[squid-users] Squid will not authenticate NTLM/Kerberos when behind a haproxy load balancer
Samuel Anderson
sam at idsdoc.com
Fri Mar 20 01:01:46 UTC 2015
Hello All,
I have two Squid servers that authenticate correctly when the browser is pointed
directly at either of them. I'm using negotiate_wrapper. I set it up
following this (
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
)
I would like to put both servers behind a haproxy load balancer; however,
when clients go through the haproxy load balancer, authentication no longer
works. The browser just keeps getting an error asking it to authenticate.
Any ideas?
Thanks in advance.
##HAPROXY.CFG##
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
user haproxy
group haproxy
daemon
defaults
log global
mode http
option httplog
option dontlognull
# NOTE(review): contimeout/clitimeout/srvtimeout are the legacy spellings of
# "timeout connect/client/server"; harmless if this haproxy still accepts them.
contimeout 5000
clitimeout 50000
srvtimeout 50000
# reverse proxy-squid
# Front end that clients configure as their proxy; both squids behind it.
listen proxy 10.10.0.254:3128
mode http
# NOTE(review): browsers do not send cookies to a forward proxy, so this
# cookie-based persistence presumably never takes effect here - verify by
# checking whether SERVERID ever appears in the haproxy log.
cookie SERVERID insert indirect nocache
# Without working persistence, consecutive requests from one client can land
# on different squids; NTLM (and Negotiate falling back to NTLM) completes its
# challenge/response over one connection to one server, so that likely breaks
# the handshake the poster describes - confirm with the squid access logs.
balance roundrobin
# NOTE(review): "httpclose" ends the client connection after every request.
# NTLM ties its authentication state to the TCP connection, so this option is
# the most likely cause of the repeated 407s; a keep-alive mode (and a sticky
# balance such as "source") is what connection-oriented auth expects - confirm.
option httpclose
# Sends the client's address to squid in an X-Client header (not the usual
# X-Forwarded-For name); squid only sees it if told which header to trust.
option forwardfor header X-Client
# NOTE(review): for Kerberos the client requests a ticket for the name it
# connects to (this listener), so each squid's keytab needs that SPN - confirm.
server squid1 10.10.0.253:3128 check inter 2000 rise 2 fall 5
server squid2 10.10.0.252:3128 check inter 2000 rise 2 fall 5
##SQUID.CONF##
#Kerberos and NTLM authentication
# negotiate_wrapper dispatches Negotiate tokens to the NTLM helper or the
# Kerberos helper depending on the token type.
# NOTE(review): "--diagnostics" and "-d" look like debug/verbosity switches;
# confirm they are intended in production, as helper debug output can include
# usernames and token material in the logs.
# NOTE(review): "-s GSS_C_NO_NAME" presumably lets the Kerberos helper accept
# any principal present in its keytab; behind a load balancer the keytab must
# then hold the SPN clients actually request (the balancer's name) - verify.
auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm
/usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
--domain=****.LOCAL --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d
-s GSS_C_NO_NAME
auth_param negotiate children 30
auth_param negotiate keep_alive off
# LDAP authentication
# Fallback basic auth against AD; the bind password is redacted as "****".
# NOTE(review): a password given with -w is visible to local users in the
# process list; basic_ldap_auth also accepts "-W <file>" to read it from a
# file. No TLS option (e.g. -Z for StartTLS) is visible on this line, so the
# bind and the user's credentials appear to travel in the clear - confirm.
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b
"DC=****,DC=local" -D "CN=SQUID,OU=Service Accounts,DC=****,DC=local" -w
"****" -f sAMAccountName=%s -h 10.0.0.200,10.0.0.199,10.0.0.194,10.0.0.193
auth_param basic children 150
auth_param basic realm Please enter your Domain credentials to continue
# Basic credentials are re-verified against LDAP only once per hour.
auth_param basic credentialsttl 1 hour
# AD group membership commands
# %LOGIN is the authenticated user; %v/%a in the filter are the user and the
# group name passed from the acl line below. Group results are cached 60s.
# NOTE(review): the same -w "****" process-list exposure applies here; the
# helper also supports "-W <file>". -K/-S presumably strip the Kerberos realm
# and NT domain from the login so it matches sAMAccountName - confirm.
external_acl_type ldap_group ttl=60 children-startup=10 children-max=50
children-idle=2 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b
"DC=****,DC=local" -D "CN=SQUID,OU=Service Accounts,DC=****,DC=local" -w
"****" -f "(&(objectclass=person)
(sAMAccountname=%v)(memberof=CN=%a,OU=PROXY,ou=ALL
Groups,DC=****,DC=local))" -h
dc1.****.local,dc2.****.local,dc3.****.local,dc4.****.local
# Any valid proxy authentication satisfies "auth"; REQGROUPS additionally
# requires membership in one of the listed PROXY-* groups.
acl auth proxy_auth REQUIRED
acl REQGROUPS external ldap_group PROXY-HIGHLY-RESTRICTIVE
PROXY-MEDIUM-RESTRICTIVE PROXY-MINIMAL-RESTRICTIVE PROXY-UNRESTRICTED
PROXY-DEV PROXY-SALES
# Unauthenticated requests get the 407 challenge; authenticated users outside
# the groups are denied. The allow rules presumably follow (not shown).
http_access deny !auth all
http_access deny !REQGROUPS all
--
Samuel Anderson | Information Technology Administrator | International
Document Services
IDS | 11629 South 700 East, Suite 200 | Draper, UT 84020-4607
--
CONFIDENTIALITY NOTICE:
This e-mail and any attachments are confidential. If you are not an
intended recipient, please contact the sender to report the error and
delete all copies of this message from your system. Any unauthorized
review, use, disclosure or distribution is prohibited.