Installing a Squid proxy server on Ubuntu 12.10 with NCSA authentication

This week I needed to investigate and fix some bugs that customers behind proxy servers were experiencing in Octopus Deploy. I didn't have easy access to a proxy server, so I decided to set one up using Squid, an open source web proxy server. I've seen Squid used in many shops before but this is the first time I'd ever configured it.

Getting started

I use Windows 8 day to day, and although Squid appears to work on Windows, I wanted to set this up in a clean environment. So I created a new virtual machine in Hyper-V, and installed Ubuntu Server 12.10. I worked through the installation guide, selecting the keyboard layout, timezone, and so on. When prompted for packages, I only chose to install OpenSSH server.

Installing Squid

I started by installing Squid:

sudo apt-get install squid

This actually installed Squid 3.1.20, so my Squid configuration file was located at /etc/squid3/squid.conf.

Next, I tested whether Squid worked out of the box. I used ifconfig to find out my VM's IP address, then opened that in a browser on port 3128. I was given a page that said Squid at the bottom, so that's a good sign.

Squid

Setting up a password file

Squid has a ton of options for authentication. Since I'm just testing proxy server authentication, I went with a simple NCSA-style username and password configuration. First I installed apache2-utils to get access to htpasswd:

sudo apt-get install apache2-utils

Next I created a file called users in my Squid configuration folder, with a user named paul.

sudo htpasswd -c /etc/squid3/users paul

Using htpasswd to set a password

And I made sure Squid could read that file:

sudo chmod o+r /etc/squid3/users

Configuring Squid to use NCSA authentication module

The different authentication modules are distributed as binaries that come with Squid, and to configure them you have to know where they are located. This command listed their locations:

dpkg -L squid3 | grep ncsa_auth

For me the output was /usr/lib/squid3/ncsa_auth.

To enable the module, I opened the Squid configuration file in vi:

sudo vi /etc/squid3/squid.conf

I searched for the text TAG: auth_param to find where the authentication module is configured. Next I added the following configuration:

auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/users
auth_param basic children 5
auth_param basic realm Paul's Squid!
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

Next, I needed to add the ACL to give the users access. I searched for TAG: acl in the Squid configuration file and added this ACL to the list:

acl ncsa_users proxy_auth REQUIRED

Then I searched for TAG: http_access to find where HTTP access rules are configured. Scrolling down, there's a section where you can insert your own rules. I added:

http_access allow ncsa_users

Restart Squid

Finally, I restarted Squid:

sudo service squid3 restart

And bam! After configuring the proxy settings, I was prompted for proxy credentials:

Prompted for proxy credentials

I could have just used Fiddler

Not long after this, I discovered that Fiddler (which acts as a proxy) can require authentication. It's as simple as checking Rules -> Require Proxy Authentication. D'oh!

Sources

The following guides were very useful in getting this working. The main differences I found was that when I installed Squid, I got Squid 3.1.20, while the guides appear to use an older version.

A picture of me

Welcome, my name is Paul Stovell. I live in Brisbane and work on Octopus Deploy, an automated deployment tool for .NET applications.

Prior to founding Octopus Deploy, I worked for an investment bank in London building WPF applications, and before that I worked for Readify, an Australian .NET consulting firm. I also worked on a number of open source projects and was an active user group presenter. I was a Microsoft MVP for WPF from 2006 to 2013.