Squid with HTTPS filtering without certificate spoofing, integration with Active Directory 2012R2 + WPAD

This manual was written in connection with the production need to monitor the traffic (http and https) of users, as well as the distribution of access to white and black lists. The articles were taken as a basis: this and this , in which peek-n-splice technology was used. In these articles, the configuration involves the use of a host with squid as a gateway, after finalizing the config, we get a full-fledged proxy server with the ability to distribute access rights to groups from Active Directory. Upon completion of the configuration, the question arose of transferring proxy server settings to users. In view of the fact that laptops are often taken home in the office, the whole idea came to a standstill. Initially, the option of issuing proxy server settings through DHCP was considered, but it is not the best, because offices on different subnets, and different equipment, WPAD became the way out of this situation. Briefly about this technology, we can say that client machines on OS Windows are looking for a host named wpad.example.ru (up to third-level domains) to request a configuration file for working on the network. Based on this principle, you need to raise the web server,cname wpad to the proxy server. It is better to use a proxy server with the ability to collect and view statistics, since there are plenty of choices. Due to some conservative considerations, it was decided to choose SARG. It is easy to configure, quite acceptable statistics for an office with up to 100 employees.

1.1 Simplified WPAD Scheme

- The client on the Windows OS contacts the DNS server with a request to the host wpad.example.ru , and the DNS server name corresponding record indicates where to go. Next, the client contacts wpad.example.ru with a request for a settings file. Having received it, it begins to act according to the instructions in it.

1.2 What is this technology good at?


- there is no need to register proxy addresses through all GPOs for clients
- Employee mobility (access to the Internet outside the office)
- To disable the use of this technology, just disable it in “Browser properties” - “Automatically receive settings”


- “Automatically receive settings "Can be disabled for any user, so it’s better to leave this function on and prohibit changing it through the GPO

1.3 Squid Peek-n-splice - how to it works

The employee is trying to access the site with https through a proxy. When installing an encrypted connection, a “greeting” occurs, which is transmitted in clear form, the proxy server intercepts it, and based on the configuration, squid allows or denies the connection. Those. intercepted to see the "greeting", allowed or dropped the connection.

1.4 Pros and Cons of Peek-n-splice


- This is not a MITM attack, and there will be no problems with bank clients
- Display of domain names in the statistics of sites requested via https


- Unfortunately, you cannot completely view which web page was opened as during a MITM attack
- This the configuration worked well only on CentOS (there were problems on Debian, after a while kernel-panic happened)

1.5 And so, now it is worth noting what is given

- A host with Active Directory 2012R2 (user authorization method - Kerberos)
- A host with CentOS 7 (x64) (it is also a web server for returning wpad.dat, it is a proxy server)
- A test host with OS Windows to test operation
“Let's go” Gagarin Yu.A.

2 Configuring the operating system and installing Squid

There is no point in describing the CentOS installation process. So we will keep in mind that we have a freshly installed CentOS 7 x64. So, for Squid to work equally well with http and https traffic, you need the following:

2.1 Squid must be compiled with such parameters

squid -v
$ squid -v
Squid Cache: Version 3.5.16
Service Name: squid
configure options: '--build = x86_64-redhat-linux-gnu' '--host = x86_64-redhat-linux-gnu' '--program-prefix =' '--prefix = / usr' '--exec- prefix = / usr '' --bindir = / usr / bin '' --sbindir = / usr / sbin '' --sysconfdir = / etc '' --datadir = / usr / share '' --includedir = / usr / include '' --libdir = / usr / lib64 '' --libexecdir = / usr / libexec '' --sharedstatedir = / var / lib '' --mandir = / usr / share / man '' --infodir = / usr / share / info '' --verbose '' --exec_prefix = / usr '' --libexecdir = / usr / lib64 / squid '' --localstatedir = / var '' --datadir = / usr / share / squid '' --sysconfdir = / etc / squid '' --with-logdir = $ (localstatedir) / log / squid '' --with-pidfile = $ (localstatedir) /run/squid.pid '' --disable -dependency-tracking ''--enable-follow-x-forwarded-for '' --enable-auth '' --enable-auth-basic = DB, LDAP, NCSA, NIS, PAM, POP3, RADIUS, SASL, SMB, getpwnam, fake ' '--enable-auth-ntlm = smb_lm, fake' '--enable-auth-digest = file, LDAP, eDirectory' '--enable-auth-negotiate = kerberos, wrapper' '--enable-external-acl- helpers = wbinfo_group, kerberos_ldap_group, LDAP_group, delayer, file_userip, SQL_session, unix_group, session, time_quota '' --enable-cache-digests' '--enable-cachemgr-hostname = localhost' '--enable-delay-pools'' ' --enable-epoll '' --enable-icap-client '' --enable-ident-lookups '' --enable-linux-netfilter '' --enable-removal-policies = heap, lru '' --enable -snmp '' --enable-storeio = aufs, diskd, ufs, rock '' --enable-wccpv2 '' --enable-esi ''--enable-ssl-crtd '' --enable-icmp '' --with-aio '' --with-default-user = squid '' --with-filedescriptors = 16384 '' --with-dl '' --with-openssl '' --with-pthreads '' --with-included-ltdl '' --disable-arch-native '' --enable-ecap '' --without-nettle '' build_alias = x86_64- redhat-linux-gnu '' host_alias = x86_64-redhat-linux-gnu '' CFLAGS = -O2 -g -pipe -Wall -Wp, -D_FORTIFY_SOURCE = 2 -fexceptions -fstack-protector-strong --param = ssp-buffer -size = 4 -grecord-gcc-switches -m64 -mtune = generic '' LDFLAGS = -Wl, -z, relro '' CXXFLAGS = -O2 -g -pipe -Wall -Wp, -D_FORTIFY_SOURCE = 2 -fexceptions -fstack -protector-strong --param = ssp-buffer-size = 4 -grecord-gcc-switches -m64 -mtune = generic -fPIC '' PKG_CONFIG_PATH =: / usr / lib64 / pkgconfig: / usr / share / pkgconfig '—Enable-ltdl-convenience

