Thursday 1 March 2012

My Book Live with Squid and fakeauth

Next for the new My Book Live was to install and configure Squid. Since the MBL runs Debian, it is fairly straightforward to get Squid up and running. But here we also want to set up fakeauth, which complicates things a little.

The reason for using fakeauth is to identify users on a home network without needing a central authentication database. It is far from secure, since the helper does not actually verify the credentials it is given, but for the sole purpose of identifying the user it is good enough.


Install Squid3
First we need to update the package repositories from where we wish to install.
Simply run the following in the shell:
echo 'deb http://ftp.us.debian.org/debian/ squeeze main
deb-src http://ftp.us.debian.org/debian/ squeeze main
#deb http://ftp.us.debian.org/debian/ sid main
#deb http://ftp.us.debian.org/debian/ experimental main' > /etc/apt/sources.list
Then execute the next line to update the local cache and install Squid 3:
apt-get update && apt-get -y install squid3
This will download and install Squid3 and start it listening on port 3128.


Install fakeauth
Fakeauth is part of the Squid3 source tree, but it is not shipped in the Debian package, so we have to build it from source.

Let's start by installing dependencies:
apt-get -y install gcc g++ make patch
Next we download and unpack the source for Squid 3.1.6:
cd ~/ && apt-get source squid3
tar xzf squid3_3.*.orig.tar.gz && cd squid-*/
Below we build fakeauth with a patch required for the MBL:
./configure
cd compat/ && make
cd ../lib && make
cd ../helpers/ntlm_auth/fakeauth/
echo '279a280,281
>     // Fix for platform
>     auth->flags = le32toh(auth->flags);
282c284
<     debug("ntlmDecodeAuth: usr o(%d) l(%d)\n", auth->user.offset, auth->user.len);
---
>     debug("ntlmDecodeAuth: usr o(%d) l(%d)\n", le32toh(auth->user.offset), le16toh(auth->user.len));
' | patch fakeauth_auth.c
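Review bot: the comment added at 279a280,281, `// Fix for platform`, does not say what is being fixed; name the byte order (the field is converted from little-endian wire order to host order) so that a reader building on x86, where le32toh() is a no-op, understands why the line is there. The hunk also adds no `#include <endian.h>`, which is where glibc declares le32toh()/le16toh(); unless fakeauth_auth.c already includes it, the build after this patch fails.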
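Review bot: at 282c284 the le32toh()/le16toh() conversions are applied only inside the debug() arguments, so the printed offset and length are in host order while auth->user.offset and auth->user.len themselves are left as received; the code that later uses those two fields to locate the user name is not shown being converted. Either convert the fields in place once (as 279a280,281 does for auth->flags) and print the converted values, or confirm that every later read is converted too; otherwise the log looks right on the MBL while the extracted name is wrong. Since both values come from the client, a check that offset + len lies within the received message belongs next to that conversion as well.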
make
This produces an executable called fakeauth_auth in the current directory that runs on the MBL.
Copy this file to Squid's library path to keep it all in one place:
cp fakeauth_auth /usr/lib/squid3/
chmod 755 /usr/lib/squid3/fakeauth_auth
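To make the byte-order problem behind that patch concrete, here is an added example; it is not code from this post or from Squid's fakeauth helper. It parses the user name out of an NTLM Type 3 (AUTHENTICATE) message with explicit little-endian reads instead of glibc's le32toh()/le16toh(), so it returns the same answer on an x86 PC and on the MBL, and it checks the client-supplied offset and length against the real message size before using them, rejecting a truncated or malformed message instead of partly parsing it. The field offsets follow the AUTHENTICATE_MESSAGE layout in MS-NLMP; the sample message is constructed inline, and all function and macro names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of an NTLM Type 3 (AUTHENTICATE_MESSAGE) as specified in MS-NLMP.
 * Every multi-byte integer on the wire is little-endian regardless of the host,
 * which is why the MBL patch converts auth->flags and the user offset/length
 * with le32toh()/le16toh(). Here the conversion is done with portable byte
 * arithmetic so the code behaves identically on x86 and on the MBL. */
#define NTLM_SIGNATURE            "NTLMSSP"   /* 7 chars + NUL = 8 bytes */
#define NTLM_TYPE3                3u
#define OFF_MESSAGE_TYPE          8
#define OFF_USER_FIELDS           36          /* uint16 len, uint16 maxlen, uint32 offset */
#define OFF_FLAGS                 60
#define NTLM_TYPE3_HEADER_LEN     64
#define NTLMSSP_NEGOTIATE_UNICODE 0x00000001u
#define NTLMSSP_NEGOTIATE_OEM     0x00000002u

static uint16_t rd_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((unsigned)p[1] << 8));
}

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Copy the user name out of a Type 3 message into out (NUL-terminated).
 * Returns 0 on success, -1 if the message is malformed, points outside its own
 * bounds, carries a non-printable name, or the name does not fit in out. */
int ntlm_type3_user(const uint8_t *msg, size_t msglen, char *out, size_t outlen)
{
    if (msglen < NTLM_TYPE3_HEADER_LEN || memcmp(msg, NTLM_SIGNATURE, 8) != 0)
        return -1;
    if (rd_le32(msg + OFF_MESSAGE_TYPE) != NTLM_TYPE3)
        return -1;

    uint16_t len   = rd_le16(msg + OFF_USER_FIELDS);      /* wire -> host */
    uint32_t off   = rd_le32(msg + OFF_USER_FIELDS + 4);  /* wire -> host */
    uint32_t flags = rd_le32(msg + OFF_FLAGS);            /* wire -> host */

    /* Both values come from the client: check them against the real message
     * length, written so that off + len cannot overflow. */
    if (off > msglen || len > msglen - off)
        return -1;

    const uint8_t *name = msg + off;
    size_t step = (flags & NTLMSSP_NEGOTIATE_UNICODE) ? 2 : 1; /* UTF-16LE or OEM */
    if (step == 2 && (len % 2) != 0)
        return -1;

    size_t n = 0;
    for (size_t i = 0; i < len; i += step) {
        /* Accept printable ASCII only (for UTF-16LE the high byte must be 0);
         * anything else is rejected rather than logged as a different name. */
        if ((step == 2 && name[i + 1] != 0) || name[i] < 0x20 || name[i] > 0x7e)
            return -1;
        if (n + 1 >= outlen)
            return -1;
        out[n++] = (char)name[i];
    }
    out[n] = '\0';
    return 0;
}

/* Build a constructed, minimal Type 3 message carrying only a user name
 * (all other security buffers zero-length). Returns the message length, or 0
 * if buf is too small. */
size_t build_sample_type3(uint8_t *buf, size_t buflen, const char *user, int unicode)
{
    size_t ulen = strlen(user);
    size_t payload = unicode ? ulen * 2 : ulen;
    size_t total = NTLM_TYPE3_HEADER_LEN + payload;
    if (buflen < total || payload > 0xffff)
        return 0;
    memset(buf, 0, total);
    memcpy(buf, NTLM_SIGNATURE, 8);
    buf[OFF_MESSAGE_TYPE]    = NTLM_TYPE3;                 /* little-endian 3 */
    buf[OFF_USER_FIELDS]     = (uint8_t)(payload & 0xff);  /* len, LE */
    buf[OFF_USER_FIELDS + 1] = (uint8_t)(payload >> 8);
    buf[OFF_USER_FIELDS + 2] = buf[OFF_USER_FIELDS];       /* maxlen = len */
    buf[OFF_USER_FIELDS + 3] = buf[OFF_USER_FIELDS + 1];
    buf[OFF_USER_FIELDS + 4] = NTLM_TYPE3_HEADER_LEN;      /* offset, LE (< 256) */
    buf[OFF_FLAGS] = unicode ? NTLMSSP_NEGOTIATE_UNICODE : NTLMSSP_NEGOTIATE_OEM;
    for (size_t i = 0; i < ulen; i++)
        buf[NTLM_TYPE3_HEADER_LEN + i * (unicode ? 2 : 1)] = (uint8_t)user[i];
    return total;
}

int main(void)
{
    uint8_t msg[128];
    char user[32];
    size_t n = build_sample_type3(msg, sizeof msg, "charlie", 1);
    if (ntlm_type3_user(msg, n, user, sizeof user) == 0)
        printf("user: %s\n", user);
    /* A truncated copy of the same message must be rejected, not partly parsed. */
    printf("truncated rc: %d\n", ntlm_type3_user(msg, 70, user, sizeof user));
    return 0;
}
```

Compile with `gcc -Wall -o ntlm_user ntlm_user.c` and run it; the same binary built on the MBL prints the same user name, which is the property the le32toh() patch is there to restore.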

Configure fakeauth
Fakeauth is an NTLM authentication helper. Configure it in /etc/squid3/squid.conf by adding the following:
auth_param ntlm program /usr/lib/squid3/fakeauth_auth -S
auth_param ntlm children 5
auth_param ntlm keep_alive on
This enables the helper but does not yet require any client to authenticate.

At approximately line 760, in the http_access section, add the following two lines to require authentication through fakeauth.
(Note that this http_access deny line needs to be above any other http_access allow line to work properly.)
acl dummyAuth proxy_auth REQUIRED
http_access deny !dummyAuth all
This tells Squid to allow only clients that support NTLM. Only Windows clients will pass, so additional rules need to be added to let other clients bypass the authentication.
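As an added example (not from the original post) of what the finished http_access section looks like once bypass rules for non-NTLM clients are included: the auth_param lines and the dummyAuth ACL are the post's own, while the localnet range, the 10.0.0.77 host and the iPhone User-Agent pattern are assumed values, and `http_access allow localnet` / `http_access deny all` are the stock lines already present in the Debian squid.conf.

```squid
# Added example of the http_access section (not from the original post).
auth_param ntlm program /usr/lib/squid3/fakeauth_auth -S
auth_param ntlm children 5
auth_param ntlm keep_alive on

acl localnet src 10.0.0.0/24              # assumed home network
acl dummyAuth proxy_auth REQUIRED
acl noNtlmHost src 10.0.0.77/32           # assumed: a device that cannot do NTLM
acl noNtlmAgent browser -i iPhone         # assumed User-Agent match

# Squid stops at the first http_access line that matches, so the order is the point:
# 1. clients that cannot answer an NTLM challenge are let through by address
#    or User-Agent; they appear in access.log with "-" instead of a user name
http_access allow localnet noNtlmHost
http_access allow localnet noNtlmAgent
# 2. everyone else must present NTLM credentials (fakeauth accepts any)
http_access deny !dummyAuth all
# 3. the stock Debian rules that follow
http_access allow localnet
http_access deny all
```

Keep the bypass ACLs as narrow as possible: every client they match is logged without a user name, so the wider they are, the less the access log tells you.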

After restarting Squid (/etc/init.d/squid3 restart) the username (here charlie) should appear in the access log when the proxy is used:
# tail /var/log/squid3/access.log
1221111156.178    170 10.0.0.9 TCP_MISS/204 351 GET http://www.google.com/csi? charlie DIRECT/74.125.237.112 image/gif

9 comments:

  1. Hi,
    Thanks for your tutorial !
    I have a little problem with fakeauth: the non-NTLM clients (Macs, iPhones, Android phones), how can I add rules to allow these clients to bypass authentication?

    The solution I found for the moment is to exclude the ip range of the wifi from the dummyAuth acl but it does not solve the problem with macos connected via ethernet.

    I would be glad if you could help me.
    Thanks in advance,
    Nono

    Replies
    1. There are a few different ways of solving that issue.
      The way I have done it is to perform ACL based on IP or User-Agent.

      If based on IP, add the ACL like:
      acl mobile1 src 10.0.0.77/32
      http_access allow mobile1

      Or by User-Agent:
      acl avg browser -i avg.*
      http_access allow avg

      Just make sure the "http_access allow ..." appears before "http_access deny !dummyAuth all"

  2. Thanks! It works like a charm with iPhones and Macs, using the user agent technique.

    Now I have a problem with Windows 7, it doesn't seem to handle the ntlm_fakeauth ...

    Replies
    1. If I remember correctly, you need to update the registry to force NTLMv1.
      Under key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\
      Create DWORD: LMCompatibilityLevel = 0
      (Possibly restart computer for changes to take effect)

    2. Thanks it works with Windows 7 too :).

      Do you know if there is a way to use fakeauth in transparent proxy mode ?

    3. No, as far as I know the browser needs to be aware of the proxy in order to perform authentication.

  3. Yeah I was afraid of that.

    The idea was to get the username from the fakeauth in a Citrix environment without the need for the users to authenticate.

    Replies
    1. If the problem is the configuration to use proxy on the client you should read up on WPAD..

  4. I'm currently looking into WPAD.
    I found another solution which is to use transparent proxy for everything except the Citrix servers, which are redirected to another proxy port (with a GPO) with authentication enabled.

    Thanks a lot for your help !
