15.4. Squid Authentication

For authentication, the Squid source code connects with a few authentication back ends, also called helpers, such as SMB (SMB server like Windows NT or Samba), DB (an SQL database), or LDAP (Lightweight Directory Access Protocol). Users are authenticated if Squid is configured to use proxy_auth ACLs.
Instruct Squid which authentication helper program to use with the auth_param directive in /etc/squid/squid.conf. Specify the name of the program and any command line options if necessary. 
auth_param scheme parameter [setting]

Example 15.6. Adding proxy_auth ACLs

Add proxy_auth ACL entries to your Squid configuration by specifying individual user names. In this example, users named lisa, sarah, joe, and frank are allowed to use the proxy at all times. Other users are allowed only during daytime hours. 
acl foo proxy_auth REQUIRED
acl bar proxy_auth lisa sarah frank joe
acl daytime time 08:00-17:00
http_access allow foo daytime
http_access allow bar
http_access deny all

15.4.1. Authentication with LDAP

In this setup, Squid uses LDAP to authenticate users before allowing them to surf the Internet. The Squid source code connects to an authentication back end (LDAP) for authentication. Users then need to enter their user name and password before they are allowed to proceed to web pages. Squid makes use of the Squid LDAP authentication helper, squid_ldap_auth, which allows Squid to connect to an LDAP directory to validate the user name and password of basic HTTP authentication.
Edit /etc/squid/squid.conf as follows to connect Squid to ldap.example.com: 
auth_param basic program /usr/lib64/squid/basic_ldap_auth -b "dc=example,dc=com" -f "uid=%s" -c 2 -t 2 -h ldap.example.com otherldap.example.com
In case you wish to authenticate Squid users on an LDAP server through a SSL/TLS secure channel, pass the -ZZ argument to the squid_ldap_auth program. 
auth_param basic program /usr/lib64/squid/basic_ldap_auth -v 3 -ZZ -b "dc=yourcompany,dc=com" -D uid=some-user,ou=People,dc=yourcompany,dc=com  -w password -f uid=%s ldap.yourcompany.com
If you want to authenticate against multiple OpenLDAP servers, for example TLS and SSL, you need to specify auth_param in the /etc/squid/squid.conf file:
  1. Edit the /etc/squid/squid.conf for TLS: 
    auth_param basic program /usr/lib64/squid/basic_ldap_auth -Z -b "dc=example,dc=com" -f "uid=%s" -c 2 -t 2 -h ldap.example.com
    and for SSL: 
    auth_param basic program /usr/lib64/squid/basic_ldap_auth -b "dc=example,dc=com" -f "uid=%s" -c 2 -t 2 -H ldaps://ldap.example.com
    Where 
    -b - Specifies the base DN under which the users are located.
-f - Specifies LDAP search filter to locate the user DN.
-c - Specifies timeout used when connecting to LDAP servers.
-t - Specifies time limit on LDAP search operations.
-h - Specifies the LDAP server to connect to.
-H - Specities the LDAP server to connect to by LDAP URI
  2. Restart the Squid service 
    ~]# systemctl restart squid

15.4.2. Authentication with Kerberos

Follow the procedure to configure Squid proxy on Red Hat Enterprise Linux 7 to use Kerberos authentication. Also, as a prerequisite, first install Samba, Common Internet File System (CIFS) file server for Red Hat Enterprise Linux. For more information on installing Samba, see section Samba in the Red Hat Enterprise Linux 7 System Administrator's Guide.

Procedure 15.4. Configure Squid on Red Hat Enterprise Linux 7 to use Kerberos authentication

  1. Configure Squid to join an Active Directory (AD) domain.
    1. Edit the /etc/krb5.conf file: 
      [libdefaults]
          default_realm = EXAMPLE.COM
          dns_lookup_kdc = no
          dns_lookup_realm = no
          default_keytab_name = /etc/krb5.keytab
    ; for Windows 2003
          default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
          default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
          permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

    ; for Windows 2008 with AES
    ;      default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    ;      default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    ;      permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

    [realms]
     EXAMPLE.COM = {
      kdc = 192.168.0.1
      admin_server = 192.168.0.1
     }

    [domain_realm]
     example.com = EXAMPLE.COM
     .example.com = EXAMPLE.COM

    [logging]
      kdc = FILE:/var/log/kdc.log
      admin_server = FILE:/var/log/kadmin.log
      default = FILE:/var/log/krb5lib.log
    2. Verify with the kinit command: 
      ~]# kinit testuser1
      ~]# kinit administrator
    3. Edit the /etc/samba/smb.conf file as follows: 
      [global]
workgroup = EXAMPLE
password server = 192.168.0.1
# Remember to put the realm all in CAPS:
realm = EXAMPLE.COM
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
winbind enum users = yes
winbind enum groups = yes
encrypt passwords = yes
log file = /var/log/samba/log.%m
max log size = 50
passdb backend = tdbsam
load printers = yes
cups options = raw
kerberos method = system keytab
    4. Join the AD domain 
      ~]# net ads join -U Administrator
  2. Create keytab for HTTP/fqdn with the net ads keytab command 
    ~]# kinit administrator
~]# export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab
~]# net ads keytab CREATE
~]# net ads keytab ADD HTTP
    and verify the keytab file 
    ~]# klist -k /etc/squid/HTTP.keytab

    Note

    Make sure host name is properly set in /etc/hosts file
  3. Make sure the files are included in Squid. 
    ~]# rpm -q squid
    squid-3.1.10-1.el6.x86_64
    ~]# rpm -ql squid | grep kerb
    /usr/lib64/squid/negotiate_kerberos_auth
    /usr/lib64/squid/negotiate_kerberos_auth_test
    /usr/lib64/squid/squid_kerb_auth
    /usr/lib64/squid/squid_kerb_auth_test
  4. Modify /etc/squid/squid.conf as follows 
    auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -d -s HTTP/squid.example.com@EXAMPLE.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl kerb_auth proxy_auth REQUIRED
(content truncated)

http_access allow kerb_auth
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
(content truncated)
  5. Set the .keytab file readable by the Squid process owner: 
    ~]# chgrp squid /etc/squid/HTTP.keytab
    ~]# chmod g+r /etc/squid/HTTP.keytab
  6. Add the below lines to the /etc/sysconfig/squid file: 
    KRB5_KTNAME="/etc/squid/HTTP.keytab "
export KRB5_KTNAME
  7. Start the Squid service 
    ~]# service squid start
  8. Configure a Kerberos client, and configure your web browser to use the Squid proxy. Get a Kerberos ticket from Key Distribution Center (KDC). 
    ~]# kinit testuser1
    Try to access any website. The web browser should not prompt for any user name or password.