Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


 There are a couple of differences between Debian and Red Hat derived systems which are highlighted below. Other distros will be similar.


  1. Install the package: Squid. Most repositories include it, but you can also get binaries from CentOS 7 users will additionally need to install apache2-utlis for the htpasswd command
  2. Navigate to your install directory (/etc/squid)

  3. Create a password 

    1. > sudo htpasswd -c /etc/squid_passwd/passwd make_up_a_username
    2. Make a note of the username and password for later - you will need to tell OpenAthens what they are

  4. Edit squid.conf taking care to use the correct auth_param line for your distro.

    Code Block
    # Prevent X-Forwarded-For being overwritten by Squid
    forwarded_for transparent
    # Setup ACLs for OpenAthens
    auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid_passwd # RHEL / CentOS based distros
    # auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd # Debian / Ubuntu based distros
    auth_param basic realm proxy
    acl authenticated proxy_auth REQUIRED
    # Allow authenticated access
    http_access allow authenticated
    # Deny all other access to this proxy
    http_access deny all
  5. Start Squid and set it to autostart according to your




    Modern RHEL and Debian based distros now both use systemctl so are the same. Which was a pleasant surprise.

    sudo systemctl start squid
    sudo systemctl enable squid

  6. <squids_ip_address>:3128 should now show an error page generated by Squid


You want to make sure that the inbound connection is limited to OpenAthens and this is secured using an X.509 client certificate. The process is a little different depending on which flavour of Linux you are using. 

You should register your server in DNS before generating the certificate request.

Table of Contents


Code Block

# if certificate and key are in the same file use this one 
https_port cert=/etc/squid/ssl_cert/server.pem clientca=/etc/squid/ssl_cert/openathens-client.pem 

# if the certificate and key are in separate files, use this one
https_port cert=/etc/squid/ssl_cert/server.pem key=/etc/squid/ssl_cert/privatekey.pem clientca=/etc/squid/ssl_cert/openathens-client.pem #2
    • is the external IP address of your Squid instance. Remove any and all http_port directives, leaving only the https_port directive
    • server.pem is your server's certificate. This needs to be from a valid certification authority or Let's Encrypt . We'll need a copy alongside the username and password you set up earlier. Our service desk will be able to advise on secure ways to transfer the information to us(  
    • openathens-client.pem is the public key of the OpenAthens service and will ensure access is restricted. You can download it from
    • (Put both all the certificates in the /etc/squid/ssl_cert folder)