Squid 3.5 forward proxy on CentOS

-
I've been looking into providing a good proxy server to replace the old stalwart Threat Management Gateway which is now out of support and development from Microsoft.

 Having recently passed my Redhat exam I thought I would look for something a bit LINUX based to run the proxy.  This led me to find SQUID.

 http://www.squid-cache.org

 There is plenty of documentation around how to set up the proxy.  

 Typically with LINUX, the documentation is written assuming that the reader knows what is going on 
and is not a beginner.

 I got the basic proxy up and running pretty quickly.  I even had WPAD working correctly!  

 The defaults all worked!

 However the sticking point was how to get Squid to use an Active Directory group to determine who has 
access to the Internet.

 Here's how I implemented the whole thing.  From start to finish.  As much as I can remember.  

 Obviously I'll omit the days of effort pursuing failures and just present the successes so it looks like I know 
what I am talking about rather than the hunt and peck style used in reality :)

 Oh and as I am a RedHat certified engineer I used CentOS 6 (running on VMPlayer).
  1. AD Config
    1. Create a group to control internet access
  2. CENTOS Config
    1. Using yum install httpd, ntp, squid, samba, samba-common, winbind, gcc,  kerberos (server and client) and msktutil
    2. IP ADDRESS : 10.20.30.40
    3. HOSTNAME : squid
    4. DOMAIN : contoso.com
  3. NTP Config
    1. [root@squid ~]# vi /etc/ntp.conf
    2. [root@squid ~]# service ntpd start
    3. [root@squid ~]# chkconfig ntpd on
  4. APACHE Config
    1. [root@squid ~]# service httpd start
    2. [root@squid ~]# chkconfig httpd on
    3. [root@squid ~]# vi /var/www/http/wpad.dat
  5. SAMBA Config
    1. [root@squid ~]# vi /etc/samba/smb.conf
  6. KERBEROS Config 
    1. [root@squid ~]# vi /etc/krb5.conf
    2. [root@squid ~]# vi /var/kerberos/krb5kdc/kdc.conf
    3. Check you progress!
    4. [root@squid ~]# kinit admin@CONTOSO.COM
    5. The next command takes a while to complete so be patient!
    6. [root@squid ~]# kdb5_util create -s
    7. [root@squid ~]# net ads join -U admin@CONTOSO.COM
    8. [root@squid ~]# service smb start
    9. [root@squid ~]# service winbind start
    10. [root@squid ~]# service krb5kdc start
    11. [root@squid ~]# chkconfig smb on
    12. [root@squid ~]# chkconfig winbind on
    13. [root@squid ~]# chkconfig krb5kdc on
    14. Check your progress!
    15. [root@squid ~]# wbinfo -u
  7. SQUID Config
    1. [root@squid ~]# vi /etc/squid/squid.conf
I can't figure out a nice way to embed the config files in the main text so here they are:

ntp.conf - edit the lines shown:


# Use public servers from the pool.ntp.org project.
# Please consider joining the pool http://www.pool.ntp.org/join.html).
server ntp-server.contoso.com
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst

wpad.dat


// WPAD File

function FindProxyForURL(url, host){
//If they have only specified a hostname, go directly
if (isPlainHostName(host)
return "DIRECT"
// Go direct to intranet site    
if (shExpMatch( host, "intranet*"))            
return "DIRECT";
//Connect directly to our domains
if (dnsDomainIs( host,"*.contoso.com"))
return "DIRECT";
// If not resolvable send direct to get correct error messages
if (!isResolvable(host))
return "DIRECT";// Only cache http, ftp and gopher
// Go direct if PROXY not available
if (url.substring(0, 5) == "http:" ||
url.substring(0,6) == "https:" ||
url.substring(0, 4) == "ftp:" ||
url.substring(0, 7) == "gopher:")
return "PROXY 10.20.30.40:3128; DIRECT";
// In all other cases go direct      
else              
return "DIRECT";
}

smb.conf


workgroup = CONTOSO
security = ads
realm = CONTOSO.COM
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
winbind enum users = yes

winbind enum groups = yes

krb5.conf


[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = CONTOSO.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
CONTOSO.COM = {
kdc = ad-server.contoso.com:88
admin_server = ad-server.contoso.com:749
}

