Squid Proxy integration with FreeIPA authenticated users (With Kerberos/Single Sign On)

I have also posted this article on the FreeIPA.org project wiki which is linked here

Before I start, I would like to give a great deal of thanks to Mallapadi Niranjan at Red Hat for assisting me with the troubleshooting of this setup. Without his help, I would not have been able to provide this level of detail in this document.
The below details will walk you through how to add a Red Hat Enterprise Linux 6.2 system to an IPA domain, and then configure Squid to allow single sign on web caching.

Details of this example are as follows:

  1. Domain name: example.com
  2. IPA Server: ds01.example.com
  3. Squid Server: squid01.example.com
  4. IPA Client: workstation01.example.com
  5. IPA User: user1

Add the system to the IPA domain (ensure DNS is working correctly, otherwise this step will fail)

# ipa-client-install -U -p admin -w mysecretpassword

Install Squid and set the service to start on boot

# yum install squid
# chkconfig squid on

Edit /etc/squid/squid.conf to configure Kerberos authentication

Add the below lines to the top of /etc/squid/squid.conf:

auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -d -s HTTP/squid01.example.com
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl auth proxy_auth REQUIRED

Change the below text:

http_access allow localnet
http_access allow localhost

And finally deny all other access to this proxy

http_access deny all

to look like this:

http_access allow localnet
http_access allow localhost
http_access deny !auth
http_access allow auth

And finally deny all other access to this proxy

http_access deny all

Generate a Kerberos keytab for Squid HTTP access

On the IPA server run:

# kinit admin
Password for admin@EXAMPLE.COM:
# ipa service-add HTTP/squid01.example.com

If successful, you will see the below output:

----------------------------------------------------
Added service "HTTP/squid01.example.com@EXAMPLE.COM"
----------------------------------------------------
  Principal: HTTP/squid01.example.com@EXAMPLE.COM
  Managed by: squid01.example.com

On the Squid server run:

# ipa-getkeytab -s ds01.example.com -p HTTP/squid01.example.com -k /etc/squid/krb5.keytab

If successful, you will see the below output:

Keytab successfully retrieved and stored in: /etc/squid/krb5.keytab

Change the permissions of the keytab to allow Squid to read the file. (Note: the keytab holds the service's long-term key, so keep it secure and grant only the privileges that are absolutely necessary.)

# chown root:squid /etc/squid/krb5.keytab
# chmod 640 /etc/squid/krb5.keytab

Load the Kerberos keytab into Squid's startup environment.

Add the below lines to the end of the /etc/sysconfig/squid file:

KRB5_KTNAME=/etc/squid/krb5.keytab
export KRB5_KTNAME

Restart Squid

# service squid restart
Stopping squid: ................                           [  OK  ]
Starting squid: .                                          [  OK  ]

Open port 3128 in iptables

# iptables -I INPUT -p tcp --dport 3128 -j ACCEPT
# service iptables save

Configure the browser on the IPA client

  1. Log into a desktop environment on your IPA client with an IPA user account. (My tests involved using RHEL with the GNOME desktop.)
  2. Launch Firefox, and open the Firefox preferences.
  3. Select Advanced and click the Network tab.
  4. Click Settings.
  5. Select the “Manual proxy configuration” radio button.
  6. In the HTTP Proxy: field, enter squid01.example.com, and enter 3128 in the Port field.
  7. Check the tickbox that says “Use this proxy server for all protocols”.
  8. Click OK, then click Close.

Verify your configuration

On the Squid server, tail the Squid access log:

# tail -f /var/log/squid/access.log

On the IPA client, browse to a website (I went to www.redhat.com).

Watch the log entries on your server appear as the web request is made.

If everything is working as expected, you will see messages similar to the below.

1328722977.370     31 192.168.122.91 TCP_MISS/200 34444 GET http://www.redhat.com/rhecm/rest-rhecm/jcr/repository/collaboration/jcr:system/jcr:versionStorage/5337fdf20a0526027ecb0b4331b2b334/2/jcr:frozenNode/rh:homepageBground user1@EXAMPLE.COM DIRECT/2.19.215.214 image/png
1328722979.315      7 192.168.122.91 TCP_REFRESH_UNMODIFIED/304 546 GET whitedot.png user1@EXAMPLE.COM DIRECT/2.19.215.214 image/png
1328722984.326     18 192.168.122.91 TCP_MISS/200 34444 GET http://www.redhat.com/rhecm/rest-rhecm/jcr/repository/collaboration/jcr:system/jcr:versionStorage/5337fdf20a0526027ecb0b4331b2b334/2/jcr:frozenNode/rh:homepageBground user1@EXAMPLE.COM DIRECT/2.19.215.214 image/png

Note that the requests show up in the logs as user1@EXAMPLE.COM (my IPA test user), which confirms that the Negotiate authenticator is mapping each request to its Kerberos principal.
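To make that check repeatable, here is a small added example (not part of the original post) that parses Squid's native access.log format as shown above, counts requests per authenticated principal, and flags entries whose user field is "-" (no ticket presented) or whose principal is outside the expected realm. The log lines it runs on are constructed for the example; the realm EXAMPLE.COM is taken from this walkthrough.

```python
import re
from collections import Counter

# Squid native access.log format, as produced by the configuration in this article:
# timestamp elapsed client code/status bytes method URL user hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample: two authenticated requests and one request that carried
# no Kerberos principal. A single TCP_DENIED/407 is also what the Negotiate
# challenge itself looks like; repeated 407s from one client with no following
# 200 are the sign of a client that cannot obtain or present a ticket.
SAMPLE_LOG = """\
1328722977.370     31 192.168.122.91 TCP_MISS/200 34444 GET http://www.redhat.com/ user1@EXAMPLE.COM DIRECT/2.19.215.214 image/png
1328722984.326     18 192.168.122.91 TCP_MISS/200 34444 GET http://www.redhat.com/ user1@EXAMPLE.COM DIRECT/2.19.215.214 image/png
1328722990.101      0 192.168.122.95 TCP_DENIED/407 3553 GET http://www.redhat.com/ - HIER_NONE/- text/html
"""


def parse_line(line):
    """Return the fields of one native-format log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text, realm="EXAMPLE.COM"):
    """Count requests per authenticated principal; collect unauthenticated entries
    (user field '-') and principals that are not in the expected IPA realm."""
    per_user = Counter()
    unauthenticated = []
    foreign_realm = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in native format (e.g. truncated)
        user = rec["user"]
        if user == "-":
            unauthenticated.append((rec["client"], rec["code"], rec["status"]))
        elif not user.endswith("@" + realm):
            foreign_realm.append(user)
        else:
            per_user[user] += 1
    return {"per_user": dict(per_user),
            "unauthenticated": unauthenticated,
            "foreign_realm": foreign_realm}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

To run it against the live log, read /var/log/squid/access.log into `summarize` instead of SAMPLE_LOG.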
