RAS Infosystems. Powered by Blogger.

Tuesday, 23 August 2016

Squid Configuration With Radius Authentication



This article explains how to configure a Squid proxy server with RADIUS authentication. Once Squid is configured using the steps below, all proxy clients require a RADIUS username and password for internet access.

For Squid server installation steps click on How to install squid proxy server

Note – All commands are tested on CentOS 7

Squid Configuration with Radius Authentication

1.     Log in to your CentOS server with root permission and edit the “squid.conf” file using the vi editor command below:
vi /etc/squid/squid.conf


2.     Enter the line below at the beginning of the configuration file:
auth_param basic program  /usr/lib64/squid/basic_radius_auth -f /etc/squid/radius.conf

Note: Enter the syntax on a single line.

The first part of the syntax defines the authentication parameter and calls the helper plugin that performs authentication. “/usr/lib64/squid/basic_radius_auth” is the default plugin path on 64-bit servers; on 32-bit servers the path should be “/usr/lib/squid/basic_radius_auth”.

Next you have to enter the RADIUS config file path.

Create the “radius.conf” file inside “/etc/squid”. Open the file using
vi /etc/squid/radius.conf

Enter the lines below:
server 192.168.1.1
secret radiuspassword

“server” – Enter your RADIUS server IP address.
“secret” – Enter your RADIUS server password, which is used to validate credentials.
Save and exit (:wq) the radius.conf file, then open the squid conf file in the vi editor again.

3.     Enter the lines below after the line from step 2:
auth_param basic children 5
auth_param basic realm proxyserver
auth_param basic credentialsttl 1 hour

“auth_param basic children” is the number of basic authentication helper processes Squid uses.
“auth_param basic realm” is whichever string (name) you want to display in the authentication box. Here we use proxyserver, so the authentication box shows the name proxyserver.
“auth_param basic credentialsttl 1 hour” reduces the load on the authentication process: Squid caches a successful authentication for 1 hour (as per our example). If anything changes on the authentication server, Squid may not notice the change until the TTL expires.

4.     Now move to the line below “# Example rule allowing access from your local networks.” in the squid config.

By default the squid config lists a number of possible networks, such as
#acl localnet src 10.0.0.0/8
#acl localnet src 172.16.0.0/12
#acl localnet src 192.168.0.0/16

Enable the network to which you want to give internet access through the proxy by removing the “#”, and add the authentication parameters. In this example we use 192.168.0.0/16.

The syntax below enables authentication for that network. A Squid ACL has a single type, so the source network and the authentication requirement are defined as two ACLs and combined in step 5. In this example we use RADIUS authentication, so whenever a request comes from the 192.168.0.0/16 range the proxy asks for a RADIUS username/password.
acl localnet src 192.168.0.0/16
acl authusers proxy_auth REQUIRED

“acl” – Access Control List
“localnet” – name of the ACL for the source network, which we allow or deny in the next step.
“src” – network source list
“authusers” – name of the ACL for authenticated users.
“proxy_auth REQUIRED” – with this syntax the proxy always asks for authentication.

5.     Now move to the line below “# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS”.

Here we decide whether to allow or deny access for the ACLs entered in step 4. Syntax below:
http_access allow localnet authusers

The above syntax allows access to requests that come from localnet and have authenticated (ACL names entered in step 4). If the syntax is like below
http_access deny localnet

then it denies requests from localnet.

6.     Squid uses port 3128 by default; you can change it to any port you wish. To change it, go to the line below “# Squid normally listens to port 3128”. Syntax below:
http_port 8080

Squid now listens on port 8080, as per the above syntax.

7.     The default log file path is “/var/log/squid/access.log”. You can customize the log file path and log name as well; syntax below:
access_log /var/log/squid/squidaccess.log

The Squid log name changes to “squidaccess.log” as per the above syntax.

After making the above changes in squid.conf, save the file and exit the vi editor using “:wq”. Now test whether the proxy server is working: open your browser (Chrome), go to Settings -> Show advanced settings -> Network -> Change proxy settings -> LAN settings, enter your proxy server IP address and port number under Proxy Server, and click OK. Refresh your browser and it will ask for proxy authentication. Screenshot below,

Your proxy server is ready with RADIUS authentication.

If you have any doubts or queries, feel free to post them in the comment section.




Squid Proxy Server Configuration With MySQL Authentication



This article explains how to configure a Squid proxy server with MySQL authentication. Once Squid is configured using the steps below, all proxy clients require a MySQL username and password for internet access.

For Squid server installation steps click on How to install squid proxy server

Note – All commands are tested on CentOS 7

Squid Configuration with MySQL Authentication

1.     Log in to your CentOS server with root permission and edit the “squid.conf” file using the vi editor command below:
vi /etc/squid/squid.conf


2.     Enter the line below at the beginning of the configuration file:
auth_param basic program /usr/lib64/squid/basic_db_auth --user mysqlusername --password mysqlpassword --plaintext --persist

Note: Enter the syntax on a single line.

The first part of the syntax defines the authentication parameter and calls the helper plugin that performs authentication. “/usr/lib64/squid/basic_db_auth” is the default plugin path on 64-bit servers; on 32-bit servers the path should be “/usr/lib/squid/basic_db_auth”.
For the MySQL server installation tutorial click MySQL server installation

In the next part you have to enter the MySQL username and password used to access the database.
“--user” – MySQL username
“--password” – MySQL password
You should configure “basic_db_auth” for MySQL database connectivity:
vi /usr/lib64/squid/basic_db_auth

Go to the line below “use Digest::MD5 qw(md5 md5_hex md5_base64);” and enter the database details, as below:
my $dsn = "DBI:mysql:database=yourdatabasename;host=192.168.1.1";
my $db_user = undef;
my $db_passwd = undef;
my $db_table = "your mysql table contain username/password";
my $db_usercol = "username column in mysql table ";
my $db_passwdcol = " password column in mysql table ";
my $db_cond = "enabled = 1";

“my $dsn = "DBI:mysql:database=..."” – Enter your database name.
“host” – IP address of your MySQL server.
“my $db_user” and “my $db_passwd” – Don’t make any changes, because we already defined the database username/password in squid.conf (step 2).
“my $db_table” – Enter the MySQL table name where the usernames/passwords are saved.
“my $db_usercol” – Enter the name of the column against which the username is validated.
“my $db_passwdcol” – Enter the name of the column against which the password is validated.
“my $db_cond = "enabled = 1"” – “enabled” should be “1”, otherwise the credentials are not validated (enabled = 0 means validation is disabled).

Save and exit (:wq) the basic_db_auth file, then open the squid file in the vi editor again.

3.     Enter the lines below after the line from step 2:
auth_param basic children 5
auth_param basic realm proxyserver
auth_param basic credentialsttl 1 hour

“auth_param basic children” is the number of basic authentication helper processes Squid uses.
“auth_param basic realm” is whichever string (name) you want to display in the authentication box. Here we use proxyserver, so the authentication box shows the name proxyserver.
“auth_param basic credentialsttl 1 hour” reduces the load on the authentication process: Squid caches a successful authentication for 1 hour (as per our example). If anything changes on the authentication server, Squid may not notice the change until the TTL expires.

4.     Now move to the line below “# Example rule allowing access from your local networks.” in the squid config.

By default the squid config lists a number of possible networks, such as
#acl localnet src 10.0.0.0/8
#acl localnet src 172.16.0.0/12
#acl localnet src 192.168.0.0/16

Enable the network to which you want to give internet access through the proxy by removing the “#”, and add the authentication parameters. In this example we use 192.168.0.0/16.

The syntax below enables authentication for that network. A Squid ACL has a single type, so the source network and the authentication requirement are defined as two ACLs and combined in step 5. In this example we use MySQL authentication, so whenever a request comes from the 192.168.0.0/16 range the proxy asks for a MySQL username/password.
acl localnet src 192.168.0.0/16
acl authusers proxy_auth REQUIRED

“acl” – Access Control List
“localnet” – name of the ACL for the source network, which we allow or deny in the next step.
“src” – network source list
“authusers” – name of the ACL for authenticated users.
“proxy_auth REQUIRED” – with this syntax the proxy always asks for authentication.

5.     Now move to the line below “# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS”.

Here we decide whether to allow or deny access for the ACLs entered in step 4. Syntax below:
http_access allow localnet authusers

The above syntax allows access to requests that come from localnet and have authenticated (ACL names entered in step 4). If the syntax is like below
http_access deny localnet

then it denies requests from localnet.

6.     Squid uses port 3128 by default; you can change it to any port you wish. To change it, go to the line below “# Squid normally listens to port 3128”. Syntax below:

http_port 8080

Squid now listens on port 8080, as per the above syntax.

7.     The default log file path is “/var/log/squid/access.log”. You can customize the log file path and log name as well; syntax below:
access_log /var/log/squid/squidaccess.log

The Squid log name changes to “squidaccess.log” as per the above syntax.

After making the above changes in squid.conf, save the file and exit the vi editor using “:wq”. Now test whether the proxy server is working: open your browser (Chrome), go to Settings -> Show advanced settings -> Network -> Change proxy settings -> LAN settings, enter your proxy server IP address and port number under Proxy Server, and click OK. Refresh your browser and it will ask for proxy authentication. Screenshot below,

Your proxy server is ready with MySQL authentication.

If you have any doubts or queries, feel free to post them in the comment section.

For a proxy server with RADIUS authentication, click on Squid Proxy Server Configuration with RADIUS Authentication.




Monday, 22 August 2016

Squid Proxy Server Configuration With Active Directory (LDAP) Authentication



This article explains how to configure a Squid proxy server with Windows Active Directory (LDAP) authentication. Once Squid is configured using the steps below, all proxy clients require an AD username and password for internet access.

For Squid server installation steps click on How to install squid proxy server

Note – All commands are tested on CentOS 7

Squid Configuration with LDAP Authentication

1.     Log in to your CentOS server with root permission and edit the “squid.conf” file using the vi editor command below:
vi /etc/squid/squid.conf


2.     Enter the line below at the beginning of the configuration file:
auth_param basic program /usr/lib64/squid/basic_ldap_auth -P -R -b "dc=yourdomainname,dc=com" -D "cn=domainusername,cn=Users,dc=d,dc=com" -w "password" -f sAMAccountName=%s -h 192.168.1.1

Note: Enter the syntax on a single line.

The first part of the syntax defines the authentication parameter and calls the helper plugin that performs authentication. “/usr/lib64/squid/basic_ldap_auth” is the default plugin path on 64-bit servers; on 32-bit servers the path should be “/usr/lib/squid/basic_ldap_auth”.
In the next part you have to enter the details of your domain controller (Active Directory server), where
“dc” – your domain name
“cn” – your LDAP administrative username
“-w” – your LDAP administrative user password
“-h” – IP address of your LDAP server

3.     Enter the lines below after the line from step 2:
auth_param basic children 5
auth_param basic realm proxyserver
auth_param basic credentialsttl 1 hour

“auth_param basic children” is the number of basic authentication helper processes Squid uses.
“auth_param basic realm” is whichever string (name) you want to display in the authentication box. Here we use proxyserver, so the authentication box shows the name proxyserver.
“auth_param basic credentialsttl 1 hour” reduces the load on the authentication process: Squid caches a successful authentication for 1 hour (as per our example). If anything changes on the authentication server, Squid may not notice the change until the TTL expires.

4.     Now move to the line below “# Example rule allowing access from your local networks.” in the squid config.

By default the squid config lists a number of possible networks, such as
#acl localnet src 10.0.0.0/8
#acl localnet src 172.16.0.0/12
#acl localnet src 192.168.0.0/16

Enable the network to which you want to give internet access through the proxy by removing the “#”, and add the authentication parameters. In this example we use 192.168.0.0/16.

The syntax below enables authentication for that network. A Squid ACL has a single type, so the source network and the authentication requirement are defined as two ACLs and combined in step 5. In this example we use LDAP authentication, so whenever a request comes from the 192.168.0.0/16 range the proxy asks for an LDAP username/password.
acl localnet src 192.168.0.0/16
acl authusers proxy_auth REQUIRED

“acl” – Access Control List
“localnet” – name of the ACL for the source network, which we allow or deny in the next step.
“src” – network source list
“authusers” – name of the ACL for authenticated users.
“proxy_auth REQUIRED” – with this syntax the proxy always asks for authentication.

5.     Now move to the line below “# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS”.

Here we decide whether to allow or deny access for the ACLs entered in step 4. Syntax below:
http_access allow localnet authusers

The above syntax allows access to requests that come from localnet and have authenticated (ACL names entered in step 4). If the syntax is like below
http_access deny localnet

then it denies requests from localnet.

6.     Squid uses port 3128 by default; you can change it to any port you wish. To change it, go to the line below “# Squid normally listens to port 3128”. Syntax below:

http_port 8080

Squid now listens on port 8080, as per the above syntax.

7.     The default log file path is “/var/log/squid/access.log”. You can customize the log file path and log name as well; syntax below:
access_log /var/log/squid/squidaccess.log

The Squid log name changes to “squidaccess.log” as per the above syntax.

After making the above changes in squid.conf, save the file and exit the vi editor using “:wq”.

Now test whether the proxy server is working: open your browser (Chrome), go to Settings -> Show advanced settings -> Network -> Change proxy settings -> LAN settings, enter your proxy server IP address and port number under Proxy Server, and click OK. Refresh your browser and it will ask for proxy authentication. Screenshot below,

Your proxy server is ready with LDAP authentication.

If you have any doubts or queries, feel free to post them in the comment section.

For a proxy server with MySQL authentication, click on Squid Proxy Server Configuration with MySQL Authentication.
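
A check for the helper and ACL lines used in the RADIUS, MySQL and LDAP posts above, given here as an added example and not code from the original posts: it flags helper command lines that carry a password inline (-w, --password), the --plaintext mode of basic_db_auth, ACL lines that mix proxy_auth with src, and http_access allow rules that include no authentication ACL. The function name lint_squid_auth, the ACL name authusers, the path /etc/squid/ldap.secret and both sample configs are assumptions constructed for the example; -W (read the bind password from a file) is an existing basic_ldap_auth option.

```bash
#!/usr/bin/env bash
# Added example: lint squid.conf for auth pitfalls. lint_squid_auth is a
# hypothetical name; both sample configs below are constructed for the demo.
lint_squid_auth() {
  awk '
    /^[ \t]*(#|$)/ { next }                       # skip comments and blank lines
    $1 == "auth_param" && $3 == "program" {       # helper command line
      for (i = 5; i <= NF; i++) {
        if ($i == "-w" || $i == "--password") print "inline-secret:" NR
        if ($i == "--plaintext") print "plaintext-db-passwords:" NR
      }
    }
    $1 == "acl" && $3 == "proxy_auth" {           # remember auth ACL names
      auth[$2] = 1
      for (i = 4; i <= NF; i++) if ($i == "src") print "mixed-acl-types:" NR
    }
    $1 == "http_access" && $2 == "allow" {        # allow rule must include auth
      ok = 0
      for (i = 3; i <= NF; i++) if (($i in auth) || $i == "localhost") ok = 1
      if (!ok) print "allow-without-auth:" NR
    }
  ' "$1"
}

weak=$(mktemp); fixed=$(mktemp)
trap 'rm -f "$weak" "$fixed"' EXIT
cat > "$weak" <<'EOF'
auth_param basic program /usr/lib64/squid/basic_ldap_auth -P -R -b "dc=example,dc=com" -D "cn=svc,cn=Users,dc=example,dc=com" -w "password" -f sAMAccountName=%s -h 192.168.1.1
acl localnet proxy_auth REQUIRED src 192.168.0.0/16
http_access allow localnet
EOF
cat > "$fixed" <<'EOF'
auth_param basic program /usr/lib64/squid/basic_ldap_auth -P -R -b "dc=example,dc=com" -D "cn=svc,cn=Users,dc=example,dc=com" -W /etc/squid/ldap.secret -f sAMAccountName=%s -h 192.168.1.1
acl localnet src 192.168.0.0/16
acl authusers proxy_auth REQUIRED
http_access allow localnet authusers
http_access deny all
EOF
echo "weak:";  lint_squid_auth "$weak"
echo "fixed:"; lint_squid_auth "$fixed"
```

Each finding is printed as name:line-number; the second sample config produces no findings. The secret file passed to -W, like radius.conf, should be readable only by root and the user Squid runs as.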

