[squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

Service MV service.mv at gmail.com
Fri Jul 24 13:13:55 UTC 2020

Thanks, Brett, for the answer. I did exactly the same thing and it's
working for me now.
I only have to decrypt how to see the client's IP in SQUID's logs. I will
follow your instructions to try to achieve it.

Best regards,


El jue., 23 de jul. de 2020 a la(s) 21:23, Brett Lymn (
brett.lymn at baesystems.com) escribió:

> On Thu, Jul 23, 2020 at 06:07:39PM +0200, Klaus Brandl wrote:
> >
> > But if anyone knows a solution, i will spread my ears :)
> >
> What we do is:
> 1) create a user account in AD that will be used for the HA front end,
> set a password and export the keytab for this user
> 2) Use ktadmin to import the keytab entries for the user created in step
> 1 into the keytab for squid on the squid servers.
> 3) Set a SPN (setspn) in AD that maps HTTP://ha.fqdn.address to the user
> created in 1
> The SPN (service principal name) tells kerberos to use the user details
> set up in step 1 to authenticate http requests.  This works for us, has
> been for years.
> One thing, if you want to know the IP addresses of your clients in the
> squid logs you will need to do some extra stuff because all accesses
> will appear to come from the HA loadbalancer.  We have configured our
> load balancers to insert the X-Forwarded-For header into the http
> traffic and then modified the logging to log both the loadblancer and
> client IP.
> --
> Brett Lymn
> This email has been sent on behalf of one of the following companies
> within the BAE Systems Australia group of companies:
> BAE Systems Australia Limited - Australian Company Number 008 423 005
> BAE Systems Australia Defence Pty Limited - Australian Company Number 006
> 870 846
> ASC Shipbuilding Pty Limited - Australian Company Number 051 899 864
> BAE Systems Australia's registered office is Evans Building, Taranaki
> Road, Edinburgh Parks, Edindurgh, South Australia, 5111.
> ASC Shipbuilding's registered office is Level 2, 80 Flinders Street,
> Adelaide, South Australia, 5000.
> If the identity of the sending company is not clear from the content of
> this email, please contact the sender.
> This email and any attachments may contain confidential and legally
> privileged information. If you are not the intended recipient, do not copy
> or disclose its content, but please reply to this email immediately and
> highlight the error to the sender and then immediately delete the message.
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20200724/c4d123a9/attachment.html>

More information about the squid-users mailing list