How to Setup Squid as a Caching Proxy with LDAP Authentication

How to Setup Squid as a Caching Proxy with LDAP Authentication

In web hosting, server administrators often face the challenge of managing network traffic efficiently. One solution to this problem is the use of a proxy server. A proxy server acts as an intermediary between clients seeking resources and the server providing those resources. This not only helps manage network traffic but also provides an additional layer of security.

One of the most popular proxy server software is Squid. Squid is a caching proxy that supports HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid also offers a variety of features such as LDAP authentication, which adds another layer of security by requiring users to authenticate before they can use the proxy.

In this tutorial, we will guide you through the process of setting up Squid as a caching proxy with LDAP authentication on a Red Hat Enterprise Linux server.

Step 1: Install the Squid Package

The first step in setting up Squid as a caching proxy with LDAP authentication is to install the Squid package. This can be done using the package manager of your Linux distribution.

# yum install squid

This command will install the Squid package on your server.

Step 2: Edit the Squid Configuration File

After installing Squid, the next step is to edit the Squid configuration file, which is located at /etc/squid/squid.conf.

# vi /etc/squid/squid.conf

This command will open the Squid configuration file in the vi text editor. If you prefer to use a different text editor, replace “vi” with the name of your preferred text editor.

Step 3: Configure the basic_ldap_auth Helper Utility

Squid uses helper utilities to handle authentication. For LDAP authentication, we will use the basic_ldap_auth helper utility. To configure this utility, add the following configuration entry to the top of /etc/squid/squid.conf:

auth_param basic program /usr/lib64/squid/basic_ldap_auth -b "cn=users,cn=accounts,dc=example,dc=com" -D "uid=proxy_user,cn=users,cn=accounts,dc=example,dc=com" -W /etc/squid/ldap_password -f "(&(objectClass=person)(uid=%s))" -ZZ -H ldap://ldap_server.example.com:389

This configuration entry tells Squid to use the basic_ldap_auth helperutility for LDAP authentication. The parameters passed to the basic_ldap_auth helper utility are explained below:

  • -b “cn=users,cn=accounts,dc=example,dc=com”: This sets the LDAP search base.
  • -D “uid=proxy_user,cn=users,cn=accounts,dc=example,dc=com”: This sets the distinguished name (DN) of the account Squid uses to search for the authenticating user in the directory.
  • -W /etc/squid/ldap_password: This sets the path to the file that contains the password of the proxy service user. Using a password file prevents the password from being visible in the operating system’s process list.
  • -f “(&(objectClass=person)(uid=%s))”: This specifies the LDAP search filter. Squid replaces the %s variable with the username provided by the authenticating user.
  • -ZZ: This enforces a TLS-encrypted connection over the LDAP protocol using the STARTTLS command. If your LDAP server does not support encrypted connections or if the port specified in the URL uses the LDAPS protocol, you can omit this parameter.
  • -H ldap://ldap_server.example.com:389: This specifies the protocol, hostname or IP address, and port of the LDAP server in URL format.
See also  How to Restrict Web Access By Time Using Squid Proxy Server on CentOS 6.2

Step 4: Configure Squid to Allow Only Authenticated Users

Next, we need to configure Squid to allow only authenticated users to use the proxy. This can be done by adding the following Access Control List (ACL) and rule to the Squid configuration file:

acl ldap-auth proxy_auth REQUIRED
http_access allow ldap-auth

These settings should be specified before the http_access deny all rule in the configuration file.

Step 5: Disable Bypassing of Proxy Authentication

By default, Squid allows bypassing of proxy authentication from IP ranges specified in localnet ACLs. To disable this, remove the following rule from the Squid configuration file:

http_access allow localnet

Step 6: Configure Ports for HTTPS Protocol

If users should be able to use the HTTPS protocol on ports other than 443, you need to add an ACL for each of these ports. For example, to add port 8443, you would add the following line to the Squid configuration file:

acl SSL_ports port 8443

Step 7: Configure Access to Safe Ports

Next, update the list of acl Safe_ports rules to configure which ports Squid can establish a connection to. For example, to configure that clients using the proxy can only access resources on ports 21 (FTP), 80 (HTTP), and 443 (HTTPS), keep only the following acl Safe_ports statements in the configuration:

acl Safe_ports port 21
acl Safe_ports port 80
acl Safe_ports port 443

By default, the configuration contains the http_access deny !Safe_ports rule that defines access denial to ports that are not defined in Safe_ports ACLs.

