Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

2020-07-23 Thread Amos Jeffries
On 24/07/20 5:09 am, Service MV wrote:
> Hi Klaus,
> I think something similar. But I understand that you can use the
> Kerberos delegation in AD. That's partly why I'm not convinced by the
> documentation I read, which tells me to create a user account in Active
> Directory. And I don't understand what a user account has to do here.
> Maybe the documentation is wrong and actually refers to a computer
> account, and the operation of adding a Service Principal Name should be
> done to the computer object. I don't know. But I'm going to try to do it
> and see what I can achieve.
> 

Kerberos authentication in HTTP uses the Negotiate scheme. The model for
that scheme is that it authenticates the exact TCP connection over which
the credentials are transmitted.

So for it to work *through* a proxy (eg HAProxy) that proxy must ensure
the *two* TCP connections it is handling (from-client and to-Squid) are
pinned together with all HTTP multiplexing features disabled _and_ the
Proxy-Auth* headers are not touched or used along the way.

 => If either of those conditions is broken the auth will not work and
users will definitely get the behaviour you are seeing. That behaviour
may also occur anyway if later stages are broken - this is just the
first and most non-obvious problem for beginners.


[ below is simplified a bit/lot to ensure you have the basic
understanding. There is a steep learning curve for Kerberos tools and
one needs basics before troubleshooting exposes the gory details ]

The HTTP agent which is doing the Kerberos auth validation (eg Squid)
must be configured with an account that can perform authentication tasks
with the central domain server.
 This can be either a User or a Machine account, as you know. The important
difference is their policy on passwords. User accounts need password
rotation; machines are effectively permanent. Since the keytab used by Squid
has to be re-generated every time the account password changes, User
accounts are naturally far more complex to administrate for reliable auth.

 => So ... your choice and YMMV. But we recommend a machine account
unless you have reason to go the more complex way.


At the other end the client software needs a keytab with a "Principal"
name telling it what to request from the central domain server when it
needs a token that Squid can validate.

 => The principal name has to match up with the account details used by
the proxy which is checking the auth credentials. This is why the middle
proxy (eg HAProxy) cannot touch the authentication on its way to Squid.

 => The principal name is also case-sensitive and must survive
*exact* string comparisons despite DNS resolve being involved [ because
reasons :( ].  So be sure to use the full FQDN rather than host name
abbreviations.



> I'll be back.
> 
> On Thu., 23 Jul. 2020 at 13:16, Klaus Brandl wrote:
> 
> Hi Gabriel,
> 
> same problem here on our HA systems.
> I think this is caused by Kerberos overall: the tickets are always
> bound to the host's real name and address. Look at "klist" on your
> client, and only exactly this name could be used as the proxy entry.


Indeed. Use of wrong names (eg not using the full FQDN), wrong case, or
the hostnames not being DNS resolvable are common causes of Kerberos not
working.


Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
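The two conditions above (client and Squid connections pinned 1:1 with no HTTP multiplexing, Proxy-Auth* headers untouched) applied to the haproxy.conf posted later in this thread, as an added example that is not part of the original post: the poster's `listen squid` section in its HTTP-mode form, beside a TCP-mode form that satisfies both conditions. It reuses the poster's VIP 10.10.8.213 and backends 10.10.8.205/.206; the 1h timeouts are an assumption, and the `mode tcp` line overrides the `mode http` set in the poster's `defaults` section.

```haproxy
# Added example, not from the original thread. Negotiate (Kerberos)
# authenticates the client's TCP connection, so the balancer must map each
# client connection onto exactly one backend connection and must not read
# or rewrite Proxy-Authorization / Proxy-Authenticate. HTTP mode cannot
# promise that; plain TCP passthrough can.

### balancer, weak: HTTP mode breaks the per-connection auth binding
# listen squid
#   bind 10.10.8.213:3128
#   mode http                  # HAProxy parses and re-emits every request
#   option httpclose           # backend connection closed per request
#   cookie SERVERID insert indirect nocache   # rewrites responses
#   option forwardfor header X-Client         # edits request headers
#   balance source
#   server proxy1 10.10.8.205:3128 check inter 2000 rise 2 fall 5
#   server proxy2 10.10.8.206:3128 check inter 2000 rise 2 fall 5

### balancer, corrected: TCP passthrough, one client socket = one Squid socket
listen squid
  bind 10.10.8.213:3128
  mode tcp                     # bytes in, bytes out; headers never touched
  option tcplog
  balance source               # same client IP -> same Squid; the keytab/SPN
  hash-type consistent         # must still be valid on both proxies
  timeout client 1h            # assumption: long-lived proxy/CONNECT sessions
  timeout server 1h
  server proxy1 10.10.8.205:3128 check inter 2000 rise 2 fall 5
  server proxy2 10.10.8.206:3128 check inter 2000 rise 2 fall 5
```

Because TCP mode leaves the request untouched, HAProxy cannot add X-Forwarded-For here; if Squid's access.log must show the real client address, HAProxy's `send-proxy` on the server lines together with Squid's `require-proxy-header` option on `http_port` (and a `proxy_protocol_access` rule for the balancer's address) carries it instead.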


Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

2020-07-23 Thread Brett Lymn
On Thu, Jul 23, 2020 at 06:07:39PM +0200, Klaus Brandl wrote:
> 
> But if anyone knows a solution, I will spread my ears :)
> 

What we do is:

1) create a user account in AD that will be used for the HA front end,
set a password and export the keytab for this user
2) Use ktadmin to import the keytab entries for the user created in step
1 into the keytab for squid on the squid servers.
3) Set a SPN (setspn) in AD that maps HTTP://ha.fqdn.address to the user
created in 1

The SPN (service principal name) tells Kerberos to use the user details
set up in step 1 to authenticate HTTP requests.  This works for us, and has
been for years.

One thing: if you want to know the IP addresses of your clients in the
squid logs you will need to do some extra stuff, because all accesses
will appear to come from the HA load balancer.  We have configured our
load balancers to insert the X-Forwarded-For header into the HTTP
traffic and then modified the logging to log both the load balancer and
client IP.

-- 
Brett Lymn


Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

2020-07-23 Thread Service MV
Hi Klaus,
I think something similar. But I understand that you can use the Kerberos
delegation in AD. That's partly why I'm not convinced by the documentation
I read, which tells me to create a user account in Active Directory. And I
don't understand what a user account has to do here. Maybe the
documentation is wrong and actually refers to a computer account, and the
operation of adding a Service Principal Name should be done to the computer
object. I don't know. But I'm going to try to do it and see what I can
achieve.

I'll be back.

On Thu., 23 Jul. 2020 at 13:16, Klaus Brandl (klaus_bra...@genua.de) wrote:

> Hi Gabriel,
>
> same problem here on our HA systems.
> I think this is caused by Kerberos overall: the tickets are always
> bound to the host's real name and address. Look at "klist" on your
> client, and only exactly this name could be used as the proxy entry.
>
> But if anyone knows a solution, I will spread my ears :)
>
> Klaus
>


Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

2020-07-23 Thread Klaus Brandl
Hi Gabriel,

same problem here on our HA systems.
I think this is caused by Kerberos overall: the tickets are always bound to
the host's real name and address. Look at "klist" on your client, and only
exactly this name could be used as the proxy entry.

But if anyone knows a solution, I will spread my ears :)

Klaus



Re: [squid-users] Squid and multipart form decode

2020-07-23 Thread Ryan Le
Thanks,

I have been looking at the squid debug and can see that it is getting the
multipart.

POST http://bb.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://b.com
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---328901485836611227811186534509
Content-Length: 1245
Origin: http://b.com
Cookie: cookie
Host: bbb.com
Via: ICAP/1.0

4dd
-328901485836611227811186534509
Content-Disposition: form-data; name="action"

frm_submit_dropzone
-328901485836611227811186534509
Content-Disposition: form-data; name="field_id"

8
-328901485836611227811186534509
Content-Disposition: form-data; name="form_id"

5
-328901485836611227811186534509
Content-Disposition: form-data; name="nonce"

e1aca92777
-328901485836611227811186534509
Content-Disposition: form-data; name="file8"; filename="translate.zip"
Content-Type: application/x-zip-compressed

On Thu, Jul 23, 2020 at 11:16 AM Alex Rousskov <rouss...@measurement-factory.com> wrote:

> On 7/23/20 9:22 AM, Ryan Le wrote:
> > I have been trying to configure squid to decode and send multipart form
> > data to another service. Is there an acl or build parameter needed for
> > multipart form data support?
>
> No, there is no need to allow any specific Content-Type, including
> multipart. Squid does not know anything about multipart/form-data. If a
> multipart/form-data message is well-formed from HTTP point of view, then
> Squid will process it as any other message, including passing it to
> ICAP/eCAP (where configured).
>
> Cheers,
>
> Alex.
>


[squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

2020-07-23 Thread Service MV
Hi, everybody.
I have a SQUID 4.11 compiled on Debian 9.8 with Kerberos integration,
authenticating and browsing without problems:
cache.log
squid_kerb_auth: User some.user authenticated
access.log
10.10.10.203 TCP_TUNNEL/200 5264 CONNECT update.googleapis.com:443 some.user HIER_DIRECT/172.217.162.3 -

The problem starts when I try to configure a HAProxy 1.8 load balancer, for
which, for redundancy, I configured a virtual IP with the keepalived service.
When I point my browser to the DNS A record (balancer.mydomain.local), which
in turn points to the keepalived virtual IP, the authentication stops
working:
cache.log
no records
access.log
10.10.8.207 TCP_DENIED/407 4142 CONNECT update.googleapis.com:443 - HIER_NONE/- text/

In the client browser a prompt appears requesting authentication.

I find it strange that the IP registered by SQUID is 10.10.8.207, which is
the physical IP of my VM, instead of the virtual IP configured in HAProxy,
which is the IP 10.10.8.213.

I send you all the configurations that I have made to see if you can help
me to find where my configuration error is.

keepalived.conf
global_defs {
  notification_email {
    some.user@mydomain.local
  }
  notification_email_from balancer1@mydomain.local
  smtp_server smtp.mydomain.local
  smtp_connect_timeout 60
}

vrrp_instance VI_1 {
  state MASTER
  interface eth0
  virtual_router_id 101
  priority 101
  advert_int 1
  authentication {
    auth_type PASS
    auth_pass somepass123
  }
  virtual_ipaddress {
    10.10.8.213
  }
}


haproxy.conf
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
maxconn 4000
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
server=haproxy
ssl-default-bind-ciphers
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3

defaults
balance source
log global
mode http
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
timeout connect 5000
timeout client 5
timeout server 5

errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

### statistics
listen stats
bind 10.10.8.213:1936
mode http
stats enable
stats hide-version
stats realm Haproxy\ Statistics
stats uri /haproxy?stats
stats auth haproxy:somepass123

### balancer
listen squid
bind 10.10.8.213:3128
  mode http
  option httplog
  balance source
  hash-type consistent
  option httpclose
  cookie SERVERID insert indirect nocache
  option forwardfor header X-Client
  server proxy1 10.10.8.205:3128 check inter 2000 rise 2 fall 5
  server proxy2 10.10.8.206:3128 check inter 2000 rise 2 fall 5


squid.conf
# minimal configuration for testing
visible_hostname proxy1.mydomain.local
http_port 3128
debug_options ALL,1 33,2 28,9
maximum_object_size 8192 KB
error_directory /opt/squid411/share/errors/es-ar
shutdown_lifetime 0 seconds
forwarded_for on
auth_param negotiate program /usr/local/bin/squid_kerb_auth -i -r -s GSS_C_NO_NAME
auth_param negotiate children 300 startup=150 idle=10
auth_param negotiate keep_alive on
acl auth proxy_auth REQUIRED
http_access allow auth
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all


squid -v
Squid Cache: Version 4.11
Service Name: squid

This binary uses OpenSSL 1.0.2u  20 Dec 2019. For legal restrictions on
distribution see https://www.openssl.org/source/license.html

configure options:  '--prefix=/opt/squid411' '--includedir=/include'
'--mandir=/share/man' '--infodir=/share/info'
'--localstatedir=/opt/squid411/var' '--disable-maintainer-mode'
'--disable-dependency-tracking' '--disable-silent-rules' '--enable-inline'
'--enable-async-io' '--enable-storeio=ufs,aufs,diskd'
'--enable-removal-policies=lru,heap' '--enable-delay-pools'
'--enable-cache-digests' '--enable-underscores' '--enable-icap-client'
'--enable-follow-x-forwarded-for' '--enable-auth'
'--enable-digest-auth-helpers' '--enable-negotiate-auth-helpers'
'--enable-auth-ntlm' '--enable-arp-acl' '--enable-esi' '--disable-translation'
'--with-logdir=/var/log/squid411' '--with-pidfile=/var/run/squid411.pid'
'--with-filedescriptors=65536' '--with-large-files'
'--with-default-user=proxy' '--enable-linux-netfilter'
'--enable-ltdl-convenience' '--with-openssl' '--enable-ssl'
'--enable-ssl-crtd'


env
KRB5_KTNAME=/opt/squid411/etc/PROXY.keytab
KRB5RCACHETYPE=none


/etc/krb5.conf
[libdefaults]
default_realm = MYDOMAIN.LOCAL
dns_lookup_kdc = yes
dns_lookup_realm = yes
ticket_lifetime = 24h

 

Re: [squid-users] Squid and multipart form decode

2020-07-23 Thread Alex Rousskov
On 7/23/20 9:22 AM, Ryan Le wrote:
> I have been trying to configure squid to decode and send multipart form
> data to another service. Is there an acl or build parameter needed for
> multipart form data support?

No, there is no need to allow any specific Content-Type, including
multipart. Squid does not know anything about multipart/form-data. If a
multipart/form-data message is well-formed from HTTP point of view, then
Squid will process it as any other message, including passing it to
ICAP/eCAP (where configured).

Cheers,

Alex.


Re: [squid-users] Squid and multipart form decode

2020-07-23 Thread Antony Stone
On Thursday 23 July 2020 at 15:33:01, Ryan Le wrote:

> Sorry, not decode; just parse, to send headers to ICAP as well.

Aha, icap - sorry, I can't help you there, but I'm pretty sure there are 
others here who have used it.

> On Thu, Jul 23, 2020 at 9:27 AM Antony Stone wrote:
> > On Thursday 23 July 2020 at 15:22:56, Ryan Le wrote:
> > > I have been trying to configure squid to decode and send multipart form
> > > data to another service.
> > 
> > What do you mean by "decode"?
> > 
> > > Is there an acl or build parameter needed for multipart form data
> > > support?
> > 
> > No; Squid sends on what it gets from the client.

Antony.

-- 
I bought a book on memory techniques, but I've forgotten where I put it.

Please reply to the list; please *don't* CC me.


Re: [squid-users] Squid and multipart form decode

2020-07-23 Thread Ryan Le
Sorry, not decode; just parse, to send headers to ICAP as well.

On Thu, Jul 23, 2020 at 9:27 AM Antony Stone <antony.st...@squid.open.source.it> wrote:

> On Thursday 23 July 2020 at 15:22:56, Ryan Le wrote:
>
> > I have been trying to configure squid to decode and send multipart form
> > data to another service.
>
> What do you mean by "decode"?
>
> > Is there an acl or build parameter needed for multipart form data
> support?
>
> No; Squid sends on what it gets from the client.
>
>
> Antony.
>


Re: [squid-users] Squid and multipart form decode

2020-07-23 Thread Antony Stone
On Thursday 23 July 2020 at 15:22:56, Ryan Le wrote:

> I have been trying to configure squid to decode and send multipart form
> data to another service.

What do you mean by "decode"?

> Is there an acl or build parameter needed for multipart form data support?

No; Squid sends on what it gets from the client.


Antony.

-- 
The next sentence is untrue.
The previous sentence is true.

Please reply to the list; please *don't* CC me.


[squid-users] Squid and multipart form decode

2020-07-23 Thread Ryan Le
I have been trying to configure squid to decode and send multipart form
data to another service. Is there an acl or build parameter needed for
multipart form data support?

Thanks,
Ryan


Re: [squid-users] Not working: http://www.squid-cache.org/cgi-bin/swish-query.cgi

2020-07-23 Thread Francesco Chemolli
Hi,
  unfortunately not. You can use Google search to search through the
archives.

On Thu, Jul 23, 2020 at 3:47 AM David A. Gershman wrote:

> Hello,
>
> The mailing list site
>
> http://www.squid-cache.org/Support/mailing-lists.html
>
> states a search engine is available at
>
> http://www.squid-cache.org/cgi-bin/swish-query.cgi
>
> However, going here results in a 404 not found.  Is there another search
> engine?
>
> --David


-- 
Francesco