Squid in CENTOS 7 and its integration with Windows Server 2012R2 Active Directory

Posted: July 13, 2015 in Linux

Proxy servers act as an intermediary between a local network and the Internet: requests from local clients for web services are handled by the proxy server. Squid is a high-performance HTTP and FTP caching proxy server.

In this article we will join a Squid server (CentOS 7) to a Windows domain and configure AD authentication on the proxy server. When a domain user requests web access, Squid authenticates that user and checks security-group membership: if the user is a member of a group which has Internet access, the request is allowed; otherwise it is denied.

In one of my previous articles I configured DNS and DHCP servers and installed an AD domain controller.

Our network:

Domain controller with IP address 192.168.122.100

CENTOS DNS and DHCP server 192.168.122.200

Another CENTOS7 (core) where SQUID will be installed 192.168.122.90

Windows XP client 192.168.122.X (one address from the DHCP range)

I will add one Linux machine, join it to the domain and install Squid on it, and add another XP machine which serves as the web proxy client.

Install a VM guest (client) running Windows XP on the KVM host:

virt-install --name client --ram=2048 --vcpus=2 --file=/disk/client.qcow2 --file-size=4 --cdrom /home/godon/Downloads/Windows_XP.iso --os-type=windows

Starting install...
Allocating 'client.qcow2' | 4.0 GB 01:40
Creating domain...


Because we have a DHCP server configured on the CentOS 7 machine (see this article for more details), the XP client gets a proper IP address (192.168.122.13), default gateway and DNS server (192.168.122.200), and we can join it to the domain. I installed the netdom utility from http://www.microsoft.com/de-de/download/details.aspx?id=18546 on the XP machine.

But first, create an OU for our computer on the DC from a PowerShell prompt:

New-ADOrganizationalUnit "machines"

Prestage the computer account in AD:

I did it from the client computer because I got a "WMI access denied" error when running it from the DC (I found on the net that SP3 disables WMI); in order not to waste time I ran the next 2 commands from the XP machine (/s is the domain controller).

netdom add client /d:example.com /ud:administrator /pd:Zemun2013 /s:dc /ou:ou=machines,dc=example,dc=com

Join the XP machine (named client) to the Windows domain:

netdom join client /d:example.com /ud:administrator /pd:Zemun2013 /ou:ou=machines,dc=example,dc=com

Create an OU for the groups which will be authorized through the Squid server (Squid will check whether a user is a member of the groups stored in this OU). Run the following commands on the domain controller:

New-ADOrganizationalUnit "squid"

Squid needs a Windows account which has access to all user information. We'll create an account named squid, store it in the squid OU, and delegate to that account the rights to read all user information and Read All inetOrgPerson Information.

New-ADUser -Name "squid" -UserPrincipalName "squid@example.com" -SamAccountName "squid" -AccountPassword (ConvertTo-SecureString "Passw0rd01" -AsPlainText -Force) -ChangePasswordAtLogon $false -Path "ou=squid,dc=example,dc=com" -Enabled $true


Create the users with which web access will be tested (the OU "test" was created in this article):

New-ADUser -Name "test" -UserPrincipalName "test@example.com" -SamAccountName "test" -AccountPassword (ConvertTo-SecureString "Passw0rd01" -AsPlainText -Force) -ChangePasswordAtLogon $false -Path "ou=test,dc=example,dc=com" -Enabled $true
New-ADUser -Name "don" -UserPrincipalName "don@example.com" -SamAccountName "don" -AccountPassword (ConvertTo-SecureString "Passw0rd01" -AsPlainText -Force) -ChangePasswordAtLogon $false -Path "ou=test,dc=example,dc=com" -Enabled $true

Now create the groups the users will be members of:

Users in the unlimited group will have unlimited Internet access (user don will be in that group). Remember, all groups for users which need limited/unlimited access must be in the squid organizational unit:

New-ADGroup -Name "unlimited" -GroupScope "Global" -GroupCategory "Security" -Path "ou=squid,dc=example,dc=com"
Add-ADGroupMember -Identity "unlimited" -Members "don"

In the same way we'll create a group called restricted for the user which will have limited net access (test):

New-ADGroup -Name "restricted" -GroupScope "Global" -GroupCategory "Security" -Path "ou=squid,dc=example,dc=com"
Add-ADGroupMember -Identity "restricted" -Members "test"

Joining CENTOS7 machine to the Domain and installing SQUID

I set the hostname to squid.example.com, the IP address to 192.168.122.90 and the DNS server to 192.168.122.200, pinged the DC, and now I can join the future Squid server to the domain.

hostnamectl set-hostname squid.example.com

Install the sssd, samba and ntp services:

The System Security Services Daemon (SSSD) is a service which provides an LDAP identity provider with LDAP authentication, and an LDAP identity provider with Kerberos authentication.

The ntp service is needed to sync our CentOS time with the DC time (time sync is crucial for Kerberos authentication).

yum install samba* ntp* sssd -y
systemctl start ntpd.service 
ntpdate dc.example.com

When we joined Linux to the AD domain in the previous article we used authconfig-gtk and had no need to edit any files; this GUI tool did all the job. Now we have a core installation (no GUI) and must do it all manually.

Edit the /etc/krb5.conf file:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 EXAMPLE.COM = {
  kdc = DC.EXAMPLE.COM
  admin_server = DC.EXAMPLE.COM
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

Edit /etc/pam.d/system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet_success
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 36777216 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so

Edit the /etc/nsswitch.conf file to configure the system to look at winbind:

passwd: files winbind
shadow: files winbind
group: files winbind

Edit /etc/samba/smb.conf:

#Global Settings:
workgroup = EXAMPLE
interfaces = lo eth0
hosts allow = 127. 192.168.122.

Start the winbind, smb and sssd services:

systemctl start ntpd
systemctl start winbind
systemctl start sssd

Join the domain; enter the Windows domain admin password when prompted:

realm join --user=administrator@EXAMPLE.COM EXAMPLE.COM

Add the following to the smb.conf file in the section Domain Members Options:

#- Domain Members Options 

security = ads

realm = EXAMPLE.COM

password server = DC.EXAMPLE.COM

Now test whether we can see Windows groups/users:

wbinfo -t
checking the trust secret for domain EXAMPLE via RPC calls succeeded

wbinfo -g

EXAMPLE\winrmremotewmiusers__
EXAMPLE\domain computers
EXAMPLE\domain controllers
EXAMPLE\schema admins
EXAMPLE\enterprise admins
EXAMPLE\cert publishers
EXAMPLE\domain admins
EXAMPLE\domain users
EXAMPLE\domain guests
EXAMPLE\group policy creator owners
EXAMPLE\ras and ias servers
EXAMPLE\allowed rodc password replication group
EXAMPLE\denied rodc password replication group
EXAMPLE\read-only domain controllers
EXAMPLE\enterprise read-only domain controllers
EXAMPLE\cloneable domain controllers
EXAMPLE\protected users
EXAMPLE\restricted
EXAMPLE\nolimit

wbinfo -u

EXAMPLE\administrator
EXAMPLE\guest
EXAMPLE\krbtgt
EXAMPLE\tex willer
EXAMPLE\test
EXAMPLE\squid
EXAMPLE\don

Installing & Configuring SQUID

yum install squid -y

Now we need to configure Squid authentication; to do that we need to configure helpers. Helpers are modules, written as scripts or programs, which authenticate users. A helper reads username/password pairs from standard input, one pair at a time on a single line of text, and writes a single line of text to standard output that is either "OK" or "ERR" (in case of problems).

The helper location is /usr/lib64/squid (or /usr/lib/squid on x86 platforms).

The helper needs an account with access to user information in Active Directory (that's why we created the Windows user squid and delegated it the rights to see user information). Before we add a helper to the Squid config file, it's always a good idea to test it.

First export the password of the AD user squid to a file; the helper will read its bind password from it:

[root@squid squid]# printf '%s\n' 'Passw0rd01' > /etc/squid/password.txt

We will be using the basic_ldap_auth helper.

It allows Squid to connect to an LDAP directory to validate the user name and password of Basic HTTP authentication. It reads the username and password (piped on standard input in the test below) and checks them against the LDAP directory.

[root@squid squid]# echo "test Passw0rd01" | /usr/lib64/squid/basic_ldap_auth -R -b "dc=example,dc=com" -D "cn=squid,ou=squid,dc=example,dc=com" -W /etc/squid/password.txt -f sAMAccountName=%s -h 192.168.122.100

Squid connects to AD (binding as the squid user with its password) to check whether user test's password (Passw0rd01) is correct. The user name is substituted for the %s variable.

[root@squid squid]# echo "test restricted" | /usr/lib64/squid/ext_ldap_group_acl -R -b "dc=example,dc=com" -D "cn=squid,ou=squid,dc=example,dc=com" -W /etc/squid/password.txt -f "(&(objectclass=person) (sAMAccountname=%u) (memberof=cn=%g,ou=squid,dc=example,dc=com))" -h 192.168.122.100
OK

The ext_ldap_group_acl helper allows Squid to connect to an LDAP directory to authorize users via LDAP groups; with this helper we can authorize AD users by checking whether a user is a member of a particular group. The helper needs input: a username and a group name, and it checks whether that user is a member of that group. In this example we piped the SAM account name (test) and the AD group (restricted, created in one of the previous steps) to the external_acl_type helper, which returns OK (if the user is a member of the group) or ERR (if not a member, or if you have a syntax error). The parameters:

-R: do not follow referrals.
-b "dc=example,dc=com": the base DN under which the groups are located.
-D "cn=squid,ou=squid,dc=example,dc=com": the DN of the user which Squid binds as while performing searches (the user named squid, located in the squid OU).
-W /etc/squid/password.txt: the file holding the password of the squid user. Because the password is stored in a file, it is not compromised if someone gets hold of the Squid configuration file.
-f "(&(objectclass=person) (sAMAccountname=%u) (memberof=cn=%g,ou=squid,dc=example,dc=com))": the LDAP search filter used to search the directory for matching group memberships. In the filter, %u is replaced by the user name (test) and %g by the requested group name (restricted).
-h 192.168.122.100: the IP address of my domain controller.
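To make the helper protocol concrete, here is a hypothetical external ACL helper written for this article (an added example, not code from the original post or from Squid) that speaks the same "user group" in, "OK"/"ERR" out line protocol as ext_ldap_group_acl. The AD lookup is replaced by a constructed in-memory directory so it runs offline; a real helper would bind to the DC with the squid account instead.

```python
#!/usr/bin/env python3
"""Hypothetical Squid external ACL helper (added example, not Squid's own code).
Reads one "<user> <group>" request per line on stdin, answers "OK" or "ERR"."""
import sys
from urllib.parse import unquote

# Constructed stand-in for the AD lookup: sAMAccountName -> group CNs under
# ou=squid. Group names mirror the ones created earlier in the article.
DIRECTORY = {
    "test": {"restricted"},
    "don": {"nolimit"},
    "tex willer": {"restricted"},   # a name containing a space, as in wbinfo -u
    "squid": set(),
}


def check_line(line, directory=DIRECTORY):
    """Return 'OK' if the user is a member of the requested group, else 'ERR'.

    Squid percent-encodes each field it hands to an external ACL helper (the
    space in "tex willer" arrives as %20), so decode before looking anything
    up. A malformed line gets ERR rather than an exception: a helper that dies
    is restarted by Squid and every request waiting on it stalls meanwhile.
    """
    parts = line.strip().split(" ")
    if len(parts) != 2 or not all(parts):
        return "ERR"
    # sAMAccountName and group CN comparisons in AD are case-insensitive
    user, group = unquote(parts[0]).lower(), unquote(parts[1]).lower()
    groups = directory.get(user)
    if groups is None:
        return "ERR"
    return "OK" if group in groups else "ERR"


def main():
    # Flush after every reply: Squid waits for the newline-terminated answer
    # before the client request that triggered the lookup can proceed.
    for line in sys.stdin:
        sys.stdout.write(check_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Test it exactly as the real helper was tested above: echo "test restricted" | ./helper.py should print OK, and "test nolimit" should print ERR.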
Once we have confirmed that our helpers work, we can add them to the squid.conf file:

vi /etc/squid/squid.conf

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b "dc=example,dc=com" -D "cn=squid,ou=squid,dc=example,dc=com" -W /etc/squid/password.txt -f sAMAccountName=%s -h 192.168.122.100
auth_param basic children 5
auth_param basic realm Please enter user name to access the internet
auth_param basic credentialsttl 1 hour
external_acl_type ldap_group %LOGIN /usr/lib64/squid/ext_ldap_group_acl -R -b "dc=example,dc=com" -D "cn=squid,ou=squid,dc=example,dc=com" -W /etc/squid/password.txt -f "(&(objectclass=person) (sAMAccountname=%u)(memberof=cn=%g,ou=squid,dc=example,dc=com))" -h 192.168.122.100

acl restricted external ldap_group restricted
acl nolimit external ldap_group nolimit
acl allowed_time time T 00:00-12:00
acl blockfiles urlpath_regex -i \.[Ee][Xx][Ee]$

acl rule2 url_regex -i www.ign.com
reply_body_max_size 30 MB allowed_time

http_access allow restricted !rule2 allowed_time !blockfiles
http_access allow nolimit

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern .		0	20%	4320

Let me explain some lines:

visible_hostname squid.example.com simply sets the visible name.

auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b "dc=example,dc=com" -D "cn=squid,ou=squid,dc=example,dc=com" -W /etc/squid/password.txt -f sAMAccountName=%s -h 192.168.122.100

With the line above we instruct Squid to use the basic_ldap_auth helper in order to authenticate against Active Directory.

Anyone who needs Internet access must provide their user name and password, and Squid uses the auth helper to check the credentials.

auth_param basic children 5

tells Squid how many helper processes to start (5 is the default).

auth_param basic realm Please enter user name to access the internet

Sets the custom message shown in the browser's login box.

auth_param basic credentialsttl 30 minutes

Specifies how long Squid assumes an externally validated username:password pair is valid.

external_acl_type ldap_group %LOGIN /usr/lib64/squid/ext_ldap_group_acl -R -b "dc=example,dc=com" -D "cn=squid,ou=squid,dc=example,dc=com" -W /etc/squid/password.txt -f "(&(objectclass=person) (sAMAccountname=%u) (memberof=cn=%g,ou=squid,dc=example,dc=com))" -h 192.168.122.100

An external ACL type named ldap_group (the name is arbitrary), implemented in external helper processes. It tells Squid to pass the username (%LOGIN) and the group to the helper at /usr/lib64/squid/ext_ldap_group_acl, which then responds with either OK or ERR.

acl restricted external ldap_group restricted: creates an ACL named restricted (don't confuse it with the AD group name; it's just a name, you can set any), which uses an external process to evaluate this ACL. That external process is ldap_group, created in the previous step, and the value of this ACL is the AD group restricted (the last value is, in fact, the AD group name). In the same manner I created another ACL named unlimited whose value is the unlimited group (I used the same name for the list and its value for simplicity: acl unlimited external ldap_group unlimited).

acl allowed_time time T 00:00-12:00: ACL named allowed_time which allows/denies browsing at a specific time (Tuesday, 00:00-12:00).
acl blockfiles urlpath_regex -i \.[Ee][Xx][Ee]$: ACL named blockfiles which matches the .exe extension.

acl rule2 url_regex -i http://www.ign.com: ACL named rule2 which matches the site.
reply_body_max_size 30 MB allowed_time: the maximum download size is 30 MB, applied to the previously created ACL allowed_time.

http_access allow restricted !rule2 allowed_time !blockfiles

The rule above permits web access for users in the AD group named restricted on Tuesdays (00:00-12:00), for all sites except http://www.ign.com, limits the download size of any file to 30 MB, and denies downloads of EXE files.
http_access allow nolimit: permits unlimited web access to users in the nolimit AD group.
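The way these http_access lines combine is easy to get wrong, so here is a small model of the page's rule set (an added example written for this article, not part of the original post or of Squid) that evaluates a request the way Squid does: every ACL on a line must match (a leading "!" negates one ACL), and the first matching line decides. Group membership is a constructed dict standing in for the ext_ldap_group_acl answers, and reply_body_max_size is not modelled because it applies to the reply, not the access decision.

```python
import re
from datetime import datetime
from urllib.parse import urlparse

# Constructed stand-in for ext_ldap_group_acl: user -> AD groups (from the article).
GROUPS = {"test": {"restricted"}, "don": {"nolimit"}}


def acl_matches(name, user, url, when):
    """Evaluate one ACL from the page's squid.conf against a single request."""
    if name == "restricted":        # acl restricted external ldap_group restricted
        return "restricted" in GROUPS.get(user, set())
    if name == "nolimit":           # acl nolimit external ldap_group nolimit
        return "nolimit" in GROUPS.get(user, set())
    if name == "allowed_time":      # acl allowed_time time T 00:00-12:00
        return when.weekday() == 1 and when.hour < 12    # weekday() 1 is Tuesday
    if name == "blockfiles":        # acl blockfiles urlpath_regex -i \.[Ee][Xx][Ee]$
        return re.search(r"\.exe$", urlparse(url).path, re.I) is not None
    if name == "rule2":             # acl rule2 url_regex -i www.ign.com
        return re.search(r"www\.ign\.com", url, re.I) is not None
    if name == "all":
        return True
    raise ValueError("unknown acl " + name)


# The page's http_access lines, in order.
RULES = [
    ("allow", ["restricted", "!rule2", "allowed_time", "!blockfiles"]),
    ("allow", ["nolimit"]),
    ("deny", ["all"]),
]


def http_access(user, url, when, rules=RULES):
    """Return 'allow' or 'deny' with Squid's first-match semantics.

    `when` is a constructed "YYYY-MM-DD HH:MM" timestamp. A line matches only if
    every ACL on it matches ('!' negates one ACL). If no line matches, Squid
    applies the opposite of the last line's action, which is why a final
    'http_access deny all' belongs at the end of the list.
    """
    at = datetime.strptime(when, "%Y-%m-%d %H:%M")
    for action, acls in rules:
        if all(acl_matches(a.lstrip("!"), user, url, at) != a.startswith("!")
               for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"
```

2015-07-14 is a Tuesday, so "2015-07-14 09:00" falls inside allowed_time and "2015-07-14 13:00" outside it.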

I customized ERR_ACCESS_DENIED in the /usr/share/squid/errors/en/ folder.

Start the squid service and open port 3128 in the firewall:

systemctl start squid
firewall-cmd --add-port=3128/tcp --permanent
firewall-cmd --reload

Log in to the client computer as a member of the restricted group (test) and set the proxy settings in the browser:


Try to open http://www.ign.com

A login form will pop up.

Enter test as the username (we use the SAM account name) and Passw0rd01 as the password.


You should see the same page if, on Tuesday between 00:00 and 12:00, you try to download any file larger than 30 MB or a file with the EXE extension.

Comments
  1. J says:

    Your Guide doesn’t have sssd.conf which should be required to start the sssd service.

    Thanks


  2. J says:

    Ok, I got it now :

    this should run -> realm join –user=adminitrator@EXAMPLE.COM EXAMPLE.COM

    which will create sssd.conf so that I can run “systemctl start sssd”

    Thanks


  3. Cristian Andrade says:

    Hi,
    This post about squid is great, helpful, and works fine, although I have a problem with the functionality of squid. It works fine for hours, but when more than 4 users are connected it suddenly breaks down. The logs show me something like this:
    ext_ldap_group_acl: WARNING: could not bind to binddn ‘Invalid credentials’
    Then I try to run the /usr/lib64/squid/ext_ldap_group_acl command and it gives me an ERROR with the credentials. After some minutes it comes back working fine again. Could you help me please?


  4. M says:

    Hi,
    I have been trying to find a way to include single sign-on instead of having the pop-up which requires entering username and password. Is this possible?


  5. Mitsos says:

    Hi,

    Great article !!!
    I was wondering is there a way to use groups instead of users in the AD groups?
    For instance instead of adding users on the groups unlimited & restricted is it possible to add other AD groups:

    department1 to be member of restricted whereas bod to be member of unlimited?

    Thanks


  6. ln10474 says:

    Hello,
    all users are allowed to log in, but I want to allow only the t1 group to log on.
