Web Proxy Authentication
In my last article, I wrote about installing squid as a caching server that caches pages locally for faster access and also saves bandwidth. In this article, I will add authentication, since anonymous access is not good: one of our primary goals is to have control over the bandwidth we spend money on. If a user knows the passphrase to connect to your wireless access point, or statically assigns an Internet Protocol address to their wired laptop or PC, then they can use the internet data that is available without your knowledge.
To increase control, we have the option of configuring squid to ask for authentication whenever users try to access the internet.
At the top of the squid.conf file, add:
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -b "dc=raliku,dc=local" -D [email protected] -w "passw0rd" -f "(|(userPrincipalName=%s)(sAMAccountName=%s))" -h 192.168.14.158
Notes: basic_ldap_auth is a helper utility that enables squid to connect to an external MS Active Directory (AD) Domain Controller via the LDAP protocol. The options that follow specify the domain (raliku.local), the user (squid) that will be used to connect to the AD, the password for the squid user, the search filter and, lastly, the address of the AD DC server. It is worth mentioning that 192.168.14.158 here is a samba-ad-dc (Samba Active Directory Domain Controller) that I configured on Ubuntu, with Samba provisioned as an MS Server 2008 Domain Controller, without using Microsoft Windows Server 2008 or higher. (I will try to write an article on that later.)
The white laptop is the Active Directory domain controller, the black one is the squid proxy and also the gateway (Linux as a router), and my internet connection is via the Telikom wireless router on the shelf.
After the above lines, create the access control list called "auth", shown below. If you are a programmer, what we are doing here is like creating a variable called auth that can be used anywhere in the configuration file.
acl auth proxy_auth REQUIRED
And just before the catchall rule,
# call the variable auth: allow all access to authenticated users only
http_access allow auth
# catch-all rule that denies all access
http_access deny all
After restarting squid and configuring the web browser with the proxy address, when a user tries to access the internet, a popup window should be displayed asking for a username and password, for which you have to supply your AD username/password combination.
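Before restarting squid, the helper can be checked on its own, because squid talks to it over a simple line protocol: one "user password" request per line in, one verdict per line out. The script below is an added example, not part of the original article; check_credentials and STUB_HELPER are hypothetical names, and the stub stands in for basic_ldap_auth so the script runs without an AD server.

```python
import subprocess
import sys
from urllib.parse import quote

# Constructed stand-in for basic_ldap_auth so the example runs offline.
# It speaks the same helper protocol and accepts only alice / "s3cret pass".
_STUB_SRC = r'''
import sys
from urllib.parse import unquote
for line in sys.stdin:
    fields = line.rstrip("\n").split(" ")
    good = [unquote(f) for f in fields] == ["alice", "s3cret pass"]
    print("OK" if good else "ERR", flush=True)
'''
STUB_HELPER = [sys.executable, "-c", _STUB_SRC]


def check_credentials(helper_argv, pairs, timeout=10):
    """Send (user, password) pairs to a basic-auth helper and return its verdicts.

    Squid writes one request per line, "user password", with both fields
    URL-escaped so that spaces inside a password cannot add extra fields.
    The helper answers each line with OK, ERR or BH (helper failure).
    """
    requests = "".join(
        f"{quote(user, safe='')} {quote(password, safe='')}\n"
        for user, password in pairs
    )
    proc = subprocess.run(helper_argv, input=requests, capture_output=True,
                          text=True, timeout=timeout)
    replies = proc.stdout.splitlines()
    if len(replies) != len(pairs):
        raise RuntimeError(
            f"helper answered {len(replies)} of {len(pairs)} requests: "
            f"{proc.stderr.strip()}")
    # Keep only the result code; helpers may append a message or key=value pairs.
    return [reply.split(" ", 1)[0] for reply in replies]


if __name__ == "__main__":
    # To test the real helper, pass the argv from the auth_param line instead,
    # e.g. ["/usr/lib/squid/basic_ldap_auth", "-R", "-b", "dc=raliku,dc=local", ...].
    tests = [("alice", "s3cret pass"), ("alice", "wrong"), ("mallory", "s3cret pass")]
    for (user, _), verdict in zip(tests, check_credentials(STUB_HELPER, tests)):
        print(f"{user}: {verdict}")
```

When the real helper is swapped in, its -W option reads the bind password from a file, which keeps it off the command line where -w would expose it.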
Head of Web Development @SNS TECH Pty Ltd | Aspiring CTO
3 years ago: very insightful! Thank you, Alois Napitalai
ICT Lab Manager at Surveying and Land Studies Dept(UNITECH)
3 years ago: The trickiest part to this system is adding the squish quota system. I have added it. https://www.mcgill.org.za/software/squish/FAQ