23. Authentication

23.1 How does Proxy Authentication work in Squid?

Note: The information here is current for version 2.4.

Users will be authenticated if squid is configured to use proxy_auth ACLs (see next question).

Browsers send the user's authentication credentials in the Authorization request header.

If Squid gets a request and the http_access rule list gets to a proxy_auth ACL, Squid looks for the Authorization header. If the header is present, Squid decodes it and extracts a username and password.

If the header is missing, Squid returns an HTTP reply with status 407 (Proxy Authentication Required). The user agent (browser) receives the 407 reply and then prompts the user to enter a name and password. The name and password are encoded, and sent in the Authorization header for subsequent requests to the proxy.

Authentication is actually performed outside of main Squid process. When Squid starts, it spawns a number of authentication subprocesses. These processes read usernames and passwords on stdin, and reply with "OK" or "ERR" on stdout. This technique allows you to use a number of different authentication schemes, although currently you can only use one scheme at a time.

The Squid source code comes with a few authentcation processes. These include:

• LDAP: Uses the Lightweight Directory Access Protocol
• NCSA: Uses an NCSA-style username and password file.
• MSNT: Uses a ackage from Iain Lea to allow Intranet (restricted) or Internet (full) access with URL deny and redirection for sites that are not deemed acceptable for a userbase all via a single proxy port.

  Junkbusters

  Junkbusters Corp has a copyleft privacy-enhancing, ad-blocking proxy server which you can use in conjunction with Squid.

  Squirm

  Squirm is a configurable, efficient redirector for Squid by Chris Foote. Features:

  • Very fast
  • Virtually no memory usage
  • It can re-read it's config files while running by sending it a HUP signal
  • Interactive test mode for checking new configs
  • Full regular expression matching and replacement
  • Config files for patterns and IP addresses.
  • If you mess up the config file, Squirm runs in Dodo Mode so your squid keeps working :-)

  chpasswd.cgi

  Pedro L Orso has adapated the Apache's htpasswd into a CGI program called chpasswd.cgi.

  jesred

  jesred by Jens Elkner.

  squidGuard

  squidGuard is a free (GPL), flexible and efficient filter and redirector program for squid. It lets you define multiple access rules with different restrictions for different user groups on a squid cache. squidGuard uses squid standard redirector interface.

  Central Squid Server

  The Smart Neighbour (or 'Central Squid Server' - CSS) is a cut-down version of Squid without HTTP or object caching functionality. The CSS deals only with ICP messages. Instead of caching objects, the CSS records the availability of objects in each of its neighbour caches. Caches that have smart neighbours update each smart neighbour with the status of their cache by sending ICP_STORE_NOTIFY/ICP_RELEASE_NOTIFY messages upon storing/releasing an object from their cache. The CSS maintains an up to date 'object map' recording the availability of objects in its neighbouring caches.

  21.5 Ident Servers

  For Windows NT, Windows 95/98, and Unix.

  ---

  Next Prev