Squid Puts the Squeeze on Net Wrongdoers - Page 2

By Carla Schroder | Jun 9, 2004

Authenticating Users
Squid supports a number of authentication schemes and protocols. The simplest is the NCSA authentication helper, which checks usernames and passwords against a flat file in the same format Apache's htpasswd writes. You'll need a separate password file for Squid, and NCSA support compiled into Squid (it would be most unusual for it not to be). The password file is created with htpasswd, which comes with Apache, or you can download it from http://www.squid-cache.org/htpasswd/. While you're there, grab chpasswd, which allows users to change their own passwords. (Or not, depending how much control you wish to claim over the innocent lives of your users.)

You definitely do not want to use system logins for this. Leave them alone! Do not touch. Basic authentication sends the password to the proxy on every request, base64-encoded but otherwise in the clear, so any system password you reuse here is a system password handed to whoever can sniff the LAN. This is how to create a new password file with htpasswd:

# htpasswd -c /etc/squid/passfile alice
New password:
Re-type new password:
Adding password for user alice

The -c flag creates a new file, and overwrites one that already exists. To add more users, don't use the -c:

# htpasswd /etc/squid/passfile ted
New password:
Re-type new password:
Adding password for user ted

Take a look and make sure:

# cat /etc/squid/passfile
alice:mU7OltQzHySmY
ted:8K.EZVQwHM/Ok

The default hash for htpasswd here is crypt, which serious security geeks laugh at, and with some reason: crypt only looks at the first eight characters of the password, and its hashes are cheap to brute-force offline if the file leaks. For a LAN it may be acceptable; if you want better, htpasswd -m writes MD5 hashes, which newer versions of the NCSA helper also accept. Whatever the hash, do not leave the file world-readable. It only needs to be read by the user Squid runs as (cache_effective_user in squid.conf), so own it by root, give it that user's group, and make it mode 640. Now tell Squid about it (in Squid 3.2 and later the helper is called basic_ncsa_auth; adjust the path to wherever your distribution installs it):

auth_param basic program /usr/lib/squid/ncsa_auth  /etc/squid/passfile
acl Passfile proxy_auth REQUIRED

http_access allow Passfile
http_access deny All
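To see what the helper actually does with that file, here is a small stand-in for ncsa_auth, written for this edit and not Squid's own code (the real helper is C and lives in Squid's source tree). It parses the htpasswd-format file, speaks Squid's basic-auth helper protocol (one "username password" line in, "OK" or "ERR" out, both fields percent-decoded as the real helper does), verifies {SHA} entries itself and hands DES crypt and other crypt(3) formats to libc where Python still exposes it, and flags the two things worth checking on a production file: DES crypt entries and a world-readable mode. Apache's $apr1$ MD5 format is deliberately not implemented here. The sample entries are constructed (alice's is what htpasswd -s writes for the password "password"; ted's is the crypt hash shown above, whose password is unknown); the function names and the warnings are mine.

```python
#!/usr/bin/env python3
"""Stand-in for Squid's ncsa_auth helper (added example, not Squid code).

Squid runs the helper as a child process and writes one line per login
attempt, "username password", to its stdin; the helper answers "OK" or
"ERR" on stdout.  Squid percent-encodes both fields, so a password with
a space arrives as "open%20sesame" and must be decoded before checking.
"""
import base64
import hashlib
import hmac
import os
import stat
import sys
from urllib.parse import unquote

try:
    import crypt  # libc crypt(3); removed from the standard library in 3.13
except ImportError:
    crypt = None

SHA_PREFIX = "{SHA}"

# Constructed sample in htpasswd format, not the file from the article.
SAMPLE_PASSFILE = [
    "alice:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",  # htpasswd -s, password "password"
    "ted:8K.EZVQwHM/Ok",                         # 13-char DES crypt, password unknown
]


def parse_passfile(lines):
    """Turn 'user:hash' lines into a dict; blank lines and '#' comments are skipped."""
    entries = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, pwhash = line.split(":", 1)
        entries[user] = pwhash
    return entries


def load_passfile(path):
    with open(path, encoding="utf-8") as fh:
        return parse_passfile(fh)


def sha_entry(user, password):
    """Build the line 'htpasswd -s' writes: {SHA} plus base64 of the raw SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{SHA_PREFIX}{base64.b64encode(digest).decode('ascii')}"


def hash_matches(password, stored):
    """Compare a candidate password against a stored hash without early exit."""
    if stored.startswith(SHA_PREFIX):
        digest = hashlib.sha1(password.encode("utf-8")).digest()
        candidate = base64.b64encode(digest).decode("ascii")
        return hmac.compare_digest(stored[len(SHA_PREFIX):], candidate)
    if crypt is None:
        # DES crypt and glibc's $1$/$5$/$6$ formats need libc crypt(3).
        raise RuntimeError("crypt module unavailable; cannot verify crypt-style hash")
    return hmac.compare_digest(crypt.crypt(password, stored), stored)


def authenticate(request_line, entries):
    """Answer one helper-protocol line: 'user password' -> 'OK' or 'ERR'."""
    fields = request_line.rstrip("\r\n").split(" ", 1)
    if len(fields) != 2:
        return "ERR"
    user, password = (unquote(f) for f in fields)
    stored = entries.get(user)
    if stored is None:
        return "ERR"  # same answer as a bad password: don't reveal valid usernames
    return "OK" if hash_matches(password, stored) else "ERR"


def weak_entries(entries):
    """Users with 13-character DES crypt hashes: only 8 password characters count."""
    return sorted(u for u, h in entries.items() if len(h) == 13 and not h.startswith("$"))


def world_readable(mode):
    """True if the mode grants 'other' read access, as 644 does and 640 does not."""
    return bool(mode & stat.S_IROTH)


def main():
    if len(sys.argv) != 2:
        sys.exit("usage: ncsa_auth_check.py /etc/squid/passfile")
    path = sys.argv[1]
    if world_readable(os.stat(path).st_mode):
        print(f"warning: {path} is world-readable", file=sys.stderr)
    entries = load_passfile(path)
    for user in weak_entries(entries):
        print(f"warning: {user} has a DES crypt hash", file=sys.stderr)
    for line in sys.stdin:  # Squid keeps the pipe open and sends one line per login
        print(authenticate(line, entries), flush=True)


if __name__ == "__main__":
    main()
```

Run it the way you would test the real helper, echo "alice password" | ./ncsa_auth_check.py /etc/squid/passfile, and expect OK on one line; the same pipeline against /usr/lib/squid/ncsa_auth is the quickest way to confirm a live password file before pointing squid.conf at it.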

You can really tighten the screws on your users, and restrict the hours that Internet access is available. A time ACL takes day letters (S M T W H F A, where H is Thursday and A is Saturday) and a time range:

acl Internet_hours time M T W H F 12:00-13:00
http_access allow Passfile Internet_hours

Squid evaluates http_access rules in order and stops at the first match, so this line replaces the plain "http_access allow Passfile" above rather than following it; left after the unconditional allow, the hours would never be consulted. Keep "http_access deny All" as the last rule.

Squid and Iptables
None of this does any good if your users can simply disable the proxy in their Web browsers. Yes, these same users who stare at you blankly when you use big technical words like "Web browser" will find ways to mess with their browser configurations. To foil such cunning, make nice iptables rules:

lan="eth0"
internet="eth1"
iptables="/sbin/iptables"

# Set default policies
$iptables --policy INPUT DROP
$iptables --policy OUTPUT DROP
$iptables --policy FORWARD DROP

#allow LAN users to use Squid
$iptables -A INPUT -i $lan -p tcp --destination-port 3128 -m state \
--state NEW -j ACCEPT

# allow Squid to proxy http & https traffic
$iptables -A OUTPUT -o $internet -p tcp --destination-port 80 -m state \
--state NEW -j ACCEPT

$iptables -A OUTPUT -o $internet -p tcp --destination-port 443 -m state \
--state NEW -j ACCEPT

This is not a complete firewall, just the Squid-pertinent bits. The rules shown only admit new connections, so a working ruleset also needs INPUT and OUTPUT rules accepting packets in state ESTABLISHED,RELATED (the replies from web servers, and Squid's own replies back to its clients), plus outbound DNS so Squid can resolve names. It also only works if this box is the LAN's sole route to the Internet: with the FORWARD policy at DROP, nothing gets routed around the proxy. Now your users can futz with their browser configurations all they want to. Too bad, so sad: Squid runs the show.

Resources

Comment and Contribute
(Maximum characters: 1200). You have
characters left.
Get the Latest Scoop with Enterprise Networking Planet Newsletter
Helpful Links
  • Yankee Group Mobile WAN Optimization Report

    Mobile work continues to evolve. Your organization must keep up with the demands of its mobile workforce. This report introduces the concept of mobile WAN optimization and provides three case studies including RCM, PRTM and Einstein that highlight how this emerging technology can help IT departments achieve what previously appeared to be conflicting goals. Read >

  • Network Security Resources

    More threats than ever before pose a danger to today's enterprise network. Get the latest tips and intel on the newest risks in our guide to network security resources. Read >

  • Extreme Savings: Cutting Costs with WAN Optimization

    Did you know it's possible to cut IT costs without impacting day-to-day IT operations? In fact, when you download this whitepaper from Riverbed on cost-savings through WAN optimization, you'll discover how businesses of all different sizes have realized a return on investment in just a few months through significant hard cost savings in areas such as bandwidth reduction and IT consolidation. It's called Extreme Savings and its only from Riverbed. Read >