Quick Install Guide for the squid-IP_AUTH
[c] Steffen Dettmer

Requirements

You need a working SSL server with CGI script support for the perl scripts. The packaged login.cgi uses a Windows domain for authentication (SMB protocol, Samba should work also). Of course you can replace this with another login script.

Squid Installation

You may install from RPM (preferred) or from source tar ball.

If you install from sources, you need the squid sources, the IP_AUTH patch and the IP_AUTH contributions (examples). Extract the squid sources and apply the patch. Don't forget --enable-ip_auth as argument for configure. Follow the ordinary squid install process.

If you install from RPM, just give an "rpm -i squid-IP_AUTH-*.i386.rpm".

Setting up the scripts

Make sure your SSL/TLS web server is running. The provided examples require an SSL server on the same physical host as the proxy (since a FIFO is used for communication). Now copy login.cgi and logout.cgi to the server root. If you use the SuSE rpm, try:

    install -m 500 -o wwwrun \
        /usr/share/doc/packages/squid-IP_AUTH/contrib/IP_AUTH/log*.cgi \
        /usr/local/httpd/htdocs

Please note that you specify the DocumentRoot of the SSL server as destination.

Configuring the web server

Now you need to allow CGI execution for these two files. When you use SuSE's apache with default configuration, you need to edit /etc/httpd/httpd.conf. Modify the block: search for AllowOverride None and change it to AllowOverride All to allow .htaccess files in the DocumentRoot (usually controlled by the server admin, anyway).

Create (or copy) the .htaccess file; include at least:

    Options +ExecCGI

The contributed htaccess (don't forget to rename it to .htaccess!) is much more strict; you should prefer that.

Finally, restart the web server (SuSE: rcapache restart).

Create the FIFO

For communication, a FIFO is used. The contributed rcscript creates the default FIFO (for the contributed setup). If you have a different setup or if you cannot use that rcscript for starting (e.g., on RedHat systems), you have to create it, for instance with:

    mkfifo /usr/local/squid/mini_auth.fifo
    chown wwwrun:nogroup /usr/local/squid/mini_auth.fifo
    chmod 640 /usr/local/squid/mini_auth.fifo

(If you don't like nogroup files, please note that squid must be able to read this FIFO, so the change isn't trivial when avoiding read permissions for others.)

Setting up Squid

Now it's time to adjust /etc/squid.conf. Open it with $EDITOR, and set/change the following options:

    authenticate_program /usr/local/squid/bin/mini_auth
    authenticate_children 1
    authenticate_ttl 1 second

(mini_auth requires authenticate_children to be one!)

Search for the lines with the ACLs. Add something like:

    acl validuser proxy_auth REQUIRED
    http_access allow validuser

(An example squid.conf file is also contributed.)

Now copy the contrib/IP_AUTH/ERR_CACHE_ACCESS_DENIED file from the contribution. If you installed the RPM, this is already done. Otherwise, copy it now. For SuSE this can be done with:

    cd /usr/share/doc/packages/squid-IP_AUTH/contrib/IP_AUTH
    cp ERR_CACHE_ACCESS_DENIED /usr/local/squid/share/errors/

Now start squid.

Now you need to set up the browsers to use that proxy. Please note that you need to specify the proxy itself in the no-proxy-for list; otherwise, clients would not be able to log in!

If your login.cgi is not working, you can manually add allowed IPs. For that, you must be either root or wwwrun. To allow the IP 127.0.0.2 (for SuSE's localhost), try:

    echo "+127.0.0.2" >> /usr/local/squid/mini_auth.fifo

Check the logs in /usr/local/squid/logs/mini_auth.log and /var/log/squid/.
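
The manual echo into the FIFO shown above means that whoever can write that file can authorize an address, so the permissions set in "Create the FIFO" are the access control. The following helper is an added example, not part of the squid-IP_AUTH contribution: it validates the address and checks the FIFO before writing the guide's "+IP" line. The function names valid_ipv4, fifo_is_restricted and allow_ip are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the squid-IP_AUTH contribution.
# Only the "+IP" line format and the FIFO path come from the guide;
# the function names are hypothetical.

# Succeeds only for a dotted-quad IPv4 address with octets 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Succeeds only if $1 is a FIFO that neither group nor others can write.
# Whoever can write the FIFO can authorize an address, so the guide's
# mode 640 passes and a mode such as 666 is rejected.
fifo_is_restricted() {
    [ -p "$1" ] || return 1
    mode=$(ls -ld "$1") || return 1
    mode=${mode%% *}               # first field, e.g. prw-r-----
    case "$mode" in
        p????-??-?*) return 0 ;;   # group-write and other-write both unset
    esac
    return 1
}

# Writes "+IP" to the FIFO after both checks pass.
# Returns 0 on write, 2 for a bad address, 3 for an unsafe or missing FIFO.
# Like the plain echo, the write blocks until a reader has the FIFO open.
allow_ip() {
    valid_ipv4 "$2" || { echo "refusing: not an IPv4 address: $2" >&2; return 2; }
    fifo_is_restricted "$1" || { echo "refusing: $1 is not a write-restricted FIFO" >&2; return 3; }
    printf '+%s\n' "$2" >> "$1"
}

# Usage (as root or wwwrun, per the guide):
#   allow_ip /usr/local/squid/mini_auth.fifo 127.0.0.2
```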