
How to Set Up User Authentication on Your Squid Proxy Server
Setting up a Squid proxy is an excellent way to manage and filter network traffic, but an open proxy can be a significant security risk. To secure your network and control who can use your proxy, implementing user authentication is a critical step. This guide will walk you through the process of configuring basic user authentication for your Squid proxy on popular Linux distributions like Ubuntu, Fedora, and CentOS.
By requiring a username and password, you gain granular control over proxy access, prevent unauthorized use, and create an audit trail for traffic.
Prerequisites
Before you begin, ensure you have the following:
- A working Squid proxy server installed.
- Root or sudo privileges on the server.
- The necessary tools for password management.
You will need the htpasswd utility to create and manage the user password file. This tool is typically included in the apache2-utils (on Debian/Ubuntu) or httpd-tools (on RHEL/CentOS/Fedora) package.
You can install it with one of the following commands:
- On Ubuntu/Debian:
  ```bash
  sudo apt update && sudo apt install apache2-utils
  ```
- On CentOS/RHEL/Fedora:
  ```bash
  sudo dnf install httpd-tools
  ```
Step 1: Create Your User Password File with htpasswd
The first step is to create a file that will store the usernames and their hashed passwords. We will use the htpasswd command for this.
- Create the file and add the first user. Use the -c flag to create a new password file. For security, it’s best practice to store this file within Squid’s configuration directory, such as /etc/squid/passwd.
  ```bash
  sudo htpasswd -c /etc/squid/passwd your_first_user
  ```
  You will be prompted to enter and then confirm a password for your_first_user.
- Add additional users. To add more users to the same file, do not use the -c flag again, as it will overwrite the existing file. Simply run the command without it.
  ```bash
  sudo htpasswd /etc/squid/passwd another_user
  ```
After creating the password file, it’s crucial to secure its permissions. You should ensure that only the user running Squid (often proxy) can read this file.
```bash
sudo chown proxy:proxy /etc/squid/passwd
sudo chmod 640 /etc/squid/passwd
```
Step 2: Configure Squid to Require Authentication
Now that you have a user file, you need to tell Squid to use it for authentication. This involves editing the main Squid configuration file, located at /etc/squid/squid.conf.
Open the file with your preferred text editor, like nano or vim:
```bash
sudo nano /etc/squid/squid.conf
```
You will need to add or uncomment three key types of directives. It’s best to add these near the top of the http_access rules section for clarity.
1. Define the Authentication Helper
First, you must specify the authentication program Squid will use to verify user credentials. For basic htpasswd authentication, we use basic_ncsa_auth.
Find the auth_param section or add the following lines:
```
# Define the authentication program and password file location
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 2 hours
```
- auth_param basic program...: This is the most important line. It tells Squid to use the basic_ncsa_auth helper and specifies the path to your password file (/etc/squid/passwd). The path to basic_ncsa_auth may vary, so confirm it on your system if needed.
- auth_param basic realm...: This defines the text that will appear in the user’s login prompt.
2. Create an Access Control List (ACL) for Authenticated Users
Next, create an Access Control List (ACL) that identifies any user who has successfully authenticated. This ACL will be used to grant access.
Add the following line just below your auth_param directives:
```
# Create an ACL for authenticated users
acl authenticated proxy_auth REQUIRED
```
This line creates an ACL named authenticated. The rule proxy_auth REQUIRED matches any request where the user has provided valid credentials.
3. Grant Access to Authenticated Users
Finally, you need to create an http_access rule to allow traffic from users who match the authenticated ACL. The order of http_access rules is extremely important. This allow rule must be placed before any general deny rules, like http_access deny all.
Add this line above http_access deny all:
```
# Allow access for authenticated users
http_access allow authenticated
# This rule should already exist and be at the end
http_access deny all
```
Your configuration now tells Squid to allow requests from any successfully logged-in user and deny all others.
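The ordering requirement can be checked mechanically. The following is an added example, not part of the original guide: a shell function that walks the http_access rules in file order and reports any allow rule that matches before a login is demanded, or a deny all that precedes the authenticated allow. The two sample configurations, including the localnet ACL, are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): audit http_access ordering.
# Squid evaluates http_access rules top to bottom and stops at the first match.

check_http_access_order() {   # usage: check_http_access_order /path/to/squid.conf
  awk '
    NF == 0 || $1 ~ /^#/ { next }                        # skip blank lines and comments
    $1 == "acl" && $3 == "proxy_auth" { auth[$2] = 1 }   # ACLs that force a login
    $1 == "http_access" {
      needs_login = 0
      for (i = 3; i <= NF; i++) if ($i in auth) needs_login = 1
      if ($2 == "deny" && $3 == "all" && NF == 3) {
        if (!auth_allow) { print "line " NR ": deny all precedes the authenticated allow"; bad = 1 }
        deny_all = 1
      } else if ($2 == "allow" && !deny_all) {
        if (needs_login) { auth_allow = 1 } else { print "line " NR ": allow rule without a proxy_auth ACL: " $0; bad = 1 }
      }
    }
    END {
      if (!deny_all) { print "no http_access deny all rule found"; bad = 1 }
      exit bad + 0
    }
  ' "$1"
}

# Constructed sample configurations (not taken from any real host).
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.conf" <<'EOF'
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
EOF
cat > "$demo_dir/bypass.conf" <<'EOF'
acl localnet src 10.0.0.0/8
acl authenticated proxy_auth REQUIRED
# first match wins: localnet clients are never asked to log in
http_access allow localnet
http_access allow authenticated
http_access deny all
EOF

for conf in good.conf bypass.conf; do
  if check_http_access_order "$demo_dir/$conf"; then echo "$conf: OK"; else echo "$conf: REVIEW"; fi
done
```

A reported allow rule is not always a mistake (an intentional exception for a management host, for example), but each one is a path through the proxy that skips the login.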
Step 3: Apply and Test Your New Configuration
Once you have saved your changes to squid.conf, you need to apply them.
- Check the configuration for syntax errors. This is a highly recommended step to avoid issues.
  ```bash
  sudo squid -k parse
  ```
  If there are no errors, you can proceed.
- Restart the Squid service to load the new configuration.
  ```bash
  sudo systemctl restart squid
  ```
- Test the authentication. You can test your proxy from a client machine using a tool like curl.
  ```bash
  curl -x http://proxy-user:proxy-password@proxy-server-ip:3128 http://example.com
  ```
  Replace proxy-user, proxy-password, proxy-server-ip, and the port (3128 is the default) with your actual values. If the configuration is correct, you will receive the HTML content of example.com. If you try to connect without credentials, you should receive a 407 Proxy Authentication Required error, confirming that your proxy is now secure.
Security Best Practices and Final Thoughts
Implementing basic authentication is a fundamental security improvement for any Squid proxy. To further enhance your setup:
- Enforce Strong Passwords: Ensure users create complex passwords to protect their credentials.
- Use Encrypted Connections: Basic authentication sends the username and password Base64-encoded, not encrypted, so for higher security consider configuring Squid with SSL/TLS to encrypt the authentication process and client traffic.
- Regularly Audit Users: Periodically review the user list in your password file and remove accounts that are no longer needed.
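The file-permission step from Step 1 and the periodic user review can be combined into one check. This is an added example, not part of the original guide: it flags a password file that users other than the owner and group can access, and lists each account with the hash scheme its entry uses, identified by the prefixes htpasswd writes. The sample entries are constructed placeholders, not real digests, and the WEAK labels are this example's own classification.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): review an htpasswd-format file.
# Returns 0 when nothing is flagged, 1 when something needs review, 2 on error.

audit_passwd_file() {   # usage: audit_passwd_file /etc/squid/passwd
  rc=0
  mode=$(stat -c '%a' "$1") || return 2        # GNU stat, octal mode such as 640
  case $mode in
    *0) ;;                                      # last digit 0: no access for "other"
    *)  echo "MODE $mode: users outside owner and group have access"; rc=1 ;;
  esac
  # Each line is "user:hash"; the start of the hash identifies the scheme.
  awk -F: '
    NF < 2 || $1 ~ /^#/ { next }
    {
      h = $2; p = substr(h, 1, 4)
      if (index(h, "$apr1$") == 1)                             { s = "apr1-md5" }
      else if (p == "$2y$" || p == "$2a$" || p == "$2b$")      { s = "bcrypt" }
      else if (index(h, "{SHA}") == 1)                         { s = "sha1-unsalted WEAK"; bad = 1 }
      else if (length(h) == 13)                                { s = "des-crypt WEAK"; bad = 1 }
      else                                                     { s = "plaintext-or-unknown WEAK"; bad = 1 }
      print $1 ": " s
    }
    END { exit bad + 0 }
  ' "$1" || rc=1
  return $rc
}

# Constructed sample entries; the hash strings are placeholders, not real digests.
sample=$(mktemp)
cat > "$sample" <<'EOF'
alice:$apr1$CONSTRUCT$placeholderplaceholder00
bob:{SHA}placeholderplaceholder0000=
carol:abCONSTRUCTED
EOF
chmod 640 "$sample"
audit_passwd_file "$sample" || echo "review the entries marked WEAK"
```

The user list it prints doubles as the roster to compare against the accounts that should still exist.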
By implementing user authentication, you transform your Squid proxy from an open relay into a secure, managed gateway, giving you complete control over your network’s web access.
Source: https://kifarunix.com/how-to-setup-squid-proxy-basic-authentication-with-username-and-password/


