Setup Squid Proxy Authentication on Ubuntu 18.04/Fedora 29/28/CentOS 7


Welcome to our guide on how to set up basic Squid Proxy authentication on Ubuntu 18.04/Fedora 29/28/CentOS 7 with a username and password. You may also want to check our previous article on how to install and configure Squid Proxy on Fedora 29/Fedora 28/CentOS 7.


To set up Squid proxy authentication on Ubuntu 18.04/Fedora 29/28/CentOS 7 with a basic username and password, you need to make a few adjustments to the Squid configuration file as follows;

Generate Squid Proxy Authentication Passwords

htpasswd and htdigest are two tools that can be used to generate proxy user authentication passwords. While htpasswd encrypts the passwords and stores them in a hashed format, htdigest stores the passwords in plain text and is hence insecure. In this guide, we are going to use the htpasswd utility.

In order to use htpasswd, you need to have the httpd-tools (CentOS/Fedora) or apache2-utils (Ubuntu) package installed. To install it;

# Ubuntu
sudo apt-get install apache2-utils
# CentOS/Fedora
sudo yum install httpd-tools

Once it is installed, run the commands below to generate the password for users to authenticate.

htpasswd -c /etc/squid/.squid_users amos
New password: 
Re-type new password: 
Adding password for user amos

This creates a password for user amos and stores it under /etc/squid/.squid_users.

To add more users, you need to remove option -c from the htpasswd command, because -c creates the file anew and would overwrite the existing entries. For example;

htpasswd /etc/squid/.squid_users john
New password: 
Re-type new password: 
Adding password for user john

When you check the password file, there are now two users with their encrypted passwords;

less /etc/squid/.squid_users
amos:$apr1$IyfTZICg$2fPImX5o14XC2KPF1kZWv/
john:$apr1$5o0XKeto$m6c5B5KK5ZAK/7A/VIgYB/

The squid user should be able to read this file. Therefore run the command below to set proper permissions;

chown squid /etc/squid/.squid_users
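
chown changes only the owner; the mode bits stay as they were when the file was created, so the hashes listed above may still be readable by every local account. The check below is an added example, not part of the original guide: the function name audit_users_file and its output labels are this example's own, the owner name squid comes from the chown command above, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example (not from the original guide): audit a Squid basic-auth
# password file for ownership, mode bits and per-user hash scheme.

# audit_users_file FILE OWNER
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_users_file() {
    file=$1 want_owner=$2 rc=0

    [ -f "$file" ] || { echo "MISSING $file"; return 1; }

    # GNU stat: %U = owner name, %a = octal mode (for example 644).
    owner=$(stat -c %U "$file")
    mode=$(stat -c %a "$file")

    if [ "$owner" != "$want_owner" ]; then
        echo "OWNER $owner (expected $want_owner)"; rc=1
    fi

    # The last octal digit is the permission set for "other". Anything
    # non-zero lets every local account copy the hashes for offline guessing.
    case $mode in
        *0) ;;
        *)  echo "MODE $mode grants access to other users"; rc=1 ;;
    esac

    # Each line is user:hash. Report which scheme htpasswd used per user.
    while IFS=: read -r user hash; do
        [ -n "$user" ] || continue
        case $hash in
            '$apr1$'*) echo "USER $user apr1-md5" ;;
            '$2y$'*)   echo "USER $user bcrypt" ;;
            '')        echo "USER $user EMPTY-HASH"; rc=1 ;;
            *)         echo "USER $user other" ;;
        esac
    done < "$file"

    return $rc
}

# Usage: audit_users_file /etc/squid/.squid_users squid
```

If it reports a MODE finding, chmod 600 on the file keeps it readable by the owner set in the chown step while closing it to everyone else.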

Verify that the usernames and passwords provided work with Squid proxy. For every correct entry, you should see OK displayed as shown below;

/usr/lib64/squid/basic_ncsa_auth /etc/squid/.squid_users 
amos password
OK
john password
OK

Configure Squid Proxy Authentication

Since all seems fine, proceed to set up Squid proxy basic authentication. Open the Squid configuration file for editing and add the following lines.

auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/.squid_users
auth_param basic children 5
auth_param basic realm Proxy Authentication Required
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

acl auth_users proxy_auth amos john
http_access allow auth_users

As a brief overview of the lines set above;

  • The first line tells Squid to use the basic_ncsa_auth helper program and to find the usernames and passwords in the /etc/squid/.squid_users file.
  • The line auth_param basic children 5 specifies the maximum number of Squid authenticator processes to spawn.
  • auth_param basic realm specifies the protection scope which is to be reported to the client for the authentication scheme.
  • auth_param basic credentialsttl 2 hours specifies how long Squid assumes an externally validated username:password pair is valid for.
  • auth_param basic casesensitive off specifies if usernames are case sensitive.
  • acl auth_users proxy_auth amos john defines the Squid authentication ACL for users that are allowed to authenticate.
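
Squid evaluates http_access lines from top to bottom and stops at the first match, so where the two auth lines land in the file decides whether a login is actually enforced. The lint below is an added example, not part of the original guide: lint_http_access, sample_conf and the finding labels are made-up names, and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): lint the order of
# http_access rules around a proxy_auth ACL.

# lint_http_access [CONF]  (reads stdin when no file is given)
# Prints findings; exits 1 if there are any, 0 otherwise.
lint_http_access() {
    awk '
        $1 == "acl" && $3 == "proxy_auth" { auth[$2] = 1; next }
        $1 != "http_access" { next }
        {
            uses_auth = 0
            for (i = 3; i <= NF; i++) {
                name = $i; sub(/^!/, "", name)   # "!acl" negates an ACL
                if (name in auth) uses_auth = 1
            }
            if (uses_auth) {
                seen_auth = 1
                if (deny_all) {
                    print "UNREACHABLE line " NR ": after deny all on line " deny_all
                    bad = 1
                }
            } else if ($2 == "allow" && !seen_auth) {
                print "BYPASS line " NR ": allow rule is checked before any login rule"
                bad = 1
            } else if ($2 == "deny" && NF == 3 && $3 == "all" && !deny_all) {
                deny_all = NR
            }
        }
        END {
            if (!seen_auth) { print "NO-AUTH no http_access rule uses a proxy_auth ACL"; bad = 1 }
            exit bad
        }
    ' "$@"
}

# Constructed sample: the auth lines added below an existing allow rule.
sample_conf() {
    cat <<'EOF'
acl localnet src 192.168.0.0/16
acl auth_users proxy_auth amos john
http_access allow localnet
http_access allow auth_users
http_access deny all
EOF
}
```

Running sample_conf | lint_http_access reports the allow localnet rule on line 3, since clients in that range are let through before the proxy_auth rule is ever consulted.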

Once you are done with configurations, save the file and restart squid.

systemctl restart squid

Configure your client to authenticate via the Squid proxy server as described in our previous article.

From the client side, if you try to access the internet via browser, you will be prompted to authenticate. See screenshot below;

Squid proxy basic authentication

When you authenticate properly, you will be able to access the internet in the browser.

If you try to download a file using wget, you will be prompted to authenticate;

wget google.com               
--2018-12-19 00:38:21--  http://google.com/
Connecting to 192.168.43.69:3128... connected.
Proxy request sent, awaiting response... 407 Proxy Authentication Required
2018-12-19 00:38:21 ERROR 407: Proxy Authentication Required.

Hence;

wget --proxy-user=amos --proxy-password=password google.com
--2018-12-19 00:39:36--  http://google.com/
Connecting to 192.168.43.69:3128... connected.
Proxy request sent, awaiting response... 301 Moved Permanently
Location: http://www.google.com/ [following]
--2018-12-19 00:39:37--  http://www.google.com/
Reusing existing connection to 192.168.43.69:3128.
Proxy request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html.8’

index.html.8            [ <=>                ]  11.72K  --.-KB/s    in 0.1s    

2018-12-19 00:39:38 (97.6 KB/s) - ‘index.html.8’ saved [12001]

Well, there you go. You have successfully set up Squid proxy authentication on Ubuntu 18.04/Fedora 29/28/CentOS 7 with a username and password. In our next tutorial, we are going to learn how to integrate Squid proxy with LDAP servers for centralized authentication. Thank you for passing by. We hope this was informative.
