[squid-users] MFA with squid, is it possible?

Tony Albers tony.albers at gmx.com
Wed Dec 3 16:55:10 UTC 2025


On 3 December 2025 14:31:46 CET, NgTech LTD <ngtech1ltd at gmail.com> wrote:
>I was wondering if it's possible to use 2fa with squid?
>If so, how?
>The authentication of squid is based on a couple methods, but, by what I
>can identify the 2fa? Is there any option to use some kind of token which
>can be acquired via some external authentication service?
>I am unsure if it's doable or not.
>I have seen a couple VPN services which offer 2fa, but all of these have
>connection based authentication.
>
>The only service I have seen which has a nice concept of 2fa is Defguard.
>It uses Wireguard combined with psk.
>The flow is that the app contacts a management service and the 2fa
>authentication is done against this service.
>Then this service generates the WG config PSK and pushes it to the WG
>service.
>The app then connects with a combination of KEY+PSK.
>The detection of connection invalidation ("disconnection") is when there is
>no activity after 3 minutes on the WG peer (or by disconnection in the app).
>Then the PSK is automatically being revoked/changed in the peer config
>which blocks its usage.
>It's not a perfect solution but it's a nice enough implementation.
>
>The issue with a proxy connection is that the client-to-service connection
>is in plain text.
>So my assumption is that if we can secure the client-to-proxy and the
>generated config delivery to the client we can kind of consider it "secure
>enough".
>
>I am wondering to myself about the available options in the proxy market.
>
>Thanks,
>Eliezer

Check out privacyidea.org

HTH

/tony