Or you can download the archive with the assembled squid and its dependencies.

2.2 Installing the necessary packages from official repositories

It is worth noting that some dependencies are needed to install the squid. Unfortunately, CentOS has rather scarce official repositories, so some packages must be downloaded from unofficial ones. Installing the necessary packages from the repositories:

# yum install -y libtool-ltdl perl-DBI perl-Digest-MD5 cyrus-sasl-gssapi krb5-workstation

2.3 Manual installation of Squid and optional packages

# rmp -Uvh squid-3.5.8-4.el7.centos.x86_64.rpm libecap-1.0.0-3.el7.centos.x86_64.rpm squid-helpers-3.5.8-4.el7.centos.x86_64.rpm perl-Crypt-OpenSSL-X509-1.803-4.el7.x86_64.rpm

If something is wrong, what is missing is displayed in the terminal.

2.4 Setting permissions for the swap directory

# chown squid:squid /var/spool/squid

2.5 configuration file /etc/squid/squid.conf

### negotiate kerberos
auth_param negotiate program / usr / lib64 / squid / negotiate_kerberos_auth -s HTTP/sq.example.ru@EXAMPLE.RU
auth_param negotiate children 60
auth_param negotiate keep_alive off

external_acl_type inet_medium ttl = 300 negative_OGL = 60% lib64 / squid / ext_kerberos_ldap_group_acl -g Internet-medium@EXAMPLE.RU
external_acl_type inet_full ttl = 300 negative_ttl = 60% LOGIN / usr / lib64 / squid / ext_kerberos_ldap_group_acl -g Internet-full@EXAMPLE.RU
external_acl_tltl = external LOGIN / usr / lib64 / squid / ext_kerberos_ldap_group_acl -g Internet-low@EXAMPLE.RU

acl localnet src
acl localnet src

acl my_full external inet_full
acl my_medium external inet_medium
acl my_low external inet_low
acl auth proxy_auth REQUIRED

# in addition to the default 443, for online business I need additional. port 9443
acl SSL_ports port 443 9443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

# In this configuration, whitelist is a list of allowed sites for a group of users Internet-low@EXAMPLE.RU (access only to sites that are in whitelist.txt)
# And blocked_http.txt is a list of blocked sites for a group Internet-medium @ EXAMPLE. RU (you can go to all sites except those in blocked_http.txt)
acl white_list dstdomain "/etc/squid/whitelist.txt"
acl black_list dstdomain "/etc/squid/blocked_http.txt"

# access rule

http_access deny! Safe_ports
http_access deny CONNECT! SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny! auth

http_access deny my_medium black_list
http_access allow my_medium
my_low white_list allow http_access
http_access deny all my_low
http_access allow my_full
# allowed lokalhost
http_access allow localhost

# Forbid rest
http_access deny all

# Opaque port through which the client host interaction with a proxy server

http_port = NO_SSLv3 options: NO_SSLv2

always_direct allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

# This option is necessary for peek-n-splice to work correctly. The blocked_https.txt file itself does not affect anything, but it should not be empty. Magic.

acl blocked ssl :: server_name "/etc/squid/blocked_https.txt"
acl step1 at_step SslBump1
ssl_bump peek step1

