{"id":1908,"date":"2014-09-01T22:24:20","date_gmt":"2014-09-01T20:24:20","guid":{"rendered":"http:\/\/possiblelossofprecision.net\/?p=1908"},"modified":"2021-05-15T11:46:37","modified_gmt":"2021-05-15T09:46:37","slug":"setting-up-an-authenticating-proxy-server-with-squid3-and-pam_auth","status":"publish","type":"post","link":"https:\/\/possiblelossofprecision.net\/?p=1908","title":{"rendered":"Setting up an authenticating proxy server with squid3 and pam_auth"},"content":{"rendered":"<p>While the <a href=\"http:\/\/www.squid-cache.org\/\">squid proxy server<\/a> has quite a few different <a href=\"http:\/\/wiki.squid-cache.org\/Features\/Authentication\">flavours of authentication<\/a> available, one of the most basic ones, pam_auth, is also one of the most useful ones to get you started quickly. pam_auth lets anyone who has a local account access the squid proxy. In large environments you probably want to use <a href=\"http:\/\/en.wikipedia.org\/wiki\/Ldap\">ldap<\/a> authentication eventually, but pam_auth is great for testing purposes.<\/p>\n<p>Let&#8217;s <strong>install<\/strong> squid3 first:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\n# yum install squid\r\n<\/pre>\n<p>A <strong>minimal squid configuration file<\/strong> for an authenticating proxy is not too different from the default configuration file that comes with the squid rpm package. 
The changed parts are highlighted.<\/p>\n<pre class=\"brush: plain; highlight: [8,9,10,11,12,30,58,60,83]; title: \/etc\/squid\/squid.conf; notranslate\" title=\"\/etc\/squid\/squid.conf\">\r\n#\r\n# Recommended minimum configuration:\r\n#\r\nacl manager proto cache_object\r\nacl localhost src 127.0.0.1\/32 ::1\r\nacl to_localhost dst 127.0.0.0\/8 0.0.0.0\/32 ::1\r\n\r\nauth_param basic program \/usr\/lib64\/squid\/pam_auth\r\nauth_param basic children 5\r\nauth_param basic realm Squid proxy-caching web server\r\nauth_param basic credentialsttl 2 hours\r\nauth_param basic casesensitive off\r\n\r\n# Example rule allowing access from your local networks.\r\n# Adapt to list your (internal) IP networks from where browsing\r\n# should be allowed\r\nacl localnet src 10.0.0.0\/8     # RFC1918 possible internal network\r\n\r\nacl SSL_ports port 443\r\nacl Safe_ports port 80          # http\r\nacl Safe_ports port 21          # ftp\r\nacl Safe_ports port 443         # https\r\nacl Safe_ports port 70          # gopher\r\nacl Safe_ports port 210         # wais\r\nacl Safe_ports port 1025-65535  # unregistered ports\r\nacl Safe_ports port 280         # http-mgmt\r\nacl Safe_ports port 488         # gss-http\r\nacl Safe_ports port 591         # filemaker\r\nacl Safe_ports port 777         # multiling http\r\nacl password proxy_auth REQUIRED\r\nacl CONNECT method CONNECT\r\n\r\n#\r\n# Recommended minimum Access Permission configuration:\r\n#\r\n# Only allow cachemgr access from localhost\r\nhttp_access allow manager localhost\r\nhttp_access deny manager\r\n\r\n# Deny requests to certain unsafe ports\r\nhttp_access deny !Safe_ports\r\n\r\n# Deny CONNECT to other than secure SSL ports\r\nhttp_access deny CONNECT !SSL_ports\r\n\r\n# We strongly recommend the following be uncommented to protect innocent\r\n# web applications running on the proxy server who think the only\r\n# one who can access services on &quot;localhost&quot; is a local user\r\nhttp_access deny 
