/basic_ncsa_auth.html – Disloyalty
This assumes that you use squid3. I am running Squid 2.7. If you do too, add acl all src all before the other acl in the conf. And the path being squid not squid3 and the auth binary being ncsa_auth, the first line is auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwords (remove the 3 for htpasswd too then). Hope this helps :) – Polymyxin
@antoine129, Please suggest an edit to support both squid3 and squid2 and I will accept it. It's less error prone this way. – Slurp
If your system does not have htpasswd please do sudo apt-get install apache2-utils. – Sulfamerazine
I'm not even sure my answer is still actual @ospider – Slurp
@StefanoFratini It's still working, however, on 16.04, the directory has been changed from /etc/squid3 to /etc/squid – Whistle
This answer has a big mistake. Don't advise using the -c argument! It truncates the old htpasswd file if it exists with old users. – Aardvark
Not surprisingly -c creates the file and if it does exist deletes it first. This is a common pattern with linux commands? – Slurp
How do we generate the digest_pw_auth file? – Meingoldas
After install, the squid service is OK, but when I add the proxy settings to Firefox, it didn't work. It's always asking for the authentication username and password. – Luggage
You may add below softlink along with above solution: sudo ln -s /usr/lib/squid3/ncsa_auth /usr/lib/squid3/basic_ncsa_auth – Feldspar
I know this question is closed, but I had the same question for MacOS so I edited the answer and added the details here. I confirm it works fine on iOS :) – Arlettearley
digest_pw_auth is now renamed to digest_file_auth – Corson
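
The answer's MacOS section removes `http_access allow localnet` because Squid evaluates `http_access` rules top-down and an address-based allow placed above the `proxy_auth` rule lets those clients through without credentials. The following is an added example, not code from the answer or from Squid: a small linter (the name `lint_squid_auth` and both sample configs are constructed here) that reports such rules, and that also recognises the common `http_access deny !<acl>` form, which goes beyond the single case shown above.

```python
# Added example: lint squid.conf for http_access rules that bypass proxy_auth.
# Both sample configs are constructed; GOOD_CONF mirrors the answer's lines.
GOOD_CONF = """\
auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/passwords
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_port 3128
"""
BAD_CONF = """\
# constructed sample: a network-based allow left above the auth rule
acl localnet src 192.168.0.0/16
http_access allow localnet
""" + GOOD_CONF


def lint_squid_auth(conf_text):
    """Return (line_number, message) findings; line 0 means file-wide."""
    auth_acls, has_helper, rules = set(), False, []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tok = raw.split()
        if len(tok) < 3 or tok[0].startswith("#"):
            continue
        if tok[0] == "acl" and tok[2] == "proxy_auth":
            auth_acls.add(tok[1])
        elif tok[0] == "auth_param" and tok[1:3] == ["basic", "program"]:
            has_helper = True
        elif tok[0] == "http_access" and tok[1] in ("allow", "deny"):
            rules.append((lineno, tok[1], tok[2:]))

    findings = []
    if not has_helper:
        findings.append((0, "no 'auth_param basic program' helper configured"))
    if not auth_acls:
        findings.append((0, "no proxy_auth ACL defined"))
    # A rule that makes every client authenticate: "allow <acl>" or "deny !<acl>".
    gates = {("allow", n) for n in auth_acls} | {("deny", "!" + n) for n in auth_acls}
    gated = False
    for lineno, action, acls in rules:  # top-down, first matching rule wins
        if len(acls) == 1 and (action, acls[0]) in gates:
            gated = True
            break
        if action == "allow" and not any(a in auth_acls for a in acls):
            findings.append((lineno, "allow without credentials: " + " ".join(acls)))
    if auth_acls and not gated:
        findings.append((0, "no rule forces every client to authenticate"))
    return findings


if __name__ == "__main__":
    for name, conf in (("GOOD_CONF", GOOD_CONF), ("BAD_CONF", BAD_CONF)):
        print(name, lint_squid_auth(conf) or "ok")
```

Run it against a real file with `lint_squid_auth(open(path).read())`; an empty list means no allow rule sits ahead of the rule that demands credentials.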
