[squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

L.P.H. van Belle belle at bazuin.nl
Fri Jul 24 08:46:09 UTC 2020

I would recommend to:
1) use Debian buster,
2) use Squid 4.12,
3) use Samba (winbind).
Needed in smb.conf (only what is really needed is shown; there is more, of course):

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    # renew the kerberos ticket
    winbind refresh tickets = yes

    # Added for freeradius support
    #ntlm auth = mschapv2-and-ntlmv2-only

apt install winbind krb5-user should be sufficient.

Samba joins the domain.
/etc/krb5.keytab contains the default part, and Samba refreshes the server's Kerberos passwords/tickets.

And for Squid, its keytab:

kinit Administrator
export KRB5_KTNAME=FILE:/etc/squid/HTTP-$(hostname -s).keytab
net ads keytab add_update_ads HTTP/$(hostname -f) -U Administrator

# alias name to keytab
net ads keytab ADD HTTP/CNAME.FQDN 

# check keytab file.
klist -ke /etc/squid/HTTP-$(hostname -s).keytab

# set rights.
chgrp proxy /etc/squid/HTTP-$(hostname -s).keytab
chmod g+r /etc/squid/HTTP-$(hostname -s).keytab

And I use in Squid:
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/HTTP-hostname.keytab \
    -s HTTP/hostname.fqdn@REALM -s HTTP/CNAME.FQDN@REALM \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM

Points to think about:

Server IPs need A + PTR records.
Use CNAMEs in the DNS.
And make sure resolving is set up correctly.

Add a caching DNS to the proxy (and let Squid use it too).

I had this working (without HAProxy) but with keepalived.

As far as I can tell, your problem is in how the hostnames and IPs are used,
but the above might give you ideas.
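The keytab and DNS checks the advice above describes (an HTTP/ SPN for the physical name and for every alias clients use, A and PTR agreeing), as an added example that is not part of the thread and not Samba or Squid code. It parses `klist -ke` output instead of opening the keytab, so it runs offline; the keytab listing, the zone data and the names (proxy1, balancer and proxy under mydomain.local, 192.0.2.x addresses) are constructed for the example. Both the configured name and its CNAME target are required because some clients canonicalize the proxy name through CNAME before building the SPN (Chromium does unless the DisableAuthNegotiateCnameLookup policy is set) while others use the name exactly as configured. RC4 and DES keys are reported separately as weak.

```python
"""Audit a Squid Kerberos keytab against the names clients use for the proxy.

Added example for the thread above, not Samba/Squid code. All input below is
constructed: KLIST_OUTPUT mimics `klist -ke <keytab>` and DNS mimics the zone.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

REALM = "MYDOMAIN.LOCAL"

# Names a browser may be configured with (assumed for the example).
CLIENT_NAMES = ["proxy.mydomain.local", "proxy1.mydomain.local"]

# Constructed zone: the alias clients use is a CNAME to the balanced name,
# whose VIP reverse-resolves to the physical proxy host (a common mistake).
DNS = {
    "CNAME": {"proxy.mydomain.local": "balancer.mydomain.local"},
    "A": {"balancer.mydomain.local": ["192.0.2.10"],
          "proxy1.mydomain.local": ["192.0.2.11"]},
    "PTR": {"192.0.2.10": "proxy1.mydomain.local",
            "192.0.2.11": "proxy1.mydomain.local"},
}

# Constructed `klist -ke` listing for /etc/squid/HTTP-proxy1.keytab.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/squid/HTTP-proxy1.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/proxy1.mydomain.local@MYDOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 HTTP/proxy1.mydomain.local@MYDOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   3 HTTP/proxy1.mydomain.local@MYDOMAIN.LOCAL (arcfour-hmac)
   3 HTTP/proxy.mydomain.local@MYDOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
"""


@dataclass(frozen=True)
class KeytabEntry:
    kvno: int
    principal: str
    enctype: str


# One `klist -ke` row looks like "   3 HTTP/host@REALM (enctype)".
KLIST_ROW = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s+\((\S+)\)\s*$")

# Prefixes of the enctype names MIT prints for keys that should not be relied on.
WEAK_ENCTYPES = ("des-", "des3-", "arcfour", "rc4")


def parse_klist(text: str) -> list[KeytabEntry]:
    """Pick the KVNO/principal/enctype rows out of `klist -ke` output."""
    rows = []
    for line in text.splitlines():
        m = KLIST_ROW.match(line)
        if m:
            rows.append(KeytabEntry(int(m.group(1)), m.group(2), m.group(3)))
    return rows


def canonical_name(name: str, dns: dict) -> str:
    """Follow the CNAME chain the way a canonicalizing client would."""
    seen = set()
    while name in dns["CNAME"]:
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        name = dns["CNAME"][name]
    return name


def dns_findings(name: str, dns: dict) -> list[str]:
    """The canonical name needs an A record and every PTR must point back to it."""
    canon = canonical_name(name, dns)
    ips = dns["A"].get(canon, [])
    out = [] if ips else [f"{name}: no A record for canonical name {canon}"]
    for ip in ips:
        ptr = dns["PTR"].get(ip)
        if ptr != canon:
            out.append(f"{canon}: A -> {ip} but PTR -> {ptr}")
    return out


def required_spns(client_names, dns, realm=REALM) -> set[str]:
    """HTTP/<name> for the configured name and for its CNAME target."""
    spns = set()
    for name in client_names:
        spns.add(f"HTTP/{name}@{realm}")
        spns.add(f"HTTP/{canonical_name(name, dns)}@{realm}")
    return spns


def audit(klist_text: str, client_names, dns, realm=REALM) -> dict:
    """Return missing SPNs, DNS inconsistencies and weak keys as three lists."""
    entries = parse_klist(klist_text)
    present = {e.principal for e in entries}
    return {
        "missing": sorted(required_spns(client_names, dns, realm) - present),
        "dns": [f for name in client_names for f in dns_findings(name, dns)],
        "weak": sorted({f"{e.principal} kvno {e.kvno} ({e.enctype})"
                        for e in entries if e.enctype.startswith(WEAK_ENCTYPES)}),
    }


if __name__ == "__main__":
    for kind, items in audit(KLIST_OUTPUT, CLIENT_NAMES, DNS).items():
        for item in items:
            print(f"{kind.upper():7} {item}")
```

On a real host, feed `audit()` the text of `klist -ke /etc/squid/HTTP-$(hostname -s).keytab` and a zone map built from `dig` answers. Every principal in the `missing` list still has to be created with `net ads keytab add` (and listed with `-s` in the negotiate helper), and any `dns` finding is a reverse lookup that will not round-trip.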




From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of Service MV
Sent: Thursday 23 July 2020 17:36
To: squid-users at lists.squid-cache.org
Subject: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

Hi, everybody.
I have a Squid 4.11 compiled on Debian 9.8 with Kerberos integration, authenticating and browsing without problems:
squid_kerb_auth: User some.user authenticated
access.log TCP_TUNNEL/200 5264 CONNECT update.googleapis.com:443 some.user HIER_DIRECT/[IP stripped] -

The problem starts when I try to configure an HAProxy 1.8 load balancer, for which, for redundancy, I configured a virtual IP with the keepalived service. When I point my browser to the DNS A record (balancer.mydomain.local), which in turn points to the keepalived virtual IP, the authentication stops working:
cache.log: no records
access.log TCP_DENIED/407 4142 CONNECT update.googleapis.com:443 - HIER_NONE/- text/

In the client browser a prompt appears requesting authentication.

I find it strange that the IP registered by Squid is [IP stripped], which is the physical IP of my VM, instead of the virtual IP configured in HAProxy, which is [IP stripped].

I send you all the configurations I have made, to see if you can help me find where my configuration error is.

keepalived.conf

global_defs {
   notification_email {
     some.user@mydomain.local
   }
   notification_email_from balancer1@mydomain.local
   smtp_server smtp.mydomain.local
   smtp_connect_timeout 60
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 101
    priority 101
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass somepass123
    }
    virtual_ipaddress {
        [VIP stripped]
    }
}


haproxy.cfg

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    maxconn 4000
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    ssl-default-bind-options no-sslv3

defaults
    balance source
    log global
    mode http
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except [IP stripped]
    timeout connect 5000
    timeout client 50000
    timeout server 50000

    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

### statistics
listen stats
    bind [IP:port stripped]
    mode http
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /haproxy?stats
    stats auth haproxy:somepass123

### balancer
listen squid
    bind [IP:port stripped]
    mode http
    option httplog
    balance source
    hash-type consistent
    option httpclose
    cookie SERVERID insert indirect nocache
    option forwardfor header X-Client
    server proxy1 [IP:port stripped] check inter 2000 rise 2 fall 5
    server proxy2 [IP:port stripped] check inter 2000 rise 2 fall 5

squid.conf

# minimal configuration for testing
visible_hostname proxy1.mydomain.local
http_port 3128
debug_options ALL,1 33,2 28,9
maximum_object_size 8192 KB
error_directory /opt/squid411/share/errors/es-ar
shutdown_lifetime 0 seconds
forwarded_for on
auth_param negotiate program /usr/local/bin/squid_kerb_auth -i -r -s GSS_C_NO_NAME
auth_param negotiate children 300 startup=150 idle=10
auth_param negotiate keep_alive on
acl auth proxy_auth REQUIRED
http_access allow auth
acl SSL_ports port 443
acl Safe_ports port 80
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all

squid -v
Squid Cache: Version 4.11
Service Name: squid

This binary uses OpenSSL 1.0.2u  20 Dec 2019. For legal restrictions on distribution see https://www.openssl.org/source/license.html

configure options:  '--prefix=/opt/squid411' '--includedir=/include' '--mandir=/share/man' '--infodir=/share/info' '--localstatedir=/opt/squid411/var' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--enable-inline' '--enable-async-io' '--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-digest-auth-helpers' '--enable-negotiate-auth-helpers' '--enable-auth-ntlm' '--enable-arp-acl' '--enable-esi' '--disable-translation' '--with-logdir=/var/log/squid411' '--with-pidfile=/var/run/squid411.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' '--enable-ltdl-convenience' '--with-openssl' '--enable-ssl' '--enable-ssl-crtd'


krb5.conf

[libdefaults]
    default_realm = MYDOMAIN.LOCAL
    dns_lookup_kdc = yes
    dns_lookup_realm = yes
    ticket_lifetime = 24h

    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
    MYDOMAIN.LOCAL = {
        kdc = s-dc00.mydomain.local
        kdc = s-dc01.mydomain.local
        kdc = s-dc02.mydomain.local
        admin_server = s-dc00.mydomain.local
    }

[domain_realm]
    .mydomain.local = MYDOMAIN.LOCAL
    mydomain.local = MYDOMAIN.LOCAL

msktutil -c -b "OU=SERVIDORES" -s HTTP/debian-proxy.mydomain.local -k /opt/squid411/etc/PROXY.keytab --computer-name DEBIAN-PROXY --upn HTTP/debian-proxy.mydomain.local --server s-dc00.mydomain.local --verbose --enctypes 28

# permissions for keytab file
chgrp proxy /opt/squid411/etc/PROXY.keytab
chmod g+r /opt/squid411/etc/PROXY.keytab

klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: some.user@MYDOMAIN.LOCAL

Valid starting       Expires              Service principal
07/23/2020 11:59:45  07/23/2020 21:59:45  krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
        renew until 07/24/2020 11:59:40

One thing I didn't quite understand is the procedure to authenticate from HAProxy. According to the documentation I read, I did the following:

I created a DNS A record and its PTR on my DNS server, pointing to the virtual IP of keepalived ([IP stripped]) in the HAProxy.
Then I created an "HTTP_inet" user account in Active Directory.
Then on my domain controller, in a CMD with administrator permissions, I ran:
setspn -S HTTP/inet.mydomain.local HTTP_inet
setspn -S HTTP/inet HTTP_inet
In both cases the message was: object updated.
Then on my Squid servers I executed:
It asks for the user's password.
Start the ktutil tool.
That's where I write:
addent -password -p HTTP/inet.mydomain.local -k 2 -e rc4-hmac
It asks for the user's password.
addent -password -p HTTP/inet -k 2 -e rc4-hmac
It asks for the user's password.
wkt /opt/squid411/etc/PROXY.keytab

List the keys in the keytab:
read_kt /opt/squid411/etc/PROXY.keytab
   4 1 HTTP/debian-proxy.mydomain.local@MYDOMAIN.LOCAL
   5 1 HTTP/debian-proxy.mydomain.local@MYDOMAIN.LOCAL
   6 1 HTTP/debian-proxy.mydomain.local@MYDOMAIN.LOCAL
  10 1 host/debian-proxy.mydomain.local@MYDOMAIN.LOCAL
  11 1 host/debian-proxy.mydomain.local@MYDOMAIN.LOCAL
  12 1 host/debian-proxy.mydomain.local@MYDOMAIN.LOCAL
  13 2 HTTP/inet.mydomain.local@MYDOMAIN.LOCAL
  14 2 HTTP/inet@MYDOMAIN.LOCAL

It's this last part I understand the least; maybe the mistake is there, or somewhere else.
I appreciate any help you can offer me.

Best regards,