to_localhost\r\n\r\n#\r\n# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS\r\n#\r\n\r\n# Example rule allowing access from your local networks.\r\n# Adapt localnet in the ACL section to list your (internal) IP networks\r\n# from where browsing should be allowed\r\nhttp_access deny !localnet\r\nhttp_access allow localhost\r\nhttp_access allow password\r\n\r\n# And finally deny all other access to this proxy\r\nhttp_access deny all\r\n\r\n# Squid normally listens to port 3128\r\nhttp_port 3128\r\n\r\n# We recommend you to use at least the following line.\r\nhierarchy_stoplist cgi-bin ?\r\n\r\n# Uncomment and adjust the following to add a disk cache directory.\r\n#cache_dir ufs \/var\/spool\/squid 100 16 256\r\n\r\n# Leave coredumps in the first cache dir\r\ncoredump_dir \/var\/spool\/squid\r\n\r\n# Add any of your own refresh_pattern entries above these.\r\nrefresh_pattern ^ftp:           1440    20%     10080\r\nrefresh_pattern ^gopher:        1440    0%      1440\r\nrefresh_pattern -i (\/cgi-bin\/|\\?) 0     0%      0\r\nrefresh_pattern .               0       20%     4320\r\n\r\nvisible_hostname squid3.yourdomain.com\r\n<\/pre>\n<p>Since the <a href=\"http:\/\/www.squid-cache.org\/Doc\/\">documentation on squid<\/a> is quite comprehensive, there&#8217;s no need to go into detail. You can also look up individual configuration directives in the <a href=\"http:\/\/www.squid-cache.org\/Doc\/config\/\">Configuration Reference Manual<\/a>.<\/p>\n<p>Configuration of the <strong>squid PAM authentication helper<\/strong> <a href=\"http:\/\/linux.die.net\/man\/8\/pam_auth\">pam_auth<\/a> is quite simple. 
It just needs a PAM service configured in \/etc\/pam.d\/&lt;servicename&gt;:<\/p>\n<pre class=\"brush: plain; title: \/etc\/pam.d\/squid; notranslate\" title=\"\/etc\/pam.d\/squid\">\r\n#%PAM-1.0\r\nauth            include         password-auth\r\naccount         include         password-auth\r\n<\/pre>\n<p>pam_auth also needs the <strong>correct permissions<\/strong> to access the user password database, which basically requires it to run as root (the path is <code>\/usr\/lib64\/squid\/pam_auth<\/code> on CentOS 6 and <code>\/usr\/lib64\/squid\/basic_pam_auth<\/code> on recent versions of Fedora):<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nchmod u+s \/usr\/lib64\/squid\/basic_pam_auth\r\n<\/pre>\n<p>Please note that it&#8217;s not recommended to use pam_auth for authenticating against a local unix shadow password database. You should at the very least make sure that the setuid helper is in a directory regular users can&#8217;t access.<\/p>\n<p>That&#8217;s it. Now <strong>enable<\/strong> and <strong>start<\/strong> the squid proxy server:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\n# systemctl enable squid.service \r\nln -s '\/usr\/lib\/systemd\/system\/squid.service' '\/etc\/systemd\/system\/multi-user.target.wants\/squid.service'\r\n# systemctl start squid.service\r\n<\/pre>\n<p>The proxy is then reachable at <strong>squid3.yourdomain.com:3128<\/strong>.<\/p>\n<p>Resources:<br \/>\n<a href=\"http:\/\/zeldor.biz\/2013\/03\/squid3-pam_auth\/\">http:\/\/zeldor.biz\/2013\/03\/squid3-pam_auth\/<\/a><br \/>\nSee also the <a href=\"http:\/\/linux.die.net\/man\/8\/pam_auth\">pam_auth manpage<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>While the squid proxy server has quite a few different flavours of authentication available, one of the most basic ones, pam_auth, is also one of the most useful ones to get you started quickly. pam_auth lets anyone who has a local account access the squid proxy. 
In large environments you probably want to use ldap authentication eventually, but pam_auth is&#8230; <a href=\"https:\/\/possiblelossofprecision.net\/?p=1908\">Read more &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[7,67],"class_list":["post-1908","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-fedora","tag-squid"],"_links":{"self":[{"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/posts\/1908","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1908"}],"version-history":[{"count":22,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/posts\/1908\/revisions"}],"predecessor-version":[{"id":2174,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/posts\/1908\/revisions\/2174"}],"wp:attachment":[{"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1908"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1908"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1908"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}