[squid-users] Protecting squid

Amos Jeffries squid3 at treenet.co.nz
Mon Mar 15 13:27:46 UTC 2021

On 15/03/21 2:26 am, Ben Goz wrote:
> Can I configure squid authentication TTL per only source IP and ignores 
> other parameters so authentication will be requested only once in TTL 
> for all the sessions?

Not with just authentication. You will need to use a slightly more 
complicated system involving an external_acl_type helper as well and 
switch to an SQL database auth system.

The idea for that is that you have a database of authenticated users 
with their last-known IP address.

  Your auth_param helper is changed to one which takes client IP address 
in the auth_param key_extras setting, and adds records to the SQL 
database before telling Squid the login is OK.

  Use an ext_sql_session_acl helper which takes IP address and checks 
the database to find the username who last authenticated from there. 
This needs to be checked and permit existing sessions before the auth 

The config looks something like this:

   external_acl_type ipuser negative_ttl=0 ttl=7200 %<a \
     /usr/bin/squid/ext_sql_session_acl \
     --dsn "..." --user dbUsername --password dbPassword --persist \
     --usercol username --uidcol ipaddress

   acl user_known external ipuser
   http_access allow user_known

   auth_param basic program /path/to/helper
   auth_param basic key_extras %<a
   auth_param basic credentialsttl 2 hours

   acl authenticated proxy_auth REQUIRED

   http_access allow authenticated


More information about the squid-users mailing list