# (Mini HOWTO) Squid transparent proxy auth with LDAP

## maiku

As we all know you can't use proxy auth with transparent proxies.  So, an alternate method needs to be used to authenticate.  Luckily, Squid allows you to use custom authentication programs.  This setup gives you blocked sites.  But on the access denied page the user gets a link to allow web access to any website for a given amount of time.  It was made to mimic the behaviour of Sonicwall and like routers.  And of course in a domain setting with LDAP, LDAP already has all of the user names and passwords.

The first script (squidpasswd) is a Perl CGI script that brings up a login page.  That user can then log in through the browser for a specific period of time to be allowed an unlimited amount of internet access (or whatever your Squid ACLs allow).  When a username and password are entered, it binds to LDAP using the username and password entered and then checks to see if the user is part of a specific group (which is changeable).  If he is, the IP then gets logged to a MySQL table.  Then when a website is requested with Squid it checks with the squidauth Perl script and the script checks the MySQL database to see if the user's IP is in it.

Prerequisites:

This article assumes that you have MySQL set up, the machine is the router with iptables installed and configured, squid is already installed with it mostly configured and working, LDAP is installed and configured, and Apache is also installed and configured.

Let's first install the scripts necessary.

The auth script for Squid: http://www.mikealeonetti.com/files/squidauth

The website for temporary auth: http://www.mikealeonetti.com/files/squidpasswd

The SQL file to set up the tables for the auth script: http://www.mikealeonetti.com/files/squidauth.sql

The Squid auth script I'd recommend putting in /usr/local/bin and chmod it to 755.

The website for temporary auth I'd put in your cgi-bin of your website (EG /var/www/localhost/cgi-bin) and also chmod it to 755.

Make sure to modify the squidpasswd script to reflect your LDAP directory structure:

> my $host = "localhost";
> my $suffix = "dc=directory,dc=server";
> my $usersdn = "ou=People,$suffix";
> ...

Set up the MySQL table.  Make sure squidauth.sql is in the current directory:

> # mysql
> mysql> CREATE DATABASE squidauth;
> mysql> GRANT ALL PRIVILEGES ON squidauth.* TO squidauth@localhost IDENTIFIED BY 'squidauth';
> ...

Note that if you want to use another table name or username/pass you have to change the auth entries in the scripts.

Now make these changes in the /etc/squid/squid.conf:

> external_acl_type time_squid_auth ttl=5 %SRC /usr/local/bin/squidauth
> acl interval_auth external time_squid_auth # Put these with your ACLs
> ...

To change the "Access Denied" webpage and add a link to the squidpasswd script either modify the Access Denied page in /usr/share/squid/errors/ (I found mine in /usr/share/squid/errors/templates/ERR_ACCESS_DENIED for English) or create a custom error script and tell Squid to use it for that ACL.

Since the script uses the IP of the machine to tell whether or not it's authenticated, make sure your transparent proxy REDIRECT in iptables excludes access to machines on the local network (mainly the server that has the squidpasswd script running):

> # iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -m iprange ! --dst-range 192.168.1.1-192.168.1.254 -j REDIRECT --to-port 3128

Of course, replace eth1 with the interface associated with the local network and 192.168.1.1-192.168.1.254 with your network.

Update 11/10/2010

The updates for this howto I am maintaining on http://www.mikealeonetti.com/wiki/index.php/Squid_LDAP_transparent_proxy_authentication_script
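The two scripts meet in the MySQL table: squidpasswd inserts the client's IP after a successful LDAP bind and group check, and squidauth answers Squid's `external_acl_type` lookups from that table. The Python below is an added example, not maiku's Perl code, showing the helper side of that design: it speaks the external ACL helper line protocol (one `%SRC` address in, `OK` or `ERR` out, one reply per line) and checks an unexpired grant for that exact IP. The in-memory SQLite table, its column names (`ip`, `expires`) and the expiry-in-minutes logic are assumptions standing in for whatever squidauth.sql actually creates.

```python
import sqlite3
import sys
import time

# Constructed stand-in for the table squidauth.sql creates (assumption: the
# real schema differs; only the "IP -> time-limited grant" idea is from the post).
SCHEMA = """
CREATE TABLE authed_ips (
    ip      TEXT PRIMARY KEY,
    expires INTEGER NOT NULL   -- unix time after which the grant is void
);
"""


def open_db():
    """In-memory SQLite database; the real helper would connect to MySQL."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def grant_access(conn, ip, minutes, now=None):
    """What squidpasswd does once the LDAP bind and group check succeed:
    record the client IP with an expiry some minutes in the future."""
    now = int(time.time()) if now is None else now
    conn.execute(
        "INSERT OR REPLACE INTO authed_ips (ip, expires) VALUES (?, ?)",
        (ip, now + minutes * 60),
    )
    conn.commit()


def check_ip(conn, ip, now=None):
    """squidauth's decision: OK only if an unexpired row exists for this IP."""
    now = int(time.time()) if now is None else now
    row = conn.execute(
        "SELECT expires FROM authed_ips WHERE ip = ?", (ip,)
    ).fetchone()
    if row is None or row[0] <= now:
        return "ERR"
    return "OK"


def handle_line(conn, line, now=None):
    """One lookup from Squid. With `external_acl_type ... %SRC` the line
    carries the client address as its first whitespace-separated token."""
    fields = line.split()
    if not fields:
        return "ERR"
    return check_ip(conn, fields[0], now)


def main():
    conn = open_db()
    # Squid keeps the helper running and writes one lookup per line; each
    # reply must be flushed immediately or Squid blocks waiting for it.
    for line in sys.stdin:
        sys.stdout.write(handle_line(conn, line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Two things the helper's logic makes visible: with `ttl=5` in squid.conf, Squid caches each IP's answer for five seconds, so a grant that has just expired can be honoured for up to that long; and the grant is keyed on the source address alone, so every host that reaches Squid from the same IP (a NAT gateway or a terminal server) shares it.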

----------

## nativemad

Hi, 

Thanks for sharing!!!

I've already played with such a "sonicwall" setup, and if I remember right, it also worked on a terminal-server..... Therefore I think an ip-based solution isn't really enough!

I don't know if maybe a combination with the source-port could be used?!?

Thanks, cheers!

----------

## maiku

Good point.  Using the source port might work and if it is truly random the user would have a very good chance of not crossing over with somebody's auth session.  But then when does the source port change?  Is it just when the user closes the browser?

What is also possible is an enclosing webpage (albeit annoying) sort of like google images that always has the image on the top unless you choose to go to that page.

----------