See also  How to Uninstall OpenLDAP on Ubuntu

Step 8: Configure the Cache

Squid uses a cache to store and quickly retrieve frequently-requested web pages. You can configure the cache type, the path to the cache directory, the cache size, and other cache-specific settings using the cache_dir parameter. For example:

cache_dir ufs /var/spool/squid 10000 16 256

With these settings:

  • Squid uses the ufs cache type.
  • Squid stores its cache in the /var/spool/squid/ directory.
  • The cache can grow up to 10,000 MB.
  • Squid creates 16 level-1 sub-directories in the /var/spool/squid/ directory.
  • Squid creates 256 sub-directories in each level-1 directory.

If you do not set a cache_dir directive, Squid stores the cache in memory. If you set a different cache directory than /var/spool/squid/ in the cache_dir parameter, you will need to create the cache directory and configure the appropriate permissions.

Step 9: Store the LDAP Service User Password

Next, store the password of the LDAP service user in the /etc/squid/ldap_password file and set appropriate permissions for the file:

# echo "password" > /etc/squid/ldap_password
# chown root:squid /etc/squid/ldap_password
# chmod 640 /etc/squid/ldap_password

Step 10: Open the Squid Port in the Firewall

By default, Squid listens on port 3128. You need to open this port in your firewall to allow incoming connections:

# firewall-cmd --permanent --add-port=3128/tcp
# firewall-cmd --reload

Step 11: Start and Enable the Squid Service

Finally, start the Squid service and enable it to start automatically when the system boots:

# systemctl start squid
# systemctl enable squid

Commands Mentioned:

  • yum install squid – This command installs the Squid package on your server.
  • vi /etc/squid/squid.conf – This command opens the Squid configuration file in the vi text editor.
  • echo “password” > /etc/squid/ldap_password – This command stores the password of the LDAP service user in the /etc/squid/ldap_password file.
  • chown root:squid /etc/squid/ldap_password – This command changes the ownership of the /etc/squid/ldap_password file to the root user and the squid group.
  • chmod 640 /etc/squid/ldap_password – This command sets the permissions of the /etc/squid/ldap_password file to 640 (read and write permissions for the owner, read permissions for the group, and no permissions for others).
  • firewall-cmd –permanent –add-port=3128/tcp – This command opens port 3128 in the firewall to allow incoming connections.
  • firewall-cmd –reload – This command reloads the firewall configuration to apply the changes.
  • systemctl start squid – This command starts the Squid service.
  • systemctl enable squid – This command enables the Squid service to start automatically when the system boots.
See also  How to Setup Squid Proxy Server on Google Cloud Platform (GCP)

Conclusion

Congratulations! You have successfully set up Squid as a caching proxy with LDAP authentication on a Red Hat Enterprise Linux server. This setup will help you manage your network traffic more efficiently and improve your server’s security.

Remember, whether you’re using a proxy server or a web server, understanding how to configure and manage your server is crucial for maintaining a secure and efficient network.

By following this guide, you will be able to enhance your server’s performance and security. Whether you’re using dedicated hosting, VPS hosting, or cloud hosting, this guide will be beneficial for you.

I hope you found this guide helpful. If you have any questions or comments, please feel free to leave them below.

FAQ

  1. What is Squid?

    Squid is a popular proxy server software. It is a caching proxy that supports HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid also offers a variety of features such as LDAP authentication, which adds another layer of security.

  2. What is LDAP authentication?

    LDAP (Lightweight Directory Access Protocol) authentication is a method of validating users based on their credentials stored in an LDAP server. It adds an extra layer of security by requiring users to authenticate before they can use the proxy.

  3. Why should I use a proxy server?

    A proxy server acts as an intermediary between clients seeking resources and the server providing those resources. This helps manage network traffic, provides an additional layer of security, and can improve server performance by caching frequently-requested web pages.

  4. What is the default port for Squid?

    By default, Squid listens on port 3128. However, this can be changed in the Squid configuration file.

  5. What types of hosting can benefit from using Squid?

    Whether you’re using dedicated hosting, VPS hosting, or cloud hosting, Squid can be beneficial. It helps manage network traffic, improves server performance, and adds an extra layer of security with features like LDAP authentication.

Comments

1 Comment

  • Avatar Asiye Bayrak says:

    Hi Dimitri. Thank you for your article. I cannot query manuelly with auth_param basic program /usr/lib64/squid/basic_ldap_auth…. on squid server successfully. But when try to use same credentials over we browsers proxy connection, it always give 407 TCP DENIED error.
    proxy port is open on firewall, i can telnet connection but LDAP authentication doesnt work. Could yo help me?

Leave a Reply

Your email address will not be published. Required fields are marked *