Red Hat Summit Red Hat SummitSupportoConsoleSviluppatoriInizia una provaContatti

Questo contenuto non è disponibile nella lingua selezionata.

16.2. Setting up Squid as a Caching Proxy With LDAP Authentication

This section describes a basic configuration of Squid as a caching proxy that uses LDAP to authenticate users. The procedure configures that only authenticated users can use the proxy.

Prerequisites

  • The procedure assumes that the /etc/squid/squid.conf file is as provided by the squid package. If you edited this file before, remove the file and reinstall the package.
  • An service user, such as uid=proxy_user,cn=users,cn=accounts,dc=example,dc=com exists in the LDAP directory. Squid uses this account only to search for the authenticating user. If the authenticating user exists, Squid binds as this user to the directory to verify the authentication.

Procedure

  1. Install the squid package: 
    # yum install squid
    Copy to Clipboard Toggle word wrap
  2. Edit the /etc/squid/squid.conf file:
    1. To configure the basic_ldap_auth helper utility, add the following configuration entry to the top of /etc/squid/squid.conf: 
      auth_param basic program /usr/lib64/squid/basic_ldap_auth -b "cn=users,cn=accounts,dc=example,dc=com" -D "uid=proxy_user,cn=users,cn=accounts,dc=example,dc=com" -W /etc/squid/ldap_password -f "(&(objectClass=person)(uid=%s))" -ZZ -H ldap://ldap_server.example.com:389
      Copy to Clipboard Toggle word wrap
      The following describes the parameters passed to the basic_ldap_auth helper utility in the example above:
      • -B base_DN sets the LDAP search base.
      • -D proxy_service_user_DN sets the distinguished name (DN) of the account Squid uses to search for the authenticating user in the directory.
      • -W path_to_password_file sets the path to the file that contains the password of the proxy service user. Using a password file prevents that the password is visible in the operating system's process list.
      • -f LDAP_filter specifies the LDAP search filter. Squid replaces the %s variable with the user name provided by the authenticating user.
        The (&(objectClass=person)(uid=%s)) filter in the example defines that the user name must match the value set in the uid attribute and that the directory entry contains the person object class.
      • -ZZ enforces a TLS-encrypted connection over the LDAP protocol using the STARTTLS command. Omit the -ZZ in the following situations:
        • The LDAP server does not support encrypted connections.
        • The port specified in the URL uses the LDAPS protocol.
      • The -H LDAP_URL parameter specifies the protocol, the host name or IP address, and the port of the LDAP server in URL format.
    2. Add the following ACL and rule to configure that Squid allows only authenticated users to use the proxy: 
      acl ldap-auth proxy_auth REQUIRED
http_access allow ldap-auth
      Copy to Clipboard Toggle word wrap

      Important

      Specify these settings before the http_access deny all rule.
    3. Remove the following rule to disable bypassing the proxy authentication from IP ranges specified in localnet ACLs: 
      http_access allow localnet
      Copy to Clipboard Toggle word wrap
    4. The following ACL exists in the default configuration and defines 443 as a port that uses the HTTPS protocol: 
      acl SSL_ports port 443
      Copy to Clipboard Toggle word wrap
      If users should be able to use the HTTPS protocol also on other ports, add an ACL for each of these port: 
      acl SSL_ports port port_number
      Copy to Clipboard Toggle word wrap
    5. Update the list of acl Safe_ports rules to configure to which ports Squid can establish a connection. For example, to configure that clients using the proxy can only access resources on port 21 (FTP), 80 (HTTP), and 443 (HTTPS), keep only the following acl Safe_ports statements in the configuration: 
      acl Safe_ports port 21
acl Safe_ports port 80
acl Safe_ports port 443
      Copy to Clipboard Toggle word wrap
      By default, the configuration contains the http_access deny !Safe_ports rule that defines access denial to ports that are not defined in Safe_ports ACLs.
    6. Configure the cache type, the path to the cache directory, the cache size, and further cache type-specific settings in the cache_dir parameter: 
      cache_dir ufs /var/spool/squid 10000 16 256
      Copy to Clipboard Toggle word wrap
      With these settings:
      • Squid uses the ufs cache type.
      • Squid stores its cache in the /var/spool/squid/ directory.
      • The cache grows up to 10000 MB.
      • Squid creates 16 level-1 sub-directories in the /var/spool/squid/ directory.
      • Squid creates 256 sub-directories in each level-1 directory.
      If you do not set a cache_dir directive, Squid stores the cache in memory.
  3. If you set a different cache directory than /var/spool/squid/ in the cache_dir parameter:
    1. Create the cache directory: 
      # mkdir -p path_to_cache_directory
      Copy to Clipboard Toggle word wrap
    2. Configure the permissions for the cache directory: 
      # chown squid:squid path_to_cache_directory
      Copy to Clipboard Toggle word wrap
    3. If you run SELinux in enforcing mode, set the squid_cache_t context for the cache directory: 
      # semanage fcontext -a -t squid_cache_t "path_to_cache_directory(/.*)?"
# restorecon -Rv path_to_cache_directory
      Copy to Clipboard Toggle word wrap
      If the semanage utility is not available on your system, install the policycoreutils-python-utils package.
  4. Store the password of the LDAP service user in the /etc/squid/ldap_password file, and set appropriate permissions for the file: 
    # echo "password" > /etc/squid/ldap_password
# chown root:squid /etc/squid/ldap_password
# chmod 640 /etc/squid/ldap_password
    Copy to Clipboard Toggle word wrap
  5. Open the 3128 port in the firewall: 
    # firewall-cmd --permanent --add-port=3128/tcp
# firewall-cmd --reload
    Copy to Clipboard Toggle word wrap
  6. Start the squid service: 
    # systemctl start squid
    Copy to Clipboard Toggle word wrap
  7. Enable the squid service to start automatically when the system boots: 
    # systemctl enable squid
    Copy to Clipboard Toggle word wrap

Verification Steps

To verify that the proxy works correctly, download a web page using the curl utility: 
# curl -O -L "https://www.redhat.com/index.html" -x "user_name:password@proxy.example.com:3128"
Copy to Clipboard Toggle word wrap
If curl does not display any error and the index.html file was downloaded to the current directory, the proxy works.

Troubleshooting Steps

To verify that the helper utility works correctly:
  1. Manually start the helper utility with the same settings you used in the auth_param parameter: 
    # /usr/lib64/squid/basic_ldap_auth -b "cn=users,cn=accounts,dc=example,dc=com" -D "uid=proxy_user,cn=users,cn=accounts,dc=example,dc=com" -W /etc/squid/ldap_password -f "(&(objectClass=person)(uid=%s))" -ZZ -H ldap://ldap_server.example.com:389
    Copy to Clipboard Toggle word wrap
  2. Enter a valid user name and password, and press Enter: 
    user_name password
    Copy to Clipboard Toggle word wrap
    If the helper utility returns OK, authentication succeeded.
Torna in cima
Red Hat logoGithubredditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi. Esplora i nostri ultimi aggiornamenti.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita il Blog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

Theme

© 2025 Red Hat