SquidProxy is based on MySQL user and password verification

Source: Internet
Author: User
Tags squid proxy
Overview: This document is written for SquidProxy Based on MySQL user and password authentication. Reference: Author Email: jimcheng@gmail.com this document is released under GPLv2. I. This document has passed the test under Federacore3. Other UnixLinux platforms can be used for similar reference. The main required software packages are: Squid2.5 and above.

Overview: This document is written for Squid Proxy Based on MySQL user and password authentication. Reference: Author Email: jimcheng@gmail.com this document is published under GPL v2. I. This document has passed the test under Federa core 3. Other Unix/Linux platforms can be used for the same reference. The main required software packages are: Squid 2.5 or above.

Overview:

This document is written for Squid Proxy Based on MySQL user and password authentication.

Refer:
Author Email: jimcheng@gmail.com
This document is published under GPL v2.


I.
This document passes the test under Federa core 3. Other Unix/Linux platforms can be referenced in the same way.
Major software packages are required:
Squid 2.5 or above

Make sure squid has been installed
Code:
# Rpm-q squid
Squid-2.5.STABLExxxx-xxxxIII.
(Squid-2.5.STABLE6-3 on my system) // by jerry

MySQL 3.0 or 4.x
(Mysql-3.23.58-13 on my system) // by jerry
Make sure mysql has been installed
Code:
# Rpm-q mysql

MySQL_auth
MySQL_Auth is used to verify the user name and password.

II.
Obtain MySQL_Auth
MySQL_auth Homepage: http://people.arxnet.hu/airween/mysql.auth/
Http://www.sourcefiles.org/Databases/Utilities/
Enter this page and download mysql_auth-0.8.tar.gz

III.
Compile and debug MySQL_Auth and MySQL
A. Compile MySQL_Auth

Code:
$ Tar-xzvf mysql_auth-0.8.tar.gz
$ Mysql_auth-0.8 cd
$ Make
This step usually has an error. The error message is as follows:
Code:
/Usr/bin/ld: cannot find-lmysqlclient
Collect2: ld returned 1 exit status
Make: *** [mysql_auth] Error 1

This error occurs because the path of libmysqlclient is usually/usr/lib/mysql rather than/usr/local/lib, which is not taken into account in Makefile. Therefore, open Makefile, modify the CFLAGS parameter and add the/usr/lib/mysql path:
The modified CFLAGS is:
Code:
CFLAGS =-I/usr/local/include-L/usr/local/lib-L/usr/lib/mysql

Save the modified Makefile and exit vi (or emacs or nano or joe or whatever)
Run make again to compile

Code:
$ Make
Compiled successfully.
$ Su-<-switch to root (this step is not required if it is a root user // by jerry)
# Make install <-run make install to install mysql_auth to the corresponding directory

There are usually two errors in this step. The first error is make reporting that the group nogroup does not exist. You can solve this problem through groupadd nogroup.

Code:
$ Su-c "groupadd nogroup"

If you run make install again, the second error will occur:
Code:
/Usr/bin/install: cannot create regular file '/usr/local/squid/libexec/mysql_auth': No such file or directory

The cause of the error is that the original author did not consider that the/usr/local/squid/directory and the following sub-directories may not exist in advance. You need to modify the Makefile again to fix this problem.
Modify the Install near the end of the Makefile: This part is used to grant all $ (INSTALL)-o nobody-o nogroup... add the-D parameter to the line to force install to create a directory before the cp file.

The format of the modified install content in Make is similar to the following:
Code:
$ (INSTALL)-D-o nobody-o nogroup-m 600 ...... after confirming that the above steps are complete, run make install again

Code:
# Make install

If no error message is reported, mysql_auth is installed successfully.

This step is used. Instead of executing su-c "groupadd nogroup", I changed the nobody and nogroup IN THE (INSTALL) Section of Makefile to squid. That is, the owner and user are both squid. // By jerry

Note 1: If squid is not running as nobody in the system, change the ownership of the/usr/local/squid/etc/mysql_auth.conf file to the corresponding user/group, in Red Hat Enterprise 4, squid is its own identity squid. to run squid, you need to change the conf file:
Code:
Chown squid. squid/usr/local/squid/etc/mysql_auth.conf

The identity in this step involves the use and permission of the file. If nobody and nogroup in the (INSTALL) Section of mysql_auth Makefile are changed to squid at the beginning, you do not need to pay attention to note 1 above. // By jerry.


B. Configure the connection between MySQL and MySQL_Auth.

First, confirm that MySQL 3.0 or later has been correctly installed.
Code:
# Rpm-q mysql

Check whether the MySQL configuration in mysql_auth is correct. The configuration information is described in/usr/local/squid/etc/mysql_auth.conf. For details about the configuration file, see the document ,.
Note the following points in the configuration file:
1. Check whether the hostname is correct. If the local MySQL server is connected by default, the original parameter localhost is not modified.
2. By default, mysql_auth uses username: squid, password: squid to connect to MySQL, and creates the proxy username and password required for squid verification in the data table of mysql_auth database.
(Mysql_auth provides an initialization script to complete a series of operations such as mysql database creation and table creation, which will be mentioned later ).
3. mysql_auth.conf: mysqld_socket is the most important parameter. By default, this parameter points
/Tmp/mysqld. sock
Currently, in most mainstream Linux systems, mysql unix socket has been moved to/var/lib/mysql. sock, So modify this behavior:
Mysqld_socket/var/lib/mysql. sock
In other cases, you can refer to mysql configuration file my. cnf to determine the specific storage location of sock.

