Force all users to authenticate on Squid Proxy

ltpitt asked:

Hi all...

I have a linux server acting as gateway and Squid Proxy.

If a client has correctly configured his browser to use the proxy at myserverip port 3128 he needs to fill in authentication: no problem.

However, if he disables the proxy in his Internet Explorer he can surf without authenticating.

Which is the correct way to force users to authenticate and how can I implement it (Debian)?

Block port 80?

Redirect port 80 traffic to 3128?

How can I achieve this?

Duncan Roe:

As long as the client is not running on the server system, either would work but redirection is more friendly.
IE is on a Windows system so no problem there.
As for implementation: gateway and Squid should ideally be different systems, with Squid on a separate LAN, unless you don't care that internal clients can bypass authentication. Then you have a simple iptables DNAT rule in the nat table.
I have not tried using a nat rule on packets coming into the box (your situation, with Squid running on the gateway system). It might work - you'll just have to experiment. I would experiment on some otherwise unused port, using telnet on a remote system to connect to the gateway and nc (netcat) on the gateway to listen on the amended port.
ltpitt:
I've tried redirection without luck:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128


After doing this redirection (I hope correctly) my clients get:

The following error was encountered:

Invalid Request
Some aspect of the HTTP Request is invalid. Possible problems:

Missing or unknown request method
Missing URL
Missing HTTP Identifier (HTTP/1.0)
Request is too large
Content-Length missing for POST or PUT requests
Illegal character in hostname; underscores are not allowed


I appreciate the various ideas, but it looks like I'm not in an ideal situation (I have a single server that has to handle both Squid and gateway) and I'm looking for a precise solution (that's why I'm here :) )

Duncan Roe:

That's odd. Your iptables command is correct as far as I can tell - at least, it worked for me. I did a test using netcat and telnet.
I can only suppose there must be some difference in interaction between a client and a proxy from what there is between a client and a server. I am surprised that that should be the case but it's all I can think of. The client expects to interact with a server but gets the proxy interaction instead and that throws it.
It looks like you will have to block port 80 after all:
   iptables -A INPUT -i eth0 -p tcp --dport 80 -j REJECT
You could modify the rejection type by adding e.g. --reject-with icmp-proto-unreachable but I shouldn't think IE will give a different error message.
I checked whether a telnet to the IP of eth0 from within the system goes through the filter table and it doesn't, so Squid should have no problem talking to the server even if it doesn't use
ltpitt:
You will not believe this but they can surf the internet anyway.

iptables -A INPUT -i eth0 -p tcp --dport 80 -j REJECT


iptables -A INPUT -i eth1 -p tcp --dport 80 -j REJECT

will not stop the navigation...

Maybe it is related to the ip forwarding in sysctl?

I need this because of IMAP and SMTP servers...

I really can't think how to get out of this loophole.

Thanks for the help!


If I try telnet proxyip:80 from another pc I get a door correctly slammed in the face :/
Duncan Roe:

You had -i eth0 before...
ltpitt:
You mean I had a previous rule?

My basic firewall config (the one I load at startup):

# Delete all existing rules.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic.
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and new ones not coming from the outside (eth1).
# Note: the negation goes before the option in current iptables ("! -i", not "-i !").
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side (eth0) to the Internet (eth1).
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# Masquerade LAN traffic leaving on the Internet interface.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Don't forward new connections from the outside (eth1) to the inside (eth0).
iptables -A FORWARD -i eth1 -o eth0 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward


Should I change it?
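An added example, not code from the thread: a reworked version of the rule set posted above that shows why the REJECT never fired. The INPUT chain only sees packets addressed to the gateway itself; a LAN client's direct web traffic to Internet servers passes through the FORWARD chain, where the blanket LAN-to-Internet ACCEPT lets it out. The script assumes eth0 is the LAN side, eth1 the Internet side and Squid listening on 3128 on the gateway (as in the poster's setup), and it prints the commands by default (set IPT=iptables to apply them).

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: eth0 = LAN, eth1 = Internet,
# Squid on the gateway at port 3128. Direct web traffic from the LAN is refused
# in the FORWARD chain, ahead of the general LAN->Internet ACCEPT, so a browser
# with the proxy disabled gets "connection refused" instead of an
# unauthenticated path out. Other LAN->Internet traffic (IMAP, SMTP, ...)
# still passes through NAT. Default is a dry run: IPT expands to "echo iptables".
IPT="${IPT:-echo iptables}"
LAN_IF=eth0
WAN_IF=eth1
PROXY_PORT=3128

firewall_rules() {
    $IPT -F
    $IPT -t nat -F
    $IPT -X
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN clients may reach the proxy (and other local services) on the gateway.
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport "$PROXY_PORT" -j ACCEPT
    $IPT -A INPUT ! -i "$WAN_IF" -m state --state NEW -j ACCEPT
    # Refuse direct HTTP/HTTPS from the LAN *before* the blanket ACCEPT below;
    # INPUT rules never match this traffic because it is forwarded, not local.
    for port in 80 443; do
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport "$port" \
            -j REJECT --reject-with tcp-reset
    done
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Everything else from the LAN (mail, etc.) is still forwarded and NATed.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -j REJECT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Self-check on the dry run: the port-80 REJECT must be emitted before the
# general FORWARD ACCEPT, otherwise it would never match (exit 0 = ordered).
reject_before_accept() {
    firewall_rules | awk -v acc="-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT" '
        /-A FORWARD .*--dport 80 .*-j REJECT/ && !r { r = NR }
        index($0, acc) { a = NR }
        END { exit !(r && a && r < a) }'
}

firewall_rules
```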
Duncan Roe:
ltpitt:
Great :)