12.4. Squid Authentication

For authentication, Squid hands the credentials a client presents to one of several external authentication helper programs. Helpers exist for back ends such as SMB (an SMB server like Windows NT or Samba), DB (an SQL database), and LDAP (Lightweight Directory Access Protocol). Credentials are only requested and checked for requests that are matched against proxy_auth ACLs in http_access rules.
Tell Squid which authentication helper program to use with the auth_param directive in /etc/squid/squid.conf, giving the path of the program and any command line options it needs:
auth_param scheme parameter [setting]

Example 12.6. Adding proxy_auth ACLs

Add proxy_auth ACL entries to your Squid configuration. A proxy_auth ACL either lists individual user names or uses the keyword REQUIRED, which matches any successfully authenticated user. In this example, the users lisa, sarah, joe, and frank are allowed to use the proxy at all times; any other authenticated user is allowed only during daytime hours, and everything else is denied. Squid evaluates http_access lines in order and the first line whose ACLs all match decides the request, so the order of the allow and deny lines matters.
acl foo proxy_auth REQUIRED
acl bar proxy_auth lisa sarah frank joe
acl daytime time 08:00-17:00
http_access allow foo daytime
http_access allow bar
http_access deny all
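The rule set of Example 12.6, run through a small model of Squid's http_access evaluation. This is an added example for illustration, not Squid's code or part of the Red Hat documentation: it implements only the proxy_auth and time ACL types used above, first-match semantics, and the 407 challenge Squid returns when a proxy_auth ACL is consulted for a request that carries no credentials. The user bob is an assumption, standing for an authenticated user who is not in the bar list.

```python
"""Model of how Squid evaluates the http_access rules of Example 12.6.
Added example, not Squid's code: it supports only the proxy_auth and time
ACL types used on this page, and reproduces first-match semantics and the
407 challenge Squid sends when a proxy_auth ACL is consulted without credentials."""
from datetime import time

ALLOW, DENY, AUTH_REQUIRED = "allow", "deny", "407 auth required"


def parse_config(text):
    """Collect 'acl NAME TYPE ARGS...' and 'http_access ACTION ACL...' lines."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            acls.setdefault(parts[1], []).append((parts[2], parts[3:]))  # same name merges
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(name, acls, user, now):
    """True/False, or AUTH_REQUIRED when a proxy_auth ACL meets a request without credentials."""
    if name == "all":
        return True
    for kind, args in acls[name]:
        if kind == "proxy_auth":
            if user is None:
                return AUTH_REQUIRED
            if args == ["REQUIRED"] or user in args:
                return True
        elif kind == "time":
            start, end = (time.fromisoformat(t) for t in args[0].split("-"))
            if start <= now <= end:
                return True
        else:
            raise ValueError(f"ACL type {kind} not modelled")
    return False


def evaluate(config, user, now):
    """ACLs on one line are ANDed left to right; the first line whose ACLs all match decides."""
    acls, rules = parse_config(config)
    for action, names in rules:
        for name in names:
            negated = name.startswith("!")
            verdict = acl_matches(name.lstrip("!"), acls, user, now)
            if verdict == AUTH_REQUIRED:
                return AUTH_REQUIRED          # Squid challenges before reaching a decision
            if verdict == negated:            # this ACL failed, so the whole line fails
                break
        else:
            return ALLOW if action == "allow" else DENY
    # No line matched: Squid's default is the opposite of the last line's action.
    return DENY if rules and rules[-1][0] == "allow" else ALLOW


def decide(config, user, hhmm):
    """Convenience wrapper: user=None models a request without Proxy-Authorization."""
    return evaluate(config, user, time.fromisoformat(hhmm))


EXAMPLE_12_6 = """
acl foo proxy_auth REQUIRED
acl bar proxy_auth lisa sarah frank joe
acl daytime time 08:00-17:00
http_access allow foo daytime
http_access allow bar
http_access deny all
"""

if __name__ == "__main__":
    for user, hhmm in [("lisa", "20:00"), ("bob", "10:00"), ("bob", "20:00"), (None, "10:00")]:
        print(f"{user!s:6} at {hhmm}: {decide(EXAMPLE_12_6, user, hhmm)}")
```

Running it shows lisa allowed at 20:00 through the bar line, bob allowed at 10:00 only through the foo daytime line and denied at 20:00, and an unauthenticated request answered with 407 at the first proxy_auth ACL it meets, which is what makes the browser prompt for credentials rather than ever reaching deny all.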

12.4.1. Authentication with LDAP

In this setup, Squid uses LDAP to authenticate users before allowing them to surf the Internet. Users enter a user name and password in the browser (HTTP Basic authentication towards the proxy), and Squid passes these credentials to the LDAP authentication helper, basic_ldap_auth (called squid_ldap_auth in Squid releases before 3.2), which looks the user up in an LDAP directory and validates the password by binding as that user. Note that Basic authentication carries the credentials only base64-encoded between the browser and the proxy, so that path should be trusted or otherwise protected.
Edit /etc/squid/squid.conf as follows to connect Squid to ldap.example.com:
auth_param basic program /usr/lib64/squid/basic_ldap_auth -b "dc=example,dc=com" -f "uid=%s" -c 2 -t 2 -h ldap.example.com otherldap.example.com
To authenticate Squid users against an LDAP server over a TLS-protected channel, pass the -Z option to the helper; it upgrades the LDAP connection with STARTTLS. The following example additionally binds as a dedicated service account (-D) to locate the user's DN before rebinding as the user. A bind password given with -w is visible to every local user in the process list; the helper also accepts -W secretfile to read the password from a file that only the squid user can read.
auth_param basic program /usr/lib64/squid/basic_ldap_auth -v 3 -Z -b "dc=yourcompany,dc=com" -D uid=some-user,ou=People,dc=yourcompany,dc=com -w password -f uid=%s ldap.yourcompany.com
An OpenLDAP server can protect the connection in two ways: STARTTLS on the standard LDAP port, which the helper enables with -Z, or LDAPS on a dedicated TLS port, which the helper selects through an ldaps:// URI. Use the auth_param line in /etc/squid/squid.conf that matches how your server is configured:
  1. Edit the /etc/squid/squid.conf file. For STARTTLS:
    auth_param basic program /usr/lib64/squid/basic_ldap_auth -Z -b "dc=example,dc=com" -f "uid=%s" -c 2 -t 2 -h ldap.example.com
    and for LDAPS:
    auth_param basic program /usr/lib64/squid/basic_ldap_auth -b "dc=example,dc=com" -f "uid=%s" -c 2 -t 2 -H ldaps://ldap.example.com
    Where
    -b - Specifies the base DN under which the users are located.
    -f - Specifies the LDAP search filter used to locate the user's DN; %s is replaced by the user name.
    -c - Specifies the timeout, in seconds, used when connecting to LDAP servers.
    -t - Specifies the time limit, in seconds, on LDAP search operations.
    -h - Specifies the LDAP server to connect to by host name.
    -H - Specifies the LDAP server to connect to by LDAP URI (ldap:// or ldaps://).
  2. Restart the Squid service
    ~]# systemctl restart squid
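What the helper on the other end of the auth_param line does with each request is easy to reason about once the protocol is visible. The following is an added example, not basic_ldap_auth's own code or part of the Red Hat documentation: it implements the Squid basic helper protocol (one "username password" line per request, both fields percent-encoded, answered with OK or ERR) and the -f filter templating with RFC 4515 escaping, so that a user name such as *)(uid=* cannot rewrite the search filter. The directory search and bind are replaced by a constructed in-memory table keyed by the exact search filter, which is an assumption for the example.

```python
"""What a Squid basic authentication helper such as basic_ldap_auth does with
each line Squid hands it. Added example, not the helper's own code: Squid's
basic helper protocol sends one 'username password' line per request with both
fields percent-encoded and expects 'OK' or 'ERR' back; the directory search and
bind are replaced by an in-memory table that is keyed by the exact search filter."""
import sys
from urllib.parse import unquote

# Constructed stand-in for the directory: filter -> password (assumption, not LDAP).
DIRECTORY = {"uid=lisa": "s3cret", "uid=joe": "pa ss"}

# RFC 4515 escapes for values placed inside an LDAP search filter.
LDAP_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a user-supplied value so it cannot change the filter's structure."""
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template, username):
    """Fill the -f template ('uid=%s' on this page) with the escaped user name."""
    return template.replace("%s", escape_filter_value(username))


def search_and_bind(search_filter, password):
    """Stand-in for the helper's LDAP search followed by a bind as the found DN:
    an entry exists only when the filter names it exactly, and the secret must match."""
    stored = DIRECTORY.get(search_filter)
    return stored is not None and stored == password


def handle_line(line, template="uid=%s"):
    """Handle one request line from Squid and return the reply line."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2:
        return 'ERR message="malformed request line"'
    username, password = (unquote(p) for p in parts)
    if not username or not password:
        return "ERR"
    if search_and_bind(build_filter(template, username), password):
        return "OK"
    return "ERR"


if __name__ == "__main__":
    # Run as a helper: Squid keeps the process alive and writes one line per request.
    for request in sys.stdin:
        sys.stdout.write(handle_line(request) + "\n")
        sys.stdout.flush()
```

The same line-in, OK/ERR-out exchange is how the real helper can be checked before Squid is involved: run /usr/lib64/squid/basic_ldap_auth with the options from your auth_param line, type a user name and password separated by a space, and expect OK on the next line; an ERR for a known-good password usually points at the base DN, the filter, or the TLS setup rather than at Squid.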

12.4.2. Authentication with Kerberos

Follow this procedure to configure a Squid proxy on Red Hat Enterprise Linux 7 to use Kerberos authentication against an Active Directory domain. As a prerequisite, install Samba: the net command from the Samba suite is used below to join the domain and to create the keytab for the HTTP service principal. For more information on installing Samba, see the section Samba in the Red Hat Enterprise Linux 7 System Administrator's Guide.

Procedure 12.4. Configure Squid on Red Hat Enterprise Linux 7 to use Kerberos authentication

  1. Configure Squid to join an Active Directory (AD) domain.
    1. Edit the /etc/krb5.conf file:
      [libdefaults]
        default_realm = EXAMPLE.COM
        dns_lookup_kdc = no
        dns_lookup_realm = no
        default_keytab_name = /etc/krb5.keytab
      ; for Windows 2003
        default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
        default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
        permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

      ; for Windows 2008 with AES
      ;  default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
      ;  default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
      ;  permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

      [realms]
        EXAMPLE.COM = {
          kdc = 192.168.0.1
          admin_server = 192.168.0.1
        }

      [domain_realm]
        example.com = EXAMPLE.COM
        .example.com = EXAMPLE.COM

      [logging]
        kdc = FILE:/var/log/kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log
      Use the Windows 2008 lines (and comment out the Windows 2003 ones) whenever the domain controllers support AES: des-cbc-crc and des-cbc-md5 are broken and rc4-hmac is deprecated, so they should stay permitted only where an older domain requires them.
    2. Verify that the KDC issues tickets by running the kinit command for a domain user and for the administrator (each prompts for the account password):
      ~]# kinit testuser1
      ~]# kinit administrator
    3. Edit the /etc/samba/smb.conf file as follows:
      [global]
      workgroup = EXAMPLE
      password server = 192.168.0.1
      # Remember to put the realm all in CAPS:
      realm = EXAMPLE.COM
      security = ads
      idmap uid = 16777216-33554431
      idmap gid = 16777216-33554431
      template shell = /bin/bash
      winbind use default domain = true
      winbind offline logon = false
      winbind enum users = yes
      winbind enum groups = yes
      encrypt passwords = yes
      log file = /var/log/samba/log.%m
      max log size = 50
      passdb backend = tdbsam
      load printers = yes
      cups options = raw
      kerberos method = system keytab
    4. Join the AD domain
      ~]# net ads join -U Administrator
  2. Create a keytab holding the HTTP/fqdn service principal with the net ads keytab command. Setting KRB5_KTNAME makes net write to the Squid-specific keytab instead of the default /etc/krb5.keytab:
    ~]# kinit administrator
    ~]# export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab
    ~]# net ads keytab CREATE
    ~]# net ads keytab ADD HTTP
    and verify the keytab file
    ~]# klist -k /etc/squid/HTTP.keytab

    Note

    Make sure the fully qualified host name of the proxy resolves correctly (check /etc/hosts): net ads keytab ADD HTTP derives the HTTP/fqdn principal from it, and the -s option given to the Squid helper below must name the same principal.
  3. Make sure the Negotiate (Kerberos) helpers shipped with the squid package are installed:
    ~]# rpm -q squid
    squid-3.1.10-1.el6.x86_64
    ~]# rpm -ql squid | grep kerb
    /usr/lib64/squid/negotiate_kerberos_auth
    /usr/lib64/squid/negotiate_kerberos_auth_test
    /usr/lib64/squid/squid_kerb_auth
    /usr/lib64/squid/squid_kerb_auth_test
  4. Modify /etc/squid/squid.conf as follows. The -s option names the service principal the helper accepts tickets for and must match the HTTP/fqdn entry in the keytab; -d enables debug output to cache.log and can be dropped once the setup works:
    auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -d -s HTTP/squid.example.com@EXAMPLE.COM
    auth_param negotiate children 10
    auth_param negotiate keep_alive on
    acl kerb_auth proxy_auth REQUIRED
    (content truncated)
    
    http_access allow kerb_auth
    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localnet
    http_access allow localhost
    http_access deny all
    (content truncated)
    Squid stops at the first http_access line that matches. With allow kerb_auth placed above deny !Safe_ports and deny CONNECT !SSL_ports, any authenticated user can reach every port, including CONNECT to arbitrary ports; keep those two deny lines above allow kerb_auth, as in the default squid.conf, unless that is intended.
  5. Make the keytab readable by the squid group that the Squid process runs as (the file must not become readable by other users):
    ~]# chgrp squid /etc/squid/HTTP.keytab
    ~]# chmod g+r /etc/squid/HTTP.keytab
  6. Add the following lines to the /etc/sysconfig/squid file so that the Squid process and its helper find the keytab instead of the default /etc/krb5.keytab:
    KRB5_KTNAME="/etc/squid/HTTP.keytab"
    export KRB5_KTNAME
  7. Start the Squid service:
    ~]# systemctl start squid
  8. On a client machine in the same Kerberos realm, configure the web browser to use the Squid proxy and obtain a ticket from the Key Distribution Center (KDC):
    ~]# kinit testuser1
    Try to access any website. The browser should not prompt for a user name or password: it presents a service ticket for HTTP/squid.example.com to the proxy through the Negotiate scheme.
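After step 2 created the keytab and step 5 restricted its permissions, a practitioner wants to confirm two things rather than infer them from klist output: that HTTP/fqdn@REALM is actually in the file, and that its keys do not depend on the DES or RC4 types listed in the Windows 2003 variant of krb5.conf. The following is an added example, not part of the Red Hat documentation, Samba or Squid: a small parser for the MIT keytab v2 file format with an audit function and a permission check. The sample keytab and the principal names in it are constructed for the example; pass the path of the real keytab to audit that instead.

```python
"""Audit a Kerberos keytab such as /etc/squid/HTTP.keytab after the
'net ads keytab ADD HTTP' step: is the HTTP/fqdn service principal present,
and are its keys limited to modern encryption types? Added example, not part
of the Red Hat documentation, Samba or Squid. It reads the MIT keytab v2 file
format directly; the sample keytab at the bottom is constructed here."""
import stat
import struct

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK_ENCTYPES = {1, 3, 23}   # DES is broken, RC4-HMAC is deprecated (RFC 8429)

def _counted(data):
    """counted_octet_string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data

def make_entry(principal, enctype, kvno, key, timestamp=0, name_type=1):
    """Serialize one keytab v2 entry (used here only to build sample input)."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in components)
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)          # optional 32-bit kvno written by modern tools
    return struct.pack(">i", len(body)) + body

def make_deleted_slot(nbytes):
    """A negative record size marks a deleted entry whose bytes must be skipped."""
    return struct.pack(">i", -nbytes) + b"\x00" * nbytes

def make_keytab(records):
    return b"\x05\x02" + b"".join(records)

def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Return [(principal, enctype, kvno), ...] from a keytab v2 byte string."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                          # deleted slot: skip its bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        components = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            components.append(comp)
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, keylen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + keylen                    # the key material itself is not needed
        kvno = vno8
        if end - pos >= 4:                    # 32-bit kvno, when present and nonzero, wins
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append(("/".join(components) + "@" + realm, enctype, kvno))
    return entries

def audit_keytab(data, required_principal):
    """Findings to resolve before pointing Squid's negotiate helper at the keytab."""
    entries = parse_keytab(data)
    findings = []
    if not any(p == required_principal for p, _, _ in entries):
        findings.append(f"missing principal {required_principal}")
    for principal, enctype, kvno in entries:
        if enctype in WEAK_ENCTYPES:
            findings.append(f"{principal} kvno {kvno} uses weak enctype "
                            f"{ENCTYPE_NAMES.get(enctype, enctype)}")
    return findings

def keytab_mode_ok(mode):
    """True when the keytab is not world-readable (the chgrp/chmod step above)."""
    return not mode & stat.S_IROTH

# Constructed sample: a keytab created while RC4 was still permitted (assumption).
SAMPLE = make_keytab([
    make_entry("HTTP/squid.example.com@EXAMPLE.COM", 18, 3, b"\x11" * 32),
    make_entry("HTTP/squid.example.com@EXAMPLE.COM", 23, 3, b"\x22" * 16),
    make_entry("host/squid.example.com@EXAMPLE.COM", 17, 3, b"\x33" * 16),
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for finding in audit_keytab(data, "HTTP/squid.example.com@EXAMPLE.COM"):
        print("FINDING:", finding)
```

Run it as root with /etc/squid/HTTP.keytab as the argument; a finding for rc4-hmac or a DES type means the service account's keys still include those types, and a missing-principal finding means the -s value in squid.conf and the keytab disagree, which is the usual cause of the browser falling back to a password prompt.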