How to Setup Squid as a Caching Proxy with Kerberos Authentication


Setting up a proxy server can be a complex task, especially when it involves authentication and caching. However, the benefits of having a proxy server in place are numerous. It can help improve your network’s performance, provide a layer of security, and even manage internet access for users. One of the most popular proxy servers is Squid, which can be configured as a caching proxy that authenticates users against an Active Directory (AD) domain using Kerberos.

In this tutorial, we will guide you through the process of setting up Squid as a caching proxy with Kerberos authentication on a Red Hat Enterprise Linux server. This configuration ensures that only authenticated users can use the proxy, enhancing the security of your network.

Before we begin, it’s important to note that this tutorial assumes that the server on which you want to install Squid is a member of the AD domain.

By following this guide, you will be able to leverage the benefits of a proxy server and enhance the security and performance of your network.

Let’s get started!

Step 1: Install the Required Packages

The first step in setting up Squid as a caching proxy with Kerberos authentication is to install the necessary packages. In this case, you will need to install the Squid and krb5-workstation packages. You can do this by running the following command:

# yum install squid krb5-workstation

Step 2: Authenticate as the AD Domain Administrator

After installing the required packages, you need to authenticate as the AD domain administrator. You can do this by running the following command:

# kinit administrator@AD.EXAMPLE.COM

Step 3: Create a Keytab for Squid

Next, you need to create a keytab for Squid and store it in the /etc/squid/HTTP.keytab file. You can do this by running the following commands:

# export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab
# net ads keytab CREATE -U administrator

Step 4: Add the HTTP Service Principal to the Keytab

After creating the keytab for Squid, you need to add the HTTP service principal to the keytab. You can do this by running the following command:

# net ads keytab ADD HTTP -U administrator

Step 5: Set the Owner of the Keytab File to the Squid User

Next, you need to set the owner of the keytab file to the squid user. You can do this by running the following command:

# chown squid /etc/squid/HTTP.keytab

Step 6: Verify the Keytab File

Optionally, you can verify that the keytab file contains the HTTP service principal for the fully-qualified domain name (FQDN) of the proxy server. You can do this by running the following command:

# klist -k /etc/squid/HTTP.keytab

The output should include the HTTP service principal for the FQDN of the proxy server.
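The following script is an added example, not part of the original tutorial. It shows how to turn the manual check in Step 6 into something repeatable: keytab_has_principal parses klist -k output for the exact HTTP/<fqdn>@REALM entry the helper will be told to use, and keytab_private checks that the keytab is owned by the expected user with no group or other permissions (stricter than the chown in Step 5, since the file holds the service's long-term key). The realm, FQDN and path are the tutorial's; SAMPLE_KLIST is constructed for offline use.

```shell
#!/bin/sh
# Added example (not from the tutorial): verify the Squid HTTP keytab.
# keytab_has_principal parses `klist -k` output; keytab_private checks
# ownership and mode. SAMPLE_KLIST below is constructed for offline use.

# Constructed sample of `klist -k /etc/squid/HTTP.keytab` output.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/proxy.ad.example.com@AD.EXAMPLE.COM
   2 HTTP/proxy.ad.example.com@AD.EXAMPLE.COM
   2 HTTP/PROXY@AD.EXAMPLE.COM'

# keytab_has_principal LISTING PRINCIPAL
# Exact, case-sensitive match on the last field: Kerberos principal names
# are case-sensitive, and HTTP/PROXY@REALM is not HTTP/proxy.fqdn@REALM.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit !found }'
}

# keytab_private FILE OWNER
# True when FILE is owned by OWNER and group/other have no permissions.
# Uses ls -l rather than stat so it works on any POSIX system.
keytab_private() {
    entry=$(ls -ld "$1") || return 1
    [ "$(printf '%s\n' "$entry" | awk '{print $3}')" = "$2" ] &&
    [ "$(printf '%s\n' "$entry" | cut -c5-10)" = "------" ]
}

# check_squid_keytab [KEYTAB] [FQDN] [REALM]
# On a real proxy: runs klist -k and checks for the HTTP/<fqdn>@REALM
# principal that negotiate_kerberos_auth is given with -s in Step 7.
check_squid_keytab() {
    keytab=${1:-/etc/squid/HTTP.keytab}
    fqdn=${2:-$(hostname -f)}
    realm=${3:-AD.EXAMPLE.COM}
    keytab_has_principal "$(klist -k "$keytab")" "HTTP/$fqdn@$realm" &&
    keytab_private "$keytab" squid
}
```

Run check_squid_keytab on the proxy after Step 5; a non-zero exit means the helper will be unable to decrypt client service tickets or the keytab is readable by other local users.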


Step 7: Edit the /etc/squid/squid.conf File

The next step is to edit the /etc/squid/squid.conf file. This file contains the configuration settings for Squid. You need to add the following configuration entry to the top of /etc/squid/squid.conf to configure the negotiate_kerberos_auth helper utility:

auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/HTTP.keytab -s HTTP/proxy.ad.example.com@AD.EXAMPLE.COM

This command configures the negotiate_kerberos_auth helper utility with the path to the keytab file and the Kerberos principal that Squid uses.

Step 8: Configure Squid to Allow Only Authenticated Users

Next, add the following ACL and rule so that Squid allows only authenticated users to use the proxy:

acl kerb-auth proxy_auth REQUIRED
http_access allow kerb-auth

These settings should be specified before the http_access deny all rule.

Step 9: Disable Bypassing the Proxy Authentication

To enhance the security of your network, you should disable bypassing the proxy authentication from IP ranges specified in localnet ACLs. You can do this by removing the following rule:

http_access allow localnet

Step 10: Configure the Ports

By default, the configuration contains the http_access deny !Safe_ports rule, which denies access to any port that is not listed in the Safe_ports ACL. If users should also be able to use the HTTPS protocol on other ports, add an ACL for each of these ports:

acl SSL_ports port port_number

Update the list of acl Safe_ports rules to define the ports to which Squid may establish a connection. For example, to allow clients using the proxy to access resources only on port 21 (FTP), 80 (HTTP), and 443 (HTTPS), keep only the following acl Safe_ports statements in the configuration:

acl Safe_ports port 21
acl Safe_ports port 80
acl Safe_ports port 443

Step 11: Configure the Cache

Next, you need to configure the cache type, the path to the cache directory, the cache size, and further cache type-specific settings in the cache_dir parameter:

cache_dir ufs /var/spool/squid 10000 16 256

With these settings, Squid uses the ufs cache type, stores its cache in the /var/spool/squid/ directory, the cache grows up to 10000 MB, it creates 16 level-1 sub-directories in the /var/spool/squid/ directory, and creates 256 sub-directories in each level-1 directory.
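Squid evaluates http_access rules top to bottom and stops at the first match, so the settings from Steps 7 through 11 only protect the proxy if they are in the right order. The lint below is an added example, not part of the tutorial: it reads a squid.conf on stdin and reports the mistakes that silently leave the proxy open (kerb-auth rule placed after deny all, the localnet bypass left in place, auth_param after the proxy_auth ACL, or missing lines). The sample configs are constructed; the paths and principal are the tutorial's.

```shell
#!/bin/sh
# Added example (not from the tutorial): lint the Steps 7-11 settings.
# lint_squid_conf reads squid.conf on stdin, prints one line per problem
# and exits 1 if any were found. sample_conf emits constructed configs.
lint_squid_conf() {
    awk '
        { sub(/#.*/, ""); if (NF == 0) next }   # drop comments and blank lines
        $1 == "auth_param" && $2 == "negotiate" && $3 == "program" &&
            $4 ~ /negotiate_kerberos_auth$/ { helper = NR }
        $1 == "acl" && $2 == "kerb-auth" && $3 == "proxy_auth" { acl = NR }
        $1 == "http_access" && $2 == "allow" && $3 == "kerb-auth" { allow = NR }
        $1 == "http_access" && $2 == "deny" && $3 == "all" && !denyall { denyall = NR }
        $1 == "http_access" && $2 == "allow" && $3 == "localnet" { localnet = NR }
        $1 == "cache_dir" { cache = NR }
        END { bad = 0
            if (!helper) { print "missing auth_param negotiate program ... negotiate_kerberos_auth"; bad = 1 }
            if (!acl) { print "missing acl kerb-auth proxy_auth REQUIRED"; bad = 1 }
            if (helper && acl && helper > acl) { print "line " acl ": proxy_auth acl appears before its auth_param"; bad = 1 }
            if (!allow) { print "missing http_access allow kerb-auth"; bad = 1 }
            if (!denyall) { print "missing http_access deny all"; bad = 1 }
            if (allow && denyall && allow > denyall) { print "line " allow ": allow kerb-auth is after deny all and never matches"; bad = 1 }
            if (localnet) { print "line " localnet ": http_access allow localnet bypasses authentication"; bad = 1 }
            if (!cache) { print "missing cache_dir"; bad = 1 }
            exit bad
        }'
}

# Constructed samples: "good" follows Steps 7-11; "bad" keeps the default
# localnet bypass and puts the kerb-auth rule below deny all.
sample_conf() {
    if [ "$1" = good ]; then cat <<'EOF'
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/HTTP.keytab -s HTTP/proxy.ad.example.com@AD.EXAMPLE.COM
acl kerb-auth proxy_auth REQUIRED
http_access allow kerb-auth
http_access deny all
cache_dir ufs /var/spool/squid 10000 16 256
EOF
    else cat <<'EOF'
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/HTTP.keytab -s HTTP/proxy.ad.example.com@AD.EXAMPLE.COM
acl kerb-auth proxy_auth REQUIRED
http_access allow localnet
http_access deny all
http_access allow kerb-auth
cache_dir ufs /var/spool/squid 10000 16 256
EOF
    fi
}
```

On the proxy, run lint_squid_conf < /etc/squid/squid.conf before starting the service; squid -k parse only checks syntax, not rule order.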


Step 12: Open the 3128 Port in the Firewall

To allow traffic to pass through the proxy server, you need to open the 3128 port in the firewall. You can do this by running the following commands:

# firewall-cmd --permanent --add-port=3128/tcp
# firewall-cmd --reload

Step 13: Start and Enable the Squid Service

Finally, you need to start the squid service and enable it to start automatically when the system boots. You can do this by running the following commands:

# systemctl start squid
# systemctl enable squid

Commands Mentioned:

  • yum install squid krb5-workstation: This command installs the necessary packages for setting up Squid as a caching proxy with Kerberos authentication.
  • kinit administrator@AD.EXAMPLE.COM: This command authenticates you as the AD domain administrator.
  • export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab and net ads keytab CREATE -U administrator: These commands create a keytab for Squid and store it in the /etc/squid/HTTP.keytab file.
  • net ads keytab ADD HTTP -U administrator: This command adds the HTTP service principal to the keytab.
  • chown squid /etc/squid/HTTP.keytab: This command sets the owner of the keytab file to the squid user.
  • klist -k /etc/squid/HTTP.keytab: This command verifies that the keytab file contains the HTTP service principal for the fully-qualified domain name (FQDN) of the proxy server.

Conclusion

In this tutorial, we walked you through the process of setting up Squid as a caching proxy with Kerberos authentication on a Red Hat Enterprise Linux server. This configuration enhances the security of your network by ensuring that only authenticated users can use the proxy. It also improves your network’s performance by caching frequently accessed content.


We hope you found this guide helpful. If you have any questions or comments, please feel free to leave them below.

For more information on proxy servers and web servers, you can check out our articles on Squid Proxy Server, Proxy Sites, Web Servers, and Apache HTTP Server.

FAQ

  1. What is a keytab file and why is it necessary for Squid?

    A keytab file is a key table file that stores pairs of Kerberos principals and their secret keys. It lets Squid use its Kerberos service credentials without anyone entering a password, which is what allows the Squid service to start unattended at boot.

  2. Why do we need to open the 3128 port in the firewall?

    Port 3128 is the default port used by Squid for listening to incoming proxy requests. Opening this port in the firewall allows traffic to pass through the proxy server, enabling clients to connect to the internet through the Squid proxy.

  3. What is the role of the negotiate_kerberos_auth helper utility in Squid?

    The negotiate_kerberos_auth helper utility in Squid is used to authenticate users to an Active Directory using Kerberos. It verifies the Kerberos tickets presented by the clients and informs Squid whether the authentication was successful or not.

  4. What is the benefit of setting up Squid as a caching proxy?

    Setting up Squid as a caching proxy can significantly improve the performance of your network. It does this by storing frequently accessed web content and serving it to clients from the cache. This reduces bandwidth usage and speeds up web access for users.

  5. Can I use a different port for Squid instead of the default 3128?

    Yes, you can configure Squid to listen on a different port. This can be done by changing the ‘http_port’ directive in the Squid configuration file. However, you must also update your firewall rules and client configurations to use the new port.
