2003-09-15 19:58

Squid authentication via POP or IMAP

Why do this?

It is often obviously needed to restrict web access based on usernames and passwords, rather than IP numbers, specially if users switch computers often (example, a computer lab in a school).

The usual ways to handle this are:

PAM authentication for Squid
This makes Squid use the system's list of users to identify the clients. The problem is, of course, that then you need to have all the users defined in the Squid system, or something involving remote PAM authentication, which is non-trivial sometimes.
NTLM authentication for Squid
This uses the windows session credentials to check identity against a Windows Domain Controller. The issues here for Linux clients are obvious. Besides, sometimes people don't start sessions, or have generic sessions shared between many users.
Apache style password files
The same problems as PAM, and you don't have the chance to authenticate remotely.

So, here's another solution: make Squid check the user and password against a POP or IMAP account. As long as everyone has a mail account on some server (all users in the same server, if you want this to be simple), this should work.

External Authentication Programs

Squid uses external programs to handle the authentication. Here are simple versions written in Python. feel free to write better ones in other languages and send them to me.

POP3 external authentication program for Squid
#!/usr/bin/env python

from poplib import POP3
import sys


#POP server against which we authenticate
server="127.0.0.1"
#Port number for POP server. Usually 110
port=110


#Below here you shouldn't need to edit anything

while 1:

    #Read user and password from stdin, remove the newline, split at the space
    #and assign to the user and password variables

    line=sys.stdin.readline()[:-1]
    [user,password]=line.split(' ')

    #Connect to the POP server

    p=POP3(server,port)

    #Try to authenticate. If it doesn't work, it throws an exception

    try:
            p.user(user)
            p.pass_(password)
    except:

            #If it threw an exception, log in cache.log the ayth booboo
            sys.stderr.write("ERR authenticating %s\n"%user)
            #Then deny access
            sys.stdout.write("ERR\n")
            #IMPORTANT!!!!!!!!!!!! Flush stdout
            sys.stdout.flush()
            continue

    #If it didn't throw exceptions, that means it authenticated

    #Log success to cache.log
    sys.stderr.write("OK authenticated %s\n"%user)
    #Then allow access
    sys.stdout.write("OK\n")
    sys.stdout.flush()

The IMAP version is better because POP access often locks the mailbox, so you could have authentication failures in the proxy is the user is reading his mail at the same time. As you can see, the programs are pretty much the same.

Of course, it is possible to write versions that use secure POP, or TLS, or APOP. Since I don't need them, I won't write them, but it is possible if you write them ;-)

IMAP external authentication program for Squid
#!/usr/bin/env python

from imaplib import IMAP4
import sys


#IMAP server against which we authenticate
server="127.0.0.1"
#Port number for IMAP server. Usually 143
port=143


#Below here you shouldn't need to edit anything

while 1:

    #Read user and password from stdin, remove the newline, split at the space
    #and assign to the user and password variables

    line=sys.stdin.readline()[:-1]
    [user,password]=line.split(' ')

    #Connect to the IMAP server

    p=IMAP4(server,port)

    #Try to authenticate. If it doesn't work, it throws an exception

    try:
            p.login(user,password)
    except:

            #If it threw an exception, log in cache.log the auth booboo
            sys.stderr.write("ERR authenticating %s\n"%user)
            #Then deny access
            sys.stdout.write("ERR\n")
            #IMPORTANT!!!!!!!!!!!! Flush stdout
            sys.stdout.flush()
            continue

    #If it didn't throw exceptions, that means it authenticated

    #Log success to cache.log
    sys.stderr.write("OK authenticated %s\n"%user)
    #Then allow access
    sys.stdout.write("OK\n")
    sys.stdout.flush()

Making Squid use this

Save the script you want to use somewhere, like /usr/bin/squidauth.py and make sure it has execution permission for the squid user.

Then you have to add, in your squid.conf, a line like this:

authenticate_program /usr/bin/squidauth.py

That allows squid to use our authentication proggy. Now, you can start adding ACLs of type proxy_auth, and you can use them in http_access commands.

For example, this creates an ACL called users and allows only users with a valid POP account to access the web:

Squid Configuration File Snippet (Squid 2.4)
authenticate_program /usr/bin/squidauth.py
acl users proxy_auth REQUIRED
http_access allow users
http_access deny all
Squid Configuration File Snippet (Squid 2.5)
auth_param basic program /usr/bin/squidauth.py
auth_param basic realm Proxy Server
acl users proxy_auth REQUIRED
http_access allow users
http_access deny all

You can find a much better description of how to configure this in the Squid guide. Specially here and here

Important URLs

Comments

Comments powered by Disqus

Contents © 2000-2018 Roberto Alsina