[squid-users] Squid will not authenticate NTLM/Kerberos when behind a haproxy load balancer
Brendan Kearney
bpk678 at gmail.com
Fri Mar 20 01:43:18 UTC 2015
On Thu, 2015-03-19 at 19:32 -0600, Samuel Anderson wrote:
> Hey, I actually just figured it out. literally about 2 minutes ago.
>
>
> I changed the mode from (http) to (tcp) in the HAPROXY.CFG
>
>
> It looks like its able to authenticate again. Thanks for the
> response.
>
> On Thu, Mar 19, 2015 at 7:27 PM, Brendan Kearney <bpk678 at gmail.com>
> wrote:
> On Thu, 2015-03-19 at 19:01 -0600, Samuel Anderson wrote:
> > Hello All,
> >
> >
> > I have 2 squid servers that authenticate correctly when you
> point your
> > browser to either of them. I'm using a negotiate_wrapper. I
> set it up
> > following this
> >
> (http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory)
> >
> >
> > I would like to set both servers behind a haproxy load
> balancer,
> > however when you try to utilize the haproxy load balancer,
> it will not
> > authenticate anymore. It just gives an error asking to
> authenticate.
> >
> >
> > Any ideas?
> >
> >
> > Thanks in advance.
> >
> >
> >
> >
> >
> >
> > ##HAPROXY.CFG##
> >
> >
> > global
> > log /dev/log local0
> > log /dev/log local1 notice
> > chroot /var/lib/haproxy
> > user haproxy
> > group haproxy
> > daemon
> >
> >
> > defaults
> > log global
> > mode http
> > option httplog
> > option dontlognull
> > contimeout 5000
> > clitimeout 50000
> > srvtimeout 50000
> >
> >
> > # reverse proxy-squid
> > listen proxy 10.10.0.254:3128
> > mode http
> > cookie SERVERID insert indirect nocache
> > balance roundrobin
> > option httpclose
> > option forwardfor header X-Client
> > server squid1 10.10.0.253:3128 check inter 2000
> rise 2 fall 5
> > server squid2 10.10.0.252:3128 check inter 2000
> rise 2 fall 5
> >
> >
> >
> >
> >
> >
> >
> >
> > ##SQUID.CONF##
> >
> >
> >
> >
> > #Kerberos and NTLM authentication
> > auth_param negotiate
> program /usr/local/bin/negotiate_wrapper
> > --ntlm /usr/bin/ntlm_auth --diagnostics
> > --helper-protocol=squid-2.5-ntlmssp --domain=****.LOCAL
> > --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s
> GSS_C_NO_NAME
> > auth_param negotiate children 30
> > auth_param negotiate keep_alive off
> >
> >
> > # LDAP authentication
> > auth_param basic program /usr/lib/squid3/basic_ldap_auth -R
> -b
> > "DC=****,DC=local" -D "CN=SQUID,OU=Service
> Accounts,DC=****,DC=local"
> > -w "****" -f sAMAccountName=%s -h
> > 10.0.0.200,10.0.0.199,10.0.0.194,10.0.0.193
> > auth_param basic children 150
> > auth_param basic realm Please enter your Domain credentials
> to
> > continue
> > auth_param basic credentialsttl 1 hour
> >
> >
> > # AD group membership commands
> > external_acl_type ldap_group ttl=60 children-startup=10
> > children-max=50 children-idle=2 %
> > LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b
> > "DC=****,DC=local" -D "CN=SQUID,OU=Service
> Accounts,DC=****,DC=local"
> > -w "****" -f "(&(objectclass=person) (sAMAccountname=%
> v)(memberof=CN=%
> > a,OU=PROXY,ou=ALL Groups,DC=****,DC=local))" -h
> > dc1.****.local,dc2.****.local,dc3.****.local,dc4.****.local
> >
> >
> > acl auth proxy_auth REQUIRED
> >
> >
> >
> > acl REQGROUPS external ldap_group PROXY-HIGHLY-RESTRICTIVE
> > PROXY-MEDIUM-RESTRICTIVE PROXY-MINIMAL-RESTRICTIVE
> PROXY-UNRESTRICTED
> > PROXY-DEV PROXY-SALES
> >
> >
> > http_access deny !auth all
> > http_access deny !REQGROUPS all
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > --
> > Samuel Anderson | Information Technology Administrator |
> > International Document Services
> >
> >
> > IDS | 11629 South 700 East, Suite 200 | Draper, UT
> 84020-4607
> >
> >
> >
>
> > CONFIDENTIALITY NOTICE:
> > This e-mail and any attachments are confidential. If you are
> not an
> > intended recipient, please contact the sender to report the
> error and
> > delete all copies of this message from your system. Any
> unauthorized
> > review, use, disclosure or distribution is prohibited.
>
> how did you create and distribute the keytab for the proxies?
> you must
> create one keytab and put the same exact one on each of the
> proxies.
> the KVNO numbers must match on every proxy. run "klist
> -Kket /path/to/the.keytab" on the proxies to check.
>
> kerberos is heavily dependent on DNS. the keytab should
> contain
> PRIMARY/instance.domain.tld at REALM where PRIMARY is HTTP,
> instance.domain.tld is the FQDN of the 10.10.0.254 IP, not
> either or
> both of the individual proxies, and REALM should be the
> Kerberos REALM.
>
> did you export the environment variable for the keytab? on
> fedora, i
> put the following in /etc/sysconfig/squid:
>
> KRB5_KTNAME=/etc/squid/squid.keytab
> export KRB5_KTNAME
>
> do you get a HTTP ticket from the directory? from a command
> prompt,
> what does "klist tickets" show? you can also install the XP
> resource
> kit and run kerbtray.exe to get that info. win7 and newer may
> have it
> built in.
>
>
>
>
>
> --
> Samuel Anderson | Information Technology Administrator |
> International Document Services
>
>
> IDS | 11629 South 700 East, Suite 200 | Draper, UT 84020-4607
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail and any attachments are confidential. If you are not an
> intended recipient, please contact the sender to report the error and
> delete all copies of this message from your system. Any unauthorized
> review, use, disclosure or distribution is prohibited.
you will benefit from using the HTTP profile in HAProxy. if HTTP vs TCP
is causing you grief, then you may want to review the config.
i am using (mind the wrap):
global
#debug
daemon
log localhost local1 notice
log-send-hostname router
#uid 996
#gid 995
pidfile /var/run/haproxy.pid
stats socket /var/run/haproxy.sock level admin
stats maxconn 2
defaults
balance leastconn
log global
mode http
option httplog
option http-server-close
option forwardfor except 127.0.0.0/8
stats enable
stats hide-version
stats refresh 5s
stats scope .
stats show-legends
stats uri /admin?stats
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
listen proxy 192.168.37.1:8080
# option to HTTP/1.1 should be on one line
option httpchk GET /squid-internal-periodic/store_digest
HTTP/1.1
server proxy1 192.168.88.1:3128 check inter 10000
server proxy2 192.168.88.2:3128 check inter 10000
listen proxy1 192.168.37.1:8081
# option to HTTP/1.1 should be on one line
option httpchk GET /squid-internal-periodic/store_digest
HTTP/1.1
server proxy1 192.168.88.1:3128 check inter 10000
listen proxy2 192.168.37.1:8082
# option to HTTP/1.1 should be on one line
option httpchk GET /squid-internal-periodic/store_digest
HTTP/1.1
server proxy2 192.168.88.2:3128 check inter 10000
by using the HTTP mode, you can get more intelligent service checking,
and more reliably determine a devices status.
More information about the squid-users
mailing list