
Setting up proxy authentication

Even though it is possible to configure Squid to allow access only from certain IP addresses,
you may want to force clients to authenticate themselves to the proxy as well. This might make
sense if you want to give only certain people access to the web, and cannot use IP address
validation due to the use of dynamically assigned addresses on your network. It is also handy
for keeping track of who has requested what through the proxy, as usernames are recorded in
the Squid logs.
All browsers and programs that can make use of a proxy also support proxy authentication.
Browsers will pop up a login window for entering a username and password to be sent to the
proxy the first time it requests them, and automatically send the same information for all
subsequent requests. Other programs (such as wget or rpm) require the username and
password to be specified on the command line.
Each login and password received by Squid is passed to an external authentication program
which either approves or denies it. Typically this program checks against a separate users file,
but it is possible to write your own programs that use all sorts of methods of validating users.
For example, they might be looked up in a database, or an LDAP server, or the Unix user list.
Webmin comes with a simple program that reads users from a text file in the same format as is
used by Apache, and this module allows you to edit users in such a file.
The steps to turn on authentication for your Squid proxy are:
1. On the module's main page, click on the Access Control icon to bring up the form
shown in Figure 44-4.
2. Select External Auth from the menu below the ACL table and hit the Create new
ACL button.
3. In the form that appears, enter auth for the ACL name and select All users in
the External auth users field. Then, hit the Save button.
4. Click on Add proxy restriction below proxy restrictions table.
5. Select Deny in the Action field and choose your new auth ACL from the Don't match
ACLs list. This will block any proxy requests that are not authenticated, thus forcing
clients to log in.
Selecting Allow and then choosing auth from the Match ACLs field can be used for a
slightly different purpose. This creates a proxy restriction that allows access to all
authenticated clients, which can be positioned to force clients outside your network to
log in while not requiring it for those inside the network.
6. Click the Save button to return to the access control page again.
7. Use the up arrow next to the new restriction to move it above any entry in the table that
allows all access from your own network. If it is below this entry, clients from the
network will be able to use the proxy without needing to log in at all. Of course, this
may be what you want in some cases.
8. Click on the Authentication Programs icon back on the main page.
9. From the Authentication program field, select Webmin default. This tells the module
to use the simple text-file authenticator that comes with the module so that you don't
have to write your own. Of course, you can specify your own custom program by
selecting the last radio button and entering the full path to a script with some
parameters in the adjacent text box. This program must continually read lines
containing a username and password (separated by a space) as input, and for each
output either the line OK or ERR for success or failure, respectively. Squid will run
several instances of the program as permanent daemon processes when it is started.
10. The login window that appears in browsers includes a description of the proxy server
that the user is logging into. By default, this is Squid proxy-caching web server, but you
can enter your own (such as Example Corporation Proxy) by filling in the Proxy
authentication realm field.
11. Normally, Squid will cache valid logins for one hour to avoid calling on the
authentication program for every single request. This means that password changes
may take up to an hour to take effect, which can be confusing. To lower this limit, at the
cost of increased system load and slightly slower request processing, edit the Time to
cache passwords for field.
12. Hit the Save button and then click on Apply Changes on the main page.
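The helper protocol from step 9, as an added example (not Webmin's bundled authenticator): a minimal custom program that answers OK or ERR for each input line. It assumes an Apache-style users file with {SHA} entries, that Squid URL-encodes both fields, and that the file path arrives as the first argument; the names sha_entry, load_users, check and serve are illustrative.

```python
import base64, hashlib, hmac, sys
from urllib.parse import unquote

def sha_entry(password):
    # Apache "{SHA}" format: base64 of the raw SHA-1 digest (unsalted; used here
    # only because the standard library can verify it, prefer bcrypt entries).
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

# Constructed sample users file: one active user, one commented-out line.
SAMPLE = "alice:" + sha_entry("correct horse") + "\n#bob:" + sha_entry("hunter2") + "\n"

def load_users(text):
    """Parse 'user:hash' lines; blank, '#' and malformed lines are ignored."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            name, stored = line.split(":", 1)
            users[name] = stored
    return users

def check(users, username, password):
    # Hash even for unknown users so both paths do the same work, then
    # compare in constant time. A non-{SHA} stored value can never match.
    stored = users.get(username, "")
    return hmac.compare_digest(sha_entry(password).encode(), stored.encode())

def serve(users, stdin, stdout):
    """Answer OK or ERR for each 'username password' line until EOF."""
    for line in stdin:
        parts = line.rstrip("\r\n").split(" ")
        ok = False
        if len(parts) == 2 and all(parts):  # exactly two non-empty fields
            # Assumption: Squid URL-encodes both fields, so decode before checking.
            ok = check(users, unquote(parts[0]), unquote(parts[1]))
        stdout.write("OK\n" if ok else "ERR\n")
        stdout.flush()  # Squid waits on each reply; never leave it buffered

if __name__ == "__main__":
    # Assumption: the users file path is passed as the first argument.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    serve(load_users(text), sys.stdin, sys.stdout)
```

Malformed lines (one field, three fields, empty) get ERR rather than an exception, so a bad request cannot kill the long-running helper process.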
Now that authentication is enabled, any attempts to use your proxy from a web browser will
cause a login window to appear. Because no valid users have been defined yet, no logins will
be accepted, which is not particularly useful! To create some users for authentication, follow
these steps:

1. Click on the Proxy Authentication icon on the module's main page to bring up a table
listing proxy users. At first, this will be empty.
2. Click on the Add a new proxy user link above or below the table to display the user
creation form.
3. Enter a login name into the Username field and a password for the user in the
Password field.
4. To temporarily disable this user without deleting him, change the Enabled? field to No.
5. Hit the Create button to add the user and then click the Apply Changes link. This last
step is necessary after creating a user for the changes to take effect, as Webmin's
Squid authentication program only reads the user file when first started.
A user can be edited by clicking on its name in the proxy users list, changing the username,
password, or enabled status, and hitting the Save button. You can also completely remove a
user with the Delete button on its editing form. Again, Apply Changes must be clicked to make
any modifications or deletions active. Squid will also cache valid passwords (as explained
above) to reduce the load on the authentication program, so a password change may take
some time to take effect.
The module's user management feature will only work if you choose Webmin default in
the Authentication program field or if your own custom program takes the full path to an
Apache-style users file as a parameter. If your program validates users against some other
database or server, or if the module cannot figure out which file contains users from the
command, the Proxy Authentication icon will not appear.
Sometimes you may want to allow normal UNIX users to log in to your program with the
same passwords that they use for telnet and FTP. Even though it is possible to write a
program that does proxy authentication against the UNIX user database, there is another
solution: configuring the module to add, delete, and
update proxy users whenever a UNIX user is created, removed, or renamed. This is most
useful for keeping usernames and passwords in sync without needing to grant access to every
single UNIX user. Once you have normal authentication set up as explained above,
synchronization can be turned on by following these steps:
1. On the module's main page, click on the Module Config link in the top-left corner.
2. As their names suggest, the Create proxy users when creating system users, Update
proxy users when updating system users, and Delete proxy users when deleting
system users fields control the automatic creation, modification, and deletion of proxy
users when the same thing happens to a UNIX user. For each one, you can either
select Yes or No. You should probably turn on synchronization for updates and
deletions, but leave it off for creations so that you can explicitly control who gets
access to the proxy.
3. Hit the Save button at the bottom of the form to activate the new settings. From now
on, actions performed in Webmin's Users and Groups module will also affect the Squid
user list in the ways you have chosen. Adding a user at the command line with
useradd or changing a password with the passwd command, however, will not.

http://doxfer.webmin.com/Webmin/Squid_Proxy_Server
