16.2. Setting up Squid as a Caching Proxy With LDAP Authentication
This section describes a basic configuration of Squid as a caching proxy that uses LDAP to authenticate users. The procedure configures that only authenticated users can use the proxy.
Prerequisites
- The procedure assumes that the
/etc/squid/squid.conf
file is as provided by the squid package. If you edited this file before, remove the file and reinstall the package. - An service user, such as
uid=proxy_user,cn=users,cn=accounts,dc=example,dc=com
exists in the LDAP directory. Squid uses this account only to search for the authenticating user. If the authenticating user exists, Squid binds as this user to the directory to verify the authentication.
Procedure
- Install the squid package:
# yum install squid
- Edit the
/etc/squid/squid.conf
file:- To configure the
basic_ldap_auth
helper utility, add the following configuration entry to the top of/etc/squid/squid.conf
:auth_param basic program /usr/lib64/squid/basic_ldap_auth -b "cn=users,cn=accounts,dc=example,dc=com" -D "uid=proxy_user,cn=users,cn=accounts,dc=example,dc=com" -W /etc/squid/ldap_password -f "(&(objectClass=person)(uid=%s))" -ZZ -H ldap://ldap_server.example.com:389
The following describes the parameters passed to thebasic_ldap_auth
helper utility in the example above:-B base_DN
sets the LDAP search base.-D proxy_service_user_DN
sets the distinguished name (DN) of the account Squid uses to search for the authenticating user in the directory.-W path_to_password_file
sets the path to the file that contains the password of the proxy service user. Using a password file prevents that the password is visible in the operating system's process list.-f LDAP_filter
specifies the LDAP search filter. Squid replaces the%s
variable with the user name provided by the authenticating user.The(&(objectClass=person)(uid=%s))
filter in the example defines that the user name must match the value set in theuid
attribute and that the directory entry contains theperson
object class.-ZZ
enforces a TLS-encrypted connection over the LDAP protocol using theSTARTTLS
command. Omit the-ZZ
in the following situations:- The LDAP server does not support encrypted connections.
- The port specified in the URL uses the LDAPS protocol.
- The
-H LDAP_URL
parameter specifies the protocol, the host name or IP address, and the port of the LDAP server in URL format.
- Add the following ACL and rule to configure that Squid allows only authenticated users to use the proxy:
acl ldap-auth proxy_auth REQUIRED http_access allow ldap-auth
Important
Specify these settings before thehttp_access deny all
rule. - Remove the following rule to disable bypassing the proxy authentication from IP ranges specified in
localnet
ACLs:http_access allow localnet
- The following ACL exists in the default configuration and defines
443
as a port that uses the HTTPS protocol:acl SSL_ports port 443
If users should be able to use the HTTPS protocol also on other ports, add an ACL for each of these port:acl SSL_ports port port_number
- Update the list of
acl Safe_ports
rules to configure to which ports Squid can establish a connection. For example, to configure that clients using the proxy can only access resources on port 21 (FTP), 80 (HTTP), and 443 (HTTPS), keep only the followingacl Safe_ports
statements in the configuration:acl Safe_ports port 21 acl Safe_ports port 80 acl Safe_ports port 443
By default, the configuration contains thehttp_access deny !Safe_ports
rule that defines access denial to ports that are not defined inSafe_ports
ACLs. - Configure the cache type, the path to the cache directory, the cache size, and further cache type-specific settings in the
cache_dir
parameter:cache_dir ufs /var/spool/squid 10000 16 256
With these settings:- Squid uses the
ufs
cache type. - Squid stores its cache in the
/var/spool/squid/
directory. - The cache grows up to
10000
MB. - Squid creates
16
level-1 sub-directories in the/var/spool/squid/
directory. - Squid creates
256
sub-directories in each level-1 directory.
If you do not set acache_dir
directive, Squid stores the cache in memory.
- If you set a different cache directory than
/var/spool/squid/
in thecache_dir
parameter:- Create the cache directory:
# mkdir -p path_to_cache_directory
- Configure the permissions for the cache directory:
# chown squid:squid path_to_cache_directory
- If you run SELinux in
enforcing
mode, set thesquid_cache_t
context for the cache directory:# semanage fcontext -a -t squid_cache_t "path_to_cache_directory(/.*)?" # restorecon -Rv path_to_cache_directory
If thesemanage
utility is not available on your system, install the policycoreutils-python-utils package.
- Store the password of the LDAP service user in the
/etc/squid/ldap_password
file, and set appropriate permissions for the file:# echo "password" > /etc/squid/ldap_password # chown root:squid /etc/squid/ldap_password # chmod 640 /etc/squid/ldap_password
- Open the
3128
port in the firewall:# firewall-cmd --permanent --add-port=3128/tcp # firewall-cmd --reload
- Start the
squid
service:# systemctl start squid
- Enable the
squid
service to start automatically when the system boots:# systemctl enable squid
Verification Steps
To verify that the proxy works correctly, download a web page using the
curl
utility:
# curl -O -L "https://www.redhat.com/index.html" -x "user_name:password@proxy.example.com:3128"
If
curl
does not display any error and the index.html
file was downloaded to the current directory, the proxy works.
Troubleshooting Steps
To verify that the helper utility works correctly:
- Manually start the helper utility with the same settings you used in the
auth_param
parameter:# /usr/lib64/squid/basic_ldap_auth -b "cn=users,cn=accounts,dc=example,dc=com" -D "uid=proxy_user,cn=users,cn=accounts,dc=example,dc=com" -W /etc/squid/ldap_password -f "(&(objectClass=person)(uid=%s))" -ZZ -H ldap://ldap_server.example.com:389
- Enter a valid user name and password, and press Enter:
user_name password
If the helper utility returnsOK
, authentication succeeded.