Re: Problem with HAProxy + Squid 4.11 + Kerberos authentication

["Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>]

Hi

 

 

Maybe some general comments about LB, CNAMEs and Squid Kerberos will help.  The kerberos client will try to request a ticket based on the used hostname. e.g. if you configure in your browser the proxy name as  ha-proxy.slb.example.com then the client will look for a serviceprincipal of HTTP/ha-proxy.slb.example.com. If this is a Cname then you may have browser dependencies e.g.

 

  ha-proxy.slb.example.com CNAME HA-server1.real.example.com

 

Some browsers will use HTTP/ha-proxy.slb.example.com  and some will use HTTP/HA-server1.real.example.com 

 

Now if your squid server name is squid1.real.example.com you will have probably only HTTP/squid1.real.example.com  in your keytab. 

 

 

There are now 2 Options:

 

1 ) Create one entry in AD for all squid servers  i.e. the AD entry will have at least number of servers + 2  service principals associated to it, extract the key to a keytab and use the option –s GSS_C_NO_NAME with the negotiate_kerberos_auth helper

     .e.g HTTP/squid1.real.example.com , HTTP/squid2.real.example.com , HTTP/HA-server1.real.example.com  ,  HTTP/ha-proxy.slb.example.com 

2) Create separate entries in AD for each squid server, the LB and the CNAMEs and then merge the keys into one keytab to be used on all squid servers.

 

Kind Regards

Markus

 

 

 

"L.P.H. van Belle" <belle@xxxxxxxxx> wrote in message news:vmime.5f1aa165.2c44.7eb4bc368baef35@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...

forgot 1 thing. (sorry)
#

adduser proxyuser winbind_priv

or things might not work.

 

---

Van: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] Namens L.P.H. van Belle
Verzonden: vrijdag 24 juli 2020 10:46
Aan: squid-users@xxxxxxxxxxxxxxxxxxxxx
Onderwerp: Re: Problem with HAProxy + Squid 4.11 + Kerberos authentication

i would recommend to ..

1) use debian buster,

2) use squid 4.12

3) use samba (winbind).

 

needed  in smb.conf ( only shown whats really needed ), there is more offcourse.

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

 

    # renew the kerberos ticket
    winbind refresh tickets = yes

    # Added for freeradius support
    #ntlm auth = mschapv2-and-ntlmv2-only

apt install winbind krb5-user should be sufficient.

samba joins the domain.
/etc/krb5.keytab contains the default part and refreshed the server kerberos passworks/tickes.

And for squid its keytab.

kinit Administrator
export KRB5_KTNAME=FILE:/etc/squid/HTTP-$(hostname -s).keytab
net ads keytab add_update_ads HTTP/$(hostname -f) -U Administrator

# alias name to keytab
net ads keytab ADD HTTP/CNAME.FQDN

# check keytab file.
klist -ke /etc/squid/HTTP-$(hostname -s).keytab
unset KRB5_KTNAME

# set rights.
chgrp proxy /etc/squid/HTTP-$(hostname -s).keytab
chmod g+r /etc/squid/HTTP-$(hostname -s).keytab

And i use  in squid
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/HTTP-hostname.keytab \
    -s HTTP/hostname.fqdn@REALM -s HTTP/CNAME.FQDN@REALM
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM

Point to think about.

server IP's needs A + PTR
use CNAMEs in the DNS.
and make sure the resolving is setup correctly.

Add a caching DNS to the proxy. ( and let squid use it also )

I had this working (without HAproxy) but with keepalived.

As far i can tel, your problem is in how the hostnames and ip are used.
but above might give you ideas.

Greetz,

Louis

 

---

Van: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] Namens Service MV
Verzonden: donderdag 23 juli 2020 17:36
Aan: squid-users@xxxxxxxxxxxxxxxxxxxxx
Onderwerp: Problem with HAProxy + Squid 4.11 + Kerberos authentication

Hi, everybody.
I have a SQUID 4.11 compiled on Debian 9.8 with kerberos integration authenticating and browsing without problems:
cache.log
squid_kerb_auth: User some.user authenticated
access.log
10.10.10.203 TCP_TUNNEL/200 5264 CONNECT update.googleapis.com:443 some.user HIER_DIRECT/MailScanner warning: numerical links are often malicious: MailScanner warning: numerical links are often malicious: MailScanner warning: numerical links are often malicious: MailScanner warning: numerical links are often malicious: 172.217.162.3 -

