[squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

Rafael Akchurin rafael.akchurin at diladele.com
Fri Jul 24 09:39:08 UTC 2020

Hello Klaus, Brett, all list members,

This is the scheme with haproxy and Squid we use all the time in our test lab for Web Safety - we need to constantly add/remove test nodes to the cluster without breaking/changing anything in Kerberos settings for the constantly running client pool - https://docs.diladele.com/administrator_guide_stable/active_directory_extra/redundancy/haproxy_proxy_protocol.html

And yes we do *not* use computer account, we use *user* account instead.
See the reasoning  in the tutorial.

Best regards,
Rafael Akchurin
Diladele B.V.


-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Brett Lymn
Sent: Friday, July 24, 2020 2:23 AM
To: Klaus Brandl <klaus_brandl at genua.de>
Cc: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

On Thu, Jul 23, 2020 at 06:07:39PM +0200, Klaus Brandl wrote:
> But if anyone knows a solution, i will spread my ears :)

What we do is:

1) create a user account in AD that will be used for the HA front end, set a password and export the keytab for this user
2) Use ktadmin to import the keytab entries for the user created in step
1 into the keytab for squid on the squid servers.
3) Set a SPN (setspn) in AD that maps HTTP://ha.fqdn.address to the user created in 1

The SPN (service principal name) tells kerberos to use the user details set up in step 1 to authenticate http requests.  This works for us, has been for years.

One thing, if you want to know the IP addresses of your clients in the squid logs you will need to do some extra stuff because all accesses will appear to come from the HA loadbalancer.  We have configured our load balancers to insert the X-Forwarded-For header into the http traffic and then modified the logging to log both the loadblancer and client IP.

Brett Lymn
This email has been sent on behalf of one of the following companies within the BAE Systems Australia group of companies:

BAE Systems Australia Limited - Australian Company Number 008 423 005 BAE Systems Australia Defence Pty Limited - Australian Company Number 006 870 846 ASC Shipbuilding Pty Limited - Australian Company Number 051 899 864

BAE Systems Australia's registered office is Evans Building, Taranaki Road, Edinburgh Parks, Edindurgh, South Australia, 5111.
ASC Shipbuilding's registered office is Level 2, 80 Flinders Street, Adelaide, South Australia, 5000.
If the identity of the sending company is not clear from the content of this email, please contact the sender.

This email and any attachments may contain confidential and legally privileged information. If you are not the intended recipient, do not copy or disclose its content, but please reply to this email immediately and highlight the error to the sender and then immediately delete the message.

squid-users mailing list
squid-users at lists.squid-cache.org

More information about the squid-users mailing list