# terminate the connection if the client accesses the forbidden resource
ssl_bump terminate blocked
ssl_bump splice all

coredump_dir / var / spool / squid
refresh_pattern ^ ftp: 1440 20% 10080
refresh_pattern ^ gopher: 1440 0% 1440
refresh_pattern -i (/ cgi-bin / | \?) 0 0% 0
refresh_pattern. 0 20% 4320

cache_dir aufs / var / spool / squid 20000 49256
maximum_object_size 61440 KB
minimum_object_size 3 KB

#httpd_suppress_version_string on
#visible_hostname PROXYSERVER

cache_swap_low 90
cache_swap_high 95
maximum_object_size_in_memory 512 KB
memory_replacement_policy lru
logfile_rotate 4

2.6 First you need to bring the file / etc / hosts to this content    localohost    sq.example.ru    sq

2.7 Configuring selinux

The file / etc / selinux / config should have the value:

Install the package for working with selinux:
# yum install policycoreutils-python

Add selinux rules. Allow

connections to the squid:
# setsebool -P squid_connect_any on

Allow kerberos:
# setsebool -P allow_kerberos  on

Allow connections to squid at port 3130:
# semanage port -a -t squid_port_t -p tcp 3130

After changing the selinux settings, you must reboot the system to apply them.
# reboot

2.8 swap generation

# squid -z

2.9 Enabling squid daemon, checking configuration file

# systemctl enable squid
# squid -k parse

Warning and error should not be. If there is something, you need to check the settings.

2.10 Allow traffic forwarding

# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf

Apply the setting on the fly:
# sysctl -p

3 Integration with an Active Directory 2012R2 domain controller

Integration with a domain controller is necessary so that domain users can log in to the proxy server using the Kerberos protocol. The most reasonable solution is to leave only Kerberos in view of the fact that this method is the safest, authorization occurs automatically. As for client machines that are outside the domain, there are no problems here, you can enter the login and password manually in the authorization pop-up window. Checked, works.

3.1 Configuration file /etc/krb5.conf

The configuration file /etc/krb5.conf must be converted to the following:

default_realm = EXAMPLE.RU
ticket_lifetime = 24h
default_keytab_name = /etc/krb5.keytab

kdc = dc1.example.ru
admin_server = dc1.example.ru
default_domain = example.ru

.example.ru = EXAMPLE.RU
example.ru = EXAMPLE.RU

3.2 Creating a DNS Record

Everyone knows that Active Directory is closely tied to DNS, and for authorization to work correctly, you need to create a host (A or AAA) with the host name and its IP address (it turns out sq.example.ru with the IP address )

3.3 Domain Integration Options

And so, there are two chairs for domain integration options. The first option - means of Windows ( ktpass ), the second option - means of Linux ( Msktutil ). The Windows option is good in that you can disable the password for the squid user . The Linux version is good because it can be entered into the domain by creating a computer account.

3.3.1 Windows integration

We create the user in AD, for example squid
Now we generate krb5.keytab . At a command prompt on a domain controller with administrator rights, you must run this command:

C:\Windows\system32> ktpass -princ HTTP/sq.example.ru@EXAMPLE.RU -mapuser squid@EXAMPLE.RU -crypto rc4-hmac-nt -pass Pa$$wd12 -ptype KRB5_NT_PRINCIPAL -out C:\

The krb5.keytab file itself can be moved (You can use WinSCP) on sq.example.ru to the / etc directory .

3.3.2 Linux integration

In the archive with squid and dependencies, msktutil is also attached, install it:

# rpm -Uhv msktutil-0.5.1-2.el7.x86_64.rpm

Now we execute the following command:

# msktutil -c -b "CN=COMPUTERS" -s HTTP/sq.example.ru -k /etc/krb5.keytab --computer-name sq-k --upn HTTP/sq.example.ru --server dc1.example.ru --verbose --enctypes 28

If successful, the output of the command will be great, I don’t see the point here. Errors and warings should not be. It is worth paying attention to --computer-name sq-k is not a typo. The hostname must be different.

In view of the need to update the password for the computer account, this can be done via cron.
 # crontab -e

It is necessary to add a task to it:
00 3 * * *      msktutil --auto-update --verbose --computer-name sq-k 

3.4 Recommended permissions on the krb5.keytab file

After moving krb5.keytab , it is recommended that you lower the file permissions

# chown squid:squid /etc/krb5.keytab && chmod 644 /etc/krb5.keytab

3.5 AD Access Groups

In ActiveDirectory in OU Users, you need to create three groups according to which Internet access will be distributed: Internet-full, Internet-medium , Internet-low .

3.6 Authorization Check

Checking authorization in Active Directory using the /etc/krb5.keytab file

# kinit -V -k -t /etc/krb5.keytab HTTP/sq.example.ru@EXAMPLE.RU

The output from the command should be something like this:

Using default cache: /tmp/krb5cc_0
Using principal: HTTP/sq.example.ru@EXAMPLