16.3. Setting up Squid as a Caching Proxy With Kerberos Authentication
This section describes a basic configuration of Squid as a caching proxy that authenticates users to an Active Directory (AD) using Kerberos. The procedure configures that only authenticated users can use the proxy.
Prerequisites
- The procedure assumes that the
/etc/squid/squid.conffile is as provided by the squid package. If you edited this file before, remove the file and reinstall the package. - The server on which you want to install Squid is a member of the AD domain. For details, see Setting up Samba as a Domain Member in the Red Hat Enterprise Linux 7 System Administrator's Guide.
Procedure
- Install the following packages:
# yum install squid krb5-workstation
- Authenticate as the AD domain administrator:
# kinit administrator@AD.EXAMPLE.COM
- Create a keytab for Squid and store it in the
/etc/squid/HTTP.keytabfile:# export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab # net ads keytab CREATE -U administrator
- Add the
HTTPservice principal to the keytab:# net ads keytab ADD HTTP -U administrator
- Set the owner of the keytab file to the
squiduser:# chown squid /etc/squid/HTTP.keytab
- Optionally, verify that the keytab file contains the
HTTPservice principal for the fully-qualified domain name (FQDN) of the proxy server:# klist -k /etc/squid/HTTP.keytab Keytab name: FILE:/etc/squid/HTTP.keytab KVNO Principal ---- -------------------------------------------------------------------------- ... 2 HTTP/proxy.ad.example.com@AD.EXAMPLE.COM ...
- Edit the
/etc/squid/squid.conffile:- To configure the
negotiate_kerberos_authhelper utility, add the following configuration entry to the top of/etc/squid/squid.conf:auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/HTTP.keytab -s HTTP/proxy.ad.example.com@AD.EXAMPLE.COM
The following describes the parameters passed to thenegotiate_kerberos_authhelper utility in the example above:-k filesets the path to the key tab file. Note that thesquiduser must have read permissions on this file.-s HTTP/host_name@kerberos_realmsets the Kerberos principal that Squid uses.
Optionally, you can enable logging by passing one or both of the following parameters to the helper utility:-ilogs informational messages, such as the authenticating user.-denables debug logging.
Squid logs the debugging information from the helper utility to the/var/log/squid/cache.logfile. - Add the following ACL and rule to configure that Squid allows only authenticated users to use the proxy:
acl kerb-auth proxy_auth REQUIRED http_access allow kerb-auth
Important
Specify these settings before thehttp_access deny allrule. - Remove the following rule to disable bypassing the proxy authentication from IP ranges specified in
localnetACLs:http_access allow localnet
- The following ACL exists in the default configuration and defines
443as a port that uses the HTTPS protocol:acl SSL_ports port 443
If users should be able to use the HTTPS protocol also on other ports, add an ACL for each of these port:acl SSL_ports port port_number
- Update the list of
acl Safe_portsrules to configure to which ports Squid can establish a connection. For example, to configure that clients using the proxy can only access resources on port 21 (FTP), 80 (HTTP), and 443 (HTTPS), keep only the followingacl Safe_portsstatements in the configuration:acl Safe_ports port 21 acl Safe_ports port 80 acl Safe_ports port 443
By default, the configuration contains thehttp_access deny !Safe_portsrule that defines access denial to ports that are not defined inSafe_portsACLs. - Configure the cache type, the path to the cache directory, the cache size, and further cache type-specific settings in the
cache_dirparameter:cache_dir ufs /var/spool/squid 10000 16 256
With these settings:- Squid uses the
ufscache type. - Squid stores its cache in the
/var/spool/squid/directory. - The cache grows up to
10000MB. - Squid creates
16level-1 sub-directories in the/var/spool/squid/directory. - Squid creates
256sub-directories in each level-1 directory.
If you do not set acache_dirdirective, Squid stores the cache in memory.
- If you set a different cache directory than
/var/spool/squid/in thecache_dirparameter:- Create the cache directory:
# mkdir -p path_to_cache_directory
- Configure the permissions for the cache directory:
# chown squid:squid path_to_cache_directory
- If you run SELinux in
enforcingmode, set thesquid_cache_tcontext for the cache directory:# semanage fcontext -a -t squid_cache_t "path_to_cache_directory(/.*)?" # restorecon -Rv path_to_cache_directory
If thesemanageutility is not available on your system, install the policycoreutils-python-utils package.
- Open the
3128port in the firewall:# firewall-cmd --permanent --add-port=3128/tcp # firewall-cmd --reload
- Start the
squidservice:# systemctl start squid
- Enable the
squidservice to start automatically when the system boots:# systemctl enable squid
Verification Steps
To verify that the proxy works correctly, download a web page using the
curl utility:
# curl -O -L "https://www.redhat.com/index.html" --proxy-negotiate -u : -x "proxy.ad.example.com:3128"
If
curl does not display any error and the index.html file exists in the current directory, the proxy works.
Troubleshooting Steps
To manually test Kerberos authentication:
- Obtain a Kerberos ticket for the AD account:
# kinit user@AD.EXAMPLE.COM
- Optionally, display the ticket:
# klist
- Use the
negotiate_kerberos_auth_testutility to test the authentication:# /usr/lib64/squid/negotiate_kerberos_auth_test proxy.ad.example.com
If the helper utility returns a token, the authentication succeeded.Token: YIIFtAYGKwYBBQUCoIIFqDC...
