补充一下关于squid userbased的限制

cxfcxf

好像以前的前辈们都没提到 刚看了一篇squid的文章 把关于userbased的部分总结出来
关于userbased 查找squid.conf里面的
#  TAG: auth_param
squid是通过这个选项来做限制的
找到配置部分
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/password
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
默认安装squid 会配置上NCSA 可以用slcoate来确定ncsa_auth的位置 保证文件夹和文件可读
用htpasswd 来创建passwd文件，我制定的路径是/etc/squid/password
htpasswd用法同apache用户限制
然后就是添加规则了
acl example proxy_auth REQUIRED
http_access allow example
这样 任何方向的主机 主要是用该代理 就会被要求提供用户名和密码（在password文件里定义的）

neozo

补充一下
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/password
改为
auth_param basic program /usr/lib/squid/pam_auth -o
pam_auth文件要setuid
/etc/pam.d/squid 为squid的PAM配置文件

使用PAM认证比较方便

ecloud

Post by neozo
补充一下
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/password
改为
auth_param basic program /usr/lib/squid/pam_auth -o
pam_auth文件要setuid
/etc/pam.d/squid 为squid的PAM配置文件

使用PAM认证比较方便

考试归考试
不过在实际应用中，最好不要用pam认证，基本上的原则，除非必须，尽量少用系统用户帐号

zaiwen

Thank you for the info. Very helpful. I have tried and it works fine.

One more question: if you use this 用户级别控制, it seems you can't at the same time use host/network base authentication. Am I right?

I tried to have both lines in squid.conf, but it will complain:

acl example proxy_auth REQUIRED
acl example src 194.168.0.0/255.255.255.0

cxfcxf

if u want to allow a net 194.168.0.0/255.255.255.0 without userauth
u can write it allow before proxy auth

acl example proxy_auth REQUIRED
acl example1 src 194.168.0.0/255.255.255.0

then
http_access allow example1
http_access allow example

it will make net 194.168.0.0/255.255.255.0 access without userauth
and make other access with userauth

if u want to deny that net ,i think there is no need to to make a new rule for 194.168.0.0/255.255.255.0