
Squid is a caching web proxy server that speeds up web access by caching repeated requests, caches web, DNS and other network lookups for a group of people sharing network resources, and aids security by filtering traffic.
This article provides a step-by-step approach to configuring Squid proxy server to allow internet access to a specific AD group using external_acl_type.
Topic
- Squid configuration to allow internet access to a specific AD group.
- How to configure Squid proxy to allow internet access to a specific AD group?
Squid access policy requirement
Squid must allow internet access to the prod_it group in the example.com domain and block internet access to all other users.
Prerequisites for Squid AD group access configuration
The external ACL below receives the %LOGIN of an already authenticated user, so Kerberos authentication must be working on the proxy first. Refer to the following article to enable Kerberos authentication on Squid proxy.
Squid AD group access configuration
Squid provides the external_acl_type access control list, which hands each lookup to an external wrapper script or program and caches the verdict; here that program is the ext_kerberos_ldap_group_acl helper shipped with Squid. Refer to the Squid official documentation on external_acl_type.
- Declare an external ACL named prod_users in squid.conf:
# the LDAP URL is passed with -l; the helper's -i option only enables informational messages (see its usage text below)
external_acl_type prod_users ttl=3600 negative_ttl=3600 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g prod_it -a -l ldaps://winkrb.example.com -u squid_svc -p password -D EXAMPLE.COM
- In the above directive, replace winkrb.example.com with your AD server FQDN, replace the prod_it group with your AD group name, replace the squid_svc account with a valid AD account, replace password with the valid password of the squid_svc account, and replace EXAMPLE.COM with your AD domain (Kerberos realm). The ttl and negative_ttl values cache each helper verdict for 3600 seconds, so a group membership change can take up to an hour to be noticed by Squid. Note that -a, as the helper's usage text states, allows SSL without certificate verification, and that the -p password sits in clear text in squid.conf.
Understand the syntax used with
external_acl_type
:
/usr/lib64/squid/ext_kerberos_ldap_group_acl: invalid option -- '-'
kerberos_ldap_group.cc(274): pid=21844 :2020/05/10 12:20:30| kerberos_ldap_group: WARNING: unknown option: -?.
Usage:
squid_kerb_ldap [-d] [-i] -g group list [-D domain] [-N netbios domain map] [-s] [-u ldap user] [-p ldap user password] [-l ldap url] [-b ldap bind path] [-a] [-m max depth] [-h]
-d full debug
-i informational messages
-g group list
-t group list (only group name hex UTF-8 format)
-T group list (all in hex UTF-8 format - except seperator @)
-D default domain
-N netbios to dns domain map
-S ldap server to dns domain map
-u ldap user
-p ldap user password
-l ldap url
-b ldap bind path
-s use SSL encryption with Kerberos authentication
-a allow SSL without cert verification
-m maximal depth for recursive searches
-h help
The ldap url, ldap user and ldap user password details are only used if the kerberised
access fails(e.g. unknown domain) or if the username does not contain a domain part
and no default domain is provided.
If the ldap url starts with ldaps:// it is either start_tls or simple SSL
The group list can be:
group - In this case group can be used for all keberised and non kerberised ldap servers
group@ - In this case group can be used for all keberised ldap servers
group@domain - In this case group can be used for ldap servers of domain domain
group1@domain1:group2@domain2:group3@:group4 - A list is build with a colon as seperator
Group membership is determined with AD servers through the users memberof attribute which
is followed to the top (e.g. if the group is a member of a group)
Group membership is determined with non AD servers through the users memberuid (assuming
PosixGroup) or primary group membership (assuming PosixAccount)
The ldap server list can be:
server - In this case server can be used for all Kerberos domains
server@ - In this case server can be used for all Kerberos domains
server@domain - In this case server can be used for Kerberos domain domain
server1a@domain1:server1b@domain1:server2@domain2:server3@:server4 - A list is build with a colon as seperator
- Now create an internal ACL that maps to the external ACL:
acl ad_group external prod_users
- Define the access allow/deny policy (http_access rules are evaluated top to bottom and the first match wins, so the allow must come before the deny):
http_access allow ad_group
http_access deny all
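To make the external_acl_type mechanism concrete, here is an added example helper written for this article (not Squid's code and not ext_kerberos_ldap_group_acl itself) that implements the same stdin/stdout protocol Squid uses with the helper declared above: one %LOGIN value per line in, OK or ERR per line out. The AD lookup is replaced by a constructed in-memory table (FAKE_DIRECTORY), and the function names, the --concurrent flag and the sample users are assumptions made for the demonstration; only the -g and -D options mirror the real helper's interface.

```python
#!/usr/bin/env python3
"""Minimal Squid external ACL helper (added example, not Squid's own code).

It speaks the stdin/stdout protocol that ext_kerberos_ldap_group_acl speaks
when declared with external_acl_type ... %LOGIN: Squid writes one line per
lookup and expects "OK" or "ERR" (or "BH" for a helper failure) back.  The
AD/LDAP query is replaced by a constructed in-memory table so the script
runs offline.
"""
import argparse
import sys
from urllib.parse import unquote

# Constructed stand-in for the directory: login -> group names.  The real
# helper resolves this through Kerberos/LDAP using the memberOf attribute.
FAKE_DIRECTORY = {
    "alice@EXAMPLE.COM": {"prod_it", "Domain Users"},
    "bob@EXAMPLE.COM": {"Domain Users"},
    "carol@EXAMPLE.COM": {"prod_it"},
}


def normalize_login(login, default_domain="EXAMPLE.COM"):
    """Canonicalise the %LOGIN value to user@REALM.

    Squid URL-encodes helper values (quote=url, the default), so decode first.
    Accepts user@realm, DOMAIN\\user or a bare user name; a bare name gets
    default_domain appended, which is what the real helper's -D option does.
    """
    login = unquote(login)
    if "@" in login:
        user, realm = login.rsplit("@", 1)
    elif "\\" in login:
        realm, user = login.split("\\", 1)
    else:
        user, realm = login, default_domain
    return f"{user.lower()}@{realm.upper()}"


def is_member(login, required_group, directory=FAKE_DIRECTORY,
              default_domain="EXAMPLE.COM"):
    """True when the login belongs to required_group (case-insensitive)."""
    groups = directory.get(normalize_login(login, default_domain), set())
    return required_group.lower() in {g.lower() for g in groups}


def handle_line(line, required_group, directory=FAKE_DIRECTORY,
                default_domain="EXAMPLE.COM", concurrent=False):
    """Build the reply for one request line from Squid.

    Without a concurrency= option the line is just the %LOGIN value.  With
    concurrency=N Squid prefixes a channel id that must be echoed back
    unchanged so it can match the reply to the pending request.
    """
    line = line.rstrip("\r\n")
    prefix = ""
    if concurrent:
        channel, _, line = line.partition(" ")
        prefix = channel + " "
    if not line:
        # Malformed request: report a broken-helper condition rather than
        # guessing a verdict.
        return prefix + "BH message=missing-login"
    verdict = "OK" if is_member(line, required_group, directory,
                                default_domain) else "ERR"
    return prefix + verdict


def main(argv=None):
    parser = argparse.ArgumentParser(description="toy Squid group ACL helper")
    parser.add_argument("-g", dest="group", required=True,
                        help="group the user must be a member of")
    parser.add_argument("-D", dest="domain", default="EXAMPLE.COM",
                        help="default realm for logins without a domain part")
    parser.add_argument("--concurrent", action="store_true",
                        help="expect a channel id (external_acl_type concurrency=N)")
    args = parser.parse_args(argv)
    for line in sys.stdin:
        sys.stdout.write(handle_line(line, args.group,
                                     default_domain=args.domain,
                                     concurrent=args.concurrent) + "\n")
        # Squid waits for each reply; an unflushed buffer stalls every lookup.
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Run it the way you would sanity-check the real helper outside Squid: pipe a login into it, for example `echo 'alice@EXAMPLE.COM' | ./group_acl.py -g prod_it -D EXAMPLE.COM`, and expect OK or ERR on stdout; the same pipe against /usr/lib64/squid/ext_kerberos_ldap_group_acl with the options from the squid.conf line confirms the AD lookup before you reload Squid. Two points the toy version makes explicit: every reply must be flushed, or Squid's lookups hang, and a malformed request is answered with BH rather than a guessed verdict, so a broken helper is reported instead of quietly allowing or denying traffic.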