How to build squid authentication helpers

How to build squid authentication helpers


Have you ever tried to figure out how to make Squid authenticate users according to your own exotic rules? Users are in a DB? Are you using an ActiveDirectory? Users/passwords are authenticated by a java class? Everything is possible. Here I intend to explain how to make your own custom authentication helpers so you can develop your own routines for your own requirements.

This article has downloads!

Squid

Squid is such a wonderful HTTP cache server. It’s stable, fast, highly customizable, and you barely notice it when it’s working (oh and did I say it’s free as in freedom?).

It comes with a number of authentication helpers, but there are times when these helpers are not enough. Sometimes you have authentication requirements exotic enough that make those default helpers useless.

The need

Suppose you have to do a little checking: you have users/passwords in a MySQL DB table. To make it a little more exotic, passwords are not directly stored, but MD5s instead. Suppose that you also want the allowed users to be listed in a text file in your file system and, finally, make an LDAP request to see if there’s an item in the directory that matches usernames by the field named “thisCrazyField”. If all that fails, the user/password can be the pair “foo/bar” (a backdoor... just in case you want to see some things that are better left anonymous in the Squid logs!). I am sure no default helper will be able to pull it off.

Before you waste more brainpower trying to figure out when your boss is going to fire you because you couldn’t find a way to make this authentication scheme work with Squid (or any other HTTP cache solution for that matter), you should know that you can make a stand-alone program that can tell if a user is permitted to go through or not. Easy!

Authentication helpers

What a helper does (even a default one) is very simple: it reads username/password pairs from Standard Input one pair at a time in a single line of text, and writes a single line of text to Standard Output that either says “OK” (for a user that can go through) or “ERR” (in case of problems)—that’s it. The helper has to repeat this action in an endless cycle. Username and passwords are encoded using the character encoding described in RFC 1738 (section 2.2) and are separated by a white space.

What a helper does (even default ones) is very simple

Say I want to make a helper in PHP that will check if the user/password is one of the following pairs:

  • hello/world
  • foo/bar

Here’s the PHP code:

<?
if (! defined(STDIN)) {
        define("STDIN", fopen("php://stdin", "r"));
}
while (!feof(STDIN)) {
        $line = trim(fgets(STDIN));
        $fields = explode(' ', $line);
        $username = rawurldecode($fields[0]); //1738
        $password = rawurldecode($fields[1]); //1738
        if ($username == 'hello' 
            and $password == 'world') {
                fwrite(STDOUT, "OK\n");
        } else if ($username == 'fo'
            and $password == 'bar') {
                fwrite(STDOUT, "OK\n");
        } else {
                // failed miserably
                fwrite(STDOUT, "ERR\n");
        }
}
?>

That’s it! I’ve just created a PHP-based Squid helper. Feel free to use any tool you want, be it bash, python, Perl or any other language you like. The only requirement is that the language is able to read from the standard input and write to the standard output (if you want to use bash, be careful to avoid making passwords visible with a ps ax).

Testing your masterpiece

Now comes the testing part. You have to act the same way Squid would have to: start the script and interact with it passing username/password pairs. If it outputs “OK” or “ERR” as wanted, then your helper is done. Here’s a demonstration of the helper I just made:

$ php squid_helper.php
hello world
OK
foo bar
ERR

Oops! “foo/bar” is not okay. Go to the source code of the helper. See what’s going on? I wrote == '**fo**' instead of == '**foo**'. Correct it in the source code and try all over again:

$ php squid_helper.php
hello world
OK
fo bar
ERR
foo bar
OK
other things
ERR
cool!
ERR

Great job! Now we know that the script really authenticates the way we want to. Our helper is ready to be used together with Squid.

Configuring Squid

You have to edit /etc/squid/squid.conf and add these lines, in the "OPTIONS FOR EXTERNAL SUPPORT PROGRAMS" section:

auth_param basic program /bin/php your_script_location
auth_param basic children 20
auth_param basic realm Username and password
auth_param basic credentialsttl 5 hours

What these lines tell Squid is:

program: how to run your helper? If it’s an executable in itself, just call it; if it needs another interpreter, then provide all the things to make it run. In my case, I need the PHP interpreter (unless I make the script executable and provide the interpreter with a shebang line).

children: this is the number of processes that Squid will have to do concurrent authentications for all the clients. If you set too low a number and authentications are coming in too quickly, Squid will have to wait for a helper to finish an authentication cycle before trying with the next key pair. In my case, I’m creating 20 helpers.

realm: this is the text that will be shown to the user in the authentication window.

credentialsttl: this tells Squid how long an already authenticated user/password pair will be valid without needing to ask a helper to re-authenticate (remember the children option? Keep this in mind). In environments that change passwords too often, don’t set this parameter too high.

