12.4. Squid Authentication
For authentication, Squid hands the user's credentials to an external authentication back end through a small program called a helper, such as SMB (an SMB server like Windows NT or Samba), DB (an SQL database), or LDAP (Lightweight Directory Access Protocol). Squid itself never checks a password: the helper validates it and Squid only enforces the answer. Users are asked to authenticate when Squid is configured with proxy_auth ACLs in its http_access rules.
Instruct Squid which authentication helper program to use with the auth_param directive in /etc/squid/squid.conf. Specify the authentication scheme (basic, digest, ntlm, or negotiate), the path of the helper program, and any command line options if necessary. The general form is:

    auth_param scheme parameter [setting]
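To make concrete what a helper is, the following Python program (an added example, not code from this guide or from the Squid project) implements the helper side of the basic scheme's protocol against a constructed in-memory user table. The user names, passwords, salt, and iteration count are assumptions chosen for the example.

```python
#!/usr/bin/env python3
"""Minimal Squid basic-auth helper (added example, not Squid's own code).

Whatever the back end, a basic-scheme helper is a program Squid starts from
its `auth_param basic program ...` line and talks to over stdin/stdout:
one request per line, "username password", both fields URL-encoded (a
password containing a space arrives as "%20"), and one reply line per
request: "OK", "ERR [message]" for a failed login, or "BH [message]" when
the helper itself hit a problem.  The credential table below is constructed
for the example; a real helper would consult LDAP, a database, and so on.
"""
import hashlib
import hmac
import sys
from urllib.parse import unquote

# Constructed sample store: username -> PBKDF2-SHA256(salt, password).
# The salt is fixed so the example is reproducible; anything real needs a
# random per-user salt.
_SALT = b"example-salt"
_ITERATIONS = 50_000


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, _ITERATIONS)


USERS = {
    "lisa": _hash("s3cret pass"),  # password with a space: arrives as s3cret%20pass
    "joe": _hash("hunter2"),
}
# Compared against for unknown users so the helper does the same amount of
# work whether or not the account exists (no user-enumeration timing leak).
_DUMMY = _hash("")


def authenticate(request_line: str, users=USERS) -> str:
    """Handle one helper request line and return the reply line (no newline)."""
    fields = request_line.rstrip("\r\n").split(" ", 1)
    if len(fields) != 2 or not fields[0]:
        return "BH malformed request"
    username, password = (unquote(f) for f in fields)
    candidate = _hash(password)
    stored = users.get(username, _DUMMY)
    matched = hmac.compare_digest(candidate, stored)
    # One generic message for both "no such user" and "wrong password".
    if username not in users or not matched:
        return "ERR login failure"
    return "OK"


def main() -> None:
    # Squid expects exactly one reply per request; flush after every line,
    # otherwise the reply sits in the buffer and Squid waits for it forever.
    for line in sys.stdin:
        sys.stdout.write(authenticate(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Squid would start it with an auth_param line such as `auth_param basic program /usr/bin/python3 /usr/lib64/squid/example_basic_auth.py` (an assumed path), and it runs as the squid user, so anything it reads must be readable by that user. Every basic helper, including basic_ldap_auth, can be exercised the same way from a shell before touching squid.conf: run the helper by hand, type a line such as `lisa s3cret%20pass`, and expect OK; this is the quickest way to separate a directory or back-end problem from a Squid configuration problem. After editing squid.conf, `squid -k parse` checks the syntax before a restart.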
Example 12.6. Adding proxy_auth ACLs
Add proxy_auth ACL entries to your Squid configuration by specifying individual user names. In this example, users named lisa, sarah, joe, and frank are allowed to use the proxy at all times. Any other user who authenticates successfully (REQUIRED matches every valid login) is allowed only during daytime hours, and requests that do not authenticate are denied by the final rule. http_access rules are evaluated in order and the first matching allow or deny wins, so the deny all line must stay last.

    acl foo proxy_auth REQUIRED
    acl bar proxy_auth lisa sarah frank joe
    acl daytime time 08:00-17:00
    http_access allow foo daytime
    http_access allow bar
    http_access deny all
12.4.1. Authentication with LDAP
In this setup, Squid uses LDAP to authenticate users before allowing them to surf the Internet. Squid hands each user name and password to an LDAP authentication helper, which looks the user up in the directory and validates the password; users must enter their user name and password before they are allowed to proceed to web pages. The helper is basic_ldap_auth (called squid_ldap_auth in Squid versions before 3.2), which validates the credentials supplied by basic HTTP authentication against an LDAP directory. Because basic authentication carries the password to the proxy in clear text (only base64 encoded), the network between the browsers and the proxy should be trusted, and the helper's own connection to the directory should be encrypted as described below.
Edit /etc/squid/squid.conf as follows to connect Squid to ldap.example.com (additional servers listed after the options, here otherldap.example.com, are tried in turn if the first cannot be reached):

    auth_param basic program /usr/lib64/squid/basic_ldap_auth -b "dc=example,dc=com" -f "uid=%s" -c 2 -t 2 -h ldap.example.com otherldap.example.com
To authenticate Squid users on an LDAP server through an SSL/TLS secured channel, pass the -ZZ argument to the basic_ldap_auth program. This negotiates StartTLS on the standard LDAP port, which requires LDAP protocol version 3, hence -v 3:

    auth_param basic program /usr/lib64/squid/basic_ldap_auth -v 3 -ZZ -b "dc=yourcompany,dc=com" -D uid=some-user,ou=People,dc=yourcompany,dc=com -w password -f uid=%s ldap.yourcompany.com

The -D and -w options give the bind DN and password the helper uses to search for the user's entry before trying the user's own password. A password passed with -w is visible to every local user in the process list and to anyone who can read squid.conf; prefer -W with the path to a file, readable only by root and the squid user, that contains the password, and give the bind account read access to user entries only.
The helper can encrypt its connection to an OpenLDAP server either with StartTLS on the standard LDAP port or with LDAPS (LDAP over SSL, port 636). Only one auth_param basic program line is in effect per scheme, so choose one of the following forms in the /etc/squid/squid.conf file:
- Edit /etc/squid/squid.conf for TLS (StartTLS requires LDAP protocol version 3; if the helper reports that TLS requires LDAP version 3, add -v 3 as in the previous example):

    auth_param basic program /usr/lib64/squid/basic_ldap_auth -Z -b "dc=example,dc=com" -f "uid=%s" -c 2 -t 2 -h ldap.example.com

  and for SSL:

    auth_param basic program /usr/lib64/squid/basic_ldap_auth -b "dc=example,dc=com" -f "uid=%s" -c 2 -t 2 -H ldaps://ldap.example.com

  Where:
  -b  Specifies the base DN under which the users are located.
  -f  Specifies the LDAP search filter used to locate the user DN; %s is replaced by the user name.
  -c  Specifies the timeout used when connecting to LDAP servers.
  -t  Specifies the time limit on LDAP search operations.
  -h  Specifies the LDAP server to connect to.
  -H  Specifies the LDAP server to connect to by LDAP URI.
- Restart the Squid service:

    ~]# systemctl restart squid
12.4.2. Authentication with Kerberos
Follow the procedure to configure Squid proxy on Red Hat Enterprise Linux 7 to use Kerberos authentication (the negotiate scheme, so that users who are logged in to the domain are not prompted for a password). As a prerequisite, first install Samba, the Common Internet File System (CIFS) file server for Red Hat Enterprise Linux; the procedure uses its net command to join the Active Directory domain and to create the service keytab. For more information on installing Samba, see section Samba in the Red Hat Enterprise Linux 7 System Administrator's Guide.
Procedure 12.4. Configure Squid on Red Hat Enterprise Linux 7 to use Kerberos authentication
- Configure Squid to join an Active Directory (AD) domain.
  - Edit the /etc/krb5.conf file. The active encryption types below are the ones for a Windows 2003 domain; des-cbc-crc and des-cbc-md5 are single DES, which is obsolete and disabled by default in current Windows and MIT Kerberos releases, so for a Windows 2008 or later domain use the commented AES variants instead (or omit the three enctype lines and accept the library defaults):

    [libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = no
    dns_lookup_realm = no
    default_keytab_name = /etc/krb5.keytab

    ; for Windows 2003
    default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

    ; for Windows 2008 with AES
    ; default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    ; default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    ; permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

    [realms]
    EXAMPLE.COM = {
        kdc = 192.168.0.1
        admin_server = 192.168.0.1
    }

    [domain_realm]
    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM

    [logging]
    kdc = FILE:/var/log/kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log
  - Verify with the kinit command that both a regular user and the administrator can obtain a ticket from the KDC (each command prompts for that account's password):

    ~]# kinit testuser1
    ~]# kinit administrator
  - Edit the /etc/samba/smb.conf file as follows:

    [global]
    workgroup = EXAMPLE
    password server = 192.168.0.1
    # Remember to put the realm all in CAPS:
    realm = EXAMPLE.COM
    security = ads
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template shell = /bin/bash
    winbind use default domain = true
    winbind offline logon = false
    winbind enum users = yes
    winbind enum groups = yes
    encrypt passwords = yes
    log file = /var/log/samba/log.%m
    max log size = 50
    passdb backend = tdbsam
    load printers = yes
    cups options = raw
    kerberos method = system keytab
  - Join the AD domain:

    ~]# net ads join -U Administrator
  - Create a keytab for the HTTP/fqdn service principal with the net ads keytab command. Setting KRB5_KTNAME first makes net write the keys to a file of their own instead of the machine keytab /etc/krb5.keytab:

    ~]# kinit administrator
    ~]# export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab
    ~]# net ads keytab CREATE
    ~]# net ads keytab ADD HTTP

  and verify the keytab file:

    ~]# klist -k /etc/squid/HTTP.keytab

  The output must list HTTP/fqdn@EXAMPLE.COM, where fqdn is the proxy's fully qualified host name as the browsers will address it; this is the principal that Squid is given with -s in a later step. Use klist -ke to also see the encryption type of each key.

  Note
  Make sure the host name is properly set in the /etc/hosts file, because net ads keytab ADD HTTP derives the HTTP/fqdn principal from the host's fully qualified name.
- Make sure the Kerberos helper files are included in the installed Squid package:

    ~]# rpm -q squid
    squid-3.1.10-1.el6.x86_64
    ~]# rpm -ql squid | grep kerb
    /usr/lib64/squid/negotiate_kerberos_auth
    /usr/lib64/squid/negotiate_kerberos_auth_test
    /usr/lib64/squid/squid_kerb_auth
    /usr/lib64/squid/squid_kerb_auth_test

  The output shown comes from a Squid 3.1 package; squid_kerb_auth was renamed negotiate_kerberos_auth in Squid 3.2, so use whichever of the two paths rpm -ql lists on your system in the next step.
- Modify /etc/squid/squid.conf as follows, giving -s exactly the service principal that is in the keytab (the -d flag writes helper debugging output to cache.log and can be dropped once authentication works):

    auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -d -s HTTP/squid.example.com@EXAMPLE.COM
    auth_param negotiate children 10
    auth_param negotiate keep_alive on
    acl kerb_auth proxy_auth REQUIRED
    (content truncated)
    http_access allow kerb_auth
    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localnet
    http_access allow localhost
    http_access deny all
    (content truncated)

  In the order shown, http_access allow kerb_auth is evaluated before the deny !Safe_ports and deny CONNECT !SSL_ports rules, so authenticated users are not subject to those port restrictions. If the restrictions should apply to everyone, place the allow kerb_auth line after the deny rules.
- Set the .keytab file readable by the Squid process owner. The file stays owned by root and only its group changes; it must not become readable by others, because anyone holding the keys can impersonate the proxy to clients:

    ~]# chgrp squid /etc/squid/HTTP.keytab
    ~]# chmod g+r /etc/squid/HTTP.keytab

  The result should be root:squid with mode 0640; confirm that the file is not readable by other users.
- Add the below lines to the /etc/sysconfig/squid file so that the helper opens the proxy's own keytab rather than the default /etc/krb5.keytab. There must be no space between the path and the closing quote: a stray space becomes part of the file name and the helper fails to open the keytab.

    KRB5_KTNAME="/etc/squid/HTTP.keytab"
    export KRB5_KTNAME
- Start the Squid service:

    ~]# systemctl start squid
- Configure a Kerberos client, and configure your web browser to use the Squid proxy. Get a Kerberos ticket from the Key Distribution Center (KDC):

    ~]# kinit testuser1

  Try to access any website. The web browser should not prompt for any user name or password, and the user name recorded in the proxy's access.log is the Kerberos principal, testuser1@EXAMPLE.COM.
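The following Python script is an added example (not tooling from Red Hat, Squid, or Samba) that checks the three things which most often break the keytab steps of this procedure: whether the keytab holds the HTTP/fqdn principal that squid.conf names with -s, whether KRB5_KTNAME in /etc/sysconfig/squid resolves to the right file name once the shell has applied its quoting, and whether the keytab is readable by squid but not by everyone. It goes slightly beyond the page by flagging keys whose encryption types are deprecated. The klist -ke output, the principal name, and the temporary files it creates are constructed for the example.

```python
#!/usr/bin/env python3
"""Checks for the keytab steps of the Kerberos procedure (added example).

The klist output below and the files created in demo_file_checks() are
constructed; on a real proxy feed the script `klist -ke` output, the text
of /etc/sysconfig/squid, and the squid user's uid/gid.
"""
import os
import re
import shlex
import stat
import tempfile

# Single DES is obsolete; RC4 and 3DES are deprecated (RFC 8429).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "arcfour-hmac", "rc4-hmac"}

# One key entry in `klist -ke` output: "   2 HTTP/host@REALM (aes256-cts-hmac-sha1-96)"
_KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")

# Constructed `klist -ke /etc/squid/HTTP.keytab` output (short enctype names).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/squid.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 HTTP/squid.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 HTTP/squid.example.com@EXAMPLE.COM (arcfour-hmac)
   2 HTTP/squid.example.com@EXAMPLE.COM (des-cbc-md5)
"""


def parse_klist(output: str):
    """Return (kvno, principal, enctype) tuples from `klist -ke` output."""
    entries = []
    for line in output.splitlines():
        m = _KLIST_ENTRY.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def check_keytab_entries(output: str, expected_principal: str):
    """Problems with the keys: the -s principal is missing, or a key is weak."""
    problems = []
    keys = [e for e in parse_klist(output) if e[1] == expected_principal]
    if not keys:
        problems.append(f"no key for {expected_principal} (compare with -s in squid.conf)")
    for kvno, principal, enctype in keys:
        if enctype in WEAK_ENCTYPES:
            problems.append(f"{principal} kvno {kvno} has deprecated enctype {enctype}")
    return problems


def read_ktname(sysconfig_text: str):
    """Keytab path from a KRB5_KTNAME= line, split exactly as the shell would."""
    for line in sysconfig_text.splitlines():
        m = re.match(r"^\s*(?:export\s+)?KRB5_KTNAME=(.*)$", line)
        if m:
            value = shlex.split(m.group(1))[0] if m.group(1).strip() else ""
            return value[5:] if value.startswith("FILE:") else value
    return None


def check_keytab_file(path: str, squid_uid: int, squid_gid: int):
    """Problems with the file itself: odd name, missing, wrong permissions."""
    problems = []
    if path != path.strip():
        problems.append("keytab path has leading/trailing whitespace (check the quotes in /etc/sysconfig/squid)")
    try:
        st = os.stat(path)
    except FileNotFoundError:
        problems.append(f"{path!r} does not exist")
        return problems
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IROTH:
        problems.append("keytab is world-readable: any local user could impersonate the proxy")
    owner_ok = st.st_uid == squid_uid and mode & stat.S_IRUSR
    group_ok = st.st_gid == squid_gid and mode & stat.S_IRGRP
    if not (owner_ok or group_ok):
        problems.append("keytab is not readable by the squid user (expect root:squid, mode 0640)")
    return problems


def demo_file_checks():
    """Run check_keytab_file on constructed files; returns {case: problems}."""
    results = {}
    # In the procedure root owns the keytab and squid reaches it via the group;
    # uid -1 stands in for "squid is not the owner".
    squid_uid, squid_gid = -1, os.getegid()
    with tempfile.TemporaryDirectory() as d:
        keytab = os.path.join(d, "HTTP.keytab")
        with open(keytab, "wb") as f:
            f.write(b"\x05\x02")  # keytab file magic; contents are irrelevant here
        os.chmod(keytab, 0o640)
        results["good"] = check_keytab_file(keytab, squid_uid, squid_gid)
        os.chmod(keytab, 0o644)
        results["world_readable"] = check_keytab_file(keytab, squid_uid, squid_gid)
        os.chmod(keytab, 0o600)
        results["group_unreadable"] = check_keytab_file(keytab, squid_uid, squid_gid)
        # The trailing space from KRB5_KTNAME="/etc/squid/HTTP.keytab "
        results["trailing_space"] = check_keytab_file(keytab + " ", squid_uid, squid_gid)
    return results


if __name__ == "__main__":
    for p in check_keytab_entries(SAMPLE_KLIST, "HTTP/squid.example.com@EXAMPLE.COM"):
        print("keytab entries:", p)
    for case, probs in demo_file_checks().items():
        print(f"{case}: {probs or 'ok'}")
```

On the proxy, pass check_keytab_entries the real output of klist -ke /etc/squid/HTTP.keytab together with the principal from the -s option, and check_keytab_file the path returned by read_ktname for the contents of /etc/sysconfig/squid with the uid and gid of the squid account (pwd.getpwnam("squid")). A keytab that carries only RC4 and DES keys still works against a Windows 2003 domain, but clients of a KDC that has those enctypes disabled will fail to obtain a ticket for the proxy, so the deprecated-enctype warnings tell you when the AES variant of the krb5.conf settings above is needed.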