[squid-users] Squid - AD kerberos auth and Linux Server proxy access not working

Amos Jeffries squid3 at treenet.co.nz
Wed Oct 5 17:03:09 UTC 2016


On 6/10/2016 5:31 a.m., Nilesh Gavali wrote:
> <<NILESH>> here is the compete squid.conf for your reference-
> 
> #
> # Recommended minimum configuration:
> ####  AD SSO Integration  #####
> #auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -d -s GSS_C_NO_NAME
> auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -s HTTP/proxy02.CUST.IN@CUST.IN
> auth_param negotiate children 20
> auth_param negotiate keep_alive on
> 
> acl ad_auth proxy_auth REQUIRED
> 
> ####  AD Group membership  ####
> 
> 
> external_acl_type AD_Group ttl=300 negative_ttl=0 children=10 %LOGIN /usr/lib64/squid/squid_ldap_group -P -R -b "DC=CUST,DC=IN" -D svcproxy -W /etc/squid/pswd/pswd -f "(&(objectclass=person)(userPrincipalName=%v)(memberof=cn=%a,ou=InternetAccess,ou=Groups,dc=cust,dc=in))" -h CUST.IN -s sub -v 3
> 
> acl AVWSUS external AD_Group lgOnlineUpdate
> acl windowsupdate dstdomain "/etc/squid/sitelist/infra_update_site"
> 
> acl custUSER external AD_Group lgInternetAccess_custUsers
> acl custallowedsite dstdomain "/etc/squid/sitelist/cust_allowed_site"
> 
> #acl SHAVLIK external AD_Group lgShavlikUpdate
> acl shavlikupdate dstdomain "/etc/squid/sitelist/shavlik_update_site"
> 
<snip defaults>

> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl AVSRVR src 10.50.2.107      # Cloud SEPM Servr
> acl SHAVLIK_SRVR src 10.50.2.112     # Shavlik Server(NTLM Only Access)
> acl IWCCP01 src 10.55.15.103   # Application access to Worldpay/bottomline Payment test site.

<snip defaults>
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> 
> #http_access allow test shavlikupdate
> http_access allow SHAVLIK_SRVR shavlikupdate
> http_access allow AVSRVR windowsupdate

The "AVWSUS" ACL below requires authentication in order to check the
group membership. That is what triggers the 407 response.

Move the IWCCP01 line up to here and it should stop.

To make your configuration clearer about which lines need auth and which
lines do not, you could place the following line right here:

 http_access deny !ad_auth

All things that do need auth or group names should always go below it.
Things that need to avoid auth should always go above it.


> http_access allow AVWSUS windowsupdate
> http_access allow IWCCP01
> #http_access allow IWCCP01 custallowedsite
> http_access allow custUSER custallowedsite
> http_access allow ad_auth
> # And finally deny all other access to this proxy
> http_access deny all
> 

Amos
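The ordering rule in the reply, replayed in code as an added example (not code from the thread or from Squid). It parses a constructed simplification of the quoted config (an inline `.windowsupdate.com` domain stands in for the site-list file, the other ACLs are dropped) and walks `http_access` for a client that has not authenticated, reporting the rule at which Squid would answer 407 instead of allowing or denying.

```python
# Added example, not code from the thread or from Squid: replay Squid's http_access walk for an
# unauthenticated client against a constructed simplification of the quoted config. Squid tests
# lines top to bottom and each line's ACLs left to right; the first ACL that needs a user name
# (proxy_auth, or an external ACL whose external_acl_type takes %LOGIN) makes Squid answer 407.
import ipaddress
ACLS = """acl ad_auth proxy_auth REQUIRED
external_acl_type AD_Group ttl=300 children=10 %LOGIN /usr/lib64/squid/squid_ldap_group
acl AVWSUS external AD_Group lgOnlineUpdate
acl windowsupdate dstdomain .windowsupdate.com
acl IWCCP01 src 10.55.15.103
"""
BROKEN = ACLS + """http_access allow AVWSUS windowsupdate
http_access allow IWCCP01
http_access allow ad_auth
http_access deny all"""
FIXED = ACLS + """http_access allow IWCCP01
http_access deny !ad_auth
http_access allow AVWSUS windowsupdate
http_access allow ad_auth
http_access deny all"""
def parse(conf):
    """Return ({acl: (type, args)}, {external_acl_type names taking %LOGIN}, [(action, tokens)])."""
    acls, login_types, rules = {"all": ("src", ["0.0.0.0/0"])}, set(), []  # built-in 'all' (IPv4)
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if words[:1] == ["external_acl_type"] and "%LOGIN" in words:
            login_types.add(words[1])
        elif words[:1] == ["acl"]:
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif words[:1] == ["http_access"]:
            rules.append((words[1], words[2:]))
    return acls, login_types, rules
def matches(acl, client_ip, host):  # credential-free types only; '.x' covers x and its subdomains
    kind, args = acl
    if kind == "src":
        return any(ipaddress.ip_address(client_ip) in ipaddress.ip_network(a) for a in args)
    if kind == "dstdomain":
        return any(host == a.lstrip(".") or (a.startswith(".") and host.endswith(a)) for a in args)
    raise ValueError(f"ACL type {kind} not modelled")
def evaluate(conf, client_ip, host):  # -> (outcome, rule number); outcome is 'allow', 'deny' or '407'
    acls, login_types, rules = parse(conf)
    for number, (action, tokens) in enumerate(rules, 1):
        for token in tokens:
            kind, args = acls[token.lstrip("!")]
            if kind == "proxy_auth" or (kind == "external" and args[0] in login_types):
                return "407", number  # Squid must challenge before it can test this ACL
            if matches((kind, args), client_ip, host) == token.startswith("!"):
                break  # this ACL fails the line; fall through to the next rule
        else:
            return action, number
    return ("deny" if rules[-1][0] == "allow" else "allow"), len(rules)  # Squid: opposite of last line
```

With BROKEN the payment host 10.55.15.103 is challenged at rule 1 because AVWSUS needs a login; with FIXED it is allowed at rule 1, and a client matching no IP rule is challenged at the `deny !ad_auth` gate, which is where the challenge is meant to happen.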