After that, you have to use one access rule to be able to tell authenticated users from “plain” users.

acl AuthenticatedUsers proxy_auth REQUIRED

And, finally, add a rule to permit these users to go through in the "ACCESS CONTROLS" section:

http_access allow AuthenticatedUsers

Restart Squid or ask it to reload the new configuration.

Once the new configuration is working, you should be able to see as many children processes of your authentication helper as you told Squid to use (even if no client is using Squid right now) by typing ps ax.

In an organization where I previously worked, I created a PHP script that authenticates users against an ActiveDirectory by following this “recipe”:

If the user doesn’t provide the “realm”, the script adds it (so users can write REALM\username or plain username).

One LDAP connection is created using the provided user/password to “bind”.

If the connection is established (which means the user does exist in the directory and the password is correct), then the script checks if the user is a member of one group created in the directory named (strangely enough) Internet. For that, it makes a query like this (making sure the $username has been stripped of the REALM\ part before the query, because it’s not a part of the sAMAccountName field):

(&(sAMAccountName=$username)
(memberOf=CN=Internet,DC=OURDOMAIN,DC=ORG))

If the query result is empty, unfortunately the user has been rejected (because he/she doesn’t belong into the Internet group).

That’s it.

Any resource you want to use is okay

Conclusion

Any resource you want to use is okay as long as the language you use to make the helper supports it. Just remember that all Squid will provide you with is the username and the password.

Enjoy!

Category: 
License: 

Comments

dorgan's picture
Submitted by dorgan on

This article rocks and will allow me to have one less things to integrate. Thank you soo much.

amit_shogun's picture

First, Great article, helped me a lot. Thanks.
When using 'squid -k reconfigure' seems like my auth program (written in C++) is duplicating it self, i,e: If i have 32 children - i get 64, 96 etc...
What am i missing. I need '-k reconfigure' to always keep 32 (in my case) children.
Thanks in advance, Amit

Edmundo Carmona's picture

...that in the downloads of the article is a helper to authenticate against ActiveDirectory as a real example.

And thanks for that comment!

Glad to be helpful (even more if there are some ISA servers to be replaced as a side effect of the article :-D).

valen_willie's picture

Excellent article. My company is working on providing Internet pre-paid system to miners who are in the middle of nowhere. The only backhaul we have is Satellite, so we have to treasure our bandwidth. We are tinkling with NoCat at the moment. This article opens up a new possibility of a whole new system all together. Of course, we have to think of how to block all traffics that squid cannot proxy, or else there will be holes in this system (`iptables' to the rescue!). Also, how to tunnel other traffics via HTTP.

omid mohajerani's picture

hi
first thank you for your nice article . I have a problem with the script
when i want to run it ( /bin/php /etc/squid/script.php)
it says :

Constant STDIN already defined in /etc/squid/script.php on line 3

please help me.
best regards

Edmundo Carmona's picture

I thought the if (! defined()) would avoid that (at least, it does avoid that problem over here).

Make sure you included the "!" in the conditional on line 2. If you did, that'd be weird... but anyway it seems that your "PHP machine" already has STDIN defined, so you can comment line 3, where it's "redefined"... or remove that whole checking section altogether (the conditional and definition of STDIN).

Hope that works.

Edmundo Carmona's picture

sounds like your program is crashing right after squid starts it (or them, if you have many children). Did you test it as a standalone console application before using it with squid to see that it receives the username/password pair and replies with OK/ERR in an infinite cycle?

omid mohajerani's picture

first tanx for your answer ; I have delete that line and now my script( ofcourse yours ) is like this

<?
while (!feof(STDIN)) {
$line = trim(fgets(STDIN));
$fields = explode(' ', $line);
$username = rawurldecode($fields[0]); //1738
$password = rawurldecode($fields[1]); //1738
if ($username == 'hello'
and $password == 'world') {
fwrite(STDOUT, "OK\n");
} else if ($username == 'fo'
and $password == 'bar') {
fwrite(STDOUT, "OK\n");
} else {
// failed miserably
fwrite(STDOUT, "ERR\n");
}
}
?>

and now result of excuting /bin/php script.php is :(of course when i enter a string)

PHP Notice: Undefined offset: 1 in /omid/omid.php on line 10
ERR

any suggestion ?

