RE: [squid-users] Reverse proxy with LDAP authentication

From: Andrew Struiksma <astruiksma_at_esd189.org>
Date: Thu, 25 Sep 2008 14:36:30 -0700

> -----Original Message-----
> From: Henrik Nordstrom [mailto:henrik_at_henriknordstrom.net]
> Sent: Friday, September 19, 2008 2:31 PM
> To: Andrew Struiksma
> Cc: 'squid-users_at_squid-cache.org'
> Subject: Re: [squid-users] Reverse proxy with LDAP authentication
>
> On Fri, 2008-09-19 at 13:04 -0700, Andrew Struiksma wrote:
> > We have a company intranet server running Apache2 on Debian 4.
> > Currently it is only available on our LAN. We would like to make it
> > available outside our LAN. However, we want users to have to
> > authenticate against our Active Directory when they are coming from
> > the outside. Once they have authenticated, they should have full
> > access to the internal website. Is this something that Squid can do?
>
> Yes, with some limitations.
>
> The limitation is that there is only one authentication slot
> in HTTP, so if the web server also uses HTTP authentication
> then it needs to use the exact same authentication (basic
> authentication to the same password backend), or you need to
> set up a special authentication peering between the two (see
> the login= cache_peer option).
>

I've set up the reverse SSL proxy on Squid 2.7 and it's almost working as needed. I want to accept connections on both port 80 and 443, but I want all the port 80 traffic to be redirected to 443 so that everything is encrypted. The main reason we need everything encrypted is that we are requiring LDAP authentication before Squid will allow access to the site. How can I do this?

Here is the main part of my config:

# plain-HTTP listener; this is the traffic that should be bounced to 443
http_port 80 defaultsite=site.company.org
https_port 443 cert=/etc/ssl/certs/company.org.cert \
        key=/etc/ssl/certs/company.org.key \
        defaultsite=site.company.org

# origin server reached over SSL; DONT_VERIFY_PEER skips checking its certificate
cache_peer site.company.org parent 443 0 no-query \
        originserver ssl sslflags=DONT_VERIFY_PEER name=myAccel
acl our_sites dstdomain site.company.org
acl all src 0.0.0.0/0.0.0.0

# Basic auth against AD; the bind password sits in cleartext in squid.conf
auth_param basic program /usr/lib/squid/ldap_auth \
        -R -b "dc=company,dc=org" -D "cn=squid_user,cn=Users,dc=company,dc=org" \
        -w "password" -f sAMAccountName=%s -h 192.168.1.2
auth_param basic children 5
auth_param basic realm Our Site
auth_param basic credentialsttl 5 minutes

acl ldap_users proxy_auth REQUIRED

# rules are evaluated in order, first match wins
http_access allow ldap_users
# a request that does not match the line above but matches our_sites is still allowed here
http_access allow our_sites
cache_peer_access myAccel allow our_sites

Andrew
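One way to get the port 80 to 443 bounce asked for above, as an added example that is not part of this thread or of Squid's own code: a small url_rewrite_program helper for Squid 2.7, with the matching squid.conf fragment in its docstring. It assumes Squid's rewrite helper protocol (one request line in, one reply line out; an empty reply leaves the URL unchanged, a `302:` prefix makes Squid answer the client with a redirect instead of forwarding), `url_rewrite_concurrency` left at its default of 0 so the first field of each line is the URL, and treats the hostname site.company.org and the helper path /usr/local/bin/https_redirect.py as placeholders. The security point is ordering: Squid runs url_rewrite_program only after http_access has passed the request, so if the proxy_auth ACL is evaluated for port 80 requests the Basic challenge, and the user's password, cross the wire in the clear before any redirect happens. The fragment therefore gates authentication on the HTTPS port, lets port 80 requests through http_access unauthenticated purely so the helper can redirect them, and requires the site ACL and a valid login on the same line so a request with rejected credentials cannot fall through to a later allow.

```python
#!/usr/bin/env python3
"""
Squid 2.7 url_rewrite_program helper (added example, not Squid's code):
answer plain-HTTP requests on the reverse proxy with a 302 to HTTPS.

Matching squid.conf fragment (assumed Squid 2.7 syntax, hostnames and
helper path are placeholders):

    acl port80  myport 80
    acl port443 myport 443
    # challenge for credentials only on the encrypted listener, and
    # require both the site match and a valid login on one line
    http_access allow port443 our_sites ldap_users
    # port 80 passes the access check unauthenticated so that the
    # rewriter below can answer it with a redirect
    http_access allow port80 our_sites
    http_access deny all
    url_rewrite_program /usr/local/bin/https_redirect.py
    url_rewrite_children 5
    # belt and braces: port-80 traffic must never reach the origin
    cache_peer_access myAccel allow port443 our_sites
    cache_peer_access myAccel deny all
"""
import sys
from urllib.parse import urlsplit, urlunsplit

# Hosts this reverse proxy fronts (assumed).  A request for any other
# host is sent to the first entry rather than to whatever Host header
# the client supplied, so the helper cannot be used as an open redirect.
ALLOWED_HOSTS = ("site.company.org",)


def redirect_for(request_line):
    """Return the reply line for one line Squid hands to the helper.

    "" means "leave the URL unchanged"; "302:<url>" makes Squid send the
    client a redirect to <url> instead of contacting the cache_peer.
    Only the first field (the URL) is parsed; Squid's trailing fields
    (client address, ident, method, ...) are ignored.
    """
    fields = request_line.split()
    if not fields:
        return ""
    parts = urlsplit(fields[0])
    if parts.scheme.lower() != "http":
        # Already HTTPS (or not an HTTP URL at all): pass through.
        return ""
    host = parts.hostname or ""      # urlsplit lowercases the hostname
    if host not in ALLOWED_HOSTS:
        host = ALLOWED_HOSTS[0]
    # Rebuild without any explicit port: the HTTPS front end is on 443.
    target = urlunsplit(("https", host, parts.path or "/", parts.query, ""))
    return "302:" + target


def main():
    # Squid writes one request per line and blocks until it reads one
    # reply line, so the reply must be flushed immediately.
    for line in sys.stdin:
        sys.stdout.write(redirect_for(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Make the helper executable and point url_rewrite_program at it; with the fragment above, a port 80 request for the site is never challenged and never forwarded, only bounced to the same path on https://, while anything arriving on 443 still has to present a login that ldap_auth accepts.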
Received on Thu Sep 25 2008 - 21:36:56 MDT

This archive was generated by hypermail 2.2.0 : Fri Sep 26 2008 - 12:00:03 MDT