{"id":17259,"date":"2023-07-10T21:50:06","date_gmt":"2023-07-10T21:50:06","guid":{"rendered":"https:\/\/webhostinggeeks.com\/howto\/?p=17259"},"modified":"2023-07-04T22:15:25","modified_gmt":"2023-07-04T22:15:25","slug":"how-to-setup-squid-as-a-caching-proxy-with-kerberos-authentication","status":"publish","type":"post","link":"https:\/\/webhostinggeeks.com\/howto\/how-to-setup-squid-as-a-caching-proxy-with-kerberos-authentication\/","title":{"rendered":"How to Setup Squid as a Caching Proxy with Kerberos Authentication"},"content":{"rendered":"<p>Setting up a proxy server can be a complex task, especially when it involves authentication and caching. However, the benefits of having a proxy server in place are numerous. It can help improve your network&#8217;s performance, provide a layer of security, and even manage internet access for users. One of the most popular proxy server packages is Squid, which can be configured as a caching proxy that authenticates users to an Active Directory (AD) domain using Kerberos.<\/p>\n<p>In this tutorial, we will guide you through the process of setting up Squid as a caching proxy with Kerberos authentication on a Red Hat Enterprise Linux server. 
This configuration ensures that only authenticated users can use the proxy, enhancing the security of your network.<\/p>\n<p>Before we begin, it&#8217;s important to note that this tutorial assumes that the server on which you want to install Squid is a member of the <a href=\"https:\/\/ubuntu.com\/server\/docs\/samba-active-directory\" rel=\"noopener\" target=\"_blank\">AD domain<\/a>.<\/p>\n<p>By following this guide, you will be able to leverage the benefits of a <a href=\"https:\/\/webhostinggeeks.com\/best\/proxy-servers\/\">proxy server<\/a> and enhance the security and performance of your network.<\/p>\n<p>Let&#8217;s get started!<\/p>\n<h2>Step 1: Install the Required Packages<\/h2>\n<p>The first step in setting up Squid as a caching proxy with Kerberos authentication is to install the necessary packages. In this case, you will need to install the Squid and krb5-workstation packages. You can do this by running the following command:<\/p>\n<pre>\r\n# yum install squid krb5-workstation\r\n<\/pre>\n<h2>Step 2: Authenticate as the AD Domain Administrator<\/h2>\n<p>After installing the required packages, you need to authenticate as the AD domain administrator. You can do this by running the following command:<\/p>\n<pre>\r\n# kinit administrator@AD.EXAMPLE.COM\r\n<\/pre>\n<h2>Step 3: Create a Keytab for Squid<\/h2>\n<p>Next, you need to create a keytab for Squid and store it in the \/etc\/squid\/HTTP.keytab file. You can do this by running the following commands:<\/p>\n<pre>\r\n# export KRB5_KTNAME=FILE:\/etc\/squid\/HTTP.keytab\r\n# net ads keytab CREATE -U administrator\r\n<\/pre>\n<h2>Step 4: Add the HTTP Service Principal to the Keytab<\/h2>\n<p>After creating the keytab for Squid, you need to add the HTTP service principal to the keytab. 
You can do this by running the following command:<\/p>\n<pre>\r\n# net ads keytab ADD HTTP -U administrator\r\n<\/pre>\n<h2>Step 5: Set the Owner of the Keytab File to the Squid User<\/h2>\n<p>Next, you need to set the owner of the keytab file to the squid user. You can do this by running the following command:<\/p>\n<pre>\r\n# chown squid \/etc\/squid\/HTTP.keytab\r\n<\/pre>\n<h2>Step 6: Verify the Keytab File<\/h2>\n<p>Optionally, you can verify that the keytab file contains the HTTP service principal for the fully-qualified domain name (FQDN) of the proxy server. You can do this by running the following command:<\/p>\n<pre>\r\n# klist -k \/etc\/squid\/HTTP.keytab\r\n<\/pre>\n<p>The output should include the HTTP service principal for the FQDN of the proxy server.<\/p>\n<h2>Step 7: Edit the \/etc\/squid\/squid.conf File<\/h2>\n<p>The next step is to edit the \/etc\/squid\/squid.conf file. This file contains the configuration settings for Squid. You need to add the following configuration entry to the top of \/etc\/squid\/squid.conf to configure the negotiate_kerberos_auth helper utility:<\/p>\n<pre>\r\nauth_param negotiate program \/usr\/lib64\/squid\/negotiate_kerberos_auth -k \/etc\/squid\/HTTP.keytab -s HTTP\/proxy.ad.example.com@AD.EXAMPLE.COM\r\n<\/pre>\n<p>This entry configures the negotiate_kerberos_auth helper utility with the path to the keytab file and the Kerberos service principal that Squid uses.