How to configure PAM authentication in Squid

Sometimes you may want to classify web traffic in Squid per user rather than per IP address. Squid supports this through external authentication helpers. The most common one is NCSA authentication, but PAM is more flexible, since it can use an LDAP backend as well as unsecured passwd and shadow.

Enabling PAM authentication in Squid takes 2 parts. The first is to specify auth_param and an associated acl that use pam_auth.

auth_param basic program /usr/lib/squid/pam_auth
auth_param basic children 5
auth_param basic realm Proxy
auth_param basic credentialsttl 2 hours
 
acl password proxy_auth REQUIRED

Then put the line below in the right place.

http_access allow password

For example, you may want to ask only some clients for a password.

http_access allow manager localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow password
http_access allow lan
http_access deny all

All manager requests will be able to access Squid without a password, but other users in lan must specify a password.
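To see what "the right place" means for the rule order above, here is a small model of http_access evaluation. It is an added example, not part of the original post and not Squid code; the ACL definitions (lan subnet, port lists, manager as cache_object) are assumptions, since the page does not show them.

```python
# Simplified model of Squid http_access evaluation (added example).
# Assumptions: lines are checked top to bottom, every ACL on a line must
# match, the first matching line decides, and a proxy_auth ACL reached
# without credentials makes Squid answer 407 (challenge).
import ipaddress

RULES = """\
http_access allow manager localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow password
http_access allow lan
http_access deny all
"""

# Constructed ACL definitions; the page does not show them.
LAN = ipaddress.ip_network("192.168.0.0/24")  # assumed "lan" subnet
ACLS = {
    "manager":    lambda r: r["proto"] == "cache_object",
    "localhost":  lambda r: r["src"] == "127.0.0.1",
    "Safe_ports": lambda r: r["port"] in (80, 443),
    "SSL_ports":  lambda r: r["port"] == 443,
    "CONNECT":    lambda r: r["method"] == "CONNECT",
    "lan":        lambda r: ipaddress.ip_address(r["src"]) in LAN,
    "all":        lambda r: True,
}

def request(src, port=80, method="GET", proto="http", user=None):
    """Build a constructed request; user=None means no credentials sent."""
    return {"src": src, "port": port, "method": method, "proto": proto, "user": user}

def decide(req, rules=RULES):
    """Return 'allow', 'deny' or 'challenge' (HTTP 407) for one request."""
    for line in rules.splitlines():
        _, action, *names = line.split()
        matched = True
        for name in names:
            negate, name = name.startswith("!"), name.lstrip("!")
            if name == "password":        # acl password proxy_auth REQUIRED
                if req["user"] is None:
                    return "challenge"    # no credentials yet: ask for them
                hit = True                # model: pam_auth accepted this login
            else:
                hit = ACLS[name](req)
            if hit == negate:             # this ACL fails, so the line does not match
                matched = False
                break
        if matched:
            return action
    return "deny"
```

In this model a request without credentials is challenged at the `allow password` line before `allow lan` is consulted, and a client with a valid login is allowed at that line whatever its source address.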


Well, that is an easy configuration but it doesn't look very secure

That is a very insecure one

That is a very insecure one, always needs to be secure, don't do this!

That is a very insecure one -

That is a very insecure one - agree.
