Authentication
SafeSquid identifies users through multiple authentication methods to enable identity-based access control and audit trails. Methods can be used individually or in combination to suit enterprise requirements.
SafeSquid itself does not provide MFA prompts. To enforce MFA, integrate with directory services (Active Directory with MFA-enabled accounts) or use PAM with MFA modules (e.g., Google Authenticator PAM). SafeSquid enforces the authentication decision but delegates credential validation to the backend system.
Choose your authentication method
| Method | Use When | User Experience | Infrastructure Required |
|---|---|---|---|
| BASIC Authentication | No directory service available | Browser login prompt | None |
| Network Signature | IP-based policy needed (devices, legacy apps) | Transparent (no login) | Static IP addressing or DHCP reservations |
| Directory Services | Centralized identity required | Browser prompt or SSO | Active Directory or OpenLDAP |
| PAM Authentication | OS credentials should apply to proxy | Browser login prompt | PAM-capable OS |
| Bypass Authentication | Some apps cannot authenticate | Transparent for bypassed apps | None |
Authentication methods
BASIC Authentication
BASIC authentication (RFC 7617) with credentials stored locally in SafeSquid: the browser prompts for a username and password and SafeSquid checks them against its own user database, so no directory infrastructure is required. Use when you need identity-based policies without Active Directory or LDAP. Because Basic only base64-encodes the credentials, protect the client-to-proxy connection (or confine it to a trusted network) so they cannot be read in transit.
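The exchange behind a Basic login prompt, as an added illustration that is not SafeSquid's code: the proxy answers an unauthenticated request with 407 and a `Proxy-Authenticate` challenge, the browser resends with a `Proxy-Authorization` header carrying base64 of `user:password`, and the proxy decodes it and checks it against a local store. The realm string, the PBKDF2-hashed store, the constant-time comparison and the sample user are assumptions made for this example; the page does not describe how SafeSquid stores local credentials.

```python
"""Added example (not SafeSquid code): the RFC 7617 Basic exchange a proxy
runs against a locally stored credential file.

Assumptions (hypothetical, not from the SafeSquid docs): a proxy that answers
with 407 and a realm, a local store that keeps PBKDF2 hashes rather than
plaintext passwords, and a constructed user/password pair.
"""
import base64
import hashlib
import hmac
import os

REALM = "SafeSquid"  # realm shown in the browser prompt (assumed value)
ITERATIONS = 200_000


def make_record(password, salt=None):
    """Hash a password for the local store; plaintext is never kept."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_record(record, password):
    """Recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


# Dummy record so unknown users cost the same time as known ones.
DUMMY = make_record("unused-dummy-password")


def challenge():
    """What the proxy returns when no Proxy-Authorization header is present."""
    return 407, {"Proxy-Authenticate": 'Basic realm="%s"' % REALM}


def client_header(user, password):
    """How the browser answers the challenge: base64 of 'user:password'."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic(header):
    """Decode a Proxy-Authorization value; None if it is not well-formed Basic."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")  # RFC 7617: the first colon splits
    if not sep:
        return None
    return user, password


def authenticate(store, headers):
    """Proxy-side decision: (status, username). 407 means 'prompt the user'."""
    header = headers.get("Proxy-Authorization")
    if header is None:
        return challenge()[0], None
    parsed = parse_basic(header)
    if parsed is None:
        return 407, None
    user, password = parsed
    record = store.get(user)
    ok = verify_record(record or DUMMY, password) and record is not None
    return (200, user) if ok else (407, None)


if __name__ == "__main__":
    store = {"alice": make_record("correct horse")}  # constructed sample user
    print(authenticate(store, {}))                     # first request: browser gets a prompt
    good = client_header("alice", "correct horse")
    print(good)                                        # what crosses the wire, reversible by anyone who sees it
    print(authenticate(store, {"Proxy-Authorization": good}))
    print(authenticate(store, {"Proxy-Authorization": client_header("alice", "wrong")}))
```

Printing the header makes the caveat concrete: the token decodes straight back to the password, which is why the client-to-proxy hop needs protection when Basic is used.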
Network Signature
Maps source IPs or subnets to user-groups for group-based access restriction and reporting. No user login required; policy applies by IP. Use when user identity is unavailable (device-only, legacy apps) but you need group-based rules.
Directory Services
Integrates with Active Directory or OpenLDAP to leverage existing user accounts and group memberships. Supports simple authentication (browser prompt with directory credentials) and SSO (Kerberos with AD for transparent authentication). Use when you need centralized identity management and don't want to duplicate user accounts in SafeSquid.
PAM Authentication
Validates proxy users via the system PAM stack so OS and proxy share credentials. Use when you want a single credential set for both OS login and proxy access in PAM-based environments (Linux, Unix).
Bypass Authentication
Allows specific destinations or request types to skip authentication while other traffic remains authenticated. Use for automatic updates or apps that cannot send proxy credentials.
Combining authentication methods
SafeSquid evaluates authentication rules in the order they appear in the policy. The first matching rule applies (no fall-through). Common combinations:
- Directory + Bypass: AD/LDAP for users, bypass for OS updates and app sync
- Network Signature + Directory: IP-based groups for IoT/devices, AD for user workstations
- PAM + Bypass: OS credentials for interactive users, bypass for service accounts
Apply authentication rules from most specific to most general. Place narrow bypass rules before broader authentication requirements.
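First-match evaluation and the effect of rule ordering, as an added example that is not SafeSquid's policy engine or configuration syntax. It models the three combinations listed above (a narrow bypass for an update host, a network-signature rule for an IoT subnet, a catch-all directory rule) and shows that moving the broad directory rule to the top stops the bypass rule from ever matching. The rule shapes, subnets, host names and the stand-in directory lookup are all constructed for illustration.

```python
"""Added example (not SafeSquid code): first-match evaluation of an ordered
authentication policy, arranged most specific to most general.

Assumptions (constructed for illustration): the Rule/Request shapes, the
sample subnets and destinations, and DIRECTORY as a stand-in for AD/LDAP.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    src_ip: str
    host: str
    user: str = None   # identity the client presented, if any


@dataclass
class Rule:
    name: str
    action: str        # "bypass", "network_signature" or "directory"
    hosts: tuple = ()  # destination names the rule covers (empty = any)
    subnets: tuple = ()  # source networks the rule covers (empty = any)
    group: str = None  # group assigned by a network-signature rule

    def matches(self, req):
        host_ok = not self.hosts or any(
            req.host == h or req.host.endswith("." + h) for h in self.hosts
        )
        ip = ipaddress.ip_address(req.src_ip)
        net_ok = not self.subnets or any(ip in ipaddress.ip_network(n) for n in self.subnets)
        return host_ok and net_ok


DIRECTORY = {"alice": "staff"}  # hypothetical directory: user -> group


def evaluate(policy, req):
    """Return (rule name, identity, group). The first matching rule wins;
    there is no fall-through to later rules."""
    for rule in policy:
        if not rule.matches(req):
            continue
        if rule.action == "bypass":
            return rule.name, None, None
        if rule.action == "network_signature":
            return rule.name, req.src_ip, rule.group   # identity is the source IP
        if rule.action == "directory":
            if req.user in DIRECTORY:
                return rule.name, req.user, DIRECTORY[req.user]
            return rule.name, None, "AUTH_REQUIRED"    # proxy would send the 407 prompt
    return "default-deny", None, None


# Narrow rules first, the broad catch-all last.
POLICY = [
    Rule("updates-bypass", "bypass", hosts=("update.example",)),
    Rule("iot-vlan", "network_signature", subnets=("10.50.0.0/16",), group="iot"),
    Rule("workstations", "directory"),
]

# Same rules, broad catch-all first: the bypass rule is now unreachable.
MISORDERED = list(reversed(POLICY))

if __name__ == "__main__":
    update = Request("10.1.2.3", "update.example")          # OS update, sends no credentials
    print(evaluate(POLICY, update))                          # bypassed as intended
    print(evaluate(MISORDERED, update))                      # prompted instead; update breaks
    print(evaluate(POLICY, Request("10.50.3.9", "www.example")))
    print(evaluate(POLICY, Request("10.1.2.3", "www.example", user="alice")))
```

The misordered policy is the failure mode the guidance above warns about: a catch-all directory rule at the top matches every request, so an update client that cannot send credentials is challenged and never reaches the bypass rule written for it.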
Verification
After configuring authentication:
- Test login flow: Browse through the proxy from a client; confirm authentication prompt appears (or SSO succeeds)
- Check identity logs: Verify `/var/log/safesquid/identity.log` shows authenticated usernames for proxied requests
- Test bypass (if configured): Confirm bypassed destinations work without prompts
Next steps
- Choose an authentication method above and configure it
- Combine with Access Restriction for identity-based policies
- Enable SSL Inspection to decrypt HTTPS traffic — without it, SafeSquid can only authenticate based on CONNECT requests, not actual HTTPS content