Setting up an authenticating proxy server with squid3 and pam_auth

While the squid proxy server has quite a few different flavours of authentication available, one of the most basic ones, pam_auth, is also one of the most useful ones to get you started quickly. pam_auth let’s anyone who has a local account access the squid proxy. In large environments you probably want to use ldap authentication eventually, but pam_auth is great for testing purposes.

Let’s install squid3 first:

# yum install squid

A minimal squid configuration file for an authenticating proxy is not too different from the default configuration file that comes with the squid rpm package. The changed parts are hightlighted

#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

auth_param basic program /usr/lib64/squid/pam_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl password proxy_auth REQUIRED
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access deny !localnet
http_access allow localhost
http_access allow password

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

visible_hostname squid3.yourdomain.com

Since the documentation on squid is quite comprehensive, there’s no need to go into detail. You can also look up individual configuration directives Configuration Reference Manual.

Configuration of the squid PAM authentication helper pam_auth is quite simple. It just needs a PAM service to be configured /etc/pam.d/

#%PAM-1.0
auth            include         password-auth
account         include         password-auth

pam_auth also need the correct permissions to access the user password database, which basically requires it to run as root (path is /usr/lib64/squid/pam_auth on CentOS 6 and /usr/lib64/squid/basic_pam_auth on recent versions of Fedora)

chmod u+s /usr/lib64/squid/basic_pam_auth

Please note, that it’s not recommended to use pam_auth for authenticating to a local unix shadow password database. You should at the very least make sure, that it’s in a directory, regular users can’t access.

That’s it. Now enable and start the squid proxy server:

# systemctl enable squid.service 
ln -s '/usr/lib/systemd/system/squid.service' '/etc/systemd/system/multi-user.target.wants/squid.service'
# systemctl start squid.service

The proxy is then reachable at squid3.yourdomain.com:3128

Resources:
http://zeldor.biz/2013/03/squid3-pam_auth/
See also pam_auth manpage

2 thoughts on “Setting up an authenticating proxy server with squid3 and pam_auth

  1. avatarAaron

    WHY??? Why take the time to post directions that don’t work? There are already thousands of them out there!!!!

    chmod u+s /usr/lib/squid3/pam_auth

    File doesn’t exist!!!!!

    And what is this????
    ln -s ‘/usr/lib/systemd/system/squid.service’ ‘/etc/systemd/system/multi-user.target.wants/squid.service’

    /usr/lib/systemd directory doesn’t exist let alone the rest of it!

  2. avataradmin Post author

    @Aaron
    I’ve updated the paths to the auth module. Sorry about that. I’m afraid I can’t see anything being wrong about the line that enables the service though. Are you sure, you are on a systemd distribution? If you still use SysVinit, try ‘chkconfig squid on’ and ‘service squid start’.

Leave a Reply

Your email address will not be published.