--- category: '' date: 2003/09/15 19:58 description: '' link: '' priority: '' slug: '6' tags: linux title: Squid authentication via POP or IMAP type: text updated: 2003/09/15 19:58 url_type: '' --- .. raw:: html

Why do this?

It is often obviously needed to restrict web access based on usernames and passwords, rather than IP numbers, specially if users switch computers often (example, a computer lab in a school).

The usual ways to handle this are:

PAM authentication for Squid
This makes Squid use the system's list of users to identify the clients. The problem is, of course, that then you need to have all the users defined in the Squid system, or something involving remote PAM authentication, which is non-trivial sometimes.
NTLM authentication for Squid
This uses the windows session credentials to check identity against a Windows Domain Controller. The issues here for Linux clients are obvious. Besides, sometimes people don't start sessions, or have generic sessions shared between many users.
Apache style password files
The same problems as PAM, and you don't have the chance to authenticate remotely.

So, here's another solution: make Squid check the user and password against a POP or IMAP account. As long as everyone has a mail account on some server (all users in the same server, if you want this to be simple), this should work.

External Authentication Programs

Squid uses external programs to handle the authentication. Here are simple versions written in Python. feel free to write better ones in other languages and send them to me.

POP3 external authentication program for Squid
#!/usr/bin/env python
    
    from poplib import POP3
    import sys
    
    
    #POP server against which we authenticate
    server="127.0.0.1"
    #Port number for POP server. Usually 110
    port=110
    
    
    #Below here you shouldn't need to edit anything
    
    while 1:
    
    	#Read user and password from stdin, remove the newline, split at the space
    	#and assign to the user and password variables
    
    	line=sys.stdin.readline()[:-1]
    	[user,password]=line.split(' ')
    
    	#Connect to the POP server
    
    	p=POP3(server,port)
    
    	#Try to authenticate. If it doesn't work, it throws an exception
    
    	try:
    		p.user(user)
    		p.pass_(password)
    	except:
    
    		#If it threw an exception, log in cache.log the ayth booboo
    		sys.stderr.write("ERR authenticating %s\n"%user)
    		#Then deny access
    		sys.stdout.write("ERR\n")
    		#IMPORTANT!!!!!!!!!!!! Flush stdout
    		sys.stdout.flush()
    		continue
    
    	#If it didn't throw exceptions, that means it authenticated
    
    	#Log success to cache.log
    	sys.stderr.write("OK authenticated %s\n"%user)
    	#Then allow access
    	sys.stdout.write("OK\n")
    	sys.stdout.flush()
    

The IMAP version is better because POP access often locks the mailbox, so you could have authentication failures in the proxy is the user is reading his mail at the same time. As you can see, the programs are pretty much the same.

Of course, it is possible to write versions that use secure POP, or TLS, or APOP. Since I don't need them, I won't write them, but it is possible if you write them ;-)

IMAP external authentication program for Squid
#!/usr/bin/env python
    
    from imaplib import IMAP4
    import sys
    
    
    #IMAP server against which we authenticate
    server="127.0.0.1"
    #Port number for IMAP server. Usually 143
    port=143
    
    
    #Below here you shouldn't need to edit anything
    
    while 1:
    
    	#Read user and password from stdin, remove the newline, split at the space
    	#and assign to the user and password variables
    
    	line=sys.stdin.readline()[:-1]
    	[user,password]=line.split(' ')
    
    	#Connect to the IMAP server
    
    	p=IMAP4(server,port)
    
    	#Try to authenticate. If it doesn't work, it throws an exception
    
    	try:
    		p.login(user,password)
    	except:
    
    		#If it threw an exception, log in cache.log the auth booboo
    		sys.stderr.write("ERR authenticating %s\n"%user)
    		#Then deny access
    		sys.stdout.write("ERR\n")
    		#IMPORTANT!!!!!!!!!!!! Flush stdout
    		sys.stdout.flush()
    		continue
    
    	#If it didn't throw exceptions, that means it authenticated
    
    	#Log success to cache.log
    	sys.stderr.write("OK authenticated %s\n"%user)
    	#Then allow access
    	sys.stdout.write("OK\n")
    	sys.stdout.flush()
    

Making Squid use this

Save the script you want to use somewhere, like /usr/bin/squidauth.py and make sure it has execution permission for the squid user.

Then you have to add, in your squid.conf, a line like this:

authenticate_program /usr/bin/squidauth.py

That allows squid to use our authentication proggy. Now, you can start adding ACLs of type proxy_auth, and you can use them in http_access commands.

For example, this creates an ACL called users and allows only users with a valid POP account to access the web:

Squid Configuration File Snippet (Squid 2.4)
    authenticate_program /usr/bin/squidauth.py
    acl users proxy_auth REQUIRED
    http_access allow users
    http_access deny all
    
Squid Configuration File Snippet (Squid 2.5)
    auth_param basic program /usr/bin/squidauth.py
    auth_param basic realm Proxy Server
    acl users proxy_auth REQUIRED
    http_access allow users
    http_access deny all
    

You can find a much better description of how to configure this in the Squid guide. Specially here and here

Important URLs