[squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

Rafael Akchurin rafael.akchurin at diladele.com
Fri Jul 24 09:44:48 UTC 2020

Sorry, forgot to add to Amos's answer - use haproxy to handle *tcp* connections and let the sslbump/authentication run on the cluster of squids - thus you would get working auth on squid side and use keepalived/haproxy on the client side.

I do not see any reason why it cannot work unless you specifically desire to use some haproxy's features for l7 loadbalancing.

Best regards,
Rafael Akchurin
Diladele B.V.

-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Klaus Brandl
Sent: Friday, July 24, 2020 10:45 AM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

Hi Brett,

but then you have a single point of failure: if your loadbalancer is down,
nothing will work. We need a solution in which each system can work by itself. So
at the moment we merge the keytabs of each system together, and we are able to
take over the addresses of the other systems. Then we have no loadbalancing,
but a fallback solution, which is more important on our systems.

On Friday 24 July 2020 09:53:03 Brett Lymn wrote:
> On Thu, Jul 23, 2020 at 06:07:39PM +0200, Klaus Brandl wrote:
> > But if anyone knows a solution, I will spread my ears :)
> What we do is:
> 1) create a user account in AD that will be used for the HA front end,
> set a password and export the keytab for this user
> 2) Use ktadmin to import the keytab entries for the user created in step
> 1 into the keytab for squid on the squid servers.
> 3) Set a SPN (setspn) in AD that maps HTTP://ha.fqdn.address to the user
> created in 1
> The SPN (service principal name) tells kerberos to use the user details
> set up in step 1 to authenticate http requests.  This works for us, has
> been for years.
> One thing, if you want to know the IP addresses of your clients in the
> squid logs you will need to do some extra stuff because all accesses
> will appear to come from the HA loadbalancer.  We have configured our
> load balancers to insert the X-Forwarded-For header into the http
> traffic and then modified the logging to log both the loadbalancer and
> client IP.



genua GmbH
Domagkstrasse 7, 85551 Kirchheim bei Muenchen
tel +49 89 991950-0, fax -999, www.genua.de

Managing Directors: Matthias Ochs, Marc Tesch
Munich District Court HRB 98238
genua is a company of the Bundesdruckerei Group.
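
The layer-4 arrangement suggested at the top of this message, as an added configuration sketch that is not from any of the posters: HAProxy only forwards TCP, so the Negotiate/Kerberos exchange and sslbump terminate on the Squid nodes. All names, addresses and ports are constructed placeholders, and each Squid keytab is assumed to already hold the key for the front-end name, as in the quoted steps.

```haproxy
# Constructed example: every address, port and name here is a placeholder.
global
    log /dev/log local0
    maxconn 4096

defaults
    mode tcp                  # no HTTP parsing; auth headers pass through untouched
    log global
    option tcplog
    timeout connect 5s
    timeout client  1h        # long enough for idle CONNECT tunnels
    timeout server  1h

frontend proxy_in
    # Address that clients use as their proxy; moved between hosts by keepalived.
    bind 192.0.2.10:3128
    default_backend squid_pool

backend squid_pool
    # Keep one client IP on one Squid so its connections land on the same node.
    balance source
    # "check" does a plain TCP connect test and removes a dead node from rotation.
    server squid1 192.0.2.21:3128 check
    server squid2 192.0.2.22:3128 check
```

In `mode tcp` HAProxy cannot insert an X-Forwarded-For header, so the client-IP logging described in the quoted reply applies to HTTP-mode balancing only.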