Authentication and Squid

Contributed authentication modules

The contributed authentication modules are available at http://www.squid-cache.org/related-software.html. At the time of writing, there is a RADIUS authenticator, a modification of the standard LDAP authenticator for non-anonymous servers, and a patch which supports static and dynamic LDAP group look-ups.



How Squid processes authentication

Squid uses sub-processes to process authentication requests to avoid being blocked by slow connections. The authentication sub-processes are connected to Squid by standard Unix pipes and Squid communicates with them via stdin and stdout. The sub-process responds with "OK" or "ERR", depending on the success of the authentication.
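The helper side of that pipe protocol, as an added example (not code from the article or the Squid project). It assumes Squid sends one "username password" line per request with both fields URL-escaped; the user store, salt and PBKDF2 parameters are constructed for illustration.

```python
#!/usr/bin/env python3
"""Sketch of a Squid basic-auth helper: one request line in, OK or ERR out."""
import hashlib
import hmac
import sys
from urllib.parse import unquote

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value for this example)

def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a key from the password so no plaintext is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed sample store: username -> (salt, derived key). A real helper
# would load this from a protected file or a directory service.
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}
_DUMMY = (_SALT, hash_password("dummy", _SALT))

def check_line(line: str) -> str:
    """Return "OK" or "ERR" for one request line received from Squid."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return "ERR"  # malformed request: fail closed
    # Assumption: fields arrive URL-escaped, so a space shows up as %20.
    user, password = unquote(parts[0]), unquote(parts[1])
    # Unknown users are still hashed (against a dummy entry) so response
    # time does not reveal which usernames exist.
    salt, expected = USERS.get(user, _DUMMY)
    candidate = hash_password(password, salt)
    ok = hmac.compare_digest(candidate, expected) and user in USERS
    return "OK" if ok else "ERR"

def main() -> None:
    for line in sys.stdin:
        sys.stdout.write(check_line(line) + "\n")
        sys.stdout.flush()  # Squid blocks on the pipe; never buffer replies

if __name__ == "__main__":
    main()
```

Anything other than an exact match, including an empty or truncated line, is answered with ERR, so a parsing failure can never turn into an accepted login.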

Because every request must be authenticated, Squid caches the name/password pairs along with the results from successful authentications for a configurable number of seconds. This enables Squid to send requests for each item on a page, yet require only one authentication from the user's client.

Because of the cache, it is impractical for multiple users to share a login name. Squid uses splay trees to handle the internal cache; these don't respond well to duplicate keys.

Caveats and gotchas

  • Authentication headers are consumed by the first proxy that requires them, and sometimes aren't passed on by proxies that don't need them.

  • The user authentication ACL reverses the usual ACL logic: http_access allow localusers acts as if it read http_access deny !localusers.

  • Access control lists have an implicit last line which reverses the rule of the last explicit line.

Final words

Now the boss is off your neck and your proxy authentication is working -- go grab yourself a drink and put your feet up. Unless he's after you to do the next job....

Further reading

  • RFC 2617 "HTTP Authentication: Basic and Digest Access Authentication"

  • Squid, a User's Guide

  • Squid Configuration Manual

  • $SQUID-HOME/etc/squid.conf

Jennifer Vesperman is the author of Essential CVS. She writes for the O'Reilly Network, the Linux Documentation Project, and occasionally Linux.Com.

