[squid-users] Squid will not authenticate NTLM/Kerberos when behind a haproxy load balancer

Brendan Kearney bpk678 at gmail.com
Fri Mar 20 01:43:18 UTC 2015


On Thu, 2015-03-19 at 19:32 -0600, Samuel Anderson wrote:
> Hey, I actually just figured it out. Literally about 2 minutes ago.
> 
> I changed the mode from (http) to (tcp) in the HAPROXY.CFG
> 
> It looks like it's able to authenticate again. Thanks for the
> response.
> 
> On Thu, Mar 19, 2015 at 7:27 PM, Brendan Kearney <bpk678 at gmail.com>
> wrote:
>         On Thu, 2015-03-19 at 19:01 -0600, Samuel Anderson wrote:
>         > Hello All,
>         >
>         > I have 2 squid servers that authenticate correctly when you point
>         > your browser to either of them. I'm using a negotiate_wrapper. I
>         > set it up following this
>         > (http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory)
>         >
>         > I would like to set both servers behind a haproxy load balancer,
>         > however when you try to utilize the haproxy load balancer, it will
>         > not authenticate anymore. It just gives an error asking to
>         > authenticate.
>         >
>         > Any ideas?
>         >
>         > Thanks in advance.
>         >
>         > ##HAPROXY.CFG##
>         >
>         > global
>         > log /dev/log local0
>         > log /dev/log local1 notice
>         > chroot /var/lib/haproxy
>         > user haproxy
>         > group haproxy
>         > daemon
>         >
>         > defaults
>         > log global
>         > mode http
>         > option httplog
>         > option dontlognull
>         >         contimeout 5000
>         >         clitimeout 50000
>         >         srvtimeout 50000
>         >
>         > # reverse proxy-squid
>         > listen  proxy 10.10.0.254:3128
>         > mode http
>         >         cookie  SERVERID insert indirect nocache
>         >         balance roundrobin
>         >         option httpclose
>         >         option forwardfor header X-Client
>         >         server  squid1 10.10.0.253:3128 check inter 2000 rise 2 fall 5
>         >         server  squid2 10.10.0.252:3128 check inter 2000 rise 2 fall 5
>         >
>         > ##SQUID.CONF##
>         >
>         > #Kerberos and NTLM authentication
>         > auth_param negotiate program /usr/local/bin/negotiate_wrapper
>         > --ntlm /usr/bin/ntlm_auth --diagnostics
>         > --helper-protocol=squid-2.5-ntlmssp --domain=****.LOCAL
>         > --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
>         > auth_param negotiate children 30
>         > auth_param negotiate keep_alive off
>         >
>         > # LDAP authentication
>         > auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b
>         > "DC=****,DC=local" -D "CN=SQUID,OU=Service Accounts,DC=****,DC=local"
>         > -w "****" -f sAMAccountName=%s -h
>         > 10.0.0.200,10.0.0.199,10.0.0.194,10.0.0.193
>         > auth_param basic children 150
>         > auth_param basic realm Please enter your Domain credentials to
>         > continue
>         > auth_param basic credentialsttl 1 hour
>         >
>         > # AD group membership commands
>         > external_acl_type ldap_group ttl=60 children-startup=10
>         > children-max=50 children-idle=2 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b
>         > "DC=****,DC=local" -D "CN=SQUID,OU=Service Accounts,DC=****,DC=local"
>         > -w "****" -f "(&(objectclass=person) (sAMAccountname=%v)(memberof=CN=%a,OU=PROXY,ou=ALL  Groups,DC=****,DC=local))" -h
>         > dc1.****.local,dc2.****.local,dc3.****.local,dc4.****.local
>         >
>         > acl auth proxy_auth REQUIRED
>         >
>         > acl REQGROUPS external ldap_group PROXY-HIGHLY-RESTRICTIVE
>         > PROXY-MEDIUM-RESTRICTIVE PROXY-MINIMAL-RESTRICTIVE PROXY-UNRESTRICTED
>         > PROXY-DEV PROXY-SALES
>         >
>         > http_access deny !auth all
>         > http_access deny !REQGROUPS all
>         >
>         > --
>         > Samuel Anderson  |  Information Technology Administrator  |
>         >  International Document Services
>         >
>         > IDS  |  11629 South 700 East, Suite 200  |  Draper, UT 84020-4607
>         >
>         > CONFIDENTIALITY NOTICE:
>         > This e-mail and any attachments are confidential. If you are not an
>         > intended recipient, please contact the sender to report the error
>         > and delete all copies of this message from your system.  Any
>         > unauthorized review, use, disclosure or distribution is prohibited.
>         
>         how did you create and distribute the keytab for the proxies?  you
>         must create one keytab and put the same exact one on each of the
>         proxies.  the KVNO numbers must match on every proxy.
>         run "klist -Kket /path/to/the.keytab" on the proxies to check.
>         
>         kerberos is heavily dependent on DNS.  the keytab should contain
>         PRIMARY/instance.domain.tld@REALM where PRIMARY is HTTP,
>         instance.domain.tld is the FQDN of the 10.10.0.254 IP, not either or
>         both of the individual proxies, and REALM should be the Kerberos
>         REALM.
>         
>         did you export the environment variable for the keytab?  on fedora,
>         i put the following in /etc/sysconfig/squid:
>         
>         KRB5_KTNAME=/etc/squid/squid.keytab
>         export KRB5_KTNAME
>         
>         do you get a HTTP ticket from the directory?  from a command prompt,
>         what does "klist tickets" show?  you can also install the XP
>         resource kit and run kerbtray.exe to get that info.  win7 and newer
>         may have it built in.
>         

you will benefit from using the HTTP profile in HAProxy.  if HTTP vs TCP
is causing you grief, then you may want to review the config.

i am using (mind the wrap):

global
        #debug
        daemon
        log localhost local1 notice
        log-send-hostname router
        #uid 996
        #gid 995
        pidfile /var/run/haproxy.pid
        stats socket /var/run/haproxy.sock level admin
        stats maxconn 2

defaults
        balance leastconn

        log global

        mode http

        option httplog
        option http-server-close
        option forwardfor except 127.0.0.0/8

        stats enable
        stats hide-version
        stats refresh 5s
        stats scope   .
        stats show-legends
        stats uri     /admin?stats

        timeout http-request    10s
        timeout queue           1m
        timeout connect         10s
        timeout client          1m
        timeout server          1m
        timeout http-keep-alive 10s
        timeout check           10s

listen proxy 192.168.37.1:8080
        # option to HTTP/1.1 should be on one line
        option httpchk GET /squid-internal-periodic/store_digest HTTP/1.1
        server proxy1 192.168.88.1:3128 check inter 10000
        server proxy2 192.168.88.2:3128 check inter 10000

listen proxy1 192.168.37.1:8081
        # option to HTTP/1.1 should be on one line
        option httpchk GET /squid-internal-periodic/store_digest HTTP/1.1
        server proxy1 192.168.88.1:3128 check inter 10000

listen proxy2 192.168.37.1:8082
        # option to HTTP/1.1 should be on one line
        option httpchk GET /squid-internal-periodic/store_digest HTTP/1.1
        server proxy2 192.168.88.2:3128 check inter 10000

by using the HTTP mode, you can get more intelligent service checking,
and more reliably determine a device's status.
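As an added example (not code from either poster), here is a check for the keytab consistency Brendan asks about earlier in the thread: it parses the output of "klist -Kket" collected from each proxy, verifies that every proxy carries the HTTP/<VIP FQDN>@REALM principal, and flags principals whose KVNO or key material differ between proxies. The hostnames, realm and klist output below are constructed, and the VIP's FQDN (proxy.example.local) is an assumption.

```python
import re
from typing import NamedTuple

# key_hex is compared between proxies only, never printed
KeytabEntry = NamedTuple("KeytabEntry", [("principal", str), ("kvno", int),
                                         ("enctype", str), ("key_hex", str)])

# One "klist -Kket" entry: KVNO, timestamp, principal, "(enctype)" from -e and
# "(0x...)" from -K.  Timestamps are locale dependent, so only KVNO and principal are required.
_ENTRY = re.compile(
    r"^\s*(?P<kvno>\d+)\s+.*?\s(?P<principal>\S+@\S+)"
    r"(?:\s+\((?P<enctype>(?!0x)[^)]+)\))?(?:\s+\((?P<key>0x[0-9a-fA-F]+)\))?\s*$")

def parse_klist(output: str) -> set:
    return {KeytabEntry(m["principal"], int(m["kvno"]), m["enctype"] or "?",
                        m["key"] or "")
            for m in map(_ENTRY.match, output.splitlines()) if m}

def check_keytabs(outputs: dict, vip_fqdn: str, realm: str) -> list:
    """Return the problems found; an empty list means every proxy is consistent."""
    expected = f"HTTP/{vip_fqdn}@{realm}"  # browsers ask the KDC for the VIP's SPN
    parsed = {host: parse_klist(out) for host, out in outputs.items()}
    hosts, problems, by_key = sorted(parsed), [], {}
    for host in hosts:
        if not any(e.principal == expected for e in parsed[host]):
            problems.append(f"{host}: missing {expected}")
        for e in parsed[host]:
            by_key.setdefault((e.principal, e.enctype), {})[host] = e
    for (principal, enctype), per_host in sorted(by_key.items()):
        absent = [h for h in hosts if h not in per_host]
        if absent:
            problems.append(f"{principal} ({enctype}) absent on {', '.join(absent)}")
        elif len({e.kvno for e in per_host.values()}) > 1:
            problems.append(f"{principal} ({enctype}) KVNO mismatch: "
                            + ", ".join(f"{h}={per_host[h].kvno}" for h in hosts))
        elif len({e.key_hex for e in per_host.values()}) > 1:
            problems.append(f"{principal} ({enctype}) same KVNO, different key")
    return sorted(problems)

# Constructed sample output (not from the list's proxies); the VIP's FQDN is assumed to
# be proxy.example.local, and squid2's keytab was regenerated separately from squid1's.
SQUID1 = """\
KVNO Timestamp         Principal
   3 03/19/15 10:00:00 HTTP/proxy.example.local@EXAMPLE.LOCAL (aes256-cts-hmac-sha1-96)  (0x0a1b2c3d)
   3 03/19/15 10:00:00 HTTP/proxy.example.local@EXAMPLE.LOCAL (arcfour-hmac)  (0x4e5f6a7b)
"""
SQUID2 = """\
   4 03/19/15 11:30:00 HTTP/proxy.example.local@EXAMPLE.LOCAL (aes256-cts-hmac-sha1-96)  (0x8c9dae0f)
   3 03/19/15 10:00:00 HTTP/squid2.example.local@EXAMPLE.LOCAL (aes256-cts-hmac-sha1-96)  (0x11223344)
"""
```

Run check_keytabs({"squid1": SQUID1, "squid2": SQUID2}, "proxy.example.local", "EXAMPLE.LOCAL") to see the KVNO mismatch and the entries each proxy lacks; an empty list means the same keytab is installed everywhere.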


