[squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication
Service MV
service.mv at gmail.com
Thu Jul 23 15:36:07 UTC 2020
Hi, everybody.
I have a SQUID 4.11 compiled on Debian 9.8 with kerberos integration
authenticating and browsing without problems:
cache.log
squid_kerb_auth: User some.user authenticated
access.log
10.10.10.203 TCP_TUNNEL/200 5264 CONNECT update.googleapis.com:443
some.user HIER_DIRECT/172.217.162.3 -
The problem starts when I try to configure a HAProxy 1.8 load balancer to
which by redundancy I configured a virtual IP with the keepalived service.
When I point my browser to the DNS A record (balancer.mydomain.local) which
in turn points to the keepalived virtual IP, the authentication stops
working:
cache.log
no records
access.log
10.10.8.207 TCP_DENIED/407 4142 CONNECT update.googleapis.com:443 -
HIER_NONE/- text/
In the client browser a prompt appears requesting authentication.
I find it strange that the IP registered by SQUID is 10.10.8.207, which is
the physical IP of my VM, instead of the virtual IP configured in HAProxy,
which is the IP 10.10.8.213.
I send you all the configurations that I have made to see if you can help
me to find where my configuration error is.
keepalived.conf
global_defs {
notification_email {
some.user at mydomain.local
}
notification_email_from balancer1 at mydomain.local
smtp_server smtp. mydomain.local
smtp_connect_timeout 60
}
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 101
priority 101
advert_int 1
authentication {
auth_type PASS
auth_pass somepass123
}
virtual_ipaddress {
10.10.8.213
}
}
haproxy.conf
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
maxconn 4000
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
server=haproxy
ssl-default-bind-ciphers
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
defaults
balance source
log global
mode http
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
### statistics
listen stats
bind 10.10.8.213:1936
mode http
stats enable
stats hide-version
stats realm Haproxy\ Statistics
stats uri /haproxy?stats
stats auth haproxy:somepass123
### balancer
listen squid
bind 10.10.8.213:3128
mode http
option httplog
balance source
hash-type consistent
option httpclose
cookie SERVERID insert indirect nocache
option forwardfor header X-Client
server proxy1 10.10.8.205:3128 check inter 2000 rise 2 fall 5
server proxy2 10.10.8.206:3128 check inter 2000 rise 2 fall 5
squid.conf
# minimal configuration for testing
visible_hostname proxy1.mydomain.local
http_port 3128
debug_options ALL, 1 33, 2 28, 9
maximum_object_size 8192 KB
error_directory /opt/squid411/share/errors/es-ar
shutdown_lifetime 0 seconds
forwarded_for on
auth_param negotiate program /usr/local/bin/squid_kerb_auth -i -r -s
GSS_C_NO_NAME
auth_param negotiate children 300 startup=150 idle=10
auth_param negotiate keep_alive on
acl auth proxy_auth REQUIRED
http_access allow auth
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
squid -v
Squid Cache: Version 4.11
Service Name: squid
This binary uses OpenSSL 1.0.2u 20 Dec 2019. For legal restrictions on
distribution see https://www.openssl.org/source/license.html
configure options: '--prefix=/opt/squid411' '--includedir=/include'
'--mandir=/share/man' '--infodir=/share/info'
'--localstatedir=/opt/squid411/var' '--disable-maintainer-mode'
'--disable-dependency-tracking' '--disable-silent-rules' '--enable-inline'
'--enable-async-io' '--enable-storeio=ufs,aufs,diskd'
'--enable-removal-policies=lru,heap' '--enable-delay-pools'
