Setting Up Squid - my scenario

Setting Up Squid - my scenario

Hareesh
Hi,

I have a requirement to set up Squid behind a corporate proxy. The corporate proxy uses Kerberos for authentication, and people need to point their systems/laptops/desktops at a specified host name and port of that proxy to connect to the internet.

However, to make our applications on various platforms connect to the internet seamlessly as needed, we decided to configure a proxy that forwards the requests to the corporate proxy without taking any creds from its users. I am looking for something similar to CNTLM but which can also support Kerberos and be more stable. I am assuming that by using specific directives it is possible to set up an HTTP proxy using Squid that doesn't take the user's details but authenticates with the parent proxy using its own creds and provides access to the internet.

Is this feasible to implement using Squid in the first place? If yes, how can this be achieved? What are the directives that can be used, as an example? As a first-time user, it's highly confusing to understand how these directives can be used in specific scenarios.

Thanks!

Re: Setting Up Squid - my scenario

Hareesh
Any help?

Re: Setting Up Squid - my scenario

Hareesh
In reply to this post by Hareesh
On top of the conf file from the default setup on Windows, I added the following lines to the conf. I added the DNS servers and allowed localhost.


cache_peer <corporate_proxy> parent 80 0 default connection-auth=on proxy-only


never_direct allow all


When I point my browser to this proxy, it gives me 407, auth required. 


Also, configured squid service on windows to run with a service account that has access to Internet/corp proxy.


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Setting Up Squid - my scenario

Amos Jeffries
Administrator
On 10/03/2017 5:19 a.m., S V Hareesh wrote:
> On top of the conf file from default setup on Windows, I added the following line in the conf. I added the dns servers and allowed localhost.
>
> cache_peer <corporate_proxy> parent 80 0 default connection-auth=on proxy-only
>
> never_direct allow all
>
> When I point my browser to this proxy, it gives me 407, auth required.
>
> Also, configured squid service on windows to run with a service account that has access to Internet/corp proxy.

Squid cannot authenticate to a cache_peer using NTLM. It can only do
Negotiate/Kerberos to the parent proxy, and only when "login=NEGOTIATE"
is added (with or without a named keytab file).

NOTE: 'connection-auth=on' is about allowing the browser to use NTLM or
Negotiate/Kerberos through the cache_peer. It needs to also have
"login=PASSTHRU" if that peer is a proxy (as opposed to a web or
Exchange server).

See the 'AUTHENTICATION OPTIONS' section of
<http://www.squid-cache.org/Doc/config/cache_peer/>

Amos


Re: Setting Up Squid - my scenario

Hareesh
Ok, I tried that but it didn't work. I can put a conf file here. As a start I am currently in a scenario trying to replace a simple CNTLM HTTP proxy with Squid. I want to configure one account which authenticates with the parent proxy and sends the downstream requests without taking any creds.



Re: Setting Up Squid - my scenario

Amos Jeffries
Administrator
On 10/03/2017 6:00 a.m., S V Hareesh wrote:
> Ok, I tried that but it didnt work. I can put a conf file here. As a
> start I am currently in a scenario trying to replace a simple CNTLM
> HTTP proxy with Squid. I want to configure one account which
> authenticates with parent proxy send the downstream requests with out
> taking any creds.

If your CNTLM was running on the Squid machine and using the credentials
for the service account you have setup Squid to use now - then the
cache_peer login=NEGOTIATE should make Squid operate as equivalent to
what CNTLM was doing.

The config file would be useful for anyone who follows up (not just me,
who will be out of time shortly for another few days).

Also, if you can track what HTTP messages are happening and whether the
Kerberos is working properly for the Squid->parent messages it would be
useful.

The current Squid can provide HTTP details in cache.log with
"debug_options 11,2". I'm not sure how you would test the Kerberos on a
Windows installation, but the Negotiate auth headers in those messages
might give a few clues anyway.

HTH
Amos

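The two replies from Amos above cover the cache_peer login modes (login=NEGOTIATE for Squid's own service-account identity, connection-auth=on plus login=PASSTHRU for passing the client's own NTLM/Negotiate credentials through) and the "debug_options 11,2" trace for checking what Squid actually sends to the parent. The squid.conf fragment below is an added example written for this thread; it is not configuration posted by anyone in the thread and not Squid project documentation. Host names, ports and network ranges are placeholders to be replaced with site values.

```conf
# Added example squid.conf fragment (not from the thread, not Squid's own docs).
# Scenario: Squid forwards everything to an authenticating corporate parent proxy.
# corp-proxy.example.internal, port 8080 and the localnet ranges are placeholders.

http_port 3128

# --- Variant A: Squid authenticates to the parent with its OWN credentials
# (the CNTLM-like behaviour asked for); clients are never challenged.
# login=NEGOTIATE uses the Kerberos identity Squid runs under: the first
# principal in the default keytab, or a named one via login=NEGOTIATE:<principal>.
cache_peer corp-proxy.example.internal parent 8080 0 no-query default proxy-only login=NEGOTIATE

# --- Variant B: pass each client's own NTLM/Negotiate credentials to the parent.
# This needs BOTH connection-auth=on AND login=PASSTHRU; connection-auth=on alone
# (the thread's first attempt) leaves the parent's 407 unanswered.
# (login=PASS, reported as working at the end of the thread, also forwards
# client-supplied credentials rather than Squid's own.)
# Keep only one cache_peer line for the parent active; Variant B is commented out.
#cache_peer corp-proxy.example.internal parent 8080 0 no-query default proxy-only connection-auth=on login=PASSTHRU

# Never contact origin servers directly; everything must go via the parent.
never_direct allow all

# Access control. The config posted in the thread has "http_access allow all"
# against a 0.0.0.0/0 ACL, which turns a credential-holding forwarder into an
# open proxy for anyone who can reach port 3128. Restrict it to the networks
# that actually need it.
acl localnet src 10.0.0.0/8          # placeholder: workstation/application network
acl localnet src 192.168.0.0/16      # placeholder
http_access allow localhost
http_access allow localnet
http_access deny all

# Diagnostics from the thread: log HTTP message details to cache.log.
# Section 11 at level 2 logs the request Squid sends to the parent. With a
# working Variant A that request carries "Proxy-Authorization: Negotiate ...";
# a parent that still rejects it answers with "Proxy-Authenticate: Negotiate"
# in a 407. Lower this again after debugging: the log then contains request
# URLs and authentication tokens.
debug_options ALL,1 11,2
```

With Variant A the identity that matters is the account the Squid service runs as (the service account mentioned in the thread), since that is where the Kerberos ticket for the parent comes from; if the outgoing request in cache.log has no Proxy-Authorization header at all, the problem is upstream of HTTP, in that account's ability to obtain a ticket, not in the cache_peer line.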

Re: Setting Up Squid - my scenario

Hareesh
Here is the conf file.

http_port 3128
cache_peer <corp_proxy_IP> parent <Parent_proxy_port> 0 no-query default proxy-only login=NEGOTIATE 

acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
http_access allow all
never_direct allow all
icp_access deny all

cache_effective_user squid
#cache_effective_group wheel

max_filedescriptors 3200
 
I am not sure what it is that I am missing. I have been Wiresharking the resultant packets both when using CNTLM and when using Squid, and I can see the proxy auth header piece missing in the Squid packet.

Re: Setting Up Squid - my scenario

Hareesh
I have put login=PASS and configured the Squid service to run with a service account that has an internet account, and it started working.
 
Cheers
S.V.Hareesh
 
Say no to plastic & pollution.... go environment friendly
