Squid with HTTPS filtering without certificate spoofing, integration with Active Directory 2012R2 + WPAD

This manual was written in connection with the production need to monitor the traffic (http and https) of users, as well as the distribution of access to white and black lists. The articles were taken as a basis: this and this , in which peek-n-splice technology was used. In these articles, the configuration involves the use of a host with squid as a gateway, after finalizing the config, we get a full-fledged proxy server with the ability to distribute access rights to groups from Active Directory. Upon completion of the configuration, the question arose of transferring proxy server settings to users. In view of the fact that laptops are often taken home in the office, the whole idea came to a standstill. Initially, the option of issuing proxy server settings through DHCP was considered, but it is not the best, because offices on different subnets, and different equipment, WPAD became the way out of this situation. Briefly about this technology, we can say that client machines on OS Windows are looking for a host named wpad.example.ru (up to third-level domains) to request a configuration file for working on the network. Based on this principle, you need to raise the web server,cname wpad to the proxy server. It is better to use a proxy server with the ability to collect and view statistics, since there are plenty of choices. Due to some conservative considerations, it was decided to choose SARG. It is easy to configure, quite acceptable statistics for an office with up to 100 employees.

1.1 Simplified WPAD Scheme

- The client on the Windows OS contacts the DNS server with a request to the host wpad.example.ru , and the DNS server name corresponding record indicates where to go. Next, the client contacts wpad.example.ru with a request for a settings file. Having received it, it begins to act according to the instructions in it.

1.2 What is this technology good at?

Pros:

- there is no need to register proxy addresses through all GPOs for clients
- Employee mobility (access to the Internet outside the office)
- To disable the use of this technology, just disable it in “Browser properties” - “Automatically receive settings”

Cons:

- “Automatically receive settings "Can be disabled for any user, so it’s better to leave this function on and prohibit changing it through the GPO

1.3 Squid Peek-n-splice - how to it works

The employee is trying to access the site with https through a proxy. When installing an encrypted connection, a “greeting” occurs, which is transmitted in clear form, the proxy server intercepts it, and based on the configuration, squid allows or denies the connection. Those. intercepted to see the "greeting", allowed or dropped the connection.

1.4 Pros and Cons of Peek-n-splice

Pros:

- This is not a MITM attack, and there will be no problems with bank clients
- Display of domain names in the statistics of sites requested via https

Cons:

- Unfortunately, you cannot completely view which web page was opened as during a MITM attack
- This the configuration worked well only on CentOS (there were problems on Debian, after a while kernel-panic happened)

1.5 And so, now it is worth noting what is given

- A host with Active Directory 2012R2 (user authorization method - Kerberos) 10.0.0.9
- A host with CentOS 7 (x64) (it is also a web server for returning wpad.dat, it is a proxy server) 10.0.0.10
- A test host with OS Windows to test operation 10.0.0.11

“Let's go” Gagarin Yu.A.

2 Configuring the operating system and installing Squid

There is no point in describing the CentOS installation process. So we will keep in mind that we have a freshly installed CentOS 7 x64. So, for Squid to work equally well with http and https traffic, you need the following:

2.1 Squid must be compiled with such parameters

Or you can download the archive with the assembled squid and its dependencies.

2.2 Installing the necessary packages from official repositories

It is worth noting that some dependencies are needed to install the squid. Unfortunately, CentOS has rather scarce official repositories, so some packages must be downloaded from unofficial ones. Installing the necessary packages from the repositories:

# yum install -y libtool-ltdl perl-DBI perl-Digest-MD5 cyrus-sasl-gssapi krb5-workstation

2.3 Manual installation of Squid and optional packages

# rmp -Uvh squid-3.5.8-4.el7.centos.x86_64.rpm libecap-1.0.0-3.el7.centos.x86_64.rpm squid-helpers-3.5.8-4.el7.centos.x86_64.rpm perl-Crypt-OpenSSL-X509-1.803-4.el7.x86_64.rpm

If something is wrong, what is missing is displayed in the terminal.