'--enable-cache-digests' '--enable-underscores' '--enable-icap-client'
'--enable-follow-x-forwarded-for' '--enable-auth'
'--enable-digest-auth-helpers' '--enable-negotiate-auth-helpers'
'--enable-auth-ntlm' '--enable-arp-acl' '--enable-esi--disable-translation'
'--with-logdir=/var/log/squid411' '--with-pidfile=/var/run/squid411.pid'
'--with-filedescriptors=65536' '--with-large-files'
'--with-default-user=proxy' '--enable-linux-netfilter'
'--enable-ltdl-convenience' '--with-openssl' '--enable-ssl'
'--enable-ssl-crtd'
env
KRB5_KTNAME=/opt/squid411/etc/PROXY.keytab
KRB5RCACHETYPE=none
/etc/krb5.conf
[libdefaults]
default_realm = MYDOMAIN.LOCAL
dns_lookup_kdc = yes
dns_lookup_realm = yes
ticket_lifetime = 24h
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
des-cbc-md5
[realms]
MYDOMAIN.LOCAL = {
kdc = s-dc00.mydomain.local
kdc = s-dc01.mydomain.local
kdc = s-dc02.mydomain.local
admin_server = s-dc00.mydomain.local
}
[domain_realm]
.mydomain.local = MYDOMAIN.LOCAL
mydomain.local = MYDOMAIN.LOCAL
msktutil -c -b "OU=SERVIDORES" -s HTTP/debian-proxy.mydomain.local -k
/opt/squid411/etc/PROXY.keytab --computer-name DEBIAN-PROXY --upn
HTTP/debian-proxy.mydomain.local --server s-dc00.mydomain.local --verbose
--enctypes 28
# permissions for kaytab file
chgrp proxy /opt/squid411/etc/PROXY.keytab
chmod g+r /opt/squid411/etc/PROXY.keytab
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: some.user at MYDOMAIN.LOCAL
Valid starting Expires Service principal
07/23/2020 11:59:45 07/23/2020 21:59:45
krbtgt/MYDOMAIN.LOCAL at MYDOMAIN.LOCAL
renew until 07/24/2020 11:59:40
One thing I didn't quite understand is the procedure to authenticate from
HAProxy. According to the documentation I read, I did the following:
I created a DNS A record and its PTR in my DNS server pointing to the
virtual IP of the keepalived (10.10.8.213) in the HAProxy.
Then I created a "HTTP_inet" user account in Active Directory.
Then on my domain controller, in a CMD with administrator permissions, I
ran:
setspn -S HTTP/inet.mydomain.local HTTP_inet
setspn -S HTTP/inet HTTP_inet
In both cases the message was: object updated.
Then in my SQUID servers, I executed:
kinit HTTP_inet at MYDOMAIN.LOCAL
It asks for the user's password.
Start the ktutil tool
That's where I write:
addent -password -p HTTP/inet.mydomain.local -k 2 -e rc4-hmac
Ask the user password
addent -password -p HTTP/inet -k 2 -e rc4-hmac
Ask the user password
wkt /opt/squid411/etc/PROXY.keytab
quit
list the keys in keytab:
ktutil
read_kt /opt/squid411/etc/PROXY.keytab
1 1 DEBIAN-PROXY$@MYDOMAIN.LOCAL
2 1 DEBIAN-PROXY$@MYDOMAIN.LOCAL
3 1 DEBIAN-PROXY$@MYDOMAIN.LOCAL
4 1 HTTP/debian-proxy.mydomain.local at MYDOMAIN.LOCAL
5 1 HTTP/debian-proxy.mydomain.local at MYDOMAIN.LOCAL
6 1 HTTP/debian-proxy.mydomain.local at MYDOMAIN.LOCAL
7 1 host/DEBIAN-PROXY at MYDOMAIN.LOCAL
8 1 host/DEBIAN-PROXY at MYDOMAIN.LOCAL
9 1 host/DEBIAN-PROXY at MYDOMAIN.LOCAL
10 1 host/debian-proxy.mydomain.local at MYDOMAIN.LOCAL
11 1 host/debian-proxy.mydomain.local at MYDOMAIN.LOCAL
12 1 host/debian-proxy.mydomain.local at MYDOMAIN.LOCAL
13 2 HTTP/inet.mydomain.local at MYDOMAIN.LOCAL
14 2 HTTP/inet at MYDOMAIN.LOCAL
It's this last part I understand the least, maybe the mistake is there. Or
somewhere else.
I appreciate any help you can offer me.
Best regards,
Gabriel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20200723/5c2ed207/attachment-0001.html>
More information about the squid-users
mailing list