4. After completing the preceding steps, run the script provided by mysql_auth to complete the initialization work mentioned in step 2. The script is set to the scripts directory in the directory after mysql_auth-0.8.tar.gz is unlocked.

/****************** By jerry
First, you need to open mysql
Otherwise, the error message "can't connect to local MYSQL server through socket"/var/lib/mysql. sock "(2) appears.
The command to start mysql is:/etc/rc. d/init. d/mysqld start (it is difficult to omit the preceding directory)

If it is started for the first time after installation
The following message is displayed: Initialize the MySQL database: [OK].
Start MySQL: [OK]
.
If it is not the first time, only:
Start MySQL: [OK]

After startup
By default, the user is root and the password is blank (that is, there is no password ).
# Mysql directly enters the press ENTER
Also available # mysql-uroot-p press ENTER
Tip: Enter password: Press Enter.
Of course, if the password is changed, or the current user is not the root user. The user name and password cannot be omitted.
Mysql can be used directly in any directory.
**************** // By jerry

Code:
# Cd scripts
# Mysql-u root-p <create_script
Enter password: The system prompts you to Enter the password of mysql root.

If no error message is displayed, this step is completed. mysql now has a new database named mysql_auth, which only contains one table data. You can access this table through the mysql user squid, password squid to access

5. MySQL_auth also comes with a user management tool mypasswd, which is usually stored in/usr/local/bin/mypasswd.

/****************** By jerry
(To use mypasswd, start mysql first)
1. Add a test user (the squid can be used when it is stopped)
# Mypasswd jerry 54321 <-added a user named jerry whose password is 654321.
Password record ADDED successfully.
(Password record UPDATED succesfully is displayed if the user name is changed)
2. Verify the user you just created and test MYSQL_AUTH (mysql needs to be started first)
#/Usr/local/squid/libexec/mysql_auth
Yang 654321
0 K (if no user is changed or the password is incorrect, ERR is displayed)
3. You can also find the following in the mysql database:
# Mysql-usquid-psquid
# Use mysql_auth
# Select * from data
We will see the user and password created with mypasswd above.
# Quit (or exit is available)
4. Delete the test user
#/Usr/local/bin/mypasswd-d Jersey 654321
Password record DELETED succesfully. <-delete a user named jim. If an error occurs during mypasswd running, check whether the mysql_auth.conf configuration mentioned in step 3 is correct.
**************** // By jerry

V. Configure squid
1. The common location of the squid configuration file is/etc/squid. conf.
2. For more information about squid settings, see the squid configuration document.
3. Find the auth_param section in squid. conf and add the following content:
Code:
Auth_param basic children 5
Auth_param basic realm Squid proxy-caching web server
Auth_param basic credentialsttl 2 hours
Auth_param basic casesensitive off
Auth_param basic program/usr/local/squid/libexec/mysql_auth

(If yes, you do not need to add another // by jerry)
The preceding content specifies that squid can be verified by an external program.

4. Find the acl Configuration section and add the following content:

Code:
Acl YMCT proxy_auth REQUIRED
Http_access allow YMCT ipuseracl

The preceding content stipulates that squid can only be used by users who pass YMCT (mysql user/password) verification.

VI: SELinux problems.
SeLinux of Federo core 3 is enabled by default. selinux will interfere with the startup of mysql_auth. After selinuxdisable, start squid again. The method of disable selinux is
Code:
# Cd/etc/selinux/
# Vi config
Change selinux = enforcing to disabled

Note: In theory, selinux should be able to set the running of allow mysql_auth through policy. For details, refer to the selinux document.
This step must be restarted (logout is difficult), because selinux is enabled now.
VII: Test
Start mysql:
/Etc/rc. d/init. d/mysqld start
Start squid:
/Etc/init. d/squid start (directory cannot be omitted) // by jerry
The normal running squid can be seen from the memory as follows:
Code:
# Pstree

Squid --- 5 * [ip_user_check]
|-5 * [mysql_auth]
|-Unlinkd
Set the proxy settings of the browser on the corresponding client for testing.
**************************************** **************************************** **************************************** **************************************** *****************

Some encounters:
1. auth_param basic realm Squid proxy-caching web server // It is a part of the dialog box that appears if password verification is required when the client is connected.
2.
Set
Acl YMCT proxy_auth REQUIRED
Http_access allow YMCT ipuseracl
Change
Acl our_networks src 202.118.26.186
Http_access allow our_networks
Then, you can change the proxy to access the Internet.
3.
Cache. log.
16:52:51 | WARNING: basicauthenticator #1 (FD 6) exited
16:52:51 | WARNING: basicauthenticator #2 (FD 7) exited
16:52:51 | WARNING: basicauthenticator #3 (FD 8) exited
16:52:51 | Too few basicauthenticator processes are running
This is mainly about permissions. You can use:
Chown squid. squid/usr/local/squid/etc/mysql_auth.conf
Fix it!
4.
To analyze the running status of squid, you can view the log:
/Var/log/message
/Var/log/squid. The following describes cache. log.
5.
Match the ACL. When squid finds the first match, it stops searching.
Http_access uses the "and" logic.
Do not add any statements after http_access deny allow.
5.
Format of acl access control elements:
Acl name type value1 value2

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.