44.9. Setting Up Proxy Authentication

Even though it is possible to configure Squid to allow access only from certain IP addresses, you may want to force clients to authenticate themselves to the proxy as well. This might make sense if you want to give only certain people access to the web and cannot use IP address validation due to the use of dynamically assigned addresses on your network. It is also handy for keeping track of who has requested what through the proxy as usernames are recorded in the Squid logs.

All browsers and programs that can make use of a proxy also support proxy authentication. The first time the proxy requests authentication, browsers pop up a login window for a username and password, send them to the proxy, and then automatically send the same credentials with all subsequent requests. Other programs (such as wget or rpm) require the username and password to be specified on the command line.

Each login and password received by Squid is passed to an external authentication program that either approves or denies it. Typically this program checks against a separate users file, but it is possible to write your own programs that use all sorts of methods of validating users. For example, they might be looked up in a database, an LDAP server, or the UNIX user list. Webmin comes with a simple program that reads users from a text file in the same format as Apache uses, and this module lets you edit users in such a file.

To turn on authentication for your Squid proxy, follow these steps:

1.
On the module's main page, click on the Access Control icon to bring up the form shown in Figure 44.4.

2.
Select External Auth from the menu below the ACL table and hit the Create new ACL button.

3.
In the form that appears, enter auth for the ACL name and select All users in the External auth users field. Then, hit the Save button.

4.
Click on Add proxy restriction below the Proxy restrictions table.

5.
Select Deny in the Action field and choose your new auth ACL from the Don't match ACLs list. This will block any proxy requests that are not authenticated, thus forcing clients to log in.

Selecting Allow and then choosing auth from the Match ACLs field can be used for a slightly different purpose. This creates a proxy restriction that allows access to all authenticated clients, which can be positioned to force clients outside your network to log in while not requiring it for those inside the network.

6.
Click the Save button to return to the access control page again.

7.
Use the up arrow next to the new restriction to move it above any entry in the table that allows all access from your own network. If it is below this entry, clients from the network will be able to use the proxy without needing to log in at all. Of course, this may be what you want in some cases.

8.
Click on the Authentication Programs icon back on the main page.

9.
From the Authentication program field, select Webmin default. This tells the module to use the simple text-file authenticator that comes with the module so that you don't have to write your own. Of course, you can specify your own custom program by selecting the last radio button and entering the full path to a script with some parameters in the adjacent text box. This program must continually read lines containing a username and password (separated by a space) as input, and for each one write a line containing either OK or ERR to indicate success or failure, respectively. Squid will run several instances of the program as permanent daemon processes when it is started.

10.
The login window that appears in browsers includes a description of the proxy server that the user is logging into. By default, this is Squid proxy-caching web server, but you can enter your own (such as Example Corporation Proxy) by filling in the Proxy authentication realm field.

11.
Normally, Squid will cache valid logins for one hour to avoid calling on the authentication program for every single request. This means that password changes may take up to an hour to take effect, which can be confusing. To lower this limit, at the cost of increased system load and slightly slower request processing, edit the Time to cache passwords for field.

12.
Hit the Save button and then click on Apply Changes on the main page.
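As an added example (not Webmin's own authenticator or any code from the book), here is a minimal Squid authentication helper in Python that follows the protocol described in step 9: it reads "username password" lines, checks them against an Apache-style users file, and answers OK or ERR on a line of its own. The {SHA} password scheme, the sample users and the file path are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import sys

def sha_entry(username, password):
    """Users-file line in the {SHA} scheme, as `htpasswd -s` writes it."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{username}:{{SHA}}{digest}"

# Constructed sample users file (not from the page): Apache htpasswd format,
# one "username:hashed-password" per line.
SAMPLE_USERS_FILE = "\n".join([
    sha_entry("alice", "correct horse"),
    sha_entry("bob", "hunter2"),
    "# comment and blank lines are ignored",
])

def load_users(text):
    """Read the file once at start-up; edits need a helper restart (Apply Changes)."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            name, stored = line.split(":", 1)
            users[name] = stored
    return users

def password_matches(stored, password):
    """Only {SHA} is handled; crypt(3) and $apr1$ entries fail closed."""
    if not stored.startswith("{SHA}"):
        return False
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest(stored[5:], digest)  # constant-time compare

def check_line(line, users):
    """One helper round: 'username password' in, 'OK' or 'ERR' out, never an exception."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2:
        return "ERR"
    username, password = parts
    stored = users.get(username)
    return "OK" if stored and password_matches(stored, password) else "ERR"

def helper_loop(users, stdin=sys.stdin, stdout=sys.stdout):
    for line in stdin:  # runs for the life of the Squid process
        stdout.write(check_line(line, users) + "\n")
        stdout.flush()  # Squid waits on each answer, so output must not buffer

if __name__ == "__main__":  # usage: auth_helper.py /path/to/users
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_USERS_FILE
    helper_loop(load_users(text))
```

Because the users file is parsed only when the helper starts, a changed password or a new user is not seen until Squid restarts its helper processes, which is exactly why Apply Changes is needed after editing users.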

Now that authentication is enabled, any attempts to use your proxy from a web browser will cause a login window to appear. Because no valid users have been defined yet, no logins will be accepted, which is not particularly useful! To create some users for authentication, follow these steps:

1.
Click on the Proxy Authentication icon on the module's main page to bring up a table listing proxy users. At first, this will be empty.

2.
Click on the Add a new proxy user link above or below the table to display the user creation form.

3.
Enter a login name into the Username field and a password for the user in the Password field.

4.
To temporarily disable this user without deleting the account, change the Enabled? field to No.

5.
Hit the Create button to add the user and then click the Apply Changes link. This last step is necessary after creating a user for the changes to take effect, as Webmin's Squid authentication program only reads the user file when first started.

A user can be edited by clicking on its name in the proxy users list, changing the username, password, or enabled status, and hitting the Save button. You can also completely remove a user with the Delete button on its editing form. Again, Apply Changes must be clicked to make any modifications or deletions active. Squid will also cache valid passwords (as explained above) to reduce the load on the authentication program, so a password change may take some time to take effect.

The module's user management feature will only work if you choose Webmin default in the Authentication program field or if your own custom program takes the full path to an Apache-style users file as a parameter. If your program validates users against some other database or server, or if the module cannot figure out which file contains users from the command, the Proxy Authentication icon will not appear.

Sometimes you may want to allow normal UNIX users to log in to your proxy with the same passwords that they use for telnet and FTP. Even though it is possible to write a program that does proxy authentication against the UNIX user database, there is another solution: configuring the module to add, delete, and update proxy users whenever a UNIX user is created, removed, or renamed. This is most useful for keeping usernames and passwords in sync without needing to grant access to every single UNIX user. Once you have normal authentication set up as explained above, synchronization can be turned on by following these steps:

1.
On the module's main page, click on the Module Config link in the top-left corner.

2.
As their names suggest, the Create proxy users when creating system users, Update proxy users when updating system users, and Delete proxy users when deleting system users fields control the automatic creation, modification, and deletion of proxy users when the same thing happens to a UNIX user. For each one, you can either select Yes or No. You should probably turn on synchronization for updates and deletions, but leave it off for creations so that you can explicitly control who gets access to the proxy.

3.
Hit the Save button at the bottom of the form to activate the new settings. From now on, actions performed in Webmin's Users and Groups module will also affect the Squid user list in the ways you have chosen. Adding a user at the command line with useradd or changing a password with the passwd command, however, will not.

See Chapter 4 for more details on how synchronization with other modules works and how to turn it on.
