How does one configure squid3 proxy to support http auth – quick and dirty

httphttp-authenticationPROXYsquid

I am interested in the the easiest solution, authentication doesn't actually have to even test user/pass pairs… it just has to do the http auth challenge. I am trying to test http auth on a proxy for a library that I am working on.

I have implemented a script that returns "ok" to use as my program, as in:

auth_param basic realm Squid proxy-caching web server auth_param basic
program /usr/local/bin/ok

squid dies, this is what shows up in my log:

2012/03/13 13:09:24| WARNING: basicauthenticator #1 (FD 12) exited
2012/03/13 13:09:24| WARNING: basicauthenticator #2 (FD 14) exited
2012/03/13 13:09:24| WARNING: basicauthenticator #3 (FD 16) exited
2012/03/13 13:09:24| WARNING: basicauthenticator #4 (FD 18) exited
2012/03/13 13:09:24| Too few basicauthenticator processes are running
2012/03/13 13:09:24| storeDirWriteCleanLogs: Starting...
2012/03/13 13:09:24|   Finished.  Wrote 0 entries.
2012/03/13 13:09:24|   Took 0.00 seconds (  0.00 entries/sec).
FATAL: The basicauthenticator helpers are crashing too rapidly, need help!

Squid Cache (Version 3.1.19): Terminated abnormally.
CPU Usage: 0.014 seconds = 0.008 user + 0.006 sys
Maximum Resident Size: 5709824 KB
Page faults with physical i/o: 0

there is a reference in the documentation that may be related, but I am not sure how to implement:

#   If you use an authenticator, make sure you have 1 acl of type
#   proxy_auth.

currently trying this:

http://www.cyberciti.biz/tips/linux-unix-squid-proxy-server-authentication.html

Best Answer

Something like this should work:

acl example proxy_auth REQUIRED
http_access allow example

For consistency's sake this is a configuration you can use with LDAP:

auth_param basic program /usr/lib/squid/ldap_auth -ZZ -b "dc=example,dc=com" -f "(&(uid=%s)(!(gn=noaccess))(!(cn=noaccess)))" -h ldap.example.org -v 3
acl ldap proxy_auth REQUIRED
http_access allow ldap
http_access deny all

What it does is it will try to authenticate the user with uid against LDAP server ldap.example.org (preferably use an IP address), and it will not allow access when gn equals "noaccess" OR cn equals "noaccess".

It will deny access to everything else.

Related Solutions

Centos – Failed to run Squid on CentOS 5

2 Problems I think.

The file /usr/lib/squid/ncsa_auth does not exist according to the error. You can check this by running the following command:

file  /usr/lib/squid/ncsa_auth

If you wan't to get Squid running without authentication, have a look at your squid-config and comment lines that have to do with authentication.

Your file wil probably contain the following lines:

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Bla bla what you show your users
auth_param basic credentialsttl 2 hours
auth_param basic case sensitive off

If you want to locate ncsa_auth on your system, use the following command:

rpm -qa | grep ncsa_auth

or, alternatively:

updatedb && locate ncsa_auth

You can then change the location in your config file. Make sure the squid-user had appropriate rights to the binary.

You made a typo in your configuration.

childred should be children. See the config-exerpt above.

Iis – Does IIS support HTTP basic auth and form auth at the same time

Basic Authentication is a term that generally refers to authentication within the HTTP protocol.

Forms based authentication is handled within context of a web-based application. This usually involves a form which sets some kind of session identifier with a cookie, and then when the form is processed information is associated with that session on the server side about the users state.

There really isn't any direct relationship between form based authentication which is basically tracked via the session cookie, and the HTTP-based authentication which is actually directly within the HTTP headers.

how can it be possible that IIS would prevent the use of Basic Auth on a site that uses a custom form auth for its users?

It has nothing to do with IIS preventing basic auth, it has to do with the two not being compatible. If you do your initial authentication with a form, then the associated login state will be stored in a session. But the software handling basic authentication doesn't normally know anything about cookies or sessions, all it knows about is HTTP authentication. When you let IIS perform the authentication stem, the authentication happens before your application is even touched.

If you use the built-in facilities of IIS for Basic authentication then you basically have to use that only.

But, it should be possible to implement HTTP authentication within your application by having your application send and parse the correct HTTP headers. For this you would leave IIS set to forms-based authentication, and then you simply do everything within your application. In that way it should be possible to have your application send out the proper headers depending on the session state.

currently trying this:

Best Answer

Related Solutions

Centos – Failed to run Squid on CentOS 5

Iis – Does IIS support HTTP basic auth and form auth at the same time

Related Topic