The problem starts when I try to configure a HAProxy 1.8 load balancer to which by redundancy I configured a virtual IP with the keepalived service. When I point my browser to the DNS A record (balancer.mydomain.local) which in turn points to the keepalived virtual IP, the authentication stops working:
cache.log

no records
access.log
10.10.8.207 TCP_DENIED/407 4142 CONNECT update.googleapis.com:443 - HIER_NONE/- text/

 

In the client browser a prompt appears requesting authentication.

I find it strange that the IP registered by SQUID is 10.10.8.207, which is the physical IP of my VM, instead of the virtual IP configured in HAProxy, which is the IP 10.10.8.213.

I send you all the configurations that I have made to see if you can help me to find where my configuration error is.

keepalived.conf

  global_defs {
     notification_email {
       some.user@mydomain.local
     }
     notification_email_from balancer1@mydomain.local
     smtp_server smtp. mydomain.local
     smtp_connect_timeout 60
  }

  vrrp_instance VI_1 {
      state MASTER
      interface eth0
      virtual_router_id 101
      priority 101
      advert_int 1
      authentication {
          auth_type PASS
          auth_pass somepass123
      }
      virtual_ipaddress {
          10.10.8.213
      }
  }

 

haproxy.conf

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
maxconn 4000
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
server=haproxy
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3

defaults
balance source
log global
mode http
option httplog
option dontlognull
option http-server-close
option forwardfor except MailScanner warning: numerical links are often malicious: MailScanner warning: numerical links are often malicious: MailScanner warning: numerical links are often malicious: MailScanner warning: numerical links are often malicious: 127.0.0.0/8
timeout connect 5000
timeout client 50000
timeout server 50000

errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

### statistics
listen stats
bind MailScanner warning: numerical links are often malicious: MailScanner warning: numerical links are often malicious: MailScanner warning: numerical links are often malicious: MailScanner warning: numerical links are often malicious: 10.10.8.213:1936
mode http
stats enable
stats hide-version
stats realm Haproxy\ Statistics
stats uri /haproxy?stats
stats auth haproxy:somepass123

### balancer
listen squid
bind MailScanner warning: numerical links are often malicious: MailScanner warning: numerical links are often malicious: MailScanner warning: numerical links are often malicious: MailScanner warning: numerical links are often malicious: 10.10.8.213:3128
  mode http
  option httplog
  balance source
  hash-type consistent
  option httpclose
  cookie SERVERID insert indirect nocache
  option forwardfor header X-Client
  server proxy1 MailScanner warning: numerical links are often malicious: MailScanner warning: numerical links are often malicious: MailScanner warning: numerical links are often malicious: MailScanner warning: numerical links are often malicious: 10.10.8.205:3128 check inter 2000 rise 2 fall 5

  server proxy2 MailScanner warning: numerical links are often malicious: MailScanner warning: numerical links are often malicious: MailScanner warning: numerical links are often malicious: MailScanner warning: numerical links are often malicious: 10.10.8.206:3128 check inter 2000 rise 2 fall 5

 

 

squid.conf

# minimal configuration for testing

visible_hostname proxy1.mydomain.local
http_port 3128
debug_options ALL, 1 33, 2 28, 9
maximum_object_size 8192 KB
error_directory /opt/squid411/share/errors/es-ar
shutdown_lifetime 0 seconds
forwarded_for on
auth_param negotiate program /usr/local/bin/squid_kerb_auth -i -r -s GSS_C_NO_NAME
auth_param negotiate children 300 startup=150 idle=10
auth_param negotiate keep_alive on
acl auth proxy_auth REQUIRED
http_access allow auth
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all

 

 

squid -v

Squid Cache: Version 4.11
Service Name: squid

This binary uses OpenSSL 1.0.2u  20 Dec 2019. For legal restrictions on distribution see https://www.openssl.org/source/license.html

configure options:  '--prefix=/opt/squid411' '--includedir=/include' '--mandir=/share/man' '--infodir=/share/info' '--localstatedir=/opt/squid411/var' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--enable-inline' '--enable-async-io' '--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-digest-auth-helpers' '--enable-negotiate-auth-helpers' '--enable-auth-ntlm' '--enable-arp-acl' '--enable-esi--disable-translation' '--with-logdir=/var/log/squid411' '--with-pidfile=/var/run/squid411.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' '--enable-ltdl-convenience' '--with-openssl' '--enable-ssl' '--enable-ssl-crtd'

