auth_param

The auth_param directive controls almost every aspect of Squid's external user authentication interface. Squid currently supports three authentication schemes: Basic, Digest, and NTLM. Basic authentication support is compiled by default. For the others, you must use the enable-auth option with ./configure.

Since the auth_param directive is very complex, I'm presenting it here as a separate directive for each combination of parameters.

auth_param basic program

The command for the HTTP Basic authentication helper. You need to specify the full pathname to the program, plus any command-line options.

auth_param basic program command ...

auth_param basic program /usr/local/squid/libexec/ncsa_auth /usr/local/squid/etc/

ncsa_passwd

auth_param basic children

This is the number of Basic authentication helper processes Squid uses.

auth_param basic children count

auth_param basic children 5

auth_param basic children 10

auth_param basic realm

This is the Basic authentication realm Squid sends in 407 (Proxy Authentication Required) responses. User agents typically display the realm string to the user when requesting a username and password. Refer to RFC 2617, Section 2.

auth_param basic realm string

auth_param basic realm Squid proxy-caching web server

auth_param basic credentialsttl

To reduce load on the external authentication processes, Squid caches successful answers for this amount of time. In other words, once a user is authenticated, Squid doesn't query the helper program again until this TTL expires. If you change the external database (e.g., password file), Squid may not notice the change until the cached credentials time out.

auth_param basic credentialsttl time-specification

auth_param basic credentialsttl 5 minutes

auth_param basic credentialsttl 15 minutes

auth_param digest program

As with Basic authentication, this specifies the command to execute for the external Digest authentication program.

auth_param digest program command ...

auth_param digest program /usr/local/squid/libexec/digest_auth /usr/local/squid/etc/

digest_passwd

auth_param digest children

This is the number of Digest authentication helper processes that Squid uses.

auth_param digest children count

auth_param digest children 5

auth_param digest children 11

auth_param digest realm

This is the Digest authentication realm that Squid sends in 407 (Proxy Authentication Required) responses. User agents typically display the realm string to the user when requesting a username and password. Refer to RFC 2617, Section 3.2.1.

auth_param digest realm string

auth_param digest realm Squid proxy-caching web server

auth_param digest nonce_garbage_interval

As I explained in Section 12.3, a nonce is a special string of data that changes from time to time. Its purpose is to prevent replay attacks with captured digest authentication data.

Squid maintains a cache of nonce values it has sent to clients requiring authentication. This cache must be pruned occasionally because nonce strings expire. This directive specifies how often Squid executes the garbage collection procedure for the nonce cache.

If Squid is very busy, you may want to clean the nonce cache more frequently to reduce the amount of time spent in the garbage collection function each time it runs.

auth_param digest nonce_garbage_interval time-specification

auth_param digest nonce_garbage_interval 5 minutes

auth_param digest nonce_garbage_interval 5 minutes

auth_param digest nonce_max_duration

This directive specifies how long a Digest nonce value remains valid. It is similar to the credentialsttl directive for Basic authentication.

If an attacker captures the client's digest authentication headers from an HTTP request, a simple replay attack provides authenticated access to Squid until the nonce value times out or until the maximum usage count is reached. Decrease this value to reduce that risk.

auth_param digest nonce_max_duration time-specification

auth_param digest nonce_max_duration 5 minutes

auth_param digest nonce_max_duration 30 minutes

auth_param digest nonce_max_count

This directive specifies a limit on the number of requests for a Digest nonce value. If a client issues this many requests with the same nonce value, Squid invalidates it and causes a new one to be generated. See Section 4.3 of RFC 2617.

auth_param digest nonce_max_count count

auth_param digest nonce_max_count 50

auth_param digest nonce_max_count 50

auth_param ntlm program

This directive specifies the command, including options, to execute for the external NTLM authentication program.

auth_param ntlm program command

auth_param ntlm program /usr/local/squid/libexec/ntlm_auth /usr/local/

squid/etc/ntlm_db

auth_param ntlm children

Specifies the number of NTLM authentication helper process that Squid uses.

auth_param ntlm children count

auth_param ntlm children 5

auth_param ntlm children 14

auth_param ntlm max_challenge_reuses

In Squid's NTLM implementation, the NTLM challenge token comes from the external helper process, rather than Squid itself. Each helper process generates its own challenge token. This directive specifies how many times each token may be reused. By default, the tokens are never reused. Challenge reuse is also subject to the max_challenge_lifetime restriction.

auth_param ntlm max_challenge_reuses count

auth_param ntlm max_challenge_reuses 0

auth_param ntlm max_challenge_reuses 5

auth_param ntlm max_challenge_lifetime

This directive also controls whether the external NTML helper processes can reuse their challenge tokens. It specifies the maximum amount of time a single challenge can be used.

auth_param ntlm max_challenge_lifetime time-specification

auth_param ntlm max_challenge_lifetime 1 minute

auth_param ntlm max_challenge_lifetime 2 minutes