auth_param

auth_param

The auth_param directive controls almost every aspect of Squid's external user authentication interface. Squid currently supports three authentication schemes: Basic, Digest, and NTLM. Basic authentication support is compiled by default. For the others, you must use the enable-auth option with ./configure.

Since the auth_param directive is very complex, I'm presenting it here as a separate directive for each combination of parameters.

Syntax

See the following subsections

Default

See the following subsections

Example

See the following subsections

Related

authenticate_cache_garbage_interval, authenticate_ttl, authenticate_ip_ttl

auth_param basic program

The command for the HTTP Basic authentication helper. You need to specify the full pathname to the program, plus any command-line options.

Syntax

auth_param basic program command ...

Default

No default

Example

auth_param basic program /usr/local/squid/libexec/ncsa_auth /usr/local/squid/etc/

ncsa_passwd

Related

auth_param basic children, auth_param basic realm, auth_param basic credentialsttl

auth_param basic children

This is the number of Basic authentication helper processes Squid uses.

Syntax

auth_param basic children count

Default

auth_param basic children 5

Example

auth_param basic children 10

Related

auth_param basic program, auth_param basic realm, auth_param basic credentialsttl

auth_param basic realm

This is the Basic authentication realm Squid sends in 407 (Proxy Authentication Required) responses. User agents typically display the realm string to the user when requesting a username and password. Refer to RFC 2617, Section 2.

Syntax

auth_param basic realm string

Default

No default

Example

auth_param basic realm Squid proxy-caching web server

Related

auth_param basic program, auth_param basic children, auth_param basic credentialsttl

auth_param basic credentialsttl

To reduce load on the external authentication processes, Squid caches successful answers for this amount of time. In other words, once a user is authenticated, Squid doesn't query the helper program again until this TTL expires. If you change the external database (e.g., password file), Squid may not notice the change until the cached credentials time out.

Syntax

auth_param basic credentialsttl time-specification

Default

auth_param basic credentialsttl 5 minutes

Example

auth_param basic credentialsttl 15 minutes

Related

auth_param basic program, auth_param basic children, auth_param basic realm

auth_param digest program

As with Basic authentication, this specifies the command to execute for the external Digest authentication program.

Syntax

auth_param digest program command ...

Default

No default

Example

auth_param digest program /usr/local/squid/libexec/digest_auth /usr/local/squid/etc/

digest_passwd

Related

auth_param digest children, auth_param digest realm, auth_param digest nonce_garbage_interval, auth_param digest nonce_max_duration, auth_param digest nonce_max_count

auth_param digest children

This is the number of Digest authentication helper processes that Squid uses.

Syntax

auth_param digest children count

Default

auth_param digest children 5

Example

auth_param digest children 11

Related

auth_param digest program, auth_param digest realm, auth_param digest nonce_garbage_interval, auth_param digest nonce_max_duration, auth_param digest nonce_max_count

auth_param digest realm

This is the Digest authentication realm that Squid sends in 407 (Proxy Authentication Required) responses. User agents typically display the realm string to the user when requesting a username and password. Refer to RFC 2617, Section 3.2.1.

Syntax

auth_param digest realm string

Default

No default

Example

auth_param digest realm Squid proxy-caching web server

Related

auth_param digest program, auth_param digest children, auth_param digest nonce_garbage_interval, auth_param digest nonce_max_duration, auth_param digest nonce_max_count

auth_param digest nonce_garbage_interval

As I explained in Section 12.3, a nonce is a special string of data that changes from time to time. Its purpose is to prevent replay attacks with captured digest authentication data.

Squid maintains a cache of nonce values it has sent to clients requiring authentication. This cache must be pruned occasionally because nonce strings expire. This directive specifies how often Squid executes the garbage collection procedure for the nonce cache.

If Squid is very busy, you may want to clean the nonce cache more frequently to reduce the amount of time spent in the garbage collection function each time it runs.

Syntax

auth_param digest nonce_garbage_interval time-specification

Default

auth_param digest nonce_garbage_interval 5 minutes

Example

auth_param digest nonce_garbage_interval 5 minutes

Related

auth_param digest program, auth_param digest children, auth_param digest realm, auth_param digest nonce_max_duration, auth_param digest nonce_max_count

auth_param digest nonce_max_duration

This directive specifies how long a Digest nonce value remains valid. It is similar to the credentialsttl directive for Basic authentication.

If an attacker captures the client's digest authentication headers from an HTTP request, a simple replay attack provides authenticated access to Squid until the nonce value times out or until the maximum usage count is reached. Decrease this value to reduce that risk.

Syntax

auth_param digest nonce_max_duration time-specification

Default

auth_param digest nonce_max_duration 5 minutes

Example

auth_param digest nonce_max_duration 30 minutes

Related

auth_param digest program, auth_param digest children, auth_param digest realm, auth_param digest nonce_garbage_interval, auth_param digest nonce_max_count, auth_param basic credentialsttl

auth_param digest nonce_max_count

This directive specifies a limit on the number of requests for a Digest nonce value. If a client issues this many requests with the same nonce value, Squid invalidates it and causes a new one to be generated. See Section 4.3 of RFC 2617.

Syntax

auth_param digest nonce_max_count count

Default

auth_param digest nonce_max_count 50

Example

auth_param digest nonce_max_count 50

Related

auth_param digest program, auth_param digest children, auth_param digest realm, auth_param digest nonce_garbage_interval, auth_param digest nonce_max_duration

auth_param ntlm program

This directive specifies the command, including options, to execute for the external NTLM authentication program.

Syntax

auth_param ntlm program command

Default

No default

Example

auth_param ntlm program /usr/local/squid/libexec/ntlm_auth /usr/local/

squid/etc/ntlm_db

Related

auth_param ntlm children, auth_param ntlm max_challenge_reuses, auth_param ntlm max_challenge_lifetime

auth_param ntlm children

Specifies the number of NTLM authentication helper process that Squid uses.

Syntax

auth_param ntlm children count

Default

auth_param ntlm children 5

Example

auth_param ntlm children 14

Related

auth_param ntlm program, auth_param ntlm max_challenge_reuses, auth_param ntlm max_challenge_lifetime

auth_param ntlm max_challenge_reuses

In Squid's NTLM implementation, the NTLM challenge token comes from the external helper process, rather than Squid itself. Each helper process generates its own challenge token. This directive specifies how many times each token may be reused. By default, the tokens are never reused. Challenge reuse is also subject to the max_challenge_lifetime restriction.

Syntax

auth_param ntlm max_challenge_reuses count

Default

auth_param ntlm max_challenge_reuses 0

Example

auth_param ntlm max_challenge_reuses 5

Related

auth_param ntlm program, auth_param ntlm children, auth_param ntlm max_challenge_lifetime

auth_param ntlm max_challenge_lifetime

This directive also controls whether the external NTML helper processes can reuse their challenge tokens. It specifies the maximum amount of time a single challenge can be used.

Syntax

auth_param ntlm max_challenge_lifetime time-specification

Default

auth_param ntlm max_challenge_lifetime 1 minute

Example

auth_param ntlm max_challenge_lifetime 2 minutes

Related

auth_param ntlm program, auth_param ntlm children, auth_param ntlm max_challenge_reuses



    Appendix A. Config File Reference