 

 

env

KRB5_KTNAME=/opt/squid411/etc/PROXY.keytab
KRB5RCACHETYPE=none

 

 

/etc/krb5.conf

[libdefaults]
    default_realm = MYDOMAIN.LOCAL
    dns_lookup_kdc = yes
    dns_lookup_realm = yes
    ticket_lifetime = 24h

        default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
    MYDOMAIN.LOCAL = {
        kdc = s-dc00.mydomain.local
        kdc = s-dc01.mydomain.local
        kdc = s-dc02.mydomain.local
        admin_server = s-dc00.mydomain.local
    }

[domain_realm]
    .mydomain.local = MYDOMAIN.LOCAL
    mydomain.local = MYDOMAIN.LOCAL

 

 

msktutil -c -b "OU=SERVIDORES" -s HTTP/debian-proxy.mydomain.local -k /opt/squid411/etc/PROXY.keytab --computer-name DEBIAN-PROXY --upn HTTP/debian-proxy.mydomain.local --server s-dc00.mydomain.local --verbose --enctypes 28

 

 

# permissions for kaytab file

chgrp proxy /opt/squid411/etc/PROXY.keytab
chmod g+r /opt/squid411/etc/PROXY.keytab

 

 

klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: some.user@MYDOMAIN.LOCAL

Valid starting       Expires              Service principal
07/23/2020 11:59:45  07/23/2020 21:59:45  krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
        renew until 07/24/2020 11:59:40

 

 

One thing I didn't quite understand is the procedure to authenticate from HAProxy. According to the documentation I read, I did the following:

I created a DNS A record and its PTR in my DNS server pointing to the virtual IP of the keepalived (10.10.8.213) in the HAProxy.
Then I created a "HTTP_inet" user account in Active Directory.
Then on my domain controller, in a CMD with administrator permissions, I ran:
setspn -S HTTP/inet.mydomain.local HTTP_inet
setspn -S HTTP/inet HTTP_inet
In both cases the message was: object updated.
Then in my SQUID servers, I executed:
kinit HTTP_inet@MYDOMAIN.LOCAL
It asks for the user's password.
Start the ktutil tool
That's where I write:
addent -password -p HTTP/inet.mydomain.local -k 2 -e rc4-hmac

Ask the user password
addent -password -p HTTP/inet -k 2 -e rc4-hmac

Ask the user password
wkt /opt/squid411/etc/PROXY.keytab
quit

list the keys in keytab:
ktutil
read_kt /opt/squid411/etc/PROXY.keytab
   1 1 DEBIAN-PROXY$@MYDOMAIN.LOCAL
   2 1 DEBIAN-PROXY$@MYDOMAIN.LOCAL
   3 1 DEBIAN-PROXY$@MYDOMAIN.LOCAL
   4 1 HTTP/debian-proxy.mydomain.local@MYDOMAIN.LOCAL
   5 1 HTTP/debian-proxy.mydomain.local@MYDOMAIN.LOCAL
   6 1 HTTP/debian-proxy.mydomain.local@MYDOMAIN.LOCAL
   7 1 host/DEBIAN-PROXY@MYDOMAIN.LOCAL
   8 1 host/DEBIAN-PROXY@MYDOMAIN.LOCAL
   9 1 host/DEBIAN-PROXY@MYDOMAIN.LOCAL
  10 1 host/debian-proxy.mydomain.local@MYDOMAIN.LOCAL
  11 1 host/debian-proxy.mydomain.local@MYDOMAIN.LOCAL
  12 1 host/debian-proxy.mydomain.local@MYDOMAIN.LOCAL
  13 2 HTTP/inet.mydomain.local@MYDOMAIN.LOCAL
  14 2 HTTP/inet@MYDOMAIN.LOCAL

It's this last part I understand the least, maybe the mistake is there. Or somewhere else.
I appreciate any help you can offer me.

Best regards,

Gabriel

 

---

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users