Setting up a proxy server can be a complex task, especially when it involves authentication and caching. However, the benefits of having a proxy server in place are numerous. It can help improve your network’s performance, provide a layer of security, and even manage internet access for users. One of the most popular proxy servers is Squid, which can be configured as a caching proxy that authenticates users against an Active Directory (AD) domain using Kerberos.
In this tutorial, we will guide you through the process of setting up Squid as a caching proxy with Kerberos authentication on a Red Hat Enterprise Linux server. This configuration ensures that only authenticated users can use the proxy, enhancing the security of your network.
Before we begin, it’s important to note that this tutorial assumes that the server on which you want to install Squid is a member of the AD domain.
By following this guide, you will be able to leverage the benefits of a proxy server and enhance the security and performance of your network.
Let’s get started!
Step 1: Install the Required Packages
The first step in setting up Squid as a caching proxy with Kerberos authentication is to install the necessary packages. In this case, you will need to install the Squid and krb5-workstation packages. You can do this by running the following command:
# yum install squid krb5-workstation
Step 2: Authenticate as the AD Domain Administrator
After installing the required packages, you need to authenticate as the AD domain administrator. You can do this by running the following command:
# kinit administrator@AD.EXAMPLE.COM
Step 3: Create a Keytab for Squid
Next, you need to create a keytab for Squid and store it in the /etc/squid/HTTP.keytab file. You can do this by running the following commands:
# export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab
# net ads keytab CREATE -U administrator
Step 4: Add the HTTP Service Principal to the Keytab
After creating the keytab for Squid, you need to add the HTTP service principal to the keytab. You can do this by running the following command:
# net ads keytab ADD HTTP -U administrator
Step 5: Set the Owner of the Keytab File to the Squid User
Next, you need to set the owner of the keytab file to the squid user. You can do this by running the following command:
# chown squid /etc/squid/HTTP.keytab
Step 6: Verify the Keytab File
Optionally, you can verify that the keytab file contains the HTTP service principal for the fully-qualified domain name (FQDN) of the proxy server. You can do this by running the following command:
# klist -k /etc/squid/HTTP.keytab
The output should include the HTTP service principal for the FQDN of the proxy server.
Step 7: Edit the /etc/squid/squid.conf File
The next step is to edit the /etc/squid/squid.conf file. This file contains the configuration settings for Squid. You need to add the following configuration entry to the top of /etc/squid/squid.conf to configure the negotiate_kerberos_auth helper utility:
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/HTTP.keytab -s HTTP/proxy.ad.example.com@AD.EXAMPLE.COM
This directive configures the negotiate_kerberos_auth helper utility with the path to the keytab file and the Kerberos service principal that Squid uses.
Step 8: Configure Squid to Allow Only Authenticated Users
Next, add the following ACL and rule so that Squid allows only authenticated users to use the proxy:
acl kerb-auth proxy_auth REQUIRED
http_access allow kerb-auth
These settings should be specified before the http_access deny all rule.
Step 9: Disable Bypassing the Proxy Authentication
To enhance the security of your network, you should disable bypassing the proxy authentication from IP ranges specified in localnet ACLs. You can do this by removing the following rule:
http_access allow localnet
Step 10: Configure the Ports
By default, the configuration contains the http_access deny !Safe_ports rule, which denies access to any port that is not listed in the Safe_ports ACLs. If users should also be able to use the HTTPS protocol on other ports, add an ACL for each of these ports:
acl SSL_ports port port_number
Update the list of acl Safe_ports rules to control which ports Squid is allowed to connect to. For example, to allow clients using the proxy to access resources only on port 21 (FTP), 80 (HTTP), and 443 (HTTPS), keep only the following acl Safe_ports statements in the configuration:
acl Safe_ports port 21
acl Safe_ports port 80
acl Safe_ports port 443
Step 11: Configure the Cache
Next, you need to configure the cache type, the path to the cache directory, the cache size, and further cache type-specific settings in the cache_dir parameter:
cache_dir ufs /var/spool/squid 10000 16 256
With these settings, Squid uses the ufs cache type, stores its cache in the /var/spool/squid/ directory, lets the cache grow up to 10000 MB, creates 16 level-1 sub-directories in /var/spool/squid/, and creates 256 sub-directories in each level-1 directory.
Step 12: Open the 3128 Port in the Firewall
To allow traffic to pass through the proxy server, you need to open the 3128 port in the firewall. You can do this by running the following commands:
# firewall-cmd --permanent --add-port=3128/tcp
# firewall-cmd --reload
Step 13: Start and Enable the Squid Service
Finally, you need to start the squid service and enable it to start automatically when the system boots. You can do this by running the following commands:
# systemctl start squid
# systemctl enable squid
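To confirm that Step 6 and Steps 7 to 9 actually took effect, here is an added check script; it is not part of the original tutorial or of the Squid project. It audits klist -k output for the HTTP/<fqdn>@<REALM> principal and a squid.conf for the authenticate-before-deny ordering and the absence of the localnet bypass; the keytab listing and both configurations embedded below are constructed samples.

```shell
#!/bin/sh
# Offline checks for Step 6 (keytab) and Steps 7 to 9 (squid.conf policy).
# Not from the tutorial or the Squid project; both functions take text, so on
# a real proxy feed them `klist -k /etc/squid/HTTP.keytab` output and /etc/squid/squid.conf.

# Return 0 if klist -k output lists exactly HTTP/<fqdn>@<REALM>.
keytab_has_http_principal() {
    printf '%s\n' "$1" | awk -v p="HTTP/$2@$3" '$2 == p { f = 1 } END { exit !f }'
}

# Return 0 if squid.conf enforces Kerberos-only access; print each failed check.
audit_squid_conf() {
    conf=$1; status=0
    grep -Eq '^auth_param[[:space:]]+negotiate[[:space:]]+program[[:space:]]+.*negotiate_kerberos_auth.*-k[[:space:]]+[^[:space:]]+[[:space:]]+-s[[:space:]]+HTTP/' "$conf" \
        || { echo "FAIL: negotiate_kerberos_auth with -k <keytab> -s HTTP/<fqdn>@<REALM> not configured"; status=1; }
    grep -Eq '^acl[[:space:]]+kerb-auth[[:space:]]+proxy_auth[[:space:]]+REQUIRED' "$conf" \
        || { echo "FAIL: acl kerb-auth proxy_auth REQUIRED missing"; status=1; }
    # Squid evaluates http_access rules in order: allow kerb-auth must precede deny all.
    allow=$(grep -En '^http_access[[:space:]]+allow[[:space:]]+kerb-auth' "$conf" | head -n 1 | cut -d: -f1)
    deny=$(grep -En '^http_access[[:space:]]+deny[[:space:]]+all' "$conf" | head -n 1 | cut -d: -f1)
    if [ -z "$allow" ] || [ -z "$deny" ] || [ "$allow" -ge "$deny" ]; then
        echo "FAIL: 'http_access allow kerb-auth' must come before 'http_access deny all'"; status=1
    fi
    # Step 9: an 'allow localnet' rule lets local clients skip authentication entirely.
    if grep -Eq '^http_access[[:space:]]+allow[[:space:]]+localnet' "$conf"; then
        echo "FAIL: 'http_access allow localnet' bypasses Kerberos authentication"; status=1
    fi
    return "$status"
}

# Constructed samples, not captured from a real system.
KLIST_OUT='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- ----------------------------------------------
   3 HTTP/proxy.ad.example.com@AD.EXAMPLE.COM'
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp); trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT
cat > "$GOOD_CONF" <<'EOF'
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/HTTP.keytab -s HTTP/proxy.ad.example.com@AD.EXAMPLE.COM
acl kerb-auth proxy_auth REQUIRED
acl Safe_ports port 443
http_access deny !Safe_ports
http_access allow kerb-auth
http_access deny all
EOF
# Stock-style mistake: the localnet bypass was kept instead of the kerb-auth allow.
sed 's/^http_access allow kerb-auth$/http_access allow localnet/' "$GOOD_CONF" > "$BAD_CONF"
keytab_has_http_principal "$KLIST_OUT" proxy.ad.example.com AD.EXAMPLE.COM && echo "keytab: HTTP principal present"
for c in "$GOOD_CONF" "$BAD_CONF"; do
    audit_squid_conf "$c" && echo "PASS: $c"
done
```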
- yum install squid krb5-workstation: This command installs the necessary packages for setting up Squid as a caching proxy with Kerberos authentication.
- kinit administrator@AD.EXAMPLE.COM: This command authenticates you as the AD domain administrator.
- export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab and net ads keytab CREATE -U administrator: These commands create a keytab for Squid and store it in the /etc/squid/HTTP.keytab file.
- net ads keytab ADD HTTP -U administrator: This command adds the HTTP service principal to the keytab.
- chown squid /etc/squid/HTTP.keytab: This command sets the owner of the keytab file to the squid user.
- klist -k /etc/squid/HTTP.keytab: This command verifies that the keytab file contains the HTTP service principal for the fully-qualified domain name (FQDN) of the proxy server.
In this tutorial, we walked you through the process of setting up Squid as a caching proxy with Kerberos authentication on a Red Hat Enterprise Linux server. This configuration enhances the security of your network by ensuring that only authenticated users can use the proxy. It also improves your network’s performance by caching frequently accessed content.
We hope you found this guide helpful. If you have any questions or comments, please feel free to leave them below.
What is a keytab file and why is it necessary for Squid?
A keytab file is a key table file that stores Kerberos principals together with their long-term keys. It is used by Squid to authenticate to the Kerberos Key Distribution Center (KDC) without the need for entering a password. This is crucial for the automatic startup of the Squid service.
Why do we need to open the 3128 port in the firewall?
Port 3128 is the default port used by Squid for listening to incoming proxy requests. Opening this port in the firewall allows traffic to pass through the proxy server, enabling clients to connect to the internet through the Squid proxy.
What is the role of the negotiate_kerberos_auth helper utility in Squid?
The negotiate_kerberos_auth helper utility in Squid is used to authenticate users to an Active Directory using Kerberos. It verifies the Kerberos tickets presented by the clients and informs Squid whether the authentication was successful or not.
What is the benefit of setting up Squid as a caching proxy?
Setting up Squid as a caching proxy can significantly improve the performance of your network. It does this by storing frequently accessed web content and serving it to clients from the cache. This reduces bandwidth usage and speeds up web access for users.
Can I use a different port for Squid instead of the default 3128?
Yes, you can configure Squid to listen on a different port. This can be done by changing the ‘http_port’ directive in the Squid configuration file. However, you must also update your firewall rules and client configurations to use the new port.