Squid Authorization Using Digest

I have set up a Squid proxy on my Linode for use when I am away from home and need to use a proxy. In order to stop anyone being able to use it I have set up authorization.

If I use basic authorization it all works correctly. I get prompted to enter my user name and password and I can start browsing. However, I want to set up digest authentication, so my password isn't transmitted in plain text.

When I enable digest authorization, I get prompted to enter my credentials, which are accepted. The browser then keeps contacting the site, but nothing is displayed. In my squid logs I see:

1246527762.271 15 217.146.125.41 TCP_DENIED/407 1796 GET http://thetimes.co.uk/ ian NONE/- text/html
1246527762.894 19 217.146.125.41 TCP_DENIED/407 1796 GET http://thetimes.co.uk/ ian NONE/- text/html
1246527763.553 21 217.146.125.41 TCP_DENIED/407 1796 GET http://thetimes.co.uk/ ian NONE/- text/html

Here is the relevant bit of squid.conf:

auth_param digest program /usr/lib/squid/digest_pw_auth -c /etc/squid/htdigest.squid
auth_param digest children 5
auth_param digest realm "Squid Proxy Server"
auth_param digest nonce_garbage_interval 5 minutes
auth_param digest nonce_max_duration 30 minutes
auth_param digest nonce_max_count 50
acl digest_users proxy_auth REQUIRED
http_access allow digest_users

Anyone got any ideas?

Ian.
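As an added illustration (not part of the post or of Squid's own code), here is the RFC 2617 digest arithmetic behind the 407 exchange in the log: the `user:realm:HA1` line format that `digest_pw_auth -c` reads from `/etc/squid/htdigest.squid`, the `Proxy-Authorization` value a browser returns after the challenge, and the proxy-side check that recomputes the response. Credentials, nonces and the `build_client_header` helper are constructed for the example; the realm is the one from the squid.conf above, and a file entry whose realm differs from it never matches, which simply produces another 407.

```python
import hashlib
import hmac
import re

# Realm advertised in the squid.conf shown above; htdigest entries must use the same string.
REALM = "Squid Proxy Server"


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def htdigest_line(user: str, realm: str, password: str) -> str:
    """One line in htdigest format: user:realm:HA1, where HA1 = MD5(user:realm:password)."""
    return f"{user}:{realm}:{md5hex(f'{user}:{realm}:{password}')}"


def parse_digest_header(header: str) -> dict:
    """Turn 'Digest k="v", k2=v2, ...' (a Proxy-Authorization value) into a dict."""
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header.split(None, 1)[1]):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return params


def digest_response(ha1: str, method: str, p: dict) -> str:
    """RFC 2617 response value; the qop=auth form is used when the client sent qop."""
    ha2 = md5hex(f"{method}:{p['uri']}")
    if "qop" in p:
        return md5hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")
    return md5hex(f"{ha1}:{p['nonce']}:{ha2}")


def build_client_header(user, password, realm, nonce, uri, cnonce, nc="00000001", method="GET"):
    """Constructed stand-in for what a browser sends back after a 407 challenge."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    p = {"uri": uri, "nonce": nonce, "nc": nc, "cnonce": cnonce, "qop": "auth"}
    resp = digest_response(ha1, method, p)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def verify(htdigest_lines, header: str, method: str = "GET") -> bool:
    """Proxy-side check: find user:realm in the file, recompute, compare in constant time.
    No matching user/realm (e.g. realm typo in the file) means no HA1, so the client is re-challenged."""
    p = parse_digest_header(header)
    for line in htdigest_lines:
        user, realm, ha1 = line.strip().split(":", 2)
        if user == p.get("username") and realm == p.get("realm") == REALM:
            return hmac.compare_digest(digest_response(ha1, method, p), p["response"])
    return False
```

Note that only MD5 hashes cross the wire, so the password itself is never sent, but an on-path attacker still sees the request URIs in the clear, which is the limitation raised later in the thread.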

6 Replies

Doesn't actually answer your question, but I've found less headache to just have squid bind to localhost:3128, and SSH tunnel to it.

@mwalling:

Doesn't actually answer your question, but I've found less headache to just have squid bind to localhost:3128, and SSH tunnel to it.

Thanks, that's a nice idea. However, my use case is a computer, perhaps in an Internet cafe, where I don't have any means of establishing an ssh connection.

Ian.

@geekinthesticks:

@mwalling:

Doesn't actually answer your question, but I've found less headache to just have squid bind to localhost:3128, and SSH tunnel to it.

Thanks, that's a nice idea. However, my use case is a computer, perhaps in an Internet cafe, where I don't have any means of establishing an ssh connection.

Ian.

Why not? Just carry PuTTY in a USB stick. It doesn't require any installation, so it'll probably work in any Windoze machine you can find. With some tweaks you can even carry your configuration profiles and public keys with you.

Besides, plain old Squid listening on a plain old external port isn't secure at all. Anyone can sniff your authentication info – especially in public places. Digest auth only helps so far in that regard, because it's still vulnerable to a MITM attack, not to mention that most of your web browsing activity while on the proxy is also transmitted in plaintext for any sniffer to intercept. Save yourself the trouble and use something with a proven security record!

I have managed to solve the problem by installing Squid 3.0, which works fine with the same configuration options. So I assume it was some sort of Squid 2 bug.

I do usually carry a usb stick with Putty and various portable apps. However, sometimes it's useful to be able to use your own proxy. I was more concerned with the whole world being able to use my proxy, rather than making the traffic secure.

Ian.

So what exactly was your purpose with the proxy then?

@freedomischaos:

So what exactly was your purpose with the proxy then?

Sometimes I go to places (like my children's school) where they have access systems that rely on the use of a proxy server. Often these systems are not well implemented, so I can go into the browser and simply change the proxy server if I need to access a blocked site.

I could of course ask the system admin to unblock the site. However, owners of systems like this usually don't have a sys admin - it's all been set up by some external organization who can't easily be contacted. I could go home and look up the info I needed, or wait several weeks while they get their "filter" changed, or I could simply temporarily switch the proxy server.

Ian.