<\/p>\n<h2>Step 8: Configure Squid to Allow Only Authenticated Users<\/h2>\n<p>Next, you need to add the following ACL and rule so that Squid allows only authenticated users to use the proxy:<\/p>\n<pre>\r\nacl kerb-auth proxy_auth REQUIRED\r\nhttp_access allow kerb-auth\r\n<\/pre>\n<p>These settings must be specified before the http_access deny all rule.<\/p>\n<h2>Step 9: Disable Bypassing the Proxy Authentication<\/h2>\n<p>To enhance the security of your network, you should disable bypassing the proxy authentication from IP ranges specified in 
localnet ACLs. You can do this by removing the following rule:<\/p>\n<pre>\r\nhttp_access allow localnet\r\n<\/pre>\n<h2>Step 10: Configure the Ports<\/h2>\n<p>By default, the configuration contains the http_access deny !Safe_ports rule, which denies access to any port that is not listed in a Safe_ports ACL. If users should also be able to use the HTTPS protocol on other ports, add an ACL for each of those ports:<\/p>\n<pre>\r\nacl SSL_ports port port_number\r\n<\/pre>\n<p>Update the list of acl Safe_ports rules to control which ports Squid may connect to. For example, so that clients using the proxy can only access resources on port 21 (FTP), 80 (HTTP), and 443 (HTTPS), keep only the following acl Safe_ports statements in the configuration:<\/p>\n<pre>\r\nacl Safe_ports port 21\r\nacl Safe_ports port 80\r\nacl Safe_ports port 443\r\n<\/pre>\n<h2>Step 11: Configure the Cache<\/h2>\n<p>Next, you need to configure the cache type, the path to the cache directory, the cache size, and further cache type-specific settings in the cache_dir parameter:<\/p>\n<pre>\r\ncache_dir ufs \/var\/spool\/squid 10000 16 256\r\n<\/pre>\n<p>With these settings, Squid uses the ufs cache type, stores its cache in the \/var\/spool\/squid\/ directory, lets the cache grow up to 10000 MB, creates 16 level-1 sub-directories in the \/var\/spool\/squid\/ directory, and creates 256 sub-directories in each level-1 directory.<\/p>\n<h2>Step 12: Open Port 3128 in the Firewall<\/h2>\n<p>To allow traffic to pass through the proxy server, you need to open port 3128 in the firewall. You can do this by running the following commands:<\/p>\n<pre>\r\n# firewall-cmd --permanent --add-port=3128\/tcp\r\n# firewall-cmd --reload\r\n<\/pre>\n<h2>Step 13: Start and Enable the Squid Service<\/h2>\n<p>Finally, you need to start the squid service and enable it to start automatically when the system boots. 
You can do this by running the following commands:<\/p>\n<pre>\r\n# systemctl start squid\r\n# systemctl enable squid\r\n<\/pre>\n<h2>Commands Mentioned:<\/h2>\n<ul>\n<li><span class=\"fw-bold\">yum install squid krb5-workstation<\/span>: This command installs the necessary packages for setting up Squid as a caching proxy with Kerberos authentication.<\/li>\n<li><span class=\"fw-bold\">kinit administrator@AD.EXAMPLE.COM<\/span>: This command authenticates you as the AD domain administrator.<\/li>\n<li><span class=\"fw-bold\">export KRB5_KTNAME=FILE:\/etc\/squid\/HTTP.keytab<\/span> and <span class=\"fw-bold\">net ads keytab CREATE -U administrator<\/span>: These commands create a keytab for Squid and store it in the \/etc\/squid\/HTTP.keytab file.<\/li>\n<li><span class=\"fw-bold\">net ads keytab ADD HTTP -U administrator<\/span>: This command adds the HTTP service principal to the keytab.<\/li>\n<li><span class=\"fw-bold\">chown squid \/etc\/squid\/HTTP.keytab<\/span>: This command sets the owner of the keytab file to the squid user.<\/li>\n<li><span class=\"fw-bold\">klist -k \/etc\/squid\/HTTP.keytab<\/span>: This command verifies that the keytab file contains the HTTP service principal for the fully-qualified domain name (FQDN) of the proxy server.<\/li>\n<\/ul>\n<h2>Conclusion<\/h2>\n<p>In this tutorial, we walked you through the process of setting up Squid as a caching proxy with Kerberos authentication on a Red Hat Enterprise Linux server. This configuration enhances the security of your network by ensuring that only authenticated users can use the proxy. It also improves your network&#8217;s performance by caching frequently accessed content.<\/p>\n<p>We hope you found this guide helpful. 
