--- category: '' date: 2003/09/15 19:58 description: '' link: '' priority: '' slug: '6' tags: linux title: Squid authentication via POP or IMAP type: text updated: 2003/09/15 19:58 url_type: '' --- .. raw:: html
It is often obviously needed to restrict web access based on usernames and passwords, rather than IP numbers, specially if users switch computers often (example, a computer lab in a school).
The usual ways to handle this are:
So, here's another solution: make Squid check the user and password against a POP or IMAP account. As long as everyone has a mail account on some server (all users in the same server, if you want this to be simple), this should work.
Squid uses external programs to handle the authentication. Here are simple versions written in Python. feel free to write better ones in other languages and send them to me.
#!/usr/bin/env python from poplib import POP3 import sys #POP server against which we authenticate server="127.0.0.1" #Port number for POP server. Usually 110 port=110 #Below here you shouldn't need to edit anything while 1: #Read user and password from stdin, remove the newline, split at the space #and assign to the user and password variables line=sys.stdin.readline()[:-1] [user,password]=line.split(' ') #Connect to the POP server p=POP3(server,port) #Try to authenticate. If it doesn't work, it throws an exception try: p.user(user) p.pass_(password) except: #If it threw an exception, log in cache.log the ayth booboo sys.stderr.write("ERR authenticating %s\n"%user) #Then deny access sys.stdout.write("ERR\n") #IMPORTANT!!!!!!!!!!!! Flush stdout sys.stdout.flush() continue #If it didn't throw exceptions, that means it authenticated #Log success to cache.log sys.stderr.write("OK authenticated %s\n"%user) #Then allow access sys.stdout.write("OK\n") sys.stdout.flush()
The IMAP version is better because POP access often locks the mailbox, so you could have authentication failures in the proxy is the user is reading his mail at the same time. As you can see, the programs are pretty much the same.
Of course, it is possible to write versions that use secure POP, or TLS, or APOP. Since I don't need them, I won't write them, but it is possible if you write them ;-)
#!/usr/bin/env python from imaplib import IMAP4 import sys #IMAP server against which we authenticate server="127.0.0.1" #Port number for IMAP server. Usually 143 port=143 #Below here you shouldn't need to edit anything while 1: #Read user and password from stdin, remove the newline, split at the space #and assign to the user and password variables line=sys.stdin.readline()[:-1] [user,password]=line.split(' ') #Connect to the IMAP server p=IMAP4(server,port) #Try to authenticate. If it doesn't work, it throws an exception try: p.login(user,password) except: #If it threw an exception, log in cache.log the auth booboo sys.stderr.write("ERR authenticating %s\n"%user) #Then deny access sys.stdout.write("ERR\n") #IMPORTANT!!!!!!!!!!!! Flush stdout sys.stdout.flush() continue #If it didn't throw exceptions, that means it authenticated #Log success to cache.log sys.stderr.write("OK authenticated %s\n"%user) #Then allow access sys.stdout.write("OK\n") sys.stdout.flush()
Save the script you want to use somewhere, like /usr/bin/squidauth.py and make sure it has execution permission for the squid user.
Then you have to add, in your squid.conf, a line like this:
authenticate_program /usr/bin/squidauth.py
That allows squid to use our authentication proggy. Now, you can start adding ACLs of type proxy_auth, and you can use them in http_access commands.
For example, this creates an ACL called users and allows only users with a valid POP account to access the web:
authenticate_program /usr/bin/squidauth.py acl users proxy_auth REQUIRED http_access allow users http_access deny all
auth_param basic program /usr/bin/squidauth.py auth_param basic realm Proxy Server acl users proxy_auth REQUIRED http_access allow users http_access deny all
You can find a much better description of how to configure this in the Squid guide. Specially here and here