How to configure HTTP Digest Authentication in Squid

Basic authentication is weak because the password is effectively transmitted in plain text: it is only encoded in Base64, not encrypted. See the article “How to hack HTTP Basic and Digest Authentication” for details.

Therefore, it is preferable to use Digest authentication on the Squid proxy server.

Let's start by creating a file with the password hash. This is done with a command of the form:

sudo htdigest -c /etc/squid/passwd_digest REALM USER

REALM is the realm, that is, the name of the protected area. Any string can be used as a REALM, but remember that this same string will later be shown in the username and password prompt.

An example of a command that creates a file with a password hash for the mial user:

sudo htdigest -c /etc/squid/passwd_digest 'Squid proxy for HackWare.ru' mial

Example configuration file for HTTP Digest authentication in Squid:

http_port 4080
via off
cache deny all

auth_param digest program /usr/lib/squid/digest_file_auth -c /etc/squid/passwd_digest
auth_param digest children 5
auth_param digest credentialsttl 2 hours
auth_param digest casesensitive on
auth_param digest realm Squid proxy for HackWare.ru
acl auth_users proxy_auth REQUIRED

http_access allow auth_users
http_access deny all

Pay attention to the line “auth_param digest realm Squid proxy for HackWare.ru”: instead of “Squid proxy for HackWare.ru”, enter the same string that you specified when running the htdigest command.

For an explanation of the directives, see the section “Configuring HTTP Basic Authentication in Squid” above.

Note that not only has the helper program (digest_file_auth) been changed, but also the -c option is used after it, followed by the path to the file with the user's password hash. All other directives are similar to HTTP Basic authentication, except that the word “basic” is replaced with the word “digest”.

See also the Squid setup guide: How to create and configure a Squid proxy server
