Squid Proxy Server Configuration With Active Directory (LDAP) Authentication
In this
article we discuss about how to configure squid proxy server with windows
Active Directory (LDAP) authentication. After configure squid using below steps
all proxy clients requires AD username and password for internet access.
For Squid
server installation steps click on How to install squid proxy server
Note – All commands are tested on CentOS 7
Squid Configuration with LDAP Authentication
1. Log in to your CentOS server with root permission and edit “squid.conf”
file using vi editor command below,
vi
/etc/squid/squid.conf
|
2. Enter below line at the beginning of the configuration file
auth_param
basic program /usr/lib64/squid/basic_ldap_auth -P -R -b "dc=yourdomainname,dc=com"
-D "cn=domainusername,cn=Users,dc=d,dc=com" -w
"password" -f sAMAccountName=%s -h 192.168.1.1
|
Note: Enter syntax in single line
In
first part of the syntax we define authentication param and call plugin to
support authentication where “/usr/lib64/squid/basic_ldap_auth” is default
plugin path for 64bit servers if its 32bit path should be “/usr/lib/squid/basic_ldap_auth” like this.
Next
part you have to enter the your domain controller (active directory server)
details where
“dc – yourdomaincontroller name”
“cn – your
ldap administrative username”
“-w
- your ldap administrative user password”
“-h – IP address of your ldap server”
3. Enter the below
line after step 2
auth_param
basic children 5
auth_param
basic realm proxyserver
auth_param
basic credentialsttl 1 hour
|
“auth_param
basic children” is the number of basic authentication helper processes squid
uses.
“auth_param
basic realm” here you can enter which every string(name) you want to display in
authentication box. Here we use proxyserver so authentication box showing the
name proxyserver.
“auth_param
basic credentialsttl 1 hour” is used to reduce authentication process load, by
using credentialsttl squid cache successful authentication for 1 hour (as per
our example). If any changes happen in
authentication server squid may not notice the change until ttl expiries.
4. Now move the
line below “# Example rule allowing access from your local networks.” in squid
config
By default
there are number possible networks in squid config like
#acl localnet
src 10.0.0.0/8
#acl
localnet src 172.16.0.0/12
#acl
localnet src 192.168.0.0/16
Enable
network which you want to give internet access through proxy by removing “#”
with authentication parameters. In this example we use 192.168.0.0/16
Below syntax
enable authentication for possible networks. In this example we use ldap
authentication so whenever a request from 192.168.0.0/16 series proxy will ask
for ldap username/password.
acl
localnet proxy_auth REQUIRED src 192.168.0.0/16
|
“acl” –
Access control List
“localnet” –
name of acl which we allow/denied access in next step.
“proxy_auth
REQUIRED” – Using this syntax a request coming from 192.168.0.0/16 network
proxy always ask for authentication.
“src” –
network source list
5. Now move to
line below “# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS”
Here we will
decide whether we have to allow or deny access to acl’s which we enter in step
4. Syntax below,
http_access
allow localnet
|
Above syntax
will allow access to localnet (acl name entered in step4). If syntax is like
below
http_access
deny localnet
|
then
it will deny request from localnet.
6. Squid uses
default port 3128 you can change that to any port as you wish. For changing go
to line below “# Squid normally listens to port 3128” Syntax below,
http_port
8080
|
Now squid listen to port 8080 as per above syntax.
1.
Default log file path “/var/log/squid/access.log” you can customize
log file path and log name as well, syntax below
access_log
/var/log/squid/squidaccess.log
|
Squid log name change to “squidaccess.log” as per above syntax.
After
making above changes in squid.conf save file and exit vi editor using “:wq”.
Now you test the proxy server is working or
not, open your browser(chrome) go to settings à show
advance settingànetworkàchange proxy
settingsàlansettingsàenter your
proxy server IP address and port number under Proxy Server and click Ok refresh
your browser it will ask for proxy authentication. Screenshot below,
Your
proxy server is ready with LDAP authentication.
Any
doubts and query feel free to post it on comment section.
For
proxy server with MySQL authentication click on Squid Proxy ServerConfiguration with MySQL Authentication.
SHARE!!!!!
COMMENT!!!!! SUBSCRIBE!!!!!!
Big thumbs up for making such a wonderful blog with great content.
ReplyDeletecloud computing training in chennai
cloud computing training
Useful blog.
ReplyDeleteCloud computing courses in Chennai | Cloud Training in Chennai
Thanks for taking the time to discuss that, I feel strongly about this and so really like getting to know more on this kind of field. Do you mind updating your blog post with additional insight? It should be really useful for all of us. privacy online
ReplyDeleteI have used a lot of juicers in the past and I created this blog to help juice lovers make the right decision in choosing the type of juicer that best fit their needs. There are several good masticating juicers to choose from. prywatnoscwsieci
ReplyDeleteYou make so many great points here that I read your article a couple of times. Your views are in accordance with my own for the most part. This is great content for your readers. weneedprivacy
ReplyDeleteThere are a lot of blogs and articles out there on this topic, but you have acquired another side of the subject. This is reliable content thank you for sharing it. internetprivatsphare
ReplyDeleteGreat Job! Really a valuable resource for those looking for SQUID-AD Integration/Authentication....How to read currently logged-in credentials automatically, skip asking proxy authentication window?
ReplyDelete