If you have any questions or comments, please feel free to leave them below.<\/p>\n<p>For more information on proxy servers and web servers, you can check out our articles on <a href=\"https:\/\/webhostinggeeks.com\/blog\/squid-proxy-server-features-functions-benefits\/\">Squid Proxy Server<\/a>, <a href=\"https:\/\/webhostinggeeks.com\/best\/proxy-sites\/\">Proxy Sites<\/a>, <a href=\"https:\/\/webhostinggeeks.com\/best\/web-server\/\">Web Servers<\/a>, and <a href=\"https:\/\/webhostinggeeks.com\/blog\/apache-http-server-explained\/\">Apache HTTP Server<\/a>.<\/p>\n<h2>FAQ<\/h2>\n<ol itemscope itemtype=\"https:\/\/schema.org\/FAQPage\">\n<li itemscope itemprop=\"mainEntity\" itemtype=\"https:\/\/schema.org\/Question\">\n<p class=\"fw-bold\" itemprop=\"name\">What is a keytab file and why is it necessary for Squid?<\/p>\n<p itemprop=\"acceptedAnswer\" itemscope itemtype=\"https:\/\/schema.org\/Answer\">\n<span itemprop=\"text\">A keytab file is a key table file that stores pairs of Kerberos principals and encrypted keys. It is used by Squid to authenticate to the Kerberos Key Distribution Center (KDC) without the need for entering a password. This is crucial for the automatic startup of the Squid service.<\/span>\n<\/p>\n<\/li>\n<li itemscope itemprop=\"mainEntity\" itemtype=\"https:\/\/schema.org\/Question\">\n<p class=\"fw-bold\" itemprop=\"name\">Why do we need to open the 3128 port in the firewall?<\/p>\n<p itemprop=\"acceptedAnswer\" itemscope itemtype=\"https:\/\/schema.org\/Answer\">\n<span itemprop=\"text\">Port 3128 is the default port used by Squid for listening to incoming proxy requests. 
Opening this port in the firewall allows traffic to pass through the proxy server, enabling clients to connect to the internet through the Squid proxy.<\/span>\n<\/p>\n<\/li>\n<li itemscope itemprop=\"mainEntity\" itemtype=\"https:\/\/schema.org\/Question\">\n<p class=\"fw-bold\" itemprop=\"name\">What is the role of the negotiate_kerberos_auth helper utility in Squid?<\/p>\n<p itemprop=\"acceptedAnswer\" itemscope itemtype=\"https:\/\/schema.org\/Answer\">\n<span itemprop=\"text\">The negotiate_kerberos_auth helper utility in Squid is used to authenticate users to an Active Directory using Kerberos. It verifies the Kerberos tickets presented by the clients and informs Squid whether the authentication was successful or not.<\/span>\n<\/p>\n<\/li>\n<li itemscope itemprop=\"mainEntity\" itemtype=\"https:\/\/schema.org\/Question\">\n<p class=\"fw-bold\" itemprop=\"name\">What is the benefit of setting up Squid as a caching proxy?<\/p>\n<p itemprop=\"acceptedAnswer\" itemscope itemtype=\"https:\/\/schema.org\/Answer\">\n<span itemprop=\"text\">Setting up Squid as a caching proxy can significantly improve the performance of your network. It does this by storing frequently accessed web content and serving it to clients from the cache. This reduces bandwidth usage and speeds up web access for users.<\/span>\n<\/p>\n<\/li>\n<li itemscope itemprop=\"mainEntity\" itemtype=\"https:\/\/schema.org\/Question\">\n<p class=\"fw-bold\" itemprop=\"name\">Can I use a different port for Squid instead of the default 3128?<\/p>\n<p itemprop=\"acceptedAnswer\" itemscope itemtype=\"https:\/\/schema.org\/Answer\">\n<span itemprop=\"text\">Yes, you can configure Squid to listen on a different port. This can be done by changing the &#8216;http_port&#8217; directive in the Squid configuration file. 
However, you must also update your firewall rules and client configurations to use the new port.<\/span>\n<\/p>\n<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Setting up a proxy server can be a complex task, especially when it involves authentication and caching. However, the benefits of having a proxy server in place are numerous. It&#8230;<\/p>\n","protected":false},"author":6,"featured_media":17260,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"wds_primary_category":0,"footnotes":""},"categories":[1057],"tags":[2076,2089,2100,1678,1793],"class_list":["post-17259","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-squid-server","tag-cache","tag-configuration","tag-kerberos","tag-proxy","tag-squid"],"_links":{"self":[{"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/posts\/17259","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/comments?post=17259"}],"version-history":[{"count":0,"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/posts\/17259\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/media\/17260"}],"wp:attachment":[{"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/media?parent=17259"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/categories?post=17259"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/tags?post=17259"}],"curies":[{"name":"wp","href":"https:\/\/api
.w.org\/{rel}","templated":true}]}}