12.1 Configuring Squid

The auth_param directive controls every aspect of configuring Squid's authentication helpers. The different methods (Basic, Digest, NTLM) have some things in common, and some unique parameters. The first argument following auth_param must be one of basic, digest, or ntlm. I'll cover this directive in detail for each authentication scheme later in the chapter.

In addition to auth_param, Squid has two more directives that affect proxy authentication. You can use the max_user_ip ACL to prevent users from sharing their username and password with others. If Squid detects the same username coming from too many different IP addresses, the ACL is a match and you can deny the request. For example:

acl FOO max_user_ip 2

acl BAR proxy_auth REQUIRED

http_access deny FOO

http_access allow BAR

In this case, if a user submits requests from three or more different IP addresses, Squid denies the request. The authenticate_ip_ttl directive controls how long Squid remembers the source IP addresses for each user. A smaller TTL makes it easier for users with frequently changing IP addresses. You can use larger TTLs in an environment where users have the same IP address for long periods of time.

    Appendix A. Config File Reference