Squid Web Cache wiki

Squid Web Cache documentation

Configuring a Squid Server to authenticate from MySQL database

By Askar Ali Khan

Outline

In this example a Squid installation uses MySQL to authenticate users before allowing them to surf the web.

Squid Installation

Make sure that the squid_db_auth helper is built. This is generally the case for most prepackaged distributions. If you are building Squid on your own, the helper will be built if the MySQL libraries are installed on the system. To make sure, build Squid with the option --enable-basic-auth-helpers=DB; the build will fail if the helper cannot be built for any reason.

Creating MySQL db/table to hold user credentials

mysql> create database squid;
mysql> grant select on squid.* to someuser@localhost identified by 'xxxx';
mysql> CREATE TABLE `passwd` (
    `user` varchar(32) NOT NULL default '',
    `password` varchar(35) NOT NULL default '',
    `enabled` tinyint(1) NOT NULL default '1',
    `fullname` varchar(60) default NULL,
    `comment` varchar(60) default NULL,
    PRIMARY KEY  (`user`)
);

Populate the table with some test data, e.g.:

mysql> insert into passwd values('testuser','test',1,'Test User','for testing purpose');

Squid Configuration File

Example squid.conf section:

auth_param basic program /usr/local/squid/libexec/squid_db_auth \
    --user someuser --password xxxx --plaintext --persist

auth_param basic children 5
auth_param basic realm Web-Proxy
auth_param basic credentialsttl 1 minute
auth_param basic casesensitive off


acl db-auth proxy_auth REQUIRED
http_access allow db-auth
http_access allow localhost
http_access deny all

By default the helper connects to a MySQL database running on the local host. It can also be made to contact a remote server using the --dsn argument.

The Data Source Name (--dsn) parameter is the option string passed to the Perl DBI module for locating the database to use.

It takes the syntax "DBI:" <driver> ":" <params>

The params part depends on which database driver (type) is used. The "mysql" driver uses semicolon-separated key=value pairs, so you can write something like:

auth_param basic program /path/to/squid_db_auth \
    --dsn "DBI:mysql:host=example.com;port=3306;database=squid" \
    --user someuser --password xxxx --plaintext --persist

Testing the helper

It is a good idea to test the squid_db_auth helper from the command line, to make sure it authenticates against MySQL, before trying from a browser.

/path/to/squid_db_auth --user someuser --password xxxx --plaintext --persist

Type the username and password on the same line, separated by a space. On successful authentication the helper prints "OK"; otherwise it prints "ERR login failure".
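To see which request lines should produce which reply before pointing the real helper at MySQL, the following added example (not Squid's code) models the exchange over the passwd table defined above. It assumes an in-memory SQLite database in place of MySQL, a plaintext comparison as with --plaintext, an "enabled = 1" row filter, and URL-encoded credentials on the request line; make_db and answer are hypothetical names.

```python
import hmac
import sqlite3
from urllib.parse import unquote

def make_db():
    """Build the page's passwd table in SQLite with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE passwd (
        user VARCHAR(32) NOT NULL DEFAULT '' PRIMARY KEY,
        password VARCHAR(35) NOT NULL DEFAULT '',
        enabled TINYINT(1) NOT NULL DEFAULT 1,
        fullname VARCHAR(60), comment VARCHAR(60))""")
    db.executemany("INSERT INTO passwd VALUES (?,?,?,?,?)", [
        ("testuser", "test", 1, "Test User", "for testing purpose"),
        ("olduser", "secret", 0, "Disabled User", "constructed row"),
        ("spacey", "two words", 1, "Space User", "constructed row"),
    ])
    return db

def answer(db, line):
    """Return the reply for one 'user password' request line."""
    parts = line.strip().split(" ")
    if len(parts) != 2:          # exactly one space separates the two fields
        return "ERR login failure"
    user, password = (unquote(p) for p in parts)  # assumed URL-encoded input
    # Bound parameter: the username never becomes part of the SQL text.
    row = db.execute(
        "SELECT password FROM passwd WHERE user = ? AND enabled = 1", (user,)
    ).fetchone()
    # Plaintext comparison (as with --plaintext), done in constant time.
    if row and hmac.compare_digest(row[0].encode(), password.encode()):
        return "OK"
    return "ERR login failure"

if __name__ == "__main__":
    db = make_db()
    for line in ["testuser test", "testuser wrong", "olduser secret",
                 "spacey two%20words", "spacey two words"]:
        print(f"{line!r:24} -> {answer(db, line)}")
```

A disabled account and a password typed with a literal space are both rejected, so test data for the real helper should include at least one row of each kind.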


โš ๏ธ Disclaimer: Any example presented here is provided "as-is" with no support
or guarantee of suitability. If you have any further questions about
these examples please email the squid-users mailing list.
