Squid user authentication


You can configure Squid to prompt users for a username and password. Squid comes with a program called ncsa_auth that reads any NCSA-compliant encrypted password file. You can use the htpasswd program that comes installed with Apache to create your passwords.

Create the password file. The name of the password file should be /etc/squid/squid_passwd, and you need to make sure that it’s universally readable

touch /etc/squid3/squid_passwd

chmod o+r /etc/squid3/squid_passwd

Use the htpasswd program to add users to the password file. You can add users at anytime without having to restart Squid. In this case, you add a username called admin

htpasswd /etc/squid3/squid_passwd admin

New password:

Re-type new password:

Adding password for user admin

Find your ncsa_auth file using the locate command.

locate ncsa_auth


Edit squid.conf…..specifically, you need to define the authentication program in squid.conf, which is in this case ncsa_auth. Next, create an ACL named ncsa_users with the REQUIRED keyword that forces Squid to use the NCSA auth_param method you defined previously. Finally, create an http_access entry that allows traffic that matches the ncsa_users ACL entry

# Add this to the auth_param section of squid.conf
auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/squid_passwd

# Add this to the bottom of the ACL section of squid.conf
acl ncsa_users proxy_auth REQUIRED

# Add this at the top of the http_access section of squid.conf
http_access allow ncsa_users

May be a modified my acl &  http_access will be like this

acl my_network src
acl ncsa_users proxy_auth REQUIRED
acl work_hours time SMTWHFA 07:00-21:00

http_access allow  my_network ncsa_users work_hours

Restart squid 🙂

Screenshot from 2012-12-10 11:51:15







If denied…..

Screenshot from 2012-12-10 11:51:24


Squid Access Control Lists

You can limit users’ ability to browse the Internet with access control lists (ACLs). Each ACL line defines a particular type of activity, such as an access time or source network, they are then linked to an http_access statement that tells Squid whether or not to deny or allow traffic that matches the ACL.

Squid matches each Web access request it receives by checking the http_access list from top to bottom. If it finds a match, it enforces the allow or deny statement and stops reading further. You have to be careful not to place a deny statement in the list that blocks a similar allow statement below it. The final http_access statement denies everything, so it is best to place new http_access statements above it.

Adding my network on acl.

I can add it in two ways like this

acl my_network src


acl my_network src

both means my network starts from to 255

Now on http_access section allow this network to access internet

http_access allow my_network

Restricting Web Access By Time

You can create access control lists with time parameters.that is you can allow internet only on working hours etc..Add acl for time

acl work_hours time SMTWHFA 08:00-17:00

SMTWHFA- represents Sunday to Saturday

please ensure there is no space between the time it may cause error..

now modify htt_access with time

http_access allow  my_network  work_hours

Now the machines under my_network will get internet connection only during working hours