93

I currently use ip in acl, and I want to use username and password to do this.

tshepang
www
  • Here is another example of how to set up Squid3 with htdigest-style authentication: http://dabase.com/blog/Minimal_squid3_proxy_configuration/ – hendry Jul 11 '12 at 14:44
  • Here is a complete guide for Squid3 installation and configuration with authentication: http://www.hevi.info/2015/09/install-and-setup-squid3-on-ubuntu-14-04-with-authentication/ – hevi Oct 12 '15 at 21:32

1 Answer

233

Here's what I had to do to set up basic auth on Ubuntu 14.04 (didn't find a guide anywhere else).

Basic squid conf

`/etc/squid3/squid.conf` instead of the super bloated default config file

```
auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/passwords
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated

# Choose the port you want. Below we set it to default 3128.
http_port 3128
```

Please note the `basic_ncsa_auth` program instead of the old `ncsa_auth`.

squid 2.x

For squid 2.x you need to edit the `/etc/squid/squid.conf` file and place:

```
auth_param basic program /usr/lib/squid/digest_pw_auth /etc/squid/passwords
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
```

Setting up a user

```
sudo htpasswd -c /etc/squid3/passwords username_you_like
```

and enter a password twice for the chosen username, then

```
sudo service squid3 restart
```

squid 2.x

```
sudo htpasswd -c /etc/squid/passwords username_you_like
```

and enter a password twice for the chosen username, then

```
sudo service squid restart
```

htdigest vs htpasswd

For the many people that asked me: the 2 tools produce different file formats:

  • htdigest stores the password in plain text.
  • htpasswd stores the password hashed (various hashing algos are available)

Despite this difference in format, `basic_ncsa_auth` will still be able to parse a password file generated with `htdigest`. Hence you can alternatively use:

```
sudo htdigest -c /etc/squid3/passwords realm_you_like username_you_like
```

Beware that this approach is empirical, undocumented and may not be supported by future versions of Squid.

On Ubuntu 14.04 htdigest and htpasswd are both available in the [apache2-utils][1] package.

MacOS

Similar steps to the above apply, but file paths are different.

Install squid

```
brew install squid
```

Start squid service

```
brew services start squid
```

Squid config file is stored at `/usr/local/etc/squid.conf`.

Comment out or remove the following line:

```
http_access allow localnet
```

Then, similar to the Linux config (but with updated paths), add this:

```
auth_param basic program /usr/local/Cellar/squid/4.8/libexec/basic_ncsa_auth /usr/local/etc/squid_passwords
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
```

Note that the path to `basic_ncsa_auth` may be different, since it depends on the installed version when using brew; you can verify this with `ls /usr/local/Cellar/squid/`. Also note that you should add the above just below the following section:

```
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
```

Now generate yourself a user:password basic auth credential (note: htpasswd and htdigest are also both available on MacOS)

```
htpasswd -c /usr/local/etc/squid_passwords username_you_like
```

Restart the squid service

```
brew services restart squid
```
GabLeRoux
Stefano Fratini
  • 11
    For me the htdigest command didn't work, however once I had substituted it for "sudo htpasswd -cd /etc/squid3/passwords admin" it did work as expected. – Phil Hannent Sep 22 '14 at 09:29
  • 2
    That's what I thought even if it did work for me. There was a discussion linked to this post with 50% of people saying it works and 50% suggesting a change to htpasswd. I didn't have enough reputation to participate in the discussion though... :( – Stefano Fratini Sep 23 '14 at 11:29
  • Thank you for downvoting my answer Joao Paulo Motta. SO is not a first level support type of system. If you need help you need to provide details around what didn't work, what you've tried exactly, error logs etc – Stefano Fratini May 19 '15 at 23:53
  • 2
    worked for me, but I also had to use htpasswd instead of htdigest, I don't know why but in this way it worked. – Stefano Jul 13 '15 at 16:15
  • @StefanoFratini You should update this answer to use htpasswd instead of htdigest. Squid manuals say it can be manipulated with htpasswd, not htdigest. http://www.squid-cache.org/Versions/v3/3.3/manuals/basic_ncsa_auth.html – Manuel Oct 01 '15 at 21:12
  • This assumes that you use squid3. I am running Squid 2.7. If you do too, add `acl all src all` before the other acl in the conf. And the path being `squid` not `squid3` and the auth binary being `ncsa_auth`, the first line is `auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwords` (remove the `3` for `htpasswd` too then). Hope this helps :) – Antoine Jan 28 '16 at 18:54
  • @antoine129, Please suggest an edit to support both squid3 and squid2 and I will accept it. It's less error prone this way. – Stefano Fratini Jan 29 '16 at 02:20
  • 23
    If your system does not have `htpasswd` please do `sudo apt-get install apache2-utils`. – exebook Sep 28 '16 at 19:11
  • I'm not even sure my answer is still actual @ospider – Stefano Fratini Apr 24 '17 at 11:51
  • @StefanoFratini It's still working, however, on 16.04, the directory has been changed from /etc/squid3 to /etc/squid – ospider Jun 28 '17 at 02:46
  • 1
    This answer has a big mistake. Don't advise using the `-c` argument! It truncates the old htpasswd file if it exists with old users. – Sergey Nevmerzhitsky Mar 02 '18 at 11:23
  • Not surprisingly `-c` [creates the file and if it does exist deletes it first](https://httpd.apache.org/docs/2.4/programs/htdigest.html). This is a common pattern with linux commands? – Stefano Fratini Mar 04 '18 at 22:01
  • How do we generate the `digest_pw_auth` file? – User Nov 23 '18 at 19:24
  • After install, the squid service is OK, but when I add the proxy settings to Firefox, it didn't work. It is always asking for the authentication username and password – MinhNV Dec 27 '18 at 03:41
  • You may add below softlink along with above solution: sudo ln -s /usr/lib/squid3/ncsa_auth /usr/lib/squid3/basic_ncsa_auth – Andy Apr 01 '19 at 08:29
  • I know this question is closed, but I had the same question for MacOS so I edited the answer and added the details here. I confirm it works fine on iOS :) – GabLeRoux Jul 29 '19 at 14:34
  • 1
    `digest_pw_auth` is now renamed to `digest_file_auth` – Konrad Talik Dec 28 '22 at 22:24
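
Added example (not part of the answer, its comments, or Squid itself): Squid evaluates `http_access` rules top to bottom and the first match wins, which is why the macOS steps above remove `http_access allow localnet` before adding the authenticated rule. The sketch below audits a config for `allow` rules that match before authentication is enforced; `audit_squid_auth` and both sample configs are hypothetical and constructed for illustration.

```python
# Added example: audit a squid.conf for rules that let clients in before proxy auth.
# Sample configs below are constructed; audit_squid_auth is a hypothetical helper.

def audit_squid_auth(conf_text):
    """Return (line_number, message) findings; line 0 means 'whole file'."""
    auth_acls = set()       # names of ACLs of type proxy_auth
    helper = None           # program set by 'auth_param basic program'
    gate_seen = False       # True once a rule forces authentication
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[:3] == ["auth_param", "basic", "program"] and len(tokens) > 3:
            helper = tokens[3]
        elif tokens[0] == "acl" and len(tokens) > 2 and tokens[2] == "proxy_auth":
            auth_acls.add(tokens[1])
        elif tokens[0] == "http_access" and len(tokens) > 2:
            action, acls = tokens[1], tokens[2:]
            allow_auth = action == "allow" and any(a in auth_acls for a in acls)
            deny_unauth = (action == "deny" and len(acls) == 1
                           and acls[0].startswith("!") and acls[0][1:] in auth_acls)
            if allow_auth or deny_unauth:
                gate_seen = True
            elif action == "allow" and not gate_seen:
                findings.append((lineno, "allows '%s' without authentication"
                                 % " ".join(acls)))
    if helper is None:
        findings.append((0, "no 'auth_param basic program' helper configured"))
    if not gate_seen:
        findings.append((0, "no http_access rule requires a proxy_auth ACL"))
    return findings

# Constructed sample: the answer's rules placed after a default 'allow localnet'.
WITH_LOCALNET = """\
acl localnet src 192.168.0.0/16
http_access allow localnet
auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/passwords
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
"""
# Same file with the localnet rule commented out, as the answer instructs.
FIXED = WITH_LOCALNET.replace("http_access allow localnet", "#http_access allow localnet")

if __name__ == "__main__":
    for conf in (WITH_LOCALNET, FIXED):
        print(audit_squid_auth(conf))
```

A finding on a rule such as `http_access allow localhost` may be intentional; the audit only shows which clients reach the proxy without credentials.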