Squid (An Authentication Content Howto)
Last Modified: Monday, 18-Apr-2011 18:21:33 BST


GOAL:

To allow two different groups of people to access the Internet within valid times and to block certain websites.

ITEMS USED:


HERE WE GO:

We want squid to authenticate all our users, so enable authenticate_program in the squid.conf file:

authenticate_program /usr/local/sbin/ncsa_auth /usr/local/etc/squid/squid.passwd

The authentication program we use is ncsa_auth, which is located at /usr/local/sbin/ncsa_auth. This program needs a file that contains a list of users and their passwords.

I wrote a program, run from crontab at set periods, that ensures the file /usr/local/etc/squid/squid.passwd is current. Below is a copy of the perl program; if you use it you will need to adapt it for your system. The program does more than just write out a password file: it also creates 2 lists of users which we will use later. Don't forget to do a chmod 755 on the script :-).

#!/usr/bin/perl
# Script to create the Squid authentication files
# Extracts all users from /etc/master.passwd
# Users are staff and students
# Next we create two user files, staff and students
use strict;
use warnings;

my $staff    = ''; # All valid staff names only (comma separated, from /etc/group)
my $students = ''; # All valid student names only (read for reference; students are taken from gid 1002 below)
my @squid    = (); # All staff and students with passwords
my @passwords;     # Raw lines of /etc/master.passwd


# Get password file
open (PASSWD,"</etc/master.passwd") || die "can't open file: $!";
my ($passtime) = (stat(PASSWD))[9];
@passwords = <PASSWD>;
close(PASSWD);

# Modification time of the current squid.passwd; 0 if it does not exist yet,
# so the very first run always generates the files instead of dying
my $squidtime = 0;
if (open (WWWACCESS,"</usr/local/etc/squid/squid.passwd")) {
    ($squidtime) = (stat(WWWACCESS))[9];
    close(WWWACCESS);
}

# Exit if password file has not been changed
if ($squidtime > $passtime) {
    # print "No Change, terminating!!\n";
    exit;
}


# Get Squid process ID
open (SQUID,"</var/run/squid.pid") || die "can't open file: $!";
my $squidPID = <SQUID>;
close(SQUID);
chomp($squidPID); # drop the trailing newline before we signal the process


# Get the groups file and search for group staff OR student
open (GROUP,"</etc/group") || die "can't open file: $!";
foreach my $element (<GROUP>) {
    next if ($element =~ /^\s*(#|$)/); # skip comment and blank lines
    my ($group, undef, undef, $members) = split(':',$element);
    next unless defined $members;
    if ($group eq 'staff')   { $staff    = $members };
    if ($group eq 'student') { $students = $members };
}
close(GROUP);


# Now process staff: write the staff list and collect each member's password entry
$staff =~ s/\n//g; # drop any newline character
open (WWWACCESS,">/usr/local/etc/squid/staff.users") || die "can't open file: $!";
my @usergrp = split(',', $staff);
# At this point we have a single userID from the group staff
foreach my $usergrp (@usergrp) {
    my $entry = get_password($usergrp);
    push (@squid,$entry) if ($entry ne ''); # skip names that have no master.passwd entry
    print WWWACCESS "$usergrp\n";
}
close(WWWACCESS);


# Now process student (everyone whose primary group id is 1002)
&get_groupmember(1002, "/usr/local/etc/squid/student.users",1);

# Process volunteer users
#&get_groupmember(1001, "/usr/local/etc/squid/volunteer.users",0);


# Write out the password file
open (WWWACCESS,">/usr/local/etc/squid/squid.passwd") || die "can't open file: $!";
foreach my $auser (sort @squid) {
    print WWWACCESS "$auser";
}
close(WWWACCESS);


# Restart Squid (HUP makes it re-read its configuration and restart the helpers)
kill('HUP', $squidPID) || die "can't signal squid (pid $squidPID): $!";

exit;
######################################################################
# Return "user:passwd\n" for the given login name, or '' if it has no entry
sub get_password {

    my ($user) = @_;

    foreach my $auser (@passwords) {
        next if ($auser =~ /^\s*(#|$)/); # skip comment and blank lines
        my ($userid, $passwd, $uid) = split(':',$auser);
        next if ($uid < 1001); # system accounts are never proxy users
        return "$userid:$passwd\n" if ($userid eq $user);
    }

    return '';
}
######################################################################
# Write the login names of every user whose primary group is $thisguid to
# $writeFile; when $skipAdd is 1 also add their password entries to @squid
sub get_groupmember {

    my ($thisguid, $writeFile,$skipAdd) = @_;

    open (WWWACCESS,">$writeFile") || die "can't open file: $!";

    foreach my $auser (@passwords) {
        next if ($auser =~ /^\s*(#|$)/); # skip comment and blank lines
        my ($userid, $passwd , $uid, $guid) = split(':',$auser);
        next if ($guid != $thisguid);
        next if ($userid eq 'guest');
        print WWWACCESS "$userid\n";
        if ($skipAdd == 1) { push (@squid,"$userid:$passwd\n") };
    }
    close(WWWACCESS);
}
######################################################################

When you have run this program you will have 3 files in your squid folder:-

  1. squid.passwd (Contains ALL users and current passwords)
  2. student.users (Contains a list of students)
  3. staff.users (Contains a list of staff)

Now we have to create some squid Access Lists (acl's) in the squid.conf file:

acl students proxy_auth "/usr/local/etc/squid/student.users"
acl staff proxy_auth "/usr/local/etc/squid/staff.users"
acl password proxy_auth 300

Above we have created 3 new acl's; the last one is a standard rule. The first 2 define acl's called students and staff, each matching the authenticated users listed in the named file. Now we have to put the rules to use: add the following to the squid.conf file, which denies anyone who is in neither list:

http_access deny !students !staff

What if we want staff to have access to the web anytime but students can only access the web during supervised periods? To do this we create another acl rule in squid.conf:

acl okTime time MTWHF 09:00-18:30

The above rule matches between 9am and 6.30pm on weekdays. Now we have to combine the okTime rule with the students rule:

http_access deny students !okTime

To summarise you should have the following in the squid.conf file:

authenticate_program /usr/local/sbin/ncsa_auth /usr/local/etc/squid/squid.passwd

acl students proxy_auth "/usr/local/etc/squid/student.users"
acl staff proxy_auth "/usr/local/etc/squid/staff.users"
acl okTime time MTWHF 09:00-18:30
acl password proxy_auth 300

http_access deny !students !staff
http_access deny students !okTime
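To see what these two http_access lines actually decide, here is an added Python model of Squid's evaluation order (every acl on a line must match, the first matching line wins, and when no line matches Squid applies the opposite of the last line's action) run over the configuration above. It is not part of the original howto; the user names and dates are constructed, and it also shows why a user who appears in both staff.users and student.users is still locked out after hours.

```python
from datetime import datetime

# Constructed stand-ins for the two lists the Perl script writes.
STAFF_USERS = {"alice", "bob"}
STUDENT_USERS = {"carol", "dave", "bob"}  # bob is in both lists

# squid.conf day letters indexed by Python weekday(): Mon=0 .. Sat=5, Sun=6
DAY_LETTERS = "MTWHFAS"


def proxy_auth_acl(users):
    """proxy_auth with a username file: matches when the authenticated user is listed."""
    return lambda ctx: ctx["user"] in users


def time_acl(days, start, end):
    """time ACL: matches on the listed days when HH:MM lies within start-end."""
    def match(ctx):
        now = ctx["now"]
        return DAY_LETTERS[now.weekday()] in days and start <= now.strftime("%H:%M") <= end
    return match


ACLS = {
    "students": proxy_auth_acl(STUDENT_USERS),
    "staff": proxy_auth_acl(STAFF_USERS),
    "okTime": time_acl("MTWHF", "09:00", "18:30"),
}

# The http_access lines from the summary, in order.
HTTP_ACCESS = [
    ("deny", ["!students", "!staff"]),
    ("deny", ["students", "!okTime"]),
]

MONDAY_MORNING = datetime(2011, 4, 18, 10, 0)  # 18 Apr 2011 was a Monday
MONDAY_EVENING = datetime(2011, 4, 18, 20, 0)
SATURDAY_NOON = datetime(2011, 4, 23, 12, 0)


def evaluate(user, now):
    """Return 'allow' or 'deny' for an authenticated user at the given time."""
    ctx = {"user": user, "now": now}
    for action, terms in HTTP_ACCESS:
        # a term like '!okTime' matches when the acl does NOT match
        if all(ACLS[t.lstrip("!")](ctx) != t.startswith("!") for t in terms):
            return action
    return "allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"  # no line matched


if __name__ == "__main__":
    for who in ("alice", "carol", "bob", "mallory"):
        for when in (MONDAY_MORNING, MONDAY_EVENING, SATURDAY_NOON):
            print(f"{who:8} {when:%a %H:%M} -> {evaluate(who, when)}")
```

Note that bob is denied in the evening because the second line only asks whether he is a student; that is the reason the script's comment talks about dropping staff members from the student list.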

(Rest will be done soon).

