[squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

Brett Lymn brett.lymn at baesystems.com
Fri Jul 24 00:23:03 UTC 2020

On Thu, Jul 23, 2020 at 06:07:39PM +0200, Klaus Brandl wrote:
> But if anyone knows a solution, i will spread my ears :)

What we do is:

1) create a user account in AD that will be used for the HA front end,
set a password and export the keytab for this user
2) Use ktadmin to import the keytab entries for the user created in step
1 into the keytab for squid on the squid servers.
3) Set a SPN (setspn) in AD that maps HTTP://ha.fqdn.address to the user
created in 1

The SPN (service principal name) tells Kerberos to use the user details
set up in step 1 to authenticate HTTP requests. This works for us, and has
been for years.

One thing: if you want to know the IP addresses of your clients in the
squid logs you will need to do some extra stuff, because all accesses
will appear to come from the HA loadbalancer. We have configured our
load balancers to insert the X-Forwarded-For header into the HTTP
traffic and then modified the logging to log both the loadbalancer and
client IP.

Brett Lymn
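The Squid side of the X-Forwarded-For logging described above, as an added example (not from the original post or the Squid project). It assumes HAProxy already has `option forwardfor` set, that 10.0.0.10 is the load balancer's address (a placeholder), and that the Squid build supports follow_x_forwarded_for.

```conf
# Added example, not from the original post: squid.conf fragment for a
# Squid instance sitting behind an HAProxy that inserts X-Forwarded-For.
# 10.0.0.10 is a placeholder for the load balancer's address.

# Only honour X-Forwarded-For when the direct peer is the load balancer;
# a header sent by any other client is ignored, so it cannot be spoofed.
acl loadbalancer src 10.0.0.10
follow_x_forwarded_for allow loadbalancer
follow_x_forwarded_for deny all

# Keep %>a as the direct (load balancer) address in the log; the real
# client address then comes from the X-Forwarded-For header field below.
log_uses_indirect_client off

# ACLs still see the indirect (real) client address for src-based rules.
acl_uses_indirect_client on

# Default "squid" format with the X-Forwarded-For value added after %>a,
# so each line carries both the loadbalancer IP and the client IP.
logformat lbsquid %ts.%03tu %6tr %>a %{X-Forwarded-For}>h %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
access_log /var/log/squid/access.log lbsquid
```

Run `squid -k parse` after editing to confirm the directives are accepted by your build.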