[squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

Markus Moeller huaraz at moeller.plus.com
Sat Jul 25 16:11:12 UTC 2020


Hi 


Maybe some general comments about LB, CNAMEs and Squid Kerberos will help. The Kerberos client will try to request a ticket based on the used hostname, e.g. if you configure in your browser the proxy name as ha-proxy.slb.example.com then the client will look for a service principal of HTTP/ha-proxy.slb.example.com. If this is a CNAME then you may have browser dependencies, e.g.

  ha-proxy.slb.example.com CNAME HA-server1.real.example.com 

Some browsers will use HTTP/ha-proxy.slb.example.com and some will use HTTP/HA-server1.real.example.com.

Now if your squid server name is squid1.real.example.com you will probably have only HTTP/squid1.real.example.com in your keytab.


There are now 2 options:

1) Create one entry in AD for all squid servers, i.e. the AD entry will have at least (number of servers + 2) service principals associated to it, extract the key to a keytab and use the option -s GSS_C_NO_NAME with the negotiate_kerberos_auth helper,
     e.g. HTTP/squid1.real.example.com, HTTP/squid2.real.example.com, HTTP/HA-server1.real.example.com, HTTP/ha-proxy.slb.example.com
2) Create separate entries in AD for each squid server, the LB and the CNAMEs and then merge the keys into one keytab to be used on all squid servers.

Kind Regards
Markus
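The point above is that every name on the path from the configured proxy name down the CNAME chain is a name some browser may build an HTTP/ principal from, so the keytab has to hold all of them. The following check is an added example, not code from the thread: it follows a constructed CNAME map, derives the expected HTTP/ principals, and compares them with the principals found in constructed `klist -ke` output (the hostnames, realm and keytab listing are sample data, not taken from the posts).

```python
"""Check a Squid keytab covers every HTTP/ principal a browser may request
when the proxy is reached through a load-balancer name and CNAME chain.
Added example, not part of the mailing-list thread; all data is constructed."""
import re
from typing import Dict, Iterable, List, Set

# Constructed DNS view: CNAME name -> target. Names with an A record have no entry.
DNS_CNAMES: Dict[str, str] = {
    "ha-proxy.slb.example.com": "HA-server1.real.example.com",
}

# Constructed `klist -ke` output for a keytab holding only the squid host's own SPN.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/squid/HTTP-squid1.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/squid1.real.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 HTTP/squid1.real.example.com@EXAMPLE.COM (arcfour-hmac)
"""

# kvno, principal (without realm), realm; header and separator lines do not match.
PRINCIPAL_RE = re.compile(r"^\s*(\d+)\s+(\S+?)@(\S+)")


def keytab_principals(klist_text: str) -> Set[str]:
    """Return the principals (realm stripped) listed by `klist -ke`."""
    return {m.group(2) for m in map(PRINCIPAL_RE.match, klist_text.splitlines()) if m}


def resolve_chain(name: str, cnames: Dict[str, str]) -> List[str]:
    """Follow CNAMEs from the configured proxy name to the final A record name."""
    chain, seen = [name], {name.lower()}
    while chain[-1] in cnames:
        nxt = cnames[chain[-1]]
        if nxt.lower() in seen:          # guard against a CNAME loop in the map
            raise ValueError("CNAME loop at " + nxt)
        seen.add(nxt.lower())
        chain.append(nxt)
    return chain


def expected_spns(proxy_names: Iterable[str], squid_hosts: Iterable[str],
                  cnames: Dict[str, str]) -> Set[str]:
    """HTTP/ principals for every CNAME hop plus each squid server's real name."""
    spns = {"HTTP/" + hop for n in proxy_names for hop in resolve_chain(n, cnames)}
    return spns | {"HTTP/" + h for h in squid_hosts}


def missing_spns(klist_text: str, proxy_names: Iterable[str],
                 squid_hosts: Iterable[str], cnames: Dict[str, str]) -> Set[str]:
    """Expected principals absent from the keytab (exact string comparison)."""
    return expected_spns(proxy_names, squid_hosts, cnames) - keytab_principals(klist_text)
```

Run it against the real `klist -ke` output of each squid server's keytab; every principal it reports as missing is a name that option 1) or 2) above has to add.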



"L.P.H. van Belle" <belle at bazuin.nl> wrote in message news:vmime.5f1aa165.2c44.7eb4bc368baef35 at ms249-lin-003.rotterdam.bazuin.nl...
forgot 1 thing. (sorry) 
# 
adduser proxyuser winbind_priv 

or things might not work. 

 



------------------------------------------------------------------------------
  From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of L.P.H. van Belle
  Sent: Friday 24 July 2020 10:46
  To: squid-users at lists.squid-cache.org
  Subject: Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication


  I would recommend to ..
  1) use debian buster,
  2) use squid 4.12
  3) use samba (winbind). 

  needed in smb.conf (only shown what's really needed), there is more of course.

      dedicated keytab file = /etc/krb5.keytab
      kerberos method = secrets and keytab

      # renew the kerberos ticket
      winbind refresh tickets = yes

      # Added for freeradius support
      #ntlm auth = mschapv2-and-ntlmv2-only


  apt install winbind krb5-user should be sufficient. 

  samba joins the domain.
  /etc/krb5.keytab contains the default part and refreshes the server kerberos passwords/tickets.

  And for squid, its keytab:

  kinit Administrator
  export KRB5_KTNAME=FILE:/etc/squid/HTTP-$(hostname -s).keytab
  net ads keytab add_update_ads HTTP/$(hostname -f) -U Administrator

  # alias name to keytab
  net ads keytab ADD HTTP/CNAME.FQDN 

  # check keytab file.
  klist -ke /etc/squid/HTTP-$(hostname -s).keytab
  unset KRB5_KTNAME

  # set rights.
  chgrp proxy /etc/squid/HTTP-$(hostname -s).keytab
  chmod g+r /etc/squid/HTTP-$(hostname -s).keytab

  And I use in squid
  auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
      --kerberos /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/HTTP-hostname.keytab \
      -s HTTP/hostname.fqdn@REALM -s HTTP/CNAME.FQDN@REALM \
      --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM

  Points to think about.

  server IPs need A + PTR
  use CNAMEs in the DNS.
  and make sure the resolving is set up correctly.

  Add a caching DNS to the proxy. (and let squid use it also)

  I had this working (without HAproxy) but with keepalived. 

  As far as I can tell, your problem is in how the hostnames and IPs are used,
  but the above might give you ideas.


  Greetz, 

  Louis






----------------------------------------------------------------------------
    From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of Service MV
    Sent: Thursday 23 July 2020 17:36
    To: squid-users at lists.squid-cache.org
    Subject: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication


    Hi, everybody.
    I have a SQUID 4.11 compiled on Debian 9.8 with kerberos integration authenticating and browsing without problems:
    cache.log
    squid_kerb_auth: User some.user authenticated
    access.log
    10.10.10.203 TCP_TUNNEL/200 5264 CONNECT update.googleapis.com:443 some.user HIER_DIRECT/172.217.162.3 -

    The problem starts when I try to configure a HAProxy 1.8 load balancer, for which, for redundancy, I configured a virtual IP with the keepalived service. When I point my browser to the DNS A record (balancer.mydomain.local), which in turn points to the keepalived virtual IP, the authentication stops working:
    cache.log 
    no records
    access.log
    10.10.8.207 TCP_DENIED/407 4142 CONNECT update.googleapis.com:443 - HIER_NONE/- text/

    In the client browser a prompt appears requesting authentication.

    I find it strange that the IP registered by SQUID is 10.10.8.207, which is the physical IP of my VM, instead of the virtual IP configured in HAProxy, which is the IP 10.10.8.213.

    I send you all the configurations that I have made to see if you can help me to find where my configuration error is.

    keepalived.conf 
      global_defs {
         notification_email {
           some.user@mydomain.local
         }
         notification_email_from balancer1@mydomain.local
         smtp_server smtp.mydomain.local
         smtp_connect_timeout 60
      }

      vrrp_instance VI_1 {
          state MASTER
          interface eth0
          virtual_router_id 101
          priority 101
          advert_int 1
          authentication {
              auth_type PASS
              auth_pass somepass123
          }
          virtual_ipaddress {
              10.10.8.213
          }
      }



    haproxy.conf
    global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    maxconn 4000
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

    defaults
    balance source
    log global
    mode http
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    timeout connect 5000
    timeout client 50000
    timeout server 50000

    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

    ### statistics
    listen stats
    bind 10.10.8.213:1936
    mode http
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /haproxy?stats
    stats auth haproxy:somepass123

    ### balancer
    listen squid
    bind 10.10.8.213:3128
      mode http
      option httplog
      balance source
      hash-type consistent
      option httpclose
      cookie SERVERID insert indirect nocache
      option forwardfor header X-Client
      server proxy1 10.10.8.205:3128 check inter 2000 rise 2 fall 5
      server proxy2 10.10.8.206:3128 check inter 2000 rise 2 fall 5



    squid.conf
    # minimal configuration for testing
    visible_hostname proxy1.mydomain.local
    http_port 3128
    debug_options ALL,1 33,2 28,9
    maximum_object_size 8192 KB
    error_directory /opt/squid411/share/errors/es-ar
    shutdown_lifetime 0 seconds
    forwarded_for on
    auth_param negotiate program /usr/local/bin/squid_kerb_auth -i -r -s GSS_C_NO_NAME
    auth_param negotiate children 300 startup=150 idle=10
    auth_param negotiate keep_alive on
    acl auth proxy_auth REQUIRED
    http_access allow auth
    acl SSL_ports port 443
    acl Safe_ports port 80
    acl CONNECT method CONNECT
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access deny all



    squid -v
    Squid Cache: Version 4.11
    Service Name: squid

    This binary uses OpenSSL 1.0.2u  20 Dec 2019. For legal restrictions on distribution see https://www.openssl.org/source/license.html

    configure options:  '--prefix=/opt/squid411' '--includedir=/include' '--mandir=/share/man' '--infodir=/share/info' '--localstatedir=/opt/squid411/var' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--enable-inline' '--enable-async-io' '--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-digest-auth-helpers' '--enable-negotiate-auth-helpers' '--enable-auth-ntlm' '--enable-arp-acl' '--enable-esi--disable-translation' '--with-logdir=/var/log/squid411' '--with-pidfile=/var/run/squid411.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' '--enable-ltdl-convenience' '--with-openssl' '--enable-ssl' '--enable-ssl-crtd'



    env
    KRB5_KTNAME=/opt/squid411/etc/PROXY.keytab
    KRB5RCACHETYPE=none



    /etc/krb5.conf
    [libdefaults]
        default_realm = MYDOMAIN.LOCAL
        dns_lookup_kdc = yes
        dns_lookup_realm = yes 
        ticket_lifetime = 24h

            default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
            default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
            permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

    [realms]
        MYDOMAIN.LOCAL = {
            kdc = s-dc00.mydomain.local
            kdc = s-dc01.mydomain.local
            kdc = s-dc02.mydomain.local
            admin_server = s-dc00.mydomain.local
        }

    [domain_realm]
        .mydomain.local = MYDOMAIN.LOCAL
        mydomain.local = MYDOMAIN.LOCAL



    msktutil -c -b "OU=SERVIDORES" -s HTTP/debian-proxy.mydomain.local -k /opt/squid411/etc/PROXY.keytab --computer-name DEBIAN-PROXY --upn HTTP/debian-proxy.mydomain.local --server s-dc00.mydomain.local --verbose --enctypes 28



    # permissions for keytab file
    chgrp proxy /opt/squid411/etc/PROXY.keytab
    chmod g+r /opt/squid411/etc/PROXY.keytab



    klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: some.user@MYDOMAIN.LOCAL

    Valid starting       Expires              Service principal
    07/23/2020 11:59:45  07/23/2020 21:59:45  krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
            renew until 07/24/2020 11:59:40



    One thing I didn't quite understand is the procedure to authenticate from HAProxy. According to the documentation I read, I did the following:

    I created a DNS A record and its PTR in my DNS server pointing to the virtual IP of the keepalived (10.10.8.213) in the HAProxy. 
    Then I created a "HTTP_inet" user account in Active Directory.
    Then on my domain controller, in a CMD with administrator permissions, I ran:
    setspn -S HTTP/inet.mydomain.local HTTP_inet
    setspn -S HTTP/inet HTTP_inet 
    In both cases the message was: object updated.
    Then in my SQUID servers, I executed:
    kinit HTTP_inet@MYDOMAIN.LOCAL
    It asks for the user's password.
    Start the ktutil tool.
    That's where I write:
    addent -password -p HTTP/inet.mydomain.local -k 2 -e rc4-hmac
    It asks for the user password.
    addent -password -p HTTP/inet -k 2 -e rc4-hmac
    It asks for the user password.
    wkt /opt/squid411/etc/PROXY.keytab
    quit

    list the keys in keytab:
    ktutil
    read_kt /opt/squid411/etc/PROXY.keytab
       1 1 DEBIAN-PROXY$@MYDOMAIN.LOCAL
       2 1 DEBIAN-PROXY$@MYDOMAIN.LOCAL
       3 1 DEBIAN-PROXY$@MYDOMAIN.LOCAL
       4 1 HTTP/debian-proxy.mydomain.local@MYDOMAIN.LOCAL
       5 1 HTTP/debian-proxy.mydomain.local@MYDOMAIN.LOCAL
       6 1 HTTP/debian-proxy.mydomain.local@MYDOMAIN.LOCAL
       7 1 host/DEBIAN-PROXY@MYDOMAIN.LOCAL
       8 1 host/DEBIAN-PROXY@MYDOMAIN.LOCAL
       9 1 host/DEBIAN-PROXY@MYDOMAIN.LOCAL
      10 1 host/debian-proxy.mydomain.local@MYDOMAIN.LOCAL
      11 1 host/debian-proxy.mydomain.local@MYDOMAIN.LOCAL
      12 1 host/debian-proxy.mydomain.local@MYDOMAIN.LOCAL
      13 2 HTTP/inet.mydomain.local@MYDOMAIN.LOCAL
      14 2 HTTP/inet@MYDOMAIN.LOCAL

    It's this last part I understand the least, maybe the mistake is there. Or somewhere else.
    I appreciate any help you can offer me. 

    Best regards,

    Gabriel



