Write the minimum required squid config (squid 3.1) for creating a proxy with authentication

I need short / minimalist and clean squid config to accomplish this:

  • A proxy that's accessible from any IP addresses
  • Requires authentication (normal proxy authentication, not NTLM etc.)
  • Listens on port 4050
  • Has no restrictions
  • Act like a transparent proxy (no x-forwarded or similar extra headers)
  • Supports SSL and CONNECT on all ports
  • Supports all outbound ports
  • Suitable for multiple clients and frequent 250+ HTTP requests per second
awarded to alixaxel


1 Solution

Winning solution

The following worked for me (/etc/squid3/squid.conf):

auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/passwd
auth_param basic utf8 on
auth_param basic children 5
auth_param basic realm Squid Proxy Authentication
auth_param basic credentialsttl 1 hours
auth_param basic casesensitive on

acl CONNECT method CONNECT
acl authenticated proxy_auth REQUIRED

http_access allow authenticated
http_access deny all
http_port 4050

via off
# or "delete" if you want to drop it even when the client sends it
forwarded_for transparent


Note that the Via and X-Forwarded-For headers are never added, but X-Forwarded-For is preserved if it's sent by the client. If you want to always drop that header, you need to change forwarded_for to delete.

To create the passwd file:

# -c creates the file; htpasswd prompts for the password (a password given on the command line needs -b)
htpasswd -c /etc/squid3/passwd USERNAME

And to reload squid3:

squid3 -k reconfigure && service squid3 restart

Oh, and don't forget to open the port in /etc/iptables.rules:

-A INPUT -p tcp -m tcp --dport 4050 -j ACCEPT

On the performance side, honestly I haven't benchmarked it, but from my experience with Varnish the default settings should handle 250 requests/s easily. However, this varies greatly depending on your server specs. It would be better if you stress test this configuration with blitz.io first and then tweak if you have any bottleneck.

Thanks I'll test it and let you know.
sceo over 6 years ago
OK tested it and this is what I keep getting, it connects, asks for user/password. Then asks again, then asks again ... infinitely.
/var/log/squid/access.log
1371112123.737 169 MYIP.ADDR.ESS TCP_DENIED/407 3744 CONNECT www.google.com:443 test NONE/- text/html . . . .
For testing purposes you can send me a config which doesn't require auth at all. Thanks,
sceo over 6 years ago
Great job, finally I got it working. Thanks a lot.
sceo over 6 years ago
@sceo: Just saw it, is everything working okay now?
alixaxel over 6 years ago
Yes thanks, not sure what was wrong initially, but I've done some changes and restart + reconfigure etc. and now it's working good. Your help much appreciated.
sceo over 6 years ago
@sceo: You're welcome, glad it's working. =)
alixaxel over 6 years ago
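
The access.log line quoted in the comments is a 407 logged with a user name (test), which is what rejected credentials look like on a proxy that accepts connections from any address. The following is an added example, not part of the original thread: it parses Squid's native log format and counts such rejections per client and user. The sample lines, the client addresses and the threshold of 3 are constructed for illustration.

```python
from collections import Counter

# Constructed sample in Squid's native access.log format:
# time elapsed client code/status bytes method URL user hierarchy/peer type
# The first line is modelled on the one quoted in the thread, with a
# documentation-range address in place of the redacted client IP.
SAMPLE_LOG = """\
1371112123.737    169 203.0.113.7 TCP_DENIED/407 3744 CONNECT www.google.com:443 test NONE/- text/html
1371112124.102    150 203.0.113.7 TCP_DENIED/407 3744 CONNECT www.google.com:443 test NONE/- text/html
1371112124.611    148 203.0.113.7 TCP_DENIED/407 3744 CONNECT www.google.com:443 test NONE/- text/html
1371112130.004     12 198.51.100.9 TCP_DENIED/407 3650 GET http://example.com/ - NONE/- text/html
1371112130.250    310 198.51.100.9 TCP_MISS/200 1520 GET http://example.com/ alice DIRECT/93.184.216.34 text/html
"""


def parse_line(line):
    """Split one native-format line into named fields; None if malformed."""
    parts = line.split()
    if len(parts) < 10 or "/" not in parts[3]:
        return None
    code, _, status = parts[3].partition("/")
    return {"time": parts[0], "client": parts[2], "code": code,
            "status": status, "method": parts[5], "url": parts[6],
            "user": parts[7]}


def rejected_logins(log_text, threshold=3):
    """Return {(client, user): count} for 407s that carried a user name.

    A 407 with user "-" is the ordinary first challenge and is ignored;
    a 407 with a user name is treated as credentials that were refused.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == "407" and rec["user"] != "-":
            counts[(rec["client"], rec["user"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (client, user), n in rejected_logins(SAMPLE_LOG).items():
        print(f"{client} user={user!r}: {n} rejected proxy logins")
```
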