Squid configuration to allow internet access to specific AD group

Squid Kerberos Authentication

Squid is a caching web proxy server. It speeds up web access by caching repeated requests, caches web, DNS and other network lookups for a group of people sharing network resources, and aids security by filtering traffic.

This article provides a step-by-step approach to configuring a Squid proxy server to allow internet access to a specific AD group using external_acl_type.


Topic

  • Squid configuration to allow internet access to specific AD group.
  • How to configure Squid proxy to allow internet access to specific AD group?


Squid access policy requirement

Squid must allow internet access to the prod_it group in the example.com domain and block internet access to all other users.

Prerequisites for Squid AD group access configuration

Refer to the following article to enable Kerberos authentication on Squid proxy.

Squid AD group access configuration

Squid provides the external_acl_type access control list, which hands each decision to a wrapper script or program (an external helper). Refer to the official Squid documentation on external_acl_type.

  • Declare an external ACL named prod_users.

    external_acl_type prod_users ttl=3600 negative_ttl=3600 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g prod_it -a -i -l ldaps://winkrb.example.com -u squid_svc -p password -D EXAMPLE.COM

  • In the above line, replace winkrb.example.com with your AD server FQDN, prod_it with your AD group name, squid_svc with a valid AD account, password with that account's password, and EXAMPLE.COM with your AD domain.

  • Understand the options of the helper used with external_acl_type (usage output of ext_kerberos_ldap_group_acl):

/usr/lib64/squid/ext_kerberos_ldap_group_acl: invalid option -- '-'
kerberos_ldap_group.cc(274): pid=21844 :2020/05/10 12:20:30| kerberos_ldap_group: WARNING: unknown option: -?.
Usage: 
squid_kerb_ldap [-d] [-i] -g group list [-D domain] [-N netbios domain map] [-s] [-u ldap user] [-p ldap user password] [-l ldap url] [-b ldap bind path] [-a] [-m max depth] [-h]
-d full debug
-i informational messages
-g group list
-t group list (only group name hex UTF-8 format)
-T group list (all in hex UTF-8 format - except seperator @)
-D default domain
-N netbios to dns domain map
-S ldap server to dns domain map
-u ldap user
-p ldap user password
-l ldap url
-b ldap bind path
-s use SSL encryption with Kerberos authentication
-a allow SSL without cert verification
-m maximal depth for recursive searches
-h help
The ldap url, ldap user and ldap user password details are only used if the kerberised
access fails(e.g. unknown domain) or if the username does not contain a domain part
and no default domain is provided.
If the ldap url starts with ldaps:// it is either start_tls or simple SSL
The group list can be:
group   - In this case group can be used for all keberised and non kerberised ldap servers
group@  - In this case group can be used for all keberised ldap servers
group@domain  - In this case group can be used for ldap servers of domain domain
group1@domain1:group2@domain2:group3@:group4  - A list is build with a colon as seperator
Group membership is determined with AD servers through the users memberof attribute which
is followed to the top (e.g. if the group is a member of a group)
Group membership is determined with non AD servers through the users memberuid (assuming
PosixGroup) or primary group membership (assuming PosixAccount)
The ldap server list can be:
server - In this case server can be used for all Kerberos domains
server@  - In this case server can be used for all Kerberos domains
server@domain  - In this case server can be used for Kerberos domain domain
server1a@domain1:server1b@domain1:server2@domain2:server3@:server4 - A list is build with a colon as seperator


  • Now create an internal ACL that maps to the external ACL:

    acl ad_group external prod_users

  • Define the access allow/deny policy:

    http_access allow ad_group
    http_access deny all
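As an added illustration (not the page's or Squid's code), the block below models the protocol Squid speaks to an external_acl_type helper such as ext_kerberos_ldap_group_acl: one %LOGIN value per line on stdin, one OK or ERR reply per line on stdout, using the -g group-list syntax from the usage text above. The AD lookup is replaced by a constructed in-memory table, and the user names, realms and the message= text are assumptions.

```python
import sys
from urllib.parse import unquote

# Constructed stand-in for AD group membership: realm -> user -> groups.
# The real helper resolves this over LDAP (memberOf) with Kerberos credentials.
DIRECTORY = {
    "EXAMPLE.COM": {"alice": {"prod_it", "Domain Users"}, "bob": {"Domain Users"}},
    "CORP.EXAMPLE.COM": {"carol": {"prod_it"}},
}

def parse_group_list(spec):
    """Split the -g value 'group1@domain1:group2@:group3' into (group, domain)
    pairs; plain 'group' and 'group@' apply to every realm (domain None)."""
    pairs = []
    for item in spec.split(":"):
        group, _, domain = item.partition("@")
        pairs.append((group.lower(), domain.upper() or None))
    return pairs

def decide(login, groups, default_domain=None):
    """Reply for one %LOGIN value, e.g. 'alice@EXAMPLE.COM'. Squid may URL-quote
    the field, so it is unquoted first; a missing realm falls back to -D."""
    user, _, realm = unquote(login.strip()).partition("@")
    realm = realm.upper() or (default_domain or "").upper()
    if not user or not realm:
        return "ERR message=no_domain"   # the failure the usage text warns about
    members = {g.lower() for g in DIRECTORY.get(realm, {}).get(user.lower(), set())}
    for group, domain in groups:
        if domain in (None, realm) and group in members:
            return f"OK user={user}"     # keyword reply; Squid logs it as the user
    return "ERR"

def handle_lines(lines, spec="prod_it", default_domain=None):
    """Process a batch of request lines the way the helper loop would."""
    groups = parse_group_list(spec)
    return [decide(line, groups, default_domain) for line in lines if line.strip()]

if __name__ == "__main__":
    # Squid drives the helper one line at a time; flush each reply or it waits forever.
    groups = parse_group_list(sys.argv[1] if len(sys.argv) > 1 else "prod_it")
    default = sys.argv[2] if len(sys.argv) > 2 else None
    for line in sys.stdin:
        sys.stdout.write(decide(line, groups, default) + "\n")
        sys.stdout.flush()
```

Two points on the page's own helper line worth checking in review: -a disables certificate verification on the ldaps:// fallback, and -p places the bind password on the command line, where any local user can read it from the process list, so squid_svc should be a dedicated low-privilege account.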


About the Author: TekFik

TekFik is a technical blogging site that helps techies and engineers solve their day-to-day issues and allows everyone to share knowledge and feedback. Please feel free to contact us at tekfik.rd@gmail.com if there is anything.
