[squid-users] Tutorial for better authentication than basic

j m acctforjunk at yahoo.com
Wed May 3 00:10:32 UTC 2017

This is in response to:
"There is another option if you don't have any issue to allow a certain public IP address access to your network you can use some kind of portal which will allow based on a SSL(even with self signed certificate) the "session" access to the service."
I didn't receive the email so couldn't reply directly.  
I'm pretty happy with digest auth as I think that is likely secure enough.  The proxy is working, mostly.  However, I'm having trouble with two things:
1. I'm not able to figure out what goes into squid.conf to allow SSH through proxy.  My SSH server is on a non-standard port above 1024, and as I understand, squid.conf has to account for this.  I have references to (ssh_port) and have the CONNECT method enabled (I believe) but I'm not sure if this is correct.  I'm certainly not able to SSH thru it:

auth_param digest program /usr/lib/squid/digest_file_auth -c /etc/squid/passwd
auth_param digest realm the_zone
auth_param digest children 2
acl auth_users proxy_auth REQUIRED
acl SSL_ports port (ssh_port)
acl Safe_ports port (ssh_port)
acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow auth_users
http_access allow all
http_port (proxy_port)
cache deny all
access_log none

2. I am no longer able to start squid in Ubuntu by using "service squid start".  This used to work, but it gives no error; it appears to immediately execute, but it's not running as a process.    However, if I run "squid -N -d 1 -D", it runs with no complaints.

      From: Eliezer Croitoru <eliezer at ngtech.co.il>
 To: 'j m' <acctforjunk at yahoo.com>; squid-users at lists.squid-cache.org 
 Sent: Monday, May 1, 2017 3:30 PM
 Subject: RE: [squid-users] Tutorial for better authentication than basic
And what about digest authentication?

Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il

From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of j m
Sent: Monday, May 1, 2017 4:18 PM
To: squid-users at lists.squid-cache.org
Subject: [squid-users] Tutorial for better authentication than basic

I'm using Ubuntu 16.04 Server in the home and would like to set up a proxy server for use from over the Internet.  The main purpose for this is to easily access a few web-devices on my LAN without using VPN, and at times to route web traffic from a remote location through my home ISP.  I do not need nor want any caching or filtering.

I previously used Tinyproxy and that did the job, but it had no authentication whatsoever.  I have basic authentication working on squid 3.5, where it asks for the username and password, but I believe this login is sent in clear text.  I've done some research and found squid supports various better methods, such as kerberos, ntlm, smb, etc.  However, while I'm able to install Linux and set up various things, I'm struggling with this authentication aspect.  I have a suspicion some of these methods will not work well because they rely on other services (such as SMB) and may require opening more ports on my router, something I'm not crazy about.

Amos previously suggested client cert auth, but I'm not sure how to set this up.  Are there any other secure auth methods that would work well over the Internet and are fairly simple to configure?

In any case, can anyone point me to an online tutorial somewhere (for an authentication newbie) that outlines how this is done?
