<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Draft//EN">
<HTML>
<HEAD>
<TITLE>SQUID Frequently Asked Questions: Authentication</TITLE>
</HEAD>
<BODY>
<A HREF="FAQ-24.html">Next</A>
<A HREF="FAQ-22.html">Previous</A>
<A HREF="FAQ.html#toc23">Contents</A>
<HR>
<H2><A NAME="s23">23. Authentication</A></H2>
<H2><A NAME="ss23.1">23.1 How does Proxy Authentication work in Squid?</A>
</H2>
<P><EM>Note: The information here is current for version 2.4.</EM>
<P>Users will be authenticated if squid is configured to use <EM>proxy_auth</EM>
ACLs (see next question).
<P>Browsers send the user's authentication credentials in the
<EM>Authorization</EM> request header.
<P>If Squid gets a request and the <EM>http_access</EM> rule list
gets to a <EM>proxy_auth</EM> ACL, Squid looks for the <EM>Authorization</EM>
header. If the header is present, Squid decodes it and extracts
a username and password.
<P>If the header is missing, Squid returns
an HTTP reply with status 407 (Proxy Authentication Required).
The user agent (browser) receives the 407 reply and then prompts
the user to enter a name and password. The name and password are
encoded, and sent in the <EM>Authorization</EM> header for subsequent
requests to the proxy.
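<P>As an added example (not Squid's own code), here is the decoding step described above: what the user agent puts after <EM>Basic</EM> in the credentials header, and how the proxy recovers the username and password from it, refusing malformed values and splitting only on the first colon so that a password may itself contain one. The latin-1 fallback for non-UTF-8 bytes is an assumption made for the example.

```python
import base64
import binascii

def encode_credentials(user, password):
    """What the browser puts after 'Basic ' once the user has typed a name and password."""
    return base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")

def extract_credentials(header_value):
    """Returns (user, password) from a 'Basic <base64>' header value, or None if unusable.
    Only the first ':' separates the two fields, so the password may contain ':'."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        raw = base64.b64decode(blob.strip(), validate=True)   # reject junk, not just pad it
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        text = raw.decode("latin-1")   # assumed fallback for legacy user agents
    user, sep, password = text.partition(":")
    if not sep or not user:
        return None                    # no separator or empty username: unusable
    return user, password

def proxy_decision(header_value):
    """The branch from the text: no usable credentials -> challenge (407), else proceed."""
    if header_value is None:
        return "challenge", None
    creds = extract_credentials(header_value)
    if creds is None:
        return "challenge", None       # treat a garbled header like a missing one
    return "authenticated", creds
```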
<P>
<P>Authentication is actually performed outside of main Squid process.
When Squid starts, it spawns a number of authentication subprocesses.
These processes read usernames and passwords on stdin, and reply
with "OK" or "ERR" on stdout. This technique allows you to use
a number of different authentication schemes, although currently
you can only use one scheme at a time.
<P>The Squid source code comes with a few authentication processes.
These include:
<UL>
<LI>LDAP: Uses the Lightweight Directory Access Protocol</LI>
<LI>NCSA: Uses an NCSA-style username and password file.</LI>
<LI>MSNT: Uses a Windows NT authentication domain.</LI>
<LI>PAM: Uses the Linux Pluggable Authentication Modules scheme.</LI>
<LI>SMB: Uses an SMB server like Windows NT or Samba.</LI>
<LI>getpwnam: Uses the old-fashioned Unix password file.</LI>
</UL>
<P>
<P>In order to authenticate users, you need to compile and install
one of the supplied authentication modules, one of
<A HREF="http://www.squid-cache.org/related-software.html#auth">the others</A>,
or supply your own.
<P>
<P>You tell Squid which authentication program to use with the
<EM>authenticate_program</EM> option in squid.conf. You specify
the name of the program, plus any command line options if
necessary. For example:
<PRE>
authenticate_program /usr/local/squid/bin/ncsa_auth /usr/local/squid/etc/passwd
</PRE>
<P>
<P>
<H2><A NAME="ss23.2">23.2 How do I use authentication in access controls?</A>
</H2>
<P>Make sure that your authentication program is installed
and working correctly. You can test it by hand.
<P>Add some <EM>proxy_auth</EM> ACL entries to your squid configuration.
For example:
<PRE>
acl foo proxy_auth REQUIRED
acl all src 0/0
http_access allow foo
http_access deny all
</PRE>
The REQUIRED term means that any authenticated user will match the
ACL named <EM>foo</EM>.
<P>Squid allows you to provide fine-grained controls
by specifying individual user names. For example:
<PRE>
acl foo proxy_auth REQUIRED
acl bar proxy_auth lisa sarah frank joe
acl daytime time 08:00-17:00
acl all src 0/0
http_access allow bar
http_access allow foo daytime
http_access deny all
</PRE>
In this example, users named lisa, sarah, joe, and frank
are allowed to use the proxy at all times. Other users
are allowed only during daytime hours.
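<P>An added example (not Squid's own code) that models the second configuration above: each <EM>http_access</EM> line is tried in order, a line applies only when every ACL named on it matches, and the first applicable line decides. It lets you check who gets through at a given time of day before deploying the rules.

```python
from datetime import time

# The squid.conf fragment above, as data. proxy_auth with REQUIRED matches any
# authenticated user; otherwise the argument is a list of usernames.
ACLS = {
    "foo": ("proxy_auth", ["REQUIRED"]),
    "bar": ("proxy_auth", ["lisa", "sarah", "frank", "joe"]),
    "daytime": ("time", ["08:00-17:00"]),
    "all": ("src", ["0/0"]),
}
HTTP_ACCESS = [
    ("allow", ["bar"]),
    ("allow", ["foo", "daytime"]),
    ("deny", ["all"]),
]

def acl_matches(name, user, now):
    """user is the authenticated username, or None when no valid credentials were sent."""
    kind, args = ACLS[name]
    if kind == "proxy_auth":
        if user is None:
            return False   # real Squid issues the 407 challenge at this point (see 23.1)
        return args == ["REQUIRED"] or user in args
    if kind == "time":
        start, end = (time.fromisoformat(t) for t in args[0].split("-"))
        return start <= now <= end
    if kind == "src":
        return True        # 0/0 covers every client address
    raise ValueError(f"unsupported ACL type {kind}")

def http_access(user, hhmm):
    """Returns 'allow' or 'deny' for a user at clock time 'HH:MM'."""
    now = time.fromisoformat(hhmm)
    for action, names in HTTP_ACCESS:
        if all(acl_matches(n, user, now) for n in names):
            return action
    return "deny"          # never reached here: 'deny all' matches every request
```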
<P>
<H2><A NAME="ss23.3">23.3 Does Squid cache authentication lookups?</A>
</H2>
<P>Yes. Successful authentication lookups are cached for
one hour by default. That means (in the worst case) it's possible
for someone to keep using your cache for up to an hour after they
have been removed from the authentication database.
<P>You can control the expiration
time with the <EM>authenticate_ttl</EM> option.
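<P>An added example (not Squid's own code) of the worst case just described: a positive answer from the helper is cached for <EM>authenticate_ttl</EM> seconds, so an account deleted from the backend keeps working until its cached entry expires. The cache key (username, password) and the in-memory backend are assumptions made for the example.

```python
import time

AUTHENTICATE_TTL = 3600   # seconds: the one-hour default from the text above

class AuthCache:
    """Remembers successful helper answers for ttl seconds, keyed on (user, password)."""
    def __init__(self, helper, ttl=AUTHENTICATE_TTL, clock=time.monotonic):
        self.helper, self.ttl, self.clock = helper, ttl, clock
        self.ok_until = {}          # (user, password) -> expiry timestamp

    def check(self, user, password):
        key, now = (user, password), self.clock()
        if self.ok_until.get(key, 0) > now:
            return True             # served from cache; the helper is not consulted
        if self.helper(user, password):
            self.ok_until[key] = now + self.ttl
            return True
        self.ok_until.pop(key, None)
        return False

# Constructed stand-in for the external authentication program's database.
BACKEND = {"lisa": "s3cret"}

def helper(user, password):
    return BACKEND.get(user) == password

def revocation_lag_demo(ttl=AUTHENTICATE_TTL):
    """Returns (allowed right after the account is removed, allowed once the TTL has passed)."""
    clock = [0.0]                                   # fake clock so the test needs no waiting
    cache = AuthCache(helper, ttl, clock=lambda: clock[0])
    if not cache.check("lisa", "s3cret"):
        raise RuntimeError("initial lookup should succeed")   # populates the cache at t=0
    del BACKEND["lisa"]                             # account removed from the database
    still_allowed = cache.check("lisa", "s3cret")   # t=0: the cached answer wins
    clock[0] = ttl + 1
    after_expiry = cache.check("lisa", "s3cret")    # entry expired: helper asked again -> ERR
    BACKEND["lisa"] = "s3cret"                      # restore so the demo can be re-run
    return still_allowed, after_expiry
```

Lowering <EM>authenticate_ttl</EM> shortens that window at the cost of more helper lookups.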
<P>
<P>
<H2><A NAME="ss23.4">23.4 Are passwords stored in clear text or encrypted?</A>
</H2>
<P>Squid stores cleartext passwords in its memory cache.
<P>Squid writes cleartext usernames and passwords when talking to
the external authentication processes. Note, however, that this
interprocess communication occurs over TCP connections bound to
the loopback interface. Thus, it's not possible for processes on
other computers to "snoop" on the authentication traffic.
<P>
<P>Each authentication program must select its own scheme for persistent
storage of passwords and usernames.
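<P>An added example (not Squid's own code, and not one of the bundled helpers) that ties this point to the helper protocol from 23.1: the program receives the cleartext username and password on stdin, answers <EM>OK</EM> or <EM>ERR</EM> on stdout, and chooses its own at-rest scheme, here a salted PBKDF2 hash per user. The file layout <EM>user:salt_hex:hash_hex</EM>, the single-space separator on the request line, and the sample entry are assumptions made for the example; this is not the NCSA-style file that <EM>ncsa_auth</EM> reads.

```python
import hashlib
import hmac
import sys

SAMPLE_SALT = bytes(range(16))   # constructed; a real helper would use os.urandom(16)

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

# Constructed sample password file: one "user:salt_hex:hash_hex" line.
SAMPLE_PASSWD = [f"lisa:{SAMPLE_SALT.hex()}:{hash_password('s3cret', SAMPLE_SALT)}"]

def load_passwd(lines):
    """Parses the password file into {user: (salt, digest)}; blank and # lines are skipped."""
    db = {}
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            user, salt_hex, digest = line.split(":", 2)
            db[user] = (bytes.fromhex(salt_hex), digest)
    return db

def check(db, user, password):
    entry = db.get(user)
    if entry is None:
        hash_password(password, b"\0" * 16)   # same cost whether or not the user exists
        return False
    salt, digest = entry
    return hmac.compare_digest(hash_password(password, salt), digest)

def handle_line(db, line):
    """One request: 'user password' read from stdin -> 'OK' or 'ERR' written to stdout."""
    parts = line.rstrip("\r\n").split(" ", 1)   # assumed: a single space separates the fields
    if len(parts) != 2 or not parts[0]:
        return "ERR"
    return "OK" if check(db, *parts) else "ERR"

def main():
    # As on the authenticate_program line in 23.1, the password file comes as argv[1];
    # without one, the constructed sample is used so the script runs stand-alone.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            db = load_passwd(f)
    else:
        db = load_passwd(SAMPLE_PASSWD)
    for line in sys.stdin:                 # one request per line for the helper's lifetime
        sys.stdout.write(handle_line(db, line) + "\n")
        sys.stdout.flush()                  # Squid waits for the reply; never leave it buffered

if __name__ == "__main__":
    main()
```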
<P>
<P>
<HR>
<A HREF="FAQ-24.html">Next</A>
<A HREF="FAQ-22.html">Previous</A>
<A HREF="FAQ.html#toc23">Contents</A>
</BODY>
</HTML>