{"id":28226114,"url":"https://github.com/senseunit/basic_hmac_auth","last_synced_at":"2026-02-23T02:32:55.088Z","repository":{"id":265673853,"uuid":"896125762","full_name":"SenseUnit/basic_hmac_auth","owner":"SenseUnit","description":"HMAC auth helper for Squid","archived":false,"fork":false,"pushed_at":"2024-12-01T15:20:31.000Z","size":37,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-10-27T20:14:57.191Z","etag":null,"topics":["addon","auth","auth-helper","authentication","authentication-backend","authorization","authorization-handler","helper","hmac-authentication","squid","squid-helper","squid-proxy"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SenseUnit.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-11-29T15:44:26.000Z","updated_at":"2024-12-01T15:19:50.000Z","dependencies_parsed_at":"2024-12-01T16:47:13.833Z","dependency_job_id":null,"html_url":"https://github.com/SenseUnit/basic_hmac_auth","commit_stats":null,"previous_names":["senseunit/basic_hmac_auth"],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/SenseUnit/basic_hmac_auth","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SenseUnit%2Fbasic_hmac_auth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SenseUnit%2Fbasic_hmac_auth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SenseUnit%2Fbasic_hmac_auth/r
eleases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SenseUnit%2Fbasic_hmac_auth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SenseUnit","download_url":"https://codeload.github.com/SenseUnit/basic_hmac_auth/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SenseUnit%2Fbasic_hmac_auth/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29735759,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-23T02:24:00.660Z","status":"ssl_error","status_checked_at":"2026-02-23T02:22:56.087Z","response_time":90,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["addon","auth","auth-helper","authentication","authentication-backend","authorization","authorization-handler","helper","hmac-authentication","squid","squid-helper","squid-proxy"],"created_at":"2025-05-18T11:10:49.685Z","updated_at":"2026-02-23T02:32:55.066Z","avatar_url":"https://github.com/SenseUnit.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# basic\\_hmac\\_auth\n\nHMAC auth helper for Squid.\n\nAuthentication with [HMAC signatures](https://en.wikipedia.org/wiki/HMAC) essentially allows fleet of proxies to use centralized authentication without the need for proxies to communicate with any 
central server directly. It works like this: some entity (e.g. an API server) issues HMAC-signed tokens with a limited validity time to the users. Users can't forge an HMAC-signed token because they don't know the secret key, while a proxy can validate the signature sent by the user as credentials and decide to allow access immediately, without any need to communicate with a central server or database to check the user's password and status. All information relevant to allowing access is already carried by users within their requests.\n\nThe basic\\_hmac\\_auth helper enables Squid basic authentication with HMAC signatures passed as username and password, leveraging the classic login-password scheme to carry HMAC signatures. In that scheme the username represents the user login as usual and the password should be constructed as follows:\n\n*password := urlsafe\\_base64\\_without\\_padding(expire\\_timestamp || hmac\\_sha256(secret, \"dumbproxy grant token v1\" || username || expire\\_timestamp))*\n\nwhere *expire_timestamp* is a 64-bit big-endian UNIX timestamp and *||* is the concatenation operator. 
[This Python script](https://gist.github.com/Snawoot/2b5acc232680d830f0f308f14e540f1d) can be used as a reference implementation of signing.\n\n## Usage\n\nThis auth helper can be used with a Squid configuration like this:\n\n```\nauth_param basic program /usr/local/bin/basic_hmac_auth -secret \u003cINSERT YOUR SECRET HERE\u003e\nauth_param basic children 8 startup=8 idle=8 concurrency=50\nauth_param basic credentialsttl 15 minutes\nauth_param basic casesensitive on\nacl authenticated proxy_auth REQUIRED\nhttp_access allow authenticated\nhttp_access deny all\n```\n\nA secret key can be generated with the following command: `openssl rand -hex 32`\n\n\u003e [!IMPORTANT]  \n\u003e Note that this helper works **only** with the concurrent helper protocol, so the `concurrency=` parameter **must** be greater than zero.\n\n\u003e [!TIP]\n\u003e The HMAC shared secret can also be specified in a file referenced by the `-secret-file` command line option or with the `BASIC_AUTH_HMAC_SECRET` environment variable.\n\n## Synopsis\n\n```\n$ basic_hmac_auth -h\nUsage of /usr/local/bin/basic_hmac_auth:\n  -buffer-size int\n    \tinitial buffer size for stream parsing\n  -cpu-profile string\n    \twrite CPU profile to file\n  -secret string\n    \thex-encoded HMAC secret value\n  -secret-file string\n    \tfile containing single line with hex-encoded secret\n  -strict\n    \trequire shortest possible, invariant form of encoding (default true)\n  -version\n    \tshow program version and exit\n```\n\n## See also\n\n* This HMAC auth format was ported to Squid from the [dumbproxy](https://github.com/SenseUnit/dumbproxy) project. dumbproxy is a modern, lightweight, performant and easy-to-use proxy server.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsenseunit%2Fbasic_hmac_auth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsenseunit%2Fbasic_hmac_auth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsenseunit%2Fbasic_hmac_auth/lists"}