There are a couple of differences between Debian and Red Hat derived systems which are highlighted below. Other distros will be similar.
- Install the Squid package. Most repositories include it, but you can also get binaries from https://wiki.squid-cache.org/SquidFaq/BinaryPackages. CentOS 7 users will additionally need to install apache2-utils for the htpasswd command.
- Navigate to your install directory (
- Create the password file and a user. The path must be the same one given to basic_ncsa_auth in squid.conf below, and -c creates (or overwrites) the file, so use it only for the first user:
> sudo htpasswd -c /etc/squid/squid_passwd make_up_a_username
- Make a note of the username and password for later - you will need to tell OpenAthens what they are
- Edit squid.conf, taking care to use the correct auth_param line for your distro.
```
# Prevent X-Forwarded-For being overwritten by Squid
forwarded_for transparent

# Setup ACLs for OpenAthens
# RHEL / CentOS based distros
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid_passwd
# Debian / Ubuntu based distros
# auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED

# Allow authenticated access
http_access allow authenticated

# Deny all other access to this proxy
http_access deny all
```
- Start Squid and set it to autostart according to your OS.
Modern RHEL and Debian based distros now both use systemctl so are the same. Which was a pleasant surprise.
> sudo systemctl start squid
> sudo systemctl enable squid
- <squids_ip_address>:3128 should now show an error page generated by Squid
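The steps above depend on two things lining up: the basic_ncsa_auth helper path differs between RHEL and Debian families, and the password file named in squid.conf must be the one htpasswd wrote. The following POSIX sh script is an added example (not from the OpenAthens page or the Squid project): it picks the helper path that actually exists on the host, renders the auth fragment shown above for that helper and password file, and lints the result so that the final http_access rule is the catch-all deny. The helper and password paths are the ones from the page; anything passed as arguments is assumed to be the caller's own layout.

```shell
#!/bin/sh
# Added example, not part of the OpenAthens documentation.
# Renders the OpenAthens auth section of squid.conf for this host and
# lints it so that "http_access deny all" remains the last access rule.

# Print the first basic_ncsa_auth helper that exists and is executable.
# Defaults to the RHEL and Debian paths from the page; callers may pass
# their own candidate paths instead. Returns 1 if none is found.
find_ncsa_auth() {
    if [ $# -eq 0 ]; then
        set -- /usr/lib64/squid/basic_ncsa_auth /usr/lib/squid/basic_ncsa_auth
    fi
    for helper in "$@"; do
        if [ -x "$helper" ]; then
            printf '%s\n' "$helper"
            return 0
        fi
    done
    return 1
}

# Emit the auth fragment for a helper path ($1) and htpasswd file ($2).
render_auth_fragment() {
    helper=$1
    passwd_file=$2
    cat <<EOF
# Prevent X-Forwarded-For being overwritten by Squid
forwarded_for transparent

# Setup ACLs for OpenAthens
auth_param basic program $helper $passwd_file
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED

# Allow authenticated access
http_access allow authenticated

# Deny all other access to this proxy
http_access deny all
EOF
}

# Lint a config file ($1): Squid applies the first matching http_access
# rule, so any rule after "deny all" is dead, and if the last rule is not
# "deny all" some request could reach the proxy without credentials.
# Returns 0 when the last http_access line is exactly "http_access deny all".
lint_http_access() {
    last=$(grep -E '^[[:space:]]*http_access[[:space:]]' "$1" | tail -n 1 \
        | sed -E 's/^[[:space:]]+//; s/[[:space:]]+/ /g; s/[[:space:]]+$//')
    [ "$last" = "http_access deny all" ]
}

# Stand-alone use: write the fragment for this host to stdout and lint it.
main() {
    helper=$(find_ncsa_auth) || { echo "basic_ncsa_auth not found; is squid installed?" >&2; return 1; }
    out=$(mktemp)
    render_auth_fragment "$helper" /etc/squid/squid_passwd > "$out"
    lint_http_access "$out" || { echo "last http_access rule is not 'deny all'" >&2; rm -f "$out"; return 1; }
    cat "$out"
    rm -f "$out"
}

[ "${SQUID_FRAGMENT_NO_MAIN:-}" = "1" ] || main "$@"
```

Run it as a script on the proxy host to print a fragment you can paste into squid.conf; the lint function on its own is also useful after any later edit, since the ordering mistake it catches is easy to make when more http_access lines are added above the final deny.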
You want to make sure that the inbound connection is limited to OpenAthens and this is secured using an X.509 client certificate. The process is a little different depending on which flavour of Linux you are using.
You should register your server in DNS before generating the certificate request.
```
#http_port xxx.xxx.xxx.xxx:3128

# if certificate and key are in the same file use this one
https_port xxx.xxx.xxx.xxx:3128 cert=/etc/squid/ssl_cert/server.pem clientca=/etc/squid/ssl_cert/openathens-client.pem

# if the certificate and key are in separate files, use this one
https_port xxx.xxx.xxx.xxx:3128 cert=/etc/squid/ssl_cert/server.pem key=/etc/squid/ssl_cert/privatekey.pem clientca=/etc/squid/ssl_cert/openathens-client.pem
```
xxx.xxx.xxx.xxx is the external IP address of your Squid instance. Remove any and all http_port directives, leaving only the
server.pem is your server's certificate. This needs to be from a valid certification authority or Let's Encrypt (https://letsencrypt.org). We'll need a copy alongside the username and password you set up earlier. Our service desk will be able to advise on secure ways to transfer the information to us.
openathens-client.pem is the public key of the OpenAthens service. Configured as clientca, it makes Squid accept only connections that present a client certificate issued under it, which restricts access to OpenAthens. You can download it from https://proxy.openathens.net/tls/openathens-client.pem
- Put all the certificates in the