Free proxy server for enterprise with domain authorization


pfSense + Squid with HTTPS filtering and single sign-on (SSO) with Active Directory group filtering

Brief background

The company needed a proxy server that could filter access to sites (including HTTPS sites) by AD groups, so that users do not have to enter any additional passwords, and that could be administered from a web interface. A nice set of requirements, isn't it?

The correct answer would be to buy a solution such as Kerio Control or UserGate, but, as always, there is no money, yet there is a need.

This is where good old Squid comes to the rescue, but again: where do I get a web interface? SAMS2? Obsolete. This is where pfSense comes in.

Description

This article describes how to configure the Squid proxy server.
Kerberos will be used to authenticate users.
SquidGuard will be used to filter by domain groups.

LightSquid, sqstat and pfSense's built-in monitoring will be used for monitoring.
It will also solve a common problem that comes with single sign-on (SSO): applications that try to reach the Internet under the computer's system account rather than the user's.

Preparing to install Squid

pfSense is taken as the basis (follow its installation instructions).

Inside it we set up authentication on the firewall itself using domain accounts (there are instructions for this as well).

Very important!

Before you start installing Squid, you need to configure the DNS server in pfSense, create an A record and a PTR record for it on our DNS server, and configure NTP so that its time does not differ from the time on the domain controller.

On your network, make sure the WAN interface of pfSense can reach the Internet and that users on the local network can connect to the LAN interface, including on ports 7445 and 3128 (8080 in my case).

All ready? Is the LDAP connection to the domain for authorization on pfSense established, and is the time synchronized? Great. It's time to start the main process.

Installation and pre-configuration

Squid, SquidGuard and LightSquid will be installed from the pfSense package manager in the "System / Package Manager" section.

After a successful installation, go to "Services / Squid Proxy Server" and first of all configure caching in the Local Cache tab. I set everything to 0, because I don't see much point in caching sites; browsers do a fine job of that. After setting it, press the "Save" button at the bottom of the screen, and this will let us make the basic proxy settings.

The main settings are as follows:


The default port is 3128, but I prefer to use 8080.

The interfaces selected in the Proxy Interface tab determine which interfaces our proxy server will listen on. Since this firewall is built so that it looks at the Internet through the WAN interface, even though LAN and WAN can be on the same local subnet, I recommend using LAN for the proxy.

Loopback is needed for sqstat to work.

Below you will find the Transparent proxy settings and the SSL Filter. We don't need them: our proxy will not be transparent, and for HTTPS filtering we will not replace the certificate (we have document workflow systems, bank clients and so on); we will only look at the TLS handshake.

At this stage we go to our domain controller and create an authentication account in it (you can also use the one that was configured for authentication on pfSense itself). One very important factor: if you intend to use AES128 or AES256 encryption, tick the corresponding boxes in the account settings.

If your domain is a very complex forest with a large number of directories, or your domain is .local, then it is POSSIBLE, though not certain, that you will have to use a simple password for this account. The bug is known: with a complex password it may simply not work, so you need to check it in each specific case.


After that we create a key file (keytab) for Kerberos: open a command prompt with administrator rights on the domain controller and enter:

# ktpass -princ HTTP/[email protected] -mapuser pfsense -pass 3EYldza1sR -crypto {DES-CBC-CRC|DES-CBC-MD5|RC4-HMAC-NT|AES256-SHA1|AES128-SHA1|All} -ptype KRB5_NT_PRINCIPAL -out C:\keytabs\PROXY.keytab

Here the principal is HTTP/ followed by the FQDN of our pfSense (be sure to respect the case), in -mapuser we enter our domain account and in -pass its password, in -crypto we select the encryption method (I used RC4 in production), and in -out we choose where the finished key file will be written.
After the key file has been created, we transfer it to our pfSense. I used Far for this, but you can also do it from the command line, with putty, or through the pfSense web interface in the "Diagnostics / Command Line" section.

Now we can edit (or create) /etc/krb5.conf, in which /etc/krb5.keytab is the key file we created.

Be sure to check that Kerberos works using kinit; if it does not, there is no point in reading further.
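Before reaching for kinit it is worth confirming what the keytab actually contains: the service principal, whose case must match the FQDN exactly, and the encryption type chosen with -crypto. The script below is an added example, not code from the article: it builds a constructed one-entry keytab in the MIT 0x0502 format and parses it back, roughly the way klist -kt would list it, then flags the two classic ktpass mistakes (a case-only difference in the principal, an enctype the account is not allowed to use). The principal HTTP/pfsense.domain.local@DOMAIN.LOCAL, the kvno and the key bytes are assumptions made up for the sample.

```python
import struct

# Kerberos enctype numbers (RFC 3961 registry) that ktpass -crypto can emit
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac (RC4-HMAC-NT)",
}
KRB5_NT_PRINCIPAL = 1  # the -ptype used in the article

# Constructed sample values; the real principal is HTTP/<pfSense FQDN>@<REALM>
SAMPLE_PRINCIPAL = "HTTP/pfsense.domain.local@DOMAIN.LOCAL"
SAMPLE_KEY = bytes(range(16))  # 16 constructed bytes standing in for an RC4-HMAC key


def _counted(data: bytes) -> bytes:
    """Encode a counted octet string: big-endian uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(blob: bytes, pos: int) -> tuple:
    """Decode a counted octet string at pos; return (bytes, new position)."""
    (n,) = struct.unpack_from(">H", blob, pos)
    return blob[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(principal: str, enctype: int, key: bytes, kvno: int = 3) -> bytes:
    """Build a one-entry keytab in MIT format 0x0502 (used only to construct sample input)."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    # name type, timestamp (0 in the sample), 8-bit key version number
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)  # optional 32-bit kvno, written by modern tools
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def parse_keytab(blob: bytes) -> list:
    """Return one dict per entry: principal, enctype, kvno, key length (never the key itself)."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version-2 (0x0502) MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:  # a negative size marks a deleted slot of that length
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _read_counted(blob, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(blob, pos)
            comps.append(comp.decode())
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", blob, pos)
        key, pos = _read_counted(blob, pos + 2)
        kvno = vno8
        if end - pos >= 4:  # the 32-bit kvno, when present, overrides vno8
            (kvno,) = struct.unpack_from(">I", blob, pos)
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, f"unknown({enctype})"),
            "kvno": kvno,
            "key_len": len(key),
        })
    return entries


def keytab_problems(entries: list, expected_principal: str, allowed_enctypes=(23,)) -> list:
    """List reasons this keytab may not work for the proxy. Kerberos principal names are
    case-sensitive, so a case-only difference is the usual ktpass slip; the enctype must
    be one the account is allowed to use (the AES checkboxes in AD)."""
    problems = []
    for e in entries:
        if e["principal"] != expected_principal and e["principal"].lower() == expected_principal.lower():
            problems.append(f"case mismatch: keytab has {e['principal']}, expected {expected_principal}")
        if e["enctype"] not in allowed_enctypes:
            problems.append(f"{e['principal']}: enctype {e['enctype_name']} is not in the allowed set")
    if not any(e["principal"] == expected_principal for e in entries):
        problems.append(f"no entry for {expected_principal}")
    return problems


if __name__ == "__main__":
    sample = build_keytab(SAMPLE_PRINCIPAL, 23, SAMPLE_KEY)
    for entry in parse_keytab(sample):
        print(entry)
    print(keytab_problems(parse_keytab(sample), SAMPLE_PRINCIPAL))
```

On the pfSense box the same parser can be pointed at the copied keytab (open it in binary mode and pass the bytes to parse_keytab); a principal whose case differs from the proxy's FQDN shows up here as a case mismatch rather than as an opaque authentication failure later.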

Configuring Squid Authentication and Access List without Authentication

Having configured Kerberos successfully, we will attach it to our Squid.

To do this, go to Services / Squid Proxy Server, scroll to the very bottom of the main settings, and find the "Advanced settings" button there.

In the Custom Options (Before Auth) field, enter:

#Helpers
auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME -k /usr/local/etc/squid/squid.keytab -t none
auth_param negotiate children 1000
auth_param negotiate keep_alive on
#Access lists
acl auth proxy_auth REQUIRED
acl nonauth dstdomain "/etc/squid/nonauth.txt"
#Permissions
http_access allow nonauth
http_access deny !auth
http_access allow auth

where auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth selects the Kerberos authentication helper we need.

The -s option with the value GSS_C_NO_NAME allows any account from the key file to be used.

The -k option with the value /usr/local/etc/squid/squid.keytab tells the helper to use this particular keytab file. In my case this is the same keytab file we created, which I copied to the /usr/local/etc/squid/ directory and renamed, because Squid refused to work with the original directory, apparently for lack of permissions.

The -t none option disables the cyclic requests to the domain controller, which greatly reduces its load if you have more than 50 users.
For the duration of testing you can also add the -d option (diagnostics), which makes the helper log much more.
auth_param negotiate children 1000 determines how many authentication helper processes can run simultaneously.
auth_param negotiate keep_alive on keeps the connection from being dropped while the authentication exchange is in progress.
acl auth proxy_auth REQUIRED creates an access control list containing the users who have passed authentication, and requires it.
acl nonauth dstdomain "/etc/squid/nonauth.txt" tells Squid about the nonauth access list, which contains destination domains that everyone is always allowed to reach. We create the file ourselves and enter domains into it in the format

.whatsapp.com
.whatsapp.net

WhatsApp is used as the example deliberately: it is very picky about authenticating proxies and will not work unless its domains are allowed before authentication.
http_access allow nonauth allows everyone access to the domains in this list.
http_access deny !auth denies unauthenticated users access to other sites.
http_access allow auth allows access to authenticated users.
That's it, the squid itself is configured, now it's time to start filtering by groups.
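To make the ordering of those three http_access lines concrete, here is an added Python model of how Squid walks them; it is not code from the article or from the Squid project. It does a first-match walk over the rules, applies the dstdomain semantics of the nonauth list (a leading dot covers the domain and every subdomain; no leading dot means an exact host match), and reduces the auth ACL to "did the client present credentials", answering 407 when it did not. The nonauth.txt contents and the sample requests are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed contents of /etc/squid/nonauth.txt, in the article's format
NONAUTH_TXT = """\
# destinations reachable without Kerberos authentication
.whatsapp.com
.whatsapp.net
"""

# The article's http_access lines, in order. Squid evaluates them top to bottom
# and stops at the first line whose ACL expression matches.
ARTICLE_RULES: List[Tuple[str, str]] = [
    ("allow", "nonauth"),
    ("deny", "!auth"),
    ("allow", "auth"),
]
# The same lines with the nonauth exception moved after the authentication check
WRONG_ORDER: List[Tuple[str, str]] = [
    ("deny", "!auth"),
    ("allow", "auth"),
    ("allow", "nonauth"),
]

CHALLENGE = "407 Proxy Authentication Required"


@dataclass
class Request:
    host: str             # destination host of the request (or CONNECT target)
    user: Optional[str]   # None: no valid Negotiate token was presented


def load_dstdomain_list(text: str) -> List[str]:
    """Parse a dstdomain file: one pattern per line, blanks and '#' comments ignored."""
    patterns = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            patterns.append(line.lower())
    return patterns


def dstdomain_match(patterns: List[str], host: str) -> bool:
    """Squid dstdomain semantics: '.example.com' matches example.com and every
    subdomain of it; 'example.com' (no leading dot) matches that host only."""
    host = host.lower().rstrip(".")
    for p in patterns:
        if p.startswith("."):
            if host == p[1:] or host.endswith(p):
                return True
        elif host == p:
            return True
    return False


def evaluate(req: Request, patterns: List[str], rules=ARTICLE_RULES) -> str:
    """Walk the http_access rules the way Squid does and report the outcome."""
    for action, acl in rules:
        negated = acl.startswith("!")
        name = acl.lstrip("!")
        if name == "nonauth":
            matched = dstdomain_match(patterns, req.host)
        elif name == "auth":
            # 'proxy_auth REQUIRED': a client without credentials cannot be
            # evaluated; Squid answers 407 with a Negotiate challenge instead.
            if req.user is None:
                return CHALLENGE
            matched = True
        else:
            raise ValueError(f"unknown acl {acl!r}")
        if matched != negated:
            return f"{action} ({acl})"
    # no line matched: Squid applies the opposite of the last rule's action
    return "deny (default)" if rules[-1][0] == "allow" else "allow (default)"


if __name__ == "__main__":
    pats = load_dstdomain_list(NONAUTH_TXT)
    for r in (Request("web.whatsapp.com", None), Request("example.com", None),
              Request("example.com", "ivan")):
        print(r.host, r.user, "->", evaluate(r, pats))
    print("wrong order, WhatsApp without credentials ->",
          evaluate(Request("web.whatsapp.com", None), pats, WRONG_ORDER))
```

Running the same WhatsApp request against WRONG_ORDER shows why the article insists on allowing its domains before authentication: the request never reaches the nonauth line, because the auth check challenges the client first, and a client that cannot answer a Negotiate challenge simply fails.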

Configuring SquidGuard

Go to Services / SquidGuard Proxy Filter.

In LDAP Options we enter the data of our account used for kerberos authentication, but in the following format:

CN=pfsense,OU=service-accounts,DC=domain,DC=local

If there are spaces or non-Latin characters, this entire entry should be enclosed in single or double quotes:

'CN=sg,OU=service-accounts,DC=domain,DC=local'
"CN=sg,OU=service-accounts,DC=domain,DC=local"

Next, be sure to tick the boxes that strip the domain components from user names, to cut off the unnecessary DOMAIN\ prefix (as in DOMAIN\pfsense) and the DOMAIN.LOCAL realm suffix, to which the whole system is very sensitive.

Now we go to Group ACL and bind our domain access groups. I use simple names, group_0 through group_3, where group_3 gets access only to the white list and group_0 is allowed everything.

Groups are linked as follows:

ldapusersearch ldap://dc.domain.local:3268/DC=DOMAIN,DC=LOCAL?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=group_0%2cOU=squid%2cOU=service-groups%2cDC=DOMAIN%2cDC=LOCAL))

Save the group, then go to Times (there I created one time slot meaning "always"), then go to Target Categories and create lists at our discretion. After creating the lists, return to our groups and, inside each group, use the buttons to select who may go where and who may not.
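Each of the four groups needs its own ldapusersearch line that differs only in the group's CN. The Python below is an added example, not part of the article or of SquidGuard: it generates the line for any group CN with the same layout as the article's line, encoding the commas inside the group DN as %2c exactly as the article does, and parses such a URL back into host, port, base DN, attribute, scope and filter so that a line pasted into Group ACL can be sanity-checked. The host dc.domain.local, the base DN and the group container are taken from the article's line; port 3268 is the Global Catalog port.

```python
from typing import Dict
from urllib.parse import unquote

# Values taken from the article's example line; adjust them to your own forest
GC_HOST = "dc.domain.local"
GC_PORT = 3268  # Global Catalog port, so one search can span the whole forest
BASE_DN = "DC=DOMAIN,DC=LOCAL"
GROUP_CONTAINER = "OU=squid,OU=service-groups,DC=DOMAIN,DC=LOCAL"


def build_ldapusersearch(group_cn: str, host: str = GC_HOST, port: int = GC_PORT,
                         base: str = BASE_DN, container: str = GROUP_CONTAINER) -> str:
    """Return the ldapusersearch URL for one SquidGuard group ACL.
    SquidGuard substitutes %s with the proxy user name at lookup time; the commas
    inside the group DN are written as %2c, as in the article's line."""
    group_dn = f"CN={group_cn},{container}".replace(",", "%2c")
    filt = f"(&(sAMAccountName=%s)(memberOf={group_dn}))"
    return f"ldap://{host}:{port}/{base}?sAMAccountName?sub?{filt}"


def parse_ldapusersearch(url: str) -> Dict[str, object]:
    """Split an LDAP URL (RFC 4516 layout host:port/base?attributes?scope?filter)
    back into its parts, decoding the %2c commas in the filter."""
    if not url.startswith("ldap://"):
        raise ValueError("expected an ldap:// URL")
    hostport, _, tail = url[len("ldap://"):].partition("/")
    host, _, port = hostport.partition(":")
    parts = tail.split("?")
    parts += [""] * (4 - len(parts))  # missing trailing fields take their defaults
    base, attrs, scope, filt = parts[:4]
    return {
        "host": host,
        "port": int(port) if port else 389,
        "base": base,
        "attributes": attrs,
        "scope": scope or "base",
        "filter": unquote(filt),  # %2c -> ',' ; the '%s' placeholder is left alone
    }


def group_urls(count: int = 4) -> Dict[str, str]:
    """One ldapusersearch line per group_0 .. group_{count-1}, as the article lays them out."""
    return {f"group_{i}": build_ldapusersearch(f"group_{i}") for i in range(count)}


if __name__ == "__main__":
    for name, url in group_urls().items():
        print(name, url)
    print(parse_ldapusersearch(group_urls()["group_0"]))
```

The decoded filter in the parsed result is what the directory actually receives once SquidGuard has replaced %s with the user name: a user is in the group only if sAMAccountName matches and the group DN appears in memberOf, which is why the group must be a direct member list rather than a nested one for this lookup to see it.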

LightSquid and sqstat

If during configuration we selected Loopback in the Squid settings and allowed access to port 7445 in the firewall, both from our network and on pfSense itself, then on the Squid Proxy Reports / Diagnostics page we can easily open both sqstat and LightSquid. For the latter we will need to come up with a user name and password in the same place, and there is also an opportunity to choose a theme.

Completion

pfSense is a very powerful tool that can do a great deal; traffic proxying and control over users' Internet access are only a fraction of its functionality. Nevertheless, in an enterprise with 500 machines this solved the problem and saved the cost of buying a proxy.

I hope this article will help someone solve a problem that is quite relevant for medium and large enterprises.

Source: habr.com
