Thursday, 18 January 2018

How to set up a squid Proxy with basic username and password authentication in Ubuntu

Background

Most of the big companies have their own proxies through which all the company data is routed through. This ensure malicious sites are blocked and all other traffic is audited via proper authentication. 



To give a little background on Squid proxy -
Squid is a caching and forwarding HTTP web proxy. It has a wide variety of uses, including speeding up a web server by caching repeated requests, caching web, DNS and other computer network lookups for a group of people sharing network resources, and aiding security by filtering traffic. Although primarily used for HTTP and FTP, Squid includes limited support for several other protocols including Internet Gopher, SSL,[6] TLS and HTTPS. Squid does not support the SOCKS protocol.

Squid was originally designed to run as a daemon on Unix-like systems. A Windows port was maintained up to version 2.7. New versions available on Windows use the Cygwin environment.[7] Squid is free software released under the GNU General Public License.

Source : Wiki



Installing Squid proxy on Ubuntu

To install squid server simply run following command in your terminal -
  • sudo apt install squid

Squid run as daemon service in Ubuntu. You can execute following command to see the status of this service -
  • service squid status
It will show you if squid service is running or not.

Some important file paths are -
  • /etc/sqid :  This is where your squid configuration resides
  • /var/log/squid : This is where your squid logs reside
  • /usr/lib/squid3,/usr/lib/squid : This is where your squid modules or libraries reside.
Now that we have Squid proxy installed. Let's configure it.

Squid configuration is located at -
  • /etc/squid/squid.conf
Before you make changed to this file make a copy of this and store it aside. Use following commands to do that -

  • sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.original
  • sudo chmod a-w /etc/squid/squid.conf.original 
This essentially created a copy of  squid.conf called squid.conf.original and removed all write access to it so that no one can accidentally write it.


Default TCP port that Squid listens to is 3128. Go ahead and change it to 8888. I prefer using 8888 port since this is used by other proxies as well like Charles and Fiddler. To do this find a line called

  • http_port 3128
and change it to

  • http_port 8888

Next you need to provide rules to allow and disallow traffic. If you want to just allow trafic from your local machine you can add the following lines to the configuration -
  • acl localhost src 127.0.0.1/32
  • http_access allow localhost 
acl is nothing but access control list. it's a keyword that states acl is starting. Next localhost is the name that is used to indentify the acl. I have named it localhost but it can be anything. Next we have src which is used to identify local IP addresses. Other options are -
  1. srcdomain  : used for declaring local domain, 
  2. dst : used for public IP & 
  3. dstdomain : used for public domain name
Next  we have http_access that will basically take action provide in it's next word on the acl we define. In this we we are saying allow and for acl named localhost that we defined above. So Squid proxy is going to allow all http traffic from local machine (i.e with IP 127.0.0.1)

Last line you can add as  -
  • http_access deny all
which says you deny all other traffic. So the way acl's work is -

For each request that Squid receives it will look through all the http_access statements in order until it finds a line that matches. It then either accepts or denys depending on your setting. The remaining rules are ignored. 

This was basic settings for squid proxy. Now let's see how we can add an authentication to this scheme.

Post configuration you can just restart the squid service -
  • service squid restart
You can also view the service logs for this in file-
  • less /var/log/squid/cache.log
 And you can view the access logs in file -

  • less /var/log/squid/access.log

How to set up a squid Proxy with basic username and password authentication?

For this you can add following lines to your squid configuration file squid.conf -

auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid/passwords
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated

ident_lookup_access deny all
http_access deny all


Above configuration will ensure all traffic is authenticated. The username/password that would be needed to provide access will be stored in a file - /etc/squid/passwords. We will now see how we can create this file.

To generate username/passwrod you need to use a command called htpasswd. You can install this using -
  • apt-get install apache2-utils
Next to generate username/password type in following command -
  • sudo htpasswd -c /etc/squid/passwords YOUR_USERNAME
Replace  YOUR_USERNAME with the user name you want. Eg admin. You will be prompted for password for this username twice. Once done your user is all setup. You can use this credentials to access your proxy.

NOTE : htpasswd stores the password hashed.

One done you can restart your squid service -
  • service squid restart
My conf file looks like below -

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports


http_port 8888

coredump_dir /var/spool/squid

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .               0       20%     4320

auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid/passwords
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated


ident_lookup_access deny all
http_access deny all 



Now you can test this by adding a proxy in firefox and trying to go to a http URL.




Add username/password that you just created before and the URL should be accessible.

Related Links

t> UA-39527780-1 back to top