2.4 Setting permissions for the swap directory

# chown squid:squid /var/spool/squid

2.5 configuration file /etc/squid/squid.conf

2.6 First you need to bring the file / etc / hosts to this content

127.0.0.1    localohost
10.0.0.10    sq.example.ru    sq

2.7 Configuring selinux

The file / etc / selinux / config should have the value:

SELINUX=enforcing

Install the package for working with selinux:

# yum install policycoreutils-python

Add selinux rules. Allow

connections to the squid:

# setsebool -P squid_connect_any on

Allow kerberos:

# setsebool -P allow_kerberos  on

Allow connections to squid at port 3130:

# semanage port -a -t squid_port_t -p tcp 3130

After changing the selinux settings, you must reboot the system to apply them.

# reboot

2.8 swap generation

# squid -z

2.9 Enabling squid daemon, checking configuration file

# systemctl enable squid
# squid -k parse

Warning and error should not be. If there is something, you need to check the settings.

2.10 Allow traffic forwarding

# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf

Apply the setting on the fly:

# sysctl -p

3 Integration with an Active Directory 2012R2 domain controller

Integration with a domain controller is necessary so that domain users can log in to the proxy server using the Kerberos protocol. The most reasonable solution is to leave only Kerberos in view of the fact that this method is the safest, authorization occurs automatically. As for client machines that are outside the domain, there are no problems here, you can enter the login and password manually in the authorization pop-up window. Checked, works.

3.1 Configuration file /etc/krb5.conf

The configuration file /etc/krb5.conf must be converted to the following:

3.2 Creating a DNS Record

Everyone knows that Active Directory is closely tied to DNS, and for authorization to work correctly, you need to create a host (A or AAA) with the host name and its IP address (it turns out sq.example.ru with the IP address 10.0.0.10 )

3.3 Domain Integration Options

And so, there are two chairs for domain integration options. The first option - means of Windows ( ktpass ), the second option - means of Linux ( Msktutil ). The Windows option is good in that you can disable the password for the squid user . The Linux version is good because it can be entered into the domain by creating a computer account.

3.3.1 Windows integration

We create the user in AD, for example squid
Now we generate krb5.keytab . At a command prompt on a domain controller with administrator rights, you must run this command:

C:\Windows\system32> ktpass -princ HTTP/sq.example.ru@EXAMPLE.RU -mapuser squid@EXAMPLE.RU -crypto rc4-hmac-nt -pass Pa$$wd12 -ptype KRB5_NT_PRINCIPAL -out C:\

The krb5.keytab file itself can be moved (You can use WinSCP) on sq.example.ru to the / etc directory .

3.3.2 Linux integration

In the archive with squid and dependencies, msktutil is also attached, install it:

# rpm -Uhv msktutil-0.5.1-2.el7.x86_64.rpm

Now we execute the following command:

# msktutil -c -b "CN=COMPUTERS" -s HTTP/sq.example.ru -k /etc/krb5.keytab --computer-name sq-k --upn HTTP/sq.example.ru --server dc1.example.ru --verbose --enctypes 28

If successful, the output of the command will be great, I don’t see the point here. Errors and warings should not be. It is worth paying attention to --computer-name sq-k is not a typo. The hostname must be different.

In view of the need to update the password for the computer account, this can be done via cron.

 # crontab -e

It is necessary to add a task to it:

00 3 * * *      msktutil --auto-update --verbose --computer-name sq-k 

3.4 Recommended permissions on the krb5.keytab file

After moving krb5.keytab , it is recommended that you lower the file permissions

# chown squid:squid /etc/krb5.keytab && chmod 644 /etc/krb5.keytab

3.5 AD Access Groups

In ActiveDirectory in OU Users, you need to create three groups according to which Internet access will be distributed: Internet-full, Internet-medium , Internet-low .

3.6 Authorization Check

Checking authorization in Active Directory using the /etc/krb5.keytab file

# kinit -V -k -t /etc/krb5.keytab HTTP/sq.example.ru@EXAMPLE.RU

The output from the command should be something like this:

Using default cache: /tmp/krb5cc_0
Using principal: HTTP/sq.example.ru@EXAMPLE.RU
Using keytab: /etc/krb5.keytab
Authenticated to Kerberos v5

And klist should display the following:


Squid’s configuration is almost done, now we reboot the host to apply the settings. After rebooting for the test, you can manually register the proxy in the sq.example.ru settings by specifying port 3130 .

