I previously discussed proxy authentication in Section 6.1.2.12. However, I only explained how to write access control rules for proxy authentication. Here, I will show you how to select and configure the authentication helpers.
Recall that Squid supports three ways to collect authentication credentials from the client: Basic, Digest, and NTLM. These schemes specify how Squid accepts user names and passwords from the client. From a security standpoint, Basic authentication is very weak; Digest and NTLM authentication are clearly stronger. For each of these schemes, Squid provides some authentication modules, or helper processes, that do the actual work of processing the authentication.
All of the authentication helpers I mention here are included in the Squid source code release. You specify their directory names with ./configure options at compile time. For example:
The helper programs are normally installed in the $prefix/libexec directory.
Like the redirectors, Squid uses a pool of authentication helper processes. An authentication request is sent to the first idle helper. When all helper processes are busy, Squid places the unhandled requests in a queue. If the queue grows too large, Squid exits with a fatal error message. In most cases, Squid caches authentication results, which reduces the load on the helper processes and improves response time.
12.1 Configuring Squid
The auth_param directive controls every aspect of configuring Squid's authentication helpers. The different schemes (Basic, Digest, NTLM) share some parameters, and each has some unique ones. The first argument immediately following auth_param must be one of basic, digest, or ntlm. I explain the configuration details of each authentication scheme in the following sections.
In addition to auth_param, Squid has two other directives that affect proxy authentication. You can use the max_user_ip ACL to prevent users from sharing their user names and passwords with others. If Squid detects that the same user name is coming from too many different IP addresses, the ACL matches and the request can be denied. For example:
acl foo max_user_ip 2
acl bar proxy_auth REQUIRED
http_access deny foo
http_access allow bar
In this case, if a user submits requests from three or more different IP addresses, Squid denies the requests. The authenticate_ip_ttl directive controls how long Squid remembers each user's source IP addresses. For users who often change their IP addresses, a smaller TTL may be better. In an environment where a user's IP address stays the same for a long time, a larger TTL can be used.
12.2 HTTP Basic Authentication
Basic authentication is the simplest, and also the least secure. It essentially transmits user passwords in plaintext, although the password is encoded into printable characters. For example, if a user types the user name Fannie and the password furpantsclub, the user agent first combines the two into a single string, separating the user name and password with a colon:
Fannie:furpantsclub
It then encodes the string with the Base64 method (defined in RFC 2045). In the HTTP header it looks like this:
Authorization: Basic RmFubmllOmZ1cnBhbnRzY2x1Yg==
If someone happens to capture the user's HTTP request, he can easily decode the user name and password.
Following the requirements of the HTTP/1.1 RFC, Squid does not forward authentication credentials to other servers. In other words, if the credentials were used to access Squid, the Authorization header is removed from the outgoing request.
Note that some of the Basic authentication helpers can be configured to check the system password file. Because Basic credentials are not encrypted, it is a bad idea to use login passwords as cache access passwords. If you choose to use the getpwnam helper, you should fully understand what it means to allow users' passwords to be transmitted over the network in clear text.
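The following added Python example (written for this page, not taken from the book or from Squid) shows exactly how little protection the Base64 step provides: it rebuilds the header above from the user name and password, decodes it back, and runs a small extractor over a constructed set of request header lines to list the user names an on-path observer would learn. The header lines in SAMPLE_HEADERS are constructed, and the function names are my own.

```python
import base64
import binascii


def encode_basic(username: str, password: str) -> str:
    """Build the value of an HTTP Basic credential: 'Basic ' + base64(user:pass)."""
    if ":" in username:
        # The colon separates user name from password, so it cannot appear in the name.
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(header_value: str):
    """Recover (username, password) from a Basic credential value.

    Returns None when the value is not a well-formed Basic credential.
    Splits on the FIRST colon only, so passwords that contain ':' survive.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if ":" not in text:
        return None
    username, _, password = text.partition(":")
    return username, password


def extract_basic_users(header_lines):
    """List the user names sent as Basic credentials in captured header lines.

    A defender can run this over a capture to see what a passive observer
    of the proxy traffic would learn without any cracking at all.
    """
    users = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("authorization", "proxy-authorization"):
            creds = decode_basic(value)
            if creds:
                users.append(creds[0])
    return users


# Constructed sample request header lines; not a real capture.
SAMPLE_HEADERS = [
    "GET http://example.invalid/ HTTP/1.1",
    "Proxy-Authorization: Basic RmFubmllOmZ1cnBhbnRzY2x1Yg==",
    "Authorization: Bearer not-a-basic-credential",
    "Authorization: Basic !!!not-base64!!!",
]

if __name__ == "__main__":
    print(encode_basic("Fannie", "furpantsclub"))
    print(decode_basic("Basic RmFubmllOmZ1cnBhbnRzY2x1Yg=="))
    print(extract_basic_users(SAMPLE_HEADERS))
```

The decoder deliberately rejects anything that is not valid Base64 or not a user:password pair instead of guessing, which matters when the same logic is used in a log parser or an IDS rule rather than a browser.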
HTTP Basic authentication supports the following auth_param parameters:
The program parameter specifies the command for the authentication helper and its arguments. In most cases, this is the pathname of an authentication helper. They are installed by default under /usr/local/squid/libexec.
The children parameter tells Squid how many helper processes to use. The default value is 5, which is a good starting point if you don't know how many processes are needed to handle the requests. If you specify too few, Squid warns you in cache.log.
The realm parameter is the authentication realm string that the user agent shows to the user when prompting for a user name and password. You can use a few simple words, such as "access to Squid's cache proxy".
The credentialsttl parameter specifies how long Squid internally caches authentication results. A larger value reduces the load on the external helper processes, but lengthens the time before Squid notices a change to the authentication database. Note that this only affects positive results (that is, successful authentication); negative results are not cached by Squid. The default TTL is 2 hours.
The following sections discuss the Basic authentication helpers that come with Squid.
12.2.1 NCSA
./configure --enable-basic-auth-helpers=NCSA
The NCSA authentication helper is relatively popular, due to its simplicity and for historical reasons. It stores user names and passwords in a separate text file, similar to the UNIX /etc/passwd file. This password file format was originally developed as part of the NCSA HTTP server project. In squid.conf, you only need to specify the path of the password file as a single command-line argument to the program.
You can use Apache's htpasswd program to create and update the password file. It can also be downloaded from http://www.squid-cache.org/htpasswd/. On that page, you can also download the chpasswd CGI script, which allows users to change their own passwords (if necessary).
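The program parameter above points Squid at any executable that speaks the Basic helper protocol: Squid writes one request line containing the user name and password to the helper's standard input and expects a single OK or ERR line back before it sends the next request (modern Squid URL-encodes both fields). The following is an added example of such a helper, written in Python for this page; it is not the NCSA helper and its password file format (user:hex_salt:hex_pbkdf2_sha256) is a constructed one chosen to avoid storing recoverable passwords, not the htpasswd format. All function names are my own.

```python
import hashlib
import hmac
import os
import sys
from urllib.parse import unquote

# Work factor for the salted PBKDF2-SHA256 hashes in the constructed file format.
PBKDF2_ITERATIONS = 50_000


def make_entry(username: str, password: str, salt: bytes = None) -> str:
    """Produce one password-file line 'user:hex_salt:hex_digest' with a random salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{username}:{salt.hex()}:{digest.hex()}"


def load_db(lines):
    """Parse password-file lines into {user: (salt, digest)}; bad lines are skipped."""
    db = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            continue
        user, salt_hex, digest_hex = parts
        try:
            db[user] = (bytes.fromhex(salt_hex), bytes.fromhex(digest_hex))
        except ValueError:
            continue
    return db


def check_request(line: str, db) -> str:
    """Answer one Squid request line ('user password', URL-encoded) with OK or ERR."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2:
        return "ERR"
    user, password = unquote(parts[0]), unquote(parts[1])
    entry = db.get(user)
    if entry is None:
        # Hash anyway so unknown and known user names take the same time to answer.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\x00" * 16, PBKDF2_ITERATIONS)
        return "ERR"
    salt, expected = entry
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "OK" if hmac.compare_digest(actual, expected) else "ERR"


def serve(db, inp=sys.stdin, out=sys.stdout):
    """Helper main loop: one request per line in, one reply per line out, flushed at once."""
    for line in inp:
        out.write(check_request(line, db) + "\n")
        out.flush()


if __name__ == "__main__":
    # squid.conf would reference it as, for example (hypothetical path):
    #   auth_param basic program /usr/local/squid/libexec/pbkdf2_auth.py /usr/local/squid/etc/passwd
    with open(sys.argv[1]) as f:
        serve(load_db(f))
```

Two details carry over to any helper you write for Squid: flush after every reply, because Squid waits for the answer before sending the next request to that process, and never print anything else to standard output, since every line is interpreted as a reply. The constant-time comparison and the dummy hash for unknown users keep the helper from leaking which user names exist through timing.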
12.2.2 LDAP
./configure --enable-basic-auth-helpers=LDAP
The LDAP helper is an interface to a Lightweight Directory Access Protocol (LDAP) server. Before compiling the squid_ldap_auth helper, the OpenLDAP library and header files must be installed on the system. You can find OpenLDAP at http://www.openldap.org/.
The squid_ldap_auth program requires at least two arguments: the base Distinguished Name (DN) and the LDAP server host name. For example:
The LDAP helper has a Unix man page that describes all of its options and arguments. However, the man page is usually not installed when you run make install. Go to the source tree and run nroff manually to read it. For example:
% cd helpers/basic_auth/ldap
% nroff -man squid_ldap_auth.8 | less
12.2.3 MSNT
./configure --enable-basic-auth-helpers=MSNT
The MSNT helper is an interface to Microsoft NT domain databases via the Server Message Block (SMB) protocol. It uses a small configuration file called msntauth.conf, which must be placed in the $prefix/etc or --sysconfdir directory. In this configuration file, you can specify up to five NT domain controllers. For example:
server pdc1_host bdc1_host my_nt_domain
server pdc2_host bdc2_host another_nt_domain
By default, the MSNT helper allows the domain controllers to authenticate any user. However, it can also allow or deny specific user names. If you create an allowusers file, only the users listed in that file are allowed access to Squid.