How to Configure Squid with MySQL DB Authentication
- Download squid source from http://www.squid-cache.org/Versions/v3/3.0/squid-3.0.STABLE24.tar.gz
- Copy the downloaded file to /tmp
- tar -zxvf squid-3.0.STABLE24.tar.gz
- cd squid-3.0.STABLE24
- ./configure --enable-basic-auth-helpers=DB
- make
- make install
- Download Current Mysql5.1 Source RPM from http://dev.mysql.com/get/Downloads/MySQL-5.1/MySQL-5.1.44-1.glibc23.src.rpm/from/ftp://mirror.anl.gov/pub/mysql/
- Copy MySQL-5.1.44-1.glibc23.src.rpm /tmp
- rpm -ivh MySQL-5.1.44-1.glibc23.src.rpm
- cd /usr/src/redhat/SPECS
- rpmbuild -bb mysql-5.1.44.spec
- After compilation the RPM files will be in /usr/src/redhat/RPMS/`uname -m`
- cd /usr/src/redhat/RPMS/`uname -m`
- rpm -ivh MySQL-server-5.1.44-1.glibc23.ia64.rpm
- The service will start automatically after installation
Here we are using the default MySQL storage engine, MyISAM (a non-transactional engine).
For a large application database you would use the InnoDB engine (transactional); it has many configurable options for tuning MySQL to work efficiently with maximum performance. The default database directory is /var/lib/mysql.
- rpm -ivh MySQL-client-5.1.44-1.glibc23.ia64.rpm
- The mysql service can be stopped/started by running #service mysql stop/start
- Log in to MySQL as root
- #mysql -u root
- You must set a password for the MySQL root user
- mysql>set password=PASSWORD('your password');
- mysql>\q
- Test your authentication
- #mysql -u root
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
- #mysql -u root -p
- Enter your password and you will get the mysql prompt.
- Then we have to create one database and table for squid as follows
mysql>create database squid;
mysql>grant select on squid.* to squiduser@localhost identified by 'squid';
mysql>use squid;
mysql> CREATE TABLE `passwd` (
`user` varchar(32) NOT NULL default '',
`password` varchar(35) NOT NULL default '',
`enabled` tinyint(1) NOT NULL default '1',
`fullname` varchar(60) default NULL,
`comment` varchar(60) default NULL,
PRIMARY KEY (`user`)
);
mysql>insert into passwd values('testuser','test',1,'Test User','for testing purpose');
mysql>\q
#/usr/local/squid/libexec/squid_db_auth --user squiduser --password squid --plaintext --persist
testuser test
OK
- Enter the test user name and password, separated by a space, and press enter. If it shows OK, your authentication works. If you get "ERR unknown login", you missed something.
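The helper exchange above is the whole contract between Squid and the program named in auth_param: one "user password" line in, "OK" or "ERR ..." out. The script below is an added example (not the squid_db_auth helper shipped with Squid) that speaks that protocol against the same passwd table, but stores salted PBKDF2 hashes instead of the plaintext that --plaintext compares; it assumes an in-memory SQLite database as a stand-in for MySQL so it runs offline, and a wider password column than the 35 characters in the schema above.

```python
#!/usr/bin/env python3
"""Basic-auth helper using the squid_db_auth stdin/stdout protocol: one
"user password" line per request, "OK" or "ERR [message]" per reply.
Queries the tutorial's passwd table (user, password, enabled, ...) but keeps
a salted PBKDF2 hash in the password column. SQLite stands in for MySQL so
this runs offline (assumption); swap in a MySQL connector for real use."""
import hashlib, hmac, os
import sqlite3, sys

ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 rounds

def hash_password(plain, salt=None):
    """Return 'salthex$dkhex'; a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", plain.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()

def verify_password(plain, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, dk_hex = stored.split("$", 1)
    candidate = hash_password(plain, bytes.fromhex(salt_hex)).split("$", 1)[1]
    return hmac.compare_digest(candidate, dk_hex)

def open_db():
    """Constructed sample data mirroring the page's schema and its test user."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE passwd (user TEXT PRIMARY KEY, password TEXT NOT NULL,"
               " enabled INTEGER NOT NULL DEFAULT 1, fullname TEXT, comment TEXT)")
    rows = [("testuser", hash_password("test"), 1, "Test User", "for testing purpose"),
            ("olduser", hash_password("old"), 0, "Disabled User", None)]
    db.executemany("INSERT INTO passwd VALUES (?, ?, ?, ?, ?)", rows)
    return db

def check_line(db, line):
    """Handle one request line and return the reply Squid expects."""
    parts = line.rstrip("\n").split(" ", 1)
    if len(parts) != 2 or not parts[0]:
        return "ERR malformed request"
    user, password = parts
    # Parameterised lookup that also honours the enabled flag from the schema.
    row = db.execute("SELECT password FROM passwd WHERE user = ? AND enabled = 1",
                     (user,)).fetchone()
    if row is None or not verify_password(password, row[0]):
        return "ERR unknown login"
    return "OK"

if __name__ == "__main__":
    conn = open_db()
    for request in sys.stdin:  # Squid keeps the helper running, one line per request
        print(check_line(conn, request), flush=True)
```

Pointing auth_param basic program at this script (with no --plaintext flags, since it takes none) gives the same "testuser test" / "OK" exchange as the manual test above.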
- Now your database is ready and we are going to configure squid
- Go to /usr/local/squid/etc/
- cp squid.conf squid.conf.org
- Search for auth_param and add these lines
auth_param basic program /usr/local/squid/libexec/squid_db_auth --user squiduser --password squid --plaintext --persist
auth_param basic children 5
auth_param basic realm Web-Proxy
auth_param basic credentialsttl 1 minute
auth_param basic casesensitive off
- Now you have to create ACLs and rules for authentication
- Here we will use two separate user ACL groups
A) Master users with access to all allowed sites, as MSTUSR
B) Normal users with minimum access, as NRMUSR
- Two ACLs for IP-based access
a) Allowed IPs as ALLOWIP
b) Denied IPs as DENYIP
- Two ACLs for allowed and denied sites
a) Allowed sites as ALLOWSITE
b) Denied sites as BLOCKSITES
- The ACLs in squid.conf as follows
acl localnet src 10.0.0.0/8 #Your
acl localnet src 172.16.0.0/12 #Possible
acl localnet src 192.168.0.0/16 #Internal Network
acl ALLOWIP src "/usr/ansil/proxy/policy/allowip"
acl DENYIP src "/usr/ansil/proxy/policy/denyip"
acl ACLAUTH proxy_auth REQUIRED
acl MSTUSR proxy_auth "/usr/ansil/proxy/policy/mstusr"
acl ALLOWSITE url_regex "/usr/ansil/proxy/policy/allowsite"
acl NRMUSR proxy_auth "/usr/ansil/proxy/policy/normaluser"
acl BLOCKSITES url_regex -i "/usr/ansil/proxy/policy/blocksites"
- Now we have to assign rules according to our ACLs
http_access deny BLOCKSITES
http_access allow ACLAUTH MSTUSR
http_access allow ALLOWIP
http_access deny DENYIP
http_access allow ACLAUTH ALLOWSITE NRMUSR
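Because Squid takes the first http_access line on which every ACL matches, the order above decides who gets through: a master user on a DENYIP address is still allowed (line 2 is checked before line 4), an ALLOWIP address needs no login at all, and a normal user on a DENYIP address is refused before the last line is ever reached. The simulator below is an added example (not Squid code) that walks the page's rule list with the normal-user ACL NRMUSR on the last line; the IP lists, user lists and site patterns are constructed stand-ins for the policy files the page references but does not show.

```python
#!/usr/bin/env python3
"""Simulates Squid's http_access evaluation for the tutorial's rule list:
lines are checked in order, a line matches only when all its ACLs match, the
first matching line decides, and when nothing matches the result is the
opposite of the last line's action. Simplification: a request with no user
simply fails proxy_auth here; real Squid would send a 407 challenge."""
import ipaddress
import re

ACLS = {  # name -> (acl type, constructed value standing in for the policy file)
    "BLOCKSITES": ("url_regex", [re.compile(r"facebook\.com", re.I)]),
    "ACLAUTH": ("proxy_auth", "REQUIRED"),
    "MSTUSR": ("proxy_auth", {"admin"}),
    "ALLOWIP": ("src", [ipaddress.ip_network("192.168.1.10/32")]),
    "DENYIP": ("src", [ipaddress.ip_network("192.168.1.0/24")]),
    "ALLOWSITE": ("url_regex", [re.compile(r"intranet\.example")]),
    "NRMUSR": ("proxy_auth", {"testuser"}),
}
RULES = [  # the page's http_access lines, top to bottom
    ("deny", ["BLOCKSITES"]),
    ("allow", ["ACLAUTH", "MSTUSR"]),
    ("allow", ["ALLOWIP"]),
    ("deny", ["DENYIP"]),
    ("allow", ["ACLAUTH", "ALLOWSITE", "NRMUSR"]),
]

def acl_matches(name, src, user, url):
    """Does one named ACL match a request from src by user for url?"""
    kind, value = ACLS[name]
    if kind == "src":
        return any(ipaddress.ip_address(src) in net for net in value)
    if kind == "url_regex":
        return any(rx.search(url) for rx in value)
    if kind == "proxy_auth":
        return user is not None and (value == "REQUIRED" or user in value)
    raise ValueError("unknown acl type for " + name)

def http_access(src, user, url):
    """Return 'allow' or 'deny' for one request (user is None when unauthenticated)."""
    for action, acls in RULES:
        if all(acl_matches(a, src, user, url) for a in acls):
            return action
    return "deny" if RULES[-1][0] == "allow" else "allow"  # Squid's implicit default
```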
- Now save the configuration file.
- Restart the squid service; for that you need to create an init script for squid
- Create a script as follows and put it in /etc/init.d/ with the name squid
- #chmod 755 /etc/init.d/squid
- chkconfig --add squid
#!/bin/bash
# squid built from source with the default prefix lives in /usr/local/squid/sbin
PATH=/usr/bin:/sbin:/bin:/usr/sbin:/usr/local/squid/sbin
export PATH
. /etc/rc.d/init.d/functions
. /etc/sysconfig/network
if [ -f /etc/sysconfig/squid ]; then
. /etc/sysconfig/squid
fi
SQUID_OPTS=${SQUID_OPTS:-"-D"}
SQUID_PIDFILE_TIMEOUT=${SQUID_PIDFILE_TIMEOUT:-20}
SQUID_SHUTDOWN_TIMEOUT=${SQUID_SHUTDOWN_TIMEOUT:-100}
[ -f /usr/local/squid/sbin/squid ] && SQUID=squid
if [ "$1" == "status" ]; then
[ -z "$SQUID" ] && exit 4
else
[ -z "$SQUID" ] && exit 1
fi
prog="$SQUID"
CACHE_SWAP=`sed -e 's/#.*//g' /usr/local/squid/etc/squid.conf | \
grep cache_dir | awk '{ print $3 }'`
[ -z "$CACHE_SWAP" ] && CACHE_SWAP=/var/spool/squid
RETVAL=0
probe() {
# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 1
# check if the squid conf file is present
[ -f /usr/local/squid/etc/squid.conf ] || exit 6
}
start() {
probe
$SQUID -k parse
RETVAL=$?
if [ $RETVAL -ne 0 ]; then
echo -n $"Starting $prog: "
echo_failure
echo
return 1
fi
for adir in $CACHE_SWAP; do
if [ ! -d $adir/00 ]; then
echo -n "init_cache_dir $adir... "
$SQUID -z -F -D >> /var/log/squid/squid.out 2>&1
fi
done
echo -n $"Starting $prog: "
$SQUID $SQUID_OPTS >> /var/log/squid/squid.out 2>&1
RETVAL=$?
if [ $RETVAL -eq 0 ]; then
timeout=0;
while : ; do
[ ! -f /var/run/squid.pid ] || break
if [ $timeout -ge $SQUID_PIDFILE_TIMEOUT ]; then
RETVAL=1
break
fi
sleep 1 && echo -n "."
timeout=$((timeout+1))
done
fi
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/$SQUID
[ $RETVAL -eq 0 ] && echo_success
[ $RETVAL -ne 0 ] && echo_failure
echo
return $RETVAL
}
stop() {
echo -n $"Stopping $prog: "
$SQUID -k check >> /var/log/squid/squid.out 2>&1
RETVAL=$?
if [ $RETVAL -eq 0 ] ; then
$SQUID -k shutdown &
rm -f /var/lock/subsys/$SQUID
timeout=0
while : ; do
[ -f /var/run/squid.pid ] || break
if [ $timeout -ge $SQUID_SHUTDOWN_TIMEOUT ]; then
echo
return 1
fi
sleep 2 && echo -n "."
timeout=$((timeout+2))
done
echo_success
echo
else
echo_failure
echo
fi
return $RETVAL
}
reload() {
$SQUID $SQUID_OPTS -k reconfigure
}
restart() {
stop
start
}
condrestart() {
[ -e /var/lock/subsys/squid ] && restart || :
}
rhstatus() {
status $SQUID && $SQUID -k check
}
case "$1" in
start)
start
;;
stop)
stop
;;
reload)
reload
;;
restart)
restart
;;
condrestart)
condrestart
;;
status)
rhstatus
;;
probe)
probe
exit 0
;;
*)
echo $"Usage: $0 {start|stop|status|reload|restart|condrestart|probe}"
exit 2
esac
exit $RETVAL
tnx
hii its good information, can u help to configure squid acl using mysql database.?
Thanks
ReplyDeleteThis easy tutorial is still very usable in 2013
Hey dear everything is ok..thn m run this command "/usr/local/squid/libexec/squid_db_auth –-user squiduser -–password squid -–plaintext –-persist
testuser test" and get me error down
Unknown option: –password
Unknown option: –plaintext
Can't open –-user: No such file or directory at /usr/local/squid/libexec/squid_db_auth line 135.
Can't open squiduser: No such file or directory at /usr/local/squid/libexec/squid_db_auth line 135.
Can't open squid: No such file or directory at /usr/local/squid/libexec/squid_db_auth line 135.
Can't open –-persist: No such file or directory at /usr/local/squid/libexec/squid_db_auth line 135.
Please help me for this solutions...M waiting........
thanks
any video tutorials there....pls sent