# Squid authentication and access control query

## thecooptoo

I'm setting up a machine for my sister + kids. They want content filtering + access control (for the kids - squidguard or dansguardian, I'm going to have a play around with both).

Can I transparently use their Linux login for authentication for Squid, or will they have to log into the proxy as a separate process?

I also want some time-based access control - but just for the kids. Looking at Squid it seems to be IP based - but of course all the requests will be coming from localhost.

What's the best way to achieve this?

----------

## think4urs11

ACLs can be time based as well.

See http://wiki.squid-cache.org/SquidFaq/SquidAcl#head-0f722810cee0817bdefe0a1f5b573542e4761123
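
Putting the two halves of the question together (a login checked against /etc/passwd, plus a time window that applies only to the kids' accounts), here is an added example squid.conf; it is not from either poster. It assumes the helper path the thread later builds (/usr/local/squid/libexec/getpwname_auth) and uses the placeholder user names alice and bob for the kids.

```squid
# Added example, not the thread's own config.
# Assumed: helper path as built in the thread; "alice" and "bob" are
# placeholder logins for the kids' /etc/passwd accounts.
auth_param basic program /usr/local/squid/libexec/getpwname_auth /etc/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl Safe_ports port 80 21 443
acl SSL_ports port 443
acl CONNECT method CONNECT

# Any valid /etc/passwd login; REQUIRED is what triggers the 407 challenge.
acl authenticated proxy_auth REQUIRED
# Only these logins are subject to the time window.
acl kids proxy_auth alice bob
# Day letters: S=Sun M=Mon T=Tue W=Wed H=Thu F=Fri A=Sat; 24-hour clock.
acl kids_hours time MTWHF 16:00-20:00
acl kids_weekend time SA 09:00-20:00

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# A kid outside both windows is refused even with a correct password.
http_access deny kids !kids_hours !kids_weekend
# Everyone else (and kids inside a window) must present a login.
# Deliberately no "http_access allow localhost" above this line: every
# client on this box is 127.0.0.1, so that rule would skip auth entirely.
http_access allow authenticated
http_access deny all

http_port 3128
cache_effective_user squid
```

A `proxy_auth` ACL only matches when it lists user names or the keyword `REQUIRED`, so an `acl name proxy_auth` line with nothing after it never grants access.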

----------

## thecooptoo

I've been having a trawl around the internet.

I found this http://justlinux.com/forum/showthread.php?t=131153, which has a config

```
auth_param basic program /usr/lib/squid/getpwnam_auth /etc/passwd
```

So I assume this uses my /etc/passwd file for authentication.

But I don't seem to have the getpwnam_auth program on my machine?

Where would the emerge have put it - or how do I configure the emerge to include it?

Do I have to compile Squid myself to include it?

----------

## thecooptoo

So I've downloaded Squid and compiled it myself with the getpwnam authentication helper.

```
hepworth andrew # grep ^[A-Za-z] /usr/local/squid/etc/squid.conf
auth_param basic program /usr/local/squid/libexec/getpwname_auth /etc/passwd
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl people  proxy_auth andrew
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow  people
http_access deny all
icp_access allow all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /usr/local/squid/var/logs/access.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_effective_user squid
visible_hostname hepworth
coredump_dir /usr/local/squid/var/cache
hepworth andrew #
```

I start Squid with:

```
2008/03/11 19:14:04| Starting Squid Cache version 2.6.STABLE18 for i686-pc-linux-gnu...
2008/03/11 19:14:04| Process ID 14805
2008/03/11 19:14:04| With 1024 file descriptors available
2008/03/11 19:14:04| Using epoll for the IO loop
2008/03/11 19:14:04| Performing DNS Tests...
2008/03/11 19:14:04| Successful DNS name lookup tests...
2008/03/11 19:14:04| DNS Socket created at 0.0.0.0, port 32803, FD 6
2008/03/11 19:14:04| Adding domain home.nw from /etc/resolv.conf
2008/03/11 19:14:04| Adding nameserver 192.168.0.254 from /etc/resolv.conf
2008/03/11 19:14:04| helperOpenServers: Starting 5 'getpwname_auth' processes
2008/03/11 19:14:04| Unlinkd pipe opened on FD 16
2008/03/11 19:14:04| Swap maxSize 102400 KB, estimated 7876 objects
2008/03/11 19:14:04| Target number of buckets: 393
2008/03/11 19:14:04| Using 8192 Store buckets
2008/03/11 19:14:04| Max Mem  size: 8192 KB
2008/03/11 19:14:04| Max Swap size: 102400 KB
2008/03/11 19:14:04| Rebuilding storage in /usr/local/squid/var/cache (CLEAN)
2008/03/11 19:14:04| Using Least Load store dir selection
2008/03/11 19:14:04| Set Current Directory to /usr/local/squid/var/cache
2008/03/11 19:14:04| Loaded Icons.
2008/03/11 19:14:04| Accepting proxy HTTP connections at 0.0.0.0, port 3128, FD 18.
2008/03/11 19:14:04| Accepting ICP messages at 0.0.0.0, port 3130, FD 19.
2008/03/11 19:14:04| WCCP Disabled.
2008/03/11 19:14:04| Ready to serve requests.
2008/03/11 19:14:04| Done reading /usr/local/squid/var/cache swaplog (0 entries)
2008/03/11 19:14:04| Finished rebuilding storage from disk.
2008/03/11 19:14:04|         0 Entries scanned
2008/03/11 19:14:04|         0 Invalid entries.
2008/03/11 19:14:04|         0 With invalid flags.
2008/03/11 19:14:04|         0 Objects loaded.
2008/03/11 19:14:04|         0 Objects expired.
2008/03/11 19:14:04|         0 Objects cancelled.
2008/03/11 19:14:04|         0 Duplicate URLs purged.
2008/03/11 19:14:04|         0 Swapfile clashes avoided.
2008/03/11 19:14:04|   Took 0.3 seconds (   0.0 objects/sec).
2008/03/11 19:14:04| Beginning Validation Procedure
2008/03/11 19:14:04|   Completed Validation Procedure
2008/03/11 19:14:04|   Validated 0 Entries
2008/03/11 19:14:04|   store_swap_size = 0k
2008/03/11 19:14:05| storeLateRelease: released 0 objects
```

When I access a website with a browser pointing at the proxy (127.0.0.1:3128)

I get an 'authentication required for squid proxy' dialog, but it doesn't let me past with the currently logged in username. Nothing appears in the terminal from the squid process, and this is in the access log:

```
1205262880.566      0 127.0.0.1 TCP_DENIED/407 1698 GET http://www.gentoo.org/ - NONE/- text/html
1205262890.305      6 127.0.0.1 TCP_DENIED/407 1698 GET http://www.gentoo.org/ andrew NONE/- text/html
1205262895.020      0 127.0.0.1 TCP_DENIED/407 1731 GET http://www.gentoo.org/favicon.ico - NONE/- text/html
1205263013.439      0 127.0.0.1 TCP_DENIED/407 1755 GET http://sb.google.com/safebrowsing/update? - NONE/- text/html
1205263073.469      0 127.0.0.1 TCP_DENIED/407 1755 GET http://sb.google.com/safebrowsing/update? - NONE/- text/html
```

So what now?

----------

## thecooptoo

So I can connect through Squid, having logged in as a user, but it's not identifying the user (so I can add more ACLs for different users).

```
andrew@hepworth ~ $ grep ^[A-Za-z] /usr/local/squid/etc/squid.conf
auth_param basic program /usr/local/squid/libexec/getpwname_auth /etc/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl passwd proxy_auth
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow  passwd
http_access deny all
icp_access allow all
http_port 3128
logformat squid  %tl  %Ss/%03Hs  %rm %ru %ul   %mt
access_log /var/log/squid/access.log squid
log_access deny passwd
cache_effective_user squid
logfile_rotate 10
emulate_httpd_log off
log_ip_on_direct on
mime_table /usr/local/squid/etc/mime.conf
log_mime_hdrs off
log_fqdn off
client_netmask 255.255.255.255
strip_query_terms off
ftp_passive on
ftp_sanitycheck on
andrew@hepworth ~ $
```

The log file isn't logging a user:

```
15/Mar/2008:17:00:52 +0000  TCP_MISS/200  GET http://www.bbc.co.uk/home/beta/8.0/img/gradients/bg_sky.gif -   image/gif
15/Mar/2008:17:00:52 +0000  TCP_MISS/200  GET http://www.bbc.co.uk/home/beta/8.0/img/gradients/bg_pink.gif -   image/gif
15/Mar/2008:17:00:52 +0000  TCP_MISS/200  GET http://www.bbc.co.uk/home/beta/8.0/img/gradients/bg_aqua.gif -   image/gif
15/Mar/2008:17:00:52 +0000  TCP_MISS/200  GET http://www.bbc.co.uk/home/beta/8.0/img/iplayer_logo.png -   image/png
15/Mar/2008:17:00:52 +0000  TCP_MISS/200  GET http://www.bbc.co.uk/home/beta/8.0/img/cbbc.png -   image/png
15/Mar/2008:17:00:52 +0000  TCP_MISS/200  GET http://www.bbc.co.uk/home/beta/8.0/img/cbeebies.png -   image/png
15/Mar/2008:17:00:52 +0000  TCP_MISS/200  GET http://www.bbc.co.uk/home/beta/8.0/img/sprite.png -   image/png
15/Mar/2008:17:00:54 +0000  TCP_MISS/200  GET http://www.bbc.co.uk/home/beta/object/clock/tiny.swf -   application/x-shockwave-flash
15/Mar/2008:17:00:54 +0000  TCP_MISS/200  GET http://www.bbc.co.uk/home/beta/8.0/img/logofooter.png?+acv+ba+e*+c1+f1+d*-i+g12 -   image/png
15/Mar/2008:17:00:54 +0000  TCP_MISS/200  GET http://www.bbc.co.uk/home/beta/8.0/script/vs.js -   application/x-javascript
andrew@hepworth ~ $
```

EDIT:

But it does if I comment out the acl localhost and http_access localhost lines.

So I now get a login for the proxy, but it won't let me in:

```
16/Mar/2008:12:08:34 +0000  TCP_DENIED/407  GET http://en-us.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official andrew   text/html
16/Mar/2008:12:08:44 +0000  TCP_DENIED/407  GET http://en-us.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official andrew   text/html
16/Mar/2008:12:08:57 +0000  TCP_DENIED/407  GET http://en-us.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official andrew   text/html
16/Mar/2008:12:09:00 +0000  TCP_DENIED/407  GET http://en-us.start2.mozilla.com/favicon.ico -   text/html
```

----------

## thecooptoo

So I've given up with that and am trying ip_user authentication.

/etc/squid/ip_user.conf

```
127.0.0.1        ALL
```

/etc/squid/squid.conf

```
hepworth andrew # grep ^[a-z] /etc/squid/squid.conf
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 1 hours
auth_param basic casesensitive off
external_acl_type ip_user_helper %SRC %LOGIN /usr/libexec/squid/ip_user_check  -f /etc/squid/ip_user.conf
acl all src 0.0.0.0/0.0.0.0
acl hepworth external ip_user_helper
http_access allow hepworth
http_access deny all
icp_access allow all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
debug_options ALL,1  33,2 28,9
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
visible_hostname AnnesHouse
forwarded_for off
coredump_dir /var/cache/squid
hepworth andrew #
```

And I use a browser to get http://www.bbc.co.uk which -> cache access denied

and this is in cache.log:

```
2008/03/19 21:37:16| aclCheckFast: list: 0x82a76f0
2008/03/19 21:37:16| aclMatchAclList: checking all
2008/03/19 21:37:16| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/19 21:37:16| aclMatchIp: '127.0.0.1' found
2008/03/19 21:37:16| aclMatchAclList: returning 1
2008/03/19 21:37:16| aclCheck: checking 'http_access allow hepworth'
2008/03/19 21:37:16| aclMatchAclList: checking hepworth
2008/03/19 21:37:16| aclMatchAcl: checking 'acl hepworth external ip_user_helper'
2008/03/19 21:37:16| aclMatchAcl: returning 0 sending authentication challenge.
2008/03/19 21:37:16| aclMatchAclList: no match, returning 0
2008/03/19 21:37:16| aclCheck: requiring Proxy Auth header.
2008/03/19 21:37:16| aclCheck: match found, returning 2
2008/03/19 21:37:16| aclCheckCallback: answer=2
2008/03/19 21:37:16| The request GET http://www.bbc.co.uk/ is DENIED, because it matched 'hepworth'
2008/03/19 21:37:16| The reply for GET http://www.bbc.co.uk/ is ALLOWED, because it matched 'hepworth'
```

It would appear to be authenticating the user (i.e. ALL from 127.0.0.1).

So where is it denying the request?
