Proxy authentication with external programs (ALPHA version)

From: Arjan de Vet
Date: Mon, 9 Feb 1998 00:21:04 +0100 (CET)

Proxy authentication with external programs (ALPHA)

NOTE: this is ALPHA code, it is unfinished and not very well tested.

Patch relative to Squid 1.1.20:

This is a further generalization of my proxy authentication code for Squid.

The authentication is moved into external 'authenticator' programs which are
allowed to block on e.g. remote lookups. The authenticate.c file is a
reworked version of the redirect.c file.

Uncomment -DUSE_PROXY_AUTH in src/Makefile before compiling. A good setting
for debug_options is "ALL,1 28,9 33,5 44,5"

New squid.conf settings:

    acl password proxy_auth [timeout]

    authenticator_program /home/squid/bin/authenticate
    authenticator_children 5

An authenticator program should behave as such:

        username cleartextpassword

        OK (in case the password was OK)
        ERR (in case the password was NOT OK)

Example for testing:


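    #!/usr/bin/perl
    # Test authenticator: logs every request line, cleartext password
    # included, so use it for testing only.
    open(L, ">>/tmp/authenticate.log") || die "$!";
    select(L); $| = 1;          # unbuffered log
    select(STDOUT); $| = 1;     # unbuffered replies to Squid

    while (<>) {
            print L;
            ($user, $passwd) = split;
            if ($user eq "devet" && $passwd eq "test234") {
                    print "OK\n";
            } else {
                    print "ERR\n";
            }
    }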

A correct username/cleartextpassword is cached within Squid until
reconfigure, shutdown (of course :-), a failed proxy-authentication or
the timeout period.


- Fix possible bugs.

- Test and clean up the code.

- Make example authenticator programs like ncsa_auth, radius_auth,
  ldap_auth, pam_auth, etc.


Arjan de Vet, Eindhoven, The Netherlands
Received on Sun Feb 08 1998 - 15:23:43 MST
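
The line protocol described in the post above (one "username cleartextpassword" line in, one "OK" or "ERR" line out), as an added example that is not part of the original post or of the Squid patch. It assumes a constructed in-memory user table with salted PBKDF2 hashes in place of the hard-coded cleartext comparison. The names `check_line`, `USERS` and `ITERATIONS` are hypothetical.

```python
#!/usr/bin/env python3
"""Authenticator helper: reads "username cleartextpassword" lines on stdin
and answers each with "OK" or "ERR" on stdout."""
import hashlib
import hmac
import sys

ITERATIONS = 100_000  # assumed work factor for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a key from the cleartext password with salted PBKDF2."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample user table (user -> (salt, derived key)). A real helper
# would load this from a file readable only by the Squid user.
_SALT = bytes.fromhex("a1b2c3d4e5f60718")
USERS = {"devet": (_SALT, hash_password("test234", _SALT))}
# Dummy entry so an unknown user costs the same work as a known one.
_DUMMY = (_SALT, hash_password("", _SALT))


def check_line(line: str) -> str:
    """Return "OK" or "ERR" for one request line."""
    fields = line.split()
    # Reject a missing password or extra fields (the Perl test script's
    # split silently ignores anything after the second field).
    if len(fields) != 2:
        return "ERR"
    user, password = fields
    salt, expected = USERS.get(user, _DUMMY)
    candidate = hash_password(password, salt)
    # Constant-time comparison; the request line is never written to a log.
    ok = hmac.compare_digest(candidate, expected) and user in USERS
    return "OK" if ok else "ERR"


def main() -> None:
    for line in sys.stdin:
        # Exactly one reply per request, flushed at once: Squid waits on it.
        sys.stdout.write(check_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```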