4 WPAD

4.1 Installing and configuring the apache2 web server

Web server installation:

# yum install -y httpd

After installation, we include in startup:

# systemctl enable httpd

We launch:

# systemctl start httpd

If you try to open the sq.example.ru domain name in your browser, the apache2 test page should open.

Next, you need to create the / var / www / html / wpad.dat file with the following contents:

4.2 Описание файла wpad.dat

By default, in the /var/www/html/wpad.dat directory, the file is given to everyone without additional apache2 settings, and this is just necessary for the correct interaction with client machines on Windows.

Lines

if (isInNet( host, "192.168.0.0", "255.255.255.0") ||
isInNet( host, "10.0.0.0", "255.255.255.0") ||

It means that calls to hosts on the 192.168.0.0/24, 10.0.0.0/24 and 127.0.0.0/8 subnets (the latter is necessary for the services to work correctly when accessing localhost) are transmitted directly, and the connection to .example domain hosts is also directly .ru:

Lines:

if (dnsDomainIs( host, "*.inet-example.ru" ))
{ return "DIRECT"; }

They indicate that when accessing the domain names .inet-example.ru occurs directly

If the requested resource does not fall under the above conditions, the following is true:

return "PROXY sq.exmaple.ru:3130";

4.3 Creating a CNAME

On the Active Directory DNS server, create cname wpad (FQDN wpad.example.ru) at sq.example.ru.

To test the need to open a browser wpad / wpad.dat and file wpad.dat should automatically download. Thus, all hosts download the given file, and proceed from the content. It is recommended to relog or restart all computers in the domain on the Windows OS so that the file can be downloaded.

5 Statistics

5.1 Installing SARG from source

If gcc has not been installed before, now is the time:

# yum install -y gcc gd gd-devel make wget
# wget http://liquidtelecom.dl.sourceforge.net/project/sarg/sarg/sarg-2.3.10/sarg-2.3.10.tar.gz
# tar -xvzf sarg-2.3.10.tar.gz
# cd sarg-2.3.10
# ./configure
# make

In the po / Makefile.in.in file, the gettext version is specified as 0.18, so that there is no error during make install, you need to change it to 0.19:

# make install

5.2 Configuring SARG

The standard configuration file /usr/local/etc/sarg.conf is better to backup:

# mv /usr/local/etc/sarg.conf /usr/local/etc/sarg.conf.default

Now create the sarg.conf file with the following contents:

access_log /var/log/squid/access.log
output_dir /var/www/html/squid-reports
date_format e
overwrite_report yes
language UTF-8

5.3 Schedule reporting using cron

# crontab -e

Add the line:

55 23 * * * /usr/local/bin/sarg -xd day-0

This line indicates that reports will be generated every day and for the current day at 23:55

5.4 Web server configuration

On a previously installed web server, you can still assign the task of displaying reports, with a request to enter a login and password for authorization. Create the file /etc/httpd/conf.d/sarg.conf with the following contents:

5.5 Authorization on a site with statistics

Login and password file generation for authorization

# htpasswd -c /etc/httpd/conf/.htpasswd administrator

Restart apache2 :

# systemctl restart httpd

When you try to open sq.example.ru/reports, you will be prompted to enter your login and password. In case of successful authorization, you can view statistics.

6 Group policies

Everything here is ambiguous and may depend on some features. In the current task, it was a reasonable decision to exclude the possibility of installing a user proxy server, or disabling the "Automatic detection of parameters."

6.1 GPO Editing

To prohibit the input of a proxy server or change the settings for the automatic determination of parameters, you can use the group policy. Create and associate a group policy with an OU such as office .

Edit Group Policy:

User → Policies → Administrative Templates → Windows Components → Internet Explorer

In this directory, find the parameters and translate into the “Enabled” status :

“Prohibit changing proxy settings”
“Disable changing automatic settings”

In conclusion, I can say this, this configuration has been working successfully to the present since the spring of 2016, and has proved itself to be excellent. I will be glad to answer all questions.

UPD No. 1: 12.11.16
1 Extra lines of ports 3128 and 3129 were removed from the squid config.
2 included selinux and added the rules.
3 Certificate generation was removed from the manual (it works without it)
4 Minor UPD fixes
№2: 11/20/16
1 Extra lines were removed from krb5.conf config
2 Added integration method with AD via Msktutil
3 Added forwarding
4 Updated archive with squid and dependencies