Squid is a caching web proxy that serves a wide variety of uses, including speeding up a web server by caching repeated requests, caching web, DNS and other network lookups for a group of people sharing network resources, and aiding security by filtering traffic. This article provides a step-by-step approach to configuring a Squid server to support Kerberos authentication.
AD Domain: example.com
Squid server name: proxysrv.example.com
Make sure the Squid server has a valid FQDN, which must resolve using
All client systems must be joined to the AD domain in order to access the internet through
Create an HTTP host principal on the Windows AD system; it will be used for Kerberos authentication. The steps to create an HTTP service principal are described separately.
Once the keytab is created, transfer the keytab file to the Linux Squid system. In our case, we'll store the keytab file in
The content of the keytab should look like the following (the KVNO shown here is just the one in this example):

```
# ktutil
ktutil: rkt /etc/squid/krb/proxysrv.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1   16 HTTP/proxysrv.example.com@EXAMPLE.COM
```
Squid Kerberos Configuration
Add the following configuration in
```
# visible_hostname must be the FQDN clients use; the SPN given with -s must match it
visible_hostname proxysrv.example.com
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/krb/proxysrv.keytab -d -s HTTP/proxysrv.example.com@EXAMPLE.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on
```
The options above have the following meanings (this is the helper's own usage text; squid_kerb_auth is the older name under which the negotiate_kerberos_auth helper shipped in earlier Squid releases):

```
squid_kerb_auth [-d] [-i] [-s SPN] [-k keytab] [-c rcdir] [-t rctype]
-d full debug
-i informational messages
-r remove realm from username
-s service principal name
-k keytab name
-c replay cache directory
-t replay cache type
The SPN can be set to GSS_C_NO_NAME to allow any entry from keytab
default SPN is HTTP/fqdn@DEFAULT_REALM
```
Define an ACL for AD (Kerberos) authentication in the squid.conf file. The ACL used here is:

```
acl kerb proxy_auth REQUIRED
```
Now restrict internet access to Kerberos-authenticated users only by adding the following configuration in
Squid evaluates http_access rules top-down and stops at the first match, so the allow rule for the Kerberos ACL must come before the final deny all.
```
http_access allow kerb   ## Allow AD auth to kerberos users
http_access deny all     ## Deny all other users
```
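The points above are easy to get subtly wrong (an SPN whose host part does not match the FQDN clients use, or a deny all that lands before the allow rule). The following Python script is an added example, not code from the article or from Squid: it parses a squid.conf fragment (a constructed copy of the article's settings, plus a constructed broken variant) and reports the configuration mistakes the article's steps are meant to avoid. The check logic and the finding messages are this example's own.

```python
"""Sanity checks for a Squid negotiate/Kerberos configuration fragment.

Added example (not from the article or Squid). It checks that:
  * the negotiate helper is configured with a keytab (-k),
  * if an SPN (-s) is given, its host part matches visible_hostname,
  * an ACL of type proxy_auth exists,
  * http_access allows that ACL before the final "deny all"
    (Squid stops at the first matching http_access rule).
"""
import re
import shlex

# Constructed sample mirroring the article's configuration, one directive per line.
SAMPLE_CONF = """\
visible_hostname proxysrv.example.com
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/krb/proxysrv.keytab -d -s HTTP/proxysrv.example.com@EXAMPLE.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl kerb proxy_auth REQUIRED
http_access allow kerb   ## Allow AD auth to kerberos users
http_access deny all     ## Deny all other users
"""

# Constructed broken variant: wrong SPN host and deny all before the allow rule.
BROKEN_CONF = """\
visible_hostname proxysrv.example.com
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/krb/proxysrv.keytab -s HTTP/proxy.example.com@EXAMPLE.COM
acl kerb proxy_auth REQUIRED
http_access deny all
http_access allow kerb
"""


def parse_conf(text):
    """Return (directive, args) tuples; '#' starts a comment, blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            entries.append((parts[0], parts[1:]))
    return entries


def helper_options(args):
    """Pull -k (keytab) and -s (SPN) out of 'auth_param negotiate program <path> ...'."""
    opts = {"program": args[2]}
    i = 3
    while i < len(args):
        if args[i] in ("-k", "-s") and i + 1 < len(args):
            opts[args[i]] = args[i + 1]
            i += 2
        else:
            i += 1  # flags that take no value, e.g. -d or -r
    return opts


def check_kerberos_conf(text):
    """Return a list of findings; an empty list means the fragment passes."""
    findings = []
    hostname, helper, auth_acls, access_rules = None, None, set(), []
    for directive, args in parse_conf(text):
        if directive == "visible_hostname" and args:
            hostname = args[0]
        elif directive == "auth_param" and args[:2] == ["negotiate", "program"] and len(args) > 2:
            helper = helper_options(args)
        elif directive == "acl" and len(args) >= 3 and args[1] == "proxy_auth":
            auth_acls.add(args[0])
        elif directive == "http_access":
            access_rules.append(args)

    if helper is None:
        findings.append("no 'auth_param negotiate program' line: Kerberos helper not configured")
    else:
        if "-k" not in helper:
            findings.append("negotiate helper has no -k <keytab>; the default krb5 keytab would be used")
        spn = helper.get("-s")
        if spn and spn != "GSS_C_NO_NAME":
            m = re.fullmatch(r"HTTP/([^@/]+)@(.+)", spn)
            if not m:
                findings.append(f"SPN {spn!r} is not of the form HTTP/fqdn@REALM")
            elif hostname and m.group(1).lower() != hostname.lower():
                findings.append(f"SPN host {m.group(1)!r} differs from visible_hostname {hostname!r}; "
                                "clients using the FQDN will request a ticket for a different service")

    if not auth_acls:
        findings.append("no 'acl <name> proxy_auth ...' line: nothing requires authentication")

    # http_access is evaluated top-down, first match wins.
    allow_idx = [i for i, r in enumerate(access_rules)
                 if r[:1] == ["allow"] and any(a in auth_acls for a in r[1:])]
    deny_all_idx = [i for i, r in enumerate(access_rules) if r[:2] == ["deny", "all"]]
    if not allow_idx:
        findings.append("no 'http_access allow <auth acl>' rule")
    if not deny_all_idx:
        findings.append("no 'http_access deny all': unauthenticated clients are not explicitly denied")
    elif allow_idx and min(allow_idx) > min(deny_all_idx):
        findings.append("'http_access deny all' precedes the allow rule; first match wins, so every client is denied")
    return findings


if __name__ == "__main__":
    for name, conf in (("article", SAMPLE_CONF), ("broken", BROKEN_CONF)):
        print(name, "->", check_kerberos_conf(conf) or "OK")
```

Run it against your own squid.conf by reading the file into check_kerberos_conf; the article's configuration produces no findings, while the broken variant reports both the SPN mismatch and the rule ordering problem.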
Squid Kerberos Authentication testing
In the web browser's proxy settings, enter the proxy server's FQDN in the server field instead of the proxy server's IP address. Kerberos derives the service principal name from the host name the client connects to, so an IP address would not match HTTP/proxysrv.example.com.
Make sure the client system has been joined to the AD domain and has a valid Kerberos ticket. This ticket will be used for Kerberos authentication.
Now access the internet from the client and check the /var/log/squid/cache.log file to view the authentication logs. You can also debug Squid with the following configuration in
```
## Squid debug
debug_options ALL,3
```
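Besides cache.log, the request log shows which clients actually complete Kerberos authentication. The following Python script is an added example, not code from the article or from Squid: it reads access.log lines in Squid's default native format (timestamp, elapsed, client, action/status, bytes, method, URL, user, hierarchy/peer, type), assumes negotiate_kerberos_auth records users as principal@REALM (no -r option), and summarises per client how many 407 Negotiate challenges it received and how many requests it made with an authenticated user. A 407 on a new connection is normal; a client that only ever receives 407s is the one to look at (not domain-joined, no ticket, proxy reached by IP instead of FQDN, clock skew). The log lines are constructed for this example.

```python
"""Summarise Kerberos (negotiate) authentication outcomes from Squid's access.log.

Added example, not from the article or from Squid. Assumes the default native
access.log format and users logged as principal@REALM.
"""
from collections import defaultdict

# Constructed sample log lines (not from a real proxy).
SAMPLE_LOG = """\
1700000000.101    12 10.0.0.5 TCP_DENIED/407 3966 GET http://www.example.org/ - HIER_NONE/- text/html
1700000000.302   210 10.0.0.5 TCP_MISS/200 5123 GET http://www.example.org/ alice@EXAMPLE.COM HIER_DIRECT/93.184.216.34 text/html
1700000000.450    11 10.0.0.9 TCP_DENIED/407 3966 GET http://www.example.org/ - HIER_NONE/- text/html
1700000000.470    10 10.0.0.9 TCP_DENIED/407 3966 GET http://www.example.org/ - HIER_NONE/- text/html
1700000000.490    10 10.0.0.9 TCP_DENIED/407 3966 GET http://www.example.org/ - HIER_NONE/- text/html
1700000000.600    44 10.0.0.5 TCP_HIT/200 2211 GET http://www.example.org/logo.png alice@EXAMPLE.COM HIER_NONE/- image/png
1700000000.700   150 10.0.0.7 TCP_MISS/200 7000 GET http://intranet.example.com/ bob@EXAMPLE.COM HIER_DIRECT/10.1.1.1 text/html
"""


def parse_access_line(line):
    """Return client, HTTP status and user (None when '-') from one native-format line."""
    fields = line.split()
    if len(fields) < 10:
        return None  # malformed or non-native format line
    _action, _, status = fields[3].partition("/")
    if not status.isdigit():
        return None
    return {
        "client": fields[2],
        "status": int(status),
        "user": None if fields[7] == "-" else fields[7],
    }


def summarise(log_text):
    """Per client: number of 407 challenges, authenticated requests, and user names seen."""
    per_client = defaultdict(lambda: {"challenges": 0, "authenticated": 0, "users": set()})
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec is None:
            continue
        entry = per_client[rec["client"]]
        if rec["status"] == 407:
            entry["challenges"] += 1   # Negotiate challenge, expected once per new connection
        elif rec["user"]:
            entry["authenticated"] += 1
            entry["users"].add(rec["user"])
    return dict(per_client)


def never_authenticated(summary):
    """Clients that were challenged but never completed Kerberos authentication."""
    return sorted(c for c, e in summary.items() if e["challenges"] and not e["authenticated"])


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    for client, entry in sorted(summary.items()):
        print(f"{client}: {entry['challenges']} challenges, "
              f"{entry['authenticated']} authenticated, users={sorted(entry['users'])}")
    print("never authenticated:", never_authenticated(summary))
```

Pipe a real /var/log/squid/access.log into summarise to find clients stuck in the challenge loop; in the sample, 10.0.0.9 receives three 407s and never presents a ticket, while 10.0.0.5 and 10.0.0.7 authenticate as alice and bob.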