Proxy Authentication with Squid

1
Proxy Authentication with Squid
Bertold Kolics, MTA-SzTAKI, Bertold.Kolics_at_sztaki.hu
2
Agenda
  • WWW/proxy authentication primer
  • Proxy authentication in Squid
  • Practical session
      • configuring Squid to use proxy authentication for
        end users
      • using the LDAP authenticator module

3
WWW/Proxy Authentication Primer...
  • Two fundamental types
      • WWW
          • end-to-end
          • authorization for accessing web resources
            (realms) defined by URI(s)
      • proxy
          • hop-by-hop
          • authorization to use a proxy service that will
            fetch the URI(s) requested by the user agent

4
...WWW/Proxy Authentication Primer
  • Two authentication schemes
      • Basic
          • simple
          • implemented by all HTTP clients/servers/proxies
          • offers no security (passwords are sent in
            clear-text)
      • Digest
          • implemented by only a few HTTP
            clients/servers/proxies
          • offers better security than the Basic scheme
            (passwords are protected (not encrypted!))
  • More information: RFC 2617 (and 2616)

5
WWW Authentication
Step 1. User requests a page
    GET /protected/ HTTP/1.1
    Host: www.sztaki.hu
    ...
Step 2. Server asks UA to authenticate
    HTTP/1.1 401 Authorization Required
    WWW-Authenticate: Basic realm="Protected web"
    ...
Step 3. UA sends authentication credentials
    GET /protected/ HTTP/1.1
    Host: www.sztaki.hu
    Authorization: Basic dXNlcjpwYXNzd29yZA ...
Step 4. Authentication accepted and page sent
    HTTP/1.1 200 OK
    Date: Tue, 15 Feb 2000 16:41:04 GMT
    Server: Apache/1.3.9 (Unix)
    ...
6
Proxy Authentication...
Step 1. User requests a page through a proxy
    GET http://www.terena.nl/ HTTP/1.0
    ...
Step 2. Proxy asks UA to authenticate
    HTTP/1.0 407 Proxy Authentication Required
    Proxy-Authenticate: Basic realm="Squid proxy ...
Step 3. UA sends proxy authentication credentials
    GET http://www.terena.nl/ HTTP/1.0
    Proxy-Authorization: Basic YmVydG9sZDp0ZXN6dA ...
Step 4. Proxy accepts authentication and requests
the page from the server
    GET / HTTP/1.0
    Via: 1.0 cache.iif.hu:3128 (Squid/2.4.DEVEL2)
    ...
7
...Proxy Authentication
Step 5. Server sends the requested page
    HTTP/1.1 200 OK
    Date: Tue, 11 Feb 2000 18:41:04 GMT
    Server: Apache/1.3.9 (Unix)
    ...
Step 6. Proxy passes the result back to the UA
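
Added example (not part of the original slides): the Python below decodes the Basic credential from the Step 3 request and builds the upstream request of Step 4, showing that the Base64 token is an encoding rather than protection and that Proxy-Authorization is hop-by-hop while Authorization is end-to-end. The function names are hypothetical, and the sample request is constructed from the slide with its elided headers left out.

```python
import base64
import binascii

# Constructed sample: the Step 3 request from the slides, elided headers omitted.
STEP3_REQUEST = (
    "GET http://www.terena.nl/ HTTP/1.0\r\n"
    "Proxy-Authorization: Basic YmVydG9sZDp0ZXN6dA\r\n"
    "\r\n"
)
VIA = "1.0 cache.iif.hu:3128 (Squid/2.4.DEVEL2)"  # Via value shown in Step 4

def parse_request(raw):
    """Return (request_line, [(header_name, value), ...]) for a raw request."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = [tuple(p.strip() for p in line.split(":", 1))
               for line in head[1:] if ":" in line]
    return head[0], headers

def decode_basic(value):
    """Return (user, password) from a Basic credential, or None if malformed."""
    parts = value.split()
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    token = parts[1] + "=" * (-len(parts[1]) % 4)  # tolerate lost '=' padding
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = text.partition(":")  # password may itself contain ':'
    return (user, password) if sep else None

def proxy_credentials(raw):
    """Credentials the proxy (not the origin server) receives, if any."""
    _, headers = parse_request(raw)
    for name, value in headers:
        if name.lower() == "proxy-authorization":
            return decode_basic(value)
    return None

def forward(raw, via=VIA):
    """Build the upstream request: drop the hop-by-hop Proxy-Authorization
    header, pass end-to-end headers (e.g. Authorization) through, add Via."""
    request_line, headers = parse_request(raw)
    method, uri, version = request_line.split(" ")
    path = "/" + uri.split("://", 1)[-1].partition("/")[2]  # absolute URI -> path
    kept = [(n, v) for n, v in headers if n.lower() != "proxy-authorization"]
    kept.append(("Via", via))
    lines = [f"{method} {path} {version}"] + [f"{n}: {v}" for n, v in kept]
    return "\r\n".join(lines) + "\r\n\r\n"
```

Anyone who can observe the client-to-proxy hop can run the same decoding, so Basic proxy authentication protects the password only as far as that network path is trusted.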
8
Proxy Authentication in Squid
  • only Basic authentication scheme supported
  • end-users: ACL rules
  • peer cache: parameter in the cache_peer line
  • external authenticator modules shipped with
    Squid
      • LDAP-based
      • NT domain based
      • NCSA httpd style password file
      • PAM module
      • getpwnam() based

9
Module Installation
  • change directory to src/auth_modules/LDAP
  • edit squid_ldap_auth.c
      • change SEARCHBASE to
          #define SEARCHBASE "ou=proxyauth,dc=sztaki,dc=hu"
      • add the following lines below SEARCHBASE
          #undef LDAP_PORT
          #define LDAP_PORT 1389
  • type make
  • type make install

10
End-user Proxy Authentication...
  • add the following lines to the appropriate
    section in squid.conf
      authenticate_program <path>/squid_ldap_auth n0.hpcc.sztaki.hu
      acl myusers proxy_auth REQUIRED
      http_access allow myusers

11
...End-user Proxy Authentication
  • examine the following options in squid.conf as
    well
      • authenticate_children
      • authenticate_ttl
      • authenticate_ip_ttl

12
Adding an entry to the directory
  • create an LDIF file (authentry.ldif) containing
      dn: uid=username,ou=proxyauth,dc=sztaki,dc=hu
      userpassword: password
      objectclass: cacheuser
  • use the command below to add this entry to the
    directory
      ldapadd -D cn=manager,ou=proxyauth,dc=sztaki,dc=hu -w d2cache -f authentry.ldif

13
Testing
  • Start Squid
  • When prompted, use the configured
    username/password
  • Examine Squid logs!