Edmundo Carmona's picture

Why don't you email me? I just copied (verbatim) your script and tried it over here and it worked:

$ php prueba.php
hello world
OK
foo
ERR
foo bar
ERR
fo bar
OK
it's ok
ERR

Maybe the problem is here:
$ php -version
PHP 5.2.3-1ubuntu2 (cli) (built: Jul 4 2007 16:13:07)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies

Anyway, email me so we can take a closer look at what's going on. eantoranz at google's public mail service, you know, right? :-D

Edmundo Carmona's picture

The problem is the define call. I have the fopen() right in the define, and it fails that way. If you do the fopen and save the result in a temporary variable, it works.

Try with this:

if (! defined(STDIN)) {
$temp = fopen("php://stdin", "r");
define("STDIN", $temp);
}

It worked with version 5.1.2 that way.

It worked with 5.2.3 the original way... I guess it's a bug in 5.1.2

AHMED.S's picture
Submitted by AHMED.S (not verified) on

Thanks for your wonderful article. I am having problems with your script. I believe it is due to the fact that my windows 2003 AD requires authentication to do any LDAP binds. I have another php LDAP application that connects to my AD successfully as it has a variable to configure a user account to connect to the AD with.

Can you please tell me how I can edit your script to bind to ldap using a username and password?

thanks

Edmundo Carmona's picture

Ahmed, in the article's attachments, there's a PHP script that authenticates against AD through LDAP, and it binds to AD using the username/password provided by squid. Are you having problems with that script? Email me if you have any problems: eantoranz at gmail dot com.

Tobias K.'s picture
Submitted by Tobias K. (not verified) on

Thanks a lot for your nice article and for writing for the freesoftwaremagazine.

In many environments the transmission of usernames and passwords as cleartext is not acceptable.

Do you haven an idea of how to solve this problem an transmit the authorization data between client and proxy encrypted?

Regards.
Tobias

Edmundo Carmona's picture

If you check my example (and the attached script), I always used the "basic" method. However, there are some other methods: digest, ntlm, negociate, so don't stick with basic if you want to do it some other way.

As I'm reading squid.conf's details of each method, helpers will interact with squid in different ways, so take a close look at that.

admin's picture
Submitted by admin on

Contacted Mr. Carmona today concerning the PHP script that authenticates against AD through LDAP. It no longer appears to be in the downloadable section of this article. I made mention of this in my email and requested help if he could provide.

I barely got the email sent before he responded. Not only did he respond he sent me the code after a very short time. Plus he said if I needed more help just email him.

Very impressed.

Tis my opinion the world needs more like him. Thanks for sharing this and thanks for all the help

Danbo's picture
Submitted by Danbo on

Hi everyone,

I am a web designer and I have limited linux knowledge but I have set up two linux boxes.

One that runs a Voip system and another running Squid.

I have managed to get NCSA authentication working on the Squid proxy server but what bothers me is, that, the NCSA authentication method allows the same username and password to make simulataneous multiple logins which I don't want.

I need to write an authentication helper to restrict logins to one machine per session. Can anyone help me with this?

Kind Regards and Seasons Greetings!

Danbo

rosdi's picture
Submitted by rosdi on

If you install Squid on Windows Server (2000/2003) and your requirement is simple, it is easier to use mswin_auth.exe provided in libexec.

Then you can login to Squid using your windows login id and password.

Check out mswin_auth.exe in libexec folder.

jensen's picture
Submitted by jensen on

Thanks for the article. For a squid rookie like me the perfect entry point. As I intend to use squid mainly for elaborate authentication and logging purposes could you (or someone) tell me
-if there's a way to define a chain of authentication helpers and
-if there's a way to define a logging helper?

thanks a lot jens

jensen's picture
Submitted by jensen on

First of all thanks for your article. For me as a rookie it was a good entry point.
As i want to use squid mainly for authentication and logging there are two questions left: Is there a way to define a chain of authentication helpers? Can i define a logging helper in the same way as a authentication helper? Thanks for any clue,
jens

Author information

Edmundo Carmona's picture

Biography

Edmundo is a Venezuelan Computer Engineer. He is working as a Freelance Java Developer in Colombia since very recently. He has also been a GNU/Linux user and consultant for several years.

After years of being retired from music, he's working right now to regain his classical flute skills.