[domain_realm]
.contoso.com = CONTOSO.COM
contoso.com = CONTOSO.COM

kdc.conf


 [kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

 [realms]
 CONTOSO.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal

 }
squid.conf - I am using a 64bit version of CentOS so needed to use lib64 not lib

squid.conf - I am now using CentOS 7 and squid 3 so I need the line:external_acl_type nt_group ttl=0 children=5 %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl



 auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm keep_alive on

 auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

 external_acl_type nt_group ttl=0 children=5 %LOGIN /usr/lib64/squid/wbinfo_group.pl -d

 acl manager proto cache_object

 acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

 acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

 acl CONNECT method CONNECT
http_access allow manager localhost

 http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

 visible_hostname squid.contoso.com

 acl AuthUsers external nt_group CONTOSO\Group_AllUsers

http_access allow AuthUsers all
http_access deny all

 http_port 3128
hierarchy_stoplist cgi-bin ?

 # Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256 coredump_dir /var/spool/squid refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0

refresh_pattern .               0       20%     4320

Comments

Post a Comment

Popular posts from this blog

PXE booting, MDT and 802.1x

-
Image
Oh dear. We implemented site wide 802.1x when we moved. This has caused numerous issues which we are still tracking down and killing with fire. Again "only-when-we-needed-it" struck as we had a new starter and need to build a machine. Ah.   No PXE.  However thankfully we were able to make a bootable USB using 802.1x and get our build working again from MDT in our 802.1 environment. Here's how we did it.   Caveats:  I'm assuming you know MDT and how PXE works. We use Computer certificates as the 8021x auth method. 802.1x is working in our environment GPO is used to start the wired 802.1x service on built machines. GPO is used to configure the network profile to use 802.1x What you need Get a USB stick to take your WinPE 4GB may be enough Make sure you are running an up to date working MDT installation! Create a machine certificate which has a long expiry date, you don't want to be making USB WinPE images every month!! Export the machine ...
Read more

NetScaler VPX and Exchange 2010

-
Image
From the title you can guess that we have Exchange 2010 (SP1 CU6 - with Hotfix for EVault) and we are using NetScaler VPX to load balance the services.  I used the excellent document from Citrix to configure the NetScalers (we have two in active/active - sort of using VMACs to split the traffic RPC to one, HTTP(S) and SMTP to the other). However I found a document from Microsoft which points out that there is "significant performance penalty" if we configure incorrect persistence for EAS.  The Microsoft document is here: http://technet.microsoft.com/en-us/library/ff625248.aspx This put us in a pickle and no mistake.  This is because in a NetScaler persistence is per vServer.  We have one vServer for HTTPS as we have one IP address for all HTTP traffic.  This vServer would then deal with all HTTPS traffic including OWA,ECP,EWS,RPC over HTTPS and EAS.  OWA requires cookie based persistence, this is also the method the Citrix doc...
Read more

Security Policy 1001

-
We had an annoying warning showing every 5 minutes on our Read Only Domain Controllers.  This didn't affect service but meant we were losing our logs of important events (should the have occurred) "Security policy cannot be propagated. Security Configuration Server (in services.exe) is not ready. This is probably in system reboot. Policy will be tried again in the next propagation." Source: SceCli Event: ID 101 We tracked this down to a GPO which was populating the local Administrators group. Obviously a Domain Controller has no local users or groups so this was causing the issue. Ensuring that the GPO did not apply to the Domain Controllers - yes the GPO was linked at the root! fixed the issue. It is strange that we did not see the warnings on our main Domain Controllers only on the Read Only DC's as this would have affected all DCs the same (I would have thought)
Read more