Avatar of ltpitt
 asked on

Force all users to authenticate on Squid Proxy

Hi all...

I have a linux server acting as gateway and Squid Proxy.

If a client has correctly configured its browser to user proxy at myserverip port 3128 he needs to fill authentication: no problem.

However if he disables proxy in his internet explorer he can surf without authenticatin.

Which is the correct way to force users to authenticate and how can I implement it (Debian)?

Block port 80?

Redirect port 80 traffic to 3128?

How can I achieve this?

Linux Networking

Avatar of undefined
Last Comment

8/22/2022 - Mon
Duncan Roe

As long as the client is not running on the server system, either would work but redirection is more friendly.
IE is on a Windows system so no problem there.
As for implementation: gateway and Squid should ideally be different systems, with Squid on a separate LAN unless you don't care that internal clients can bypass authentication. Then you have a simple iptables  DNAT rule in the nat table.
I have not tried using a nat rule on packets coming into the box (your situation, with Squid running on the gateway system). It might work - you'll just have to experiment. I would experiment on some otherwise unused port, using telnet on a remote system to connect to the gateway and nc (netcat) on the gateway to listen on the amended port.

I've tried redirection without luck:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Open in new window

After doing this redirection (I hope correctly) my clients get:

The following error was encountered:

Invalid Request
Some aspect of the HTTP Request is invalid. Possible problems:

Missing or unknown request method
Missing URL
Missing HTTP Identifier (HTTP/1.0)
Request is too large
Content-Length missing for POST or PUT requests
Illegal character in hostname; underscores are not allowed

Open in new window

I appreciate the various ideas but looks like I'm not in an ideal situation (I have a single server that have to handle both squid and gateway) and I'm looking for a precise solution (that's why I'm here :) )
Duncan Roe

That's odd. Your iptables command is correct as far as I can tell - at least, it worked for me. I did a test using netcat and telnet.
I can only suppose there must be some difference in interaction between a client and a proxy from what there is between a client and a server. I am surprised that that should be the case but it's all I can think of. The client expects to interact with a server but gets the proxy interaction instead and that throws it.
It looks like you will have to block port 80 after all:
   iptables -A INPUT -i eth0 -p tcp --dport 80 -j REJECT
You could modify the rejection type by adding e.g. --reject-with icmp-proto-unreachable but I shouldn't think IE will give a different error message.
I checked whether a telnet to the IP of eth0 from within the system goes through the filter table and it doesn't, so Squid should have no problem talking to the server even if it doesn't use
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy

You will not believe this but they can surf the internet anyway.

iptables -A INPUT -i eth0 -p tcp --dport 80 -j REJECT


iptables -A INPUT -i eth1 -p tcp --dport 80 -j REJECT

will not stop the navigation...

Maybe it is related to the ip forwarding in sysctl?

I need this because of imap and smpt servers...

I really can't think how to get out of this loophole.

Thanks for the help!


If I try telnet proxyip:80 from another pc I get a door correctly slammed in the face :/
Duncan Roe

You had -i eth0 before...

You mean I had a previous rule?

My basic firewall config (the one I load at startup):

# delete all existing rules.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Don't forward from the outside to the inside.
iptables -A FORWARD -i eth1 -o eth1 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

Open in new window

Should I change it?
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Duncan Roe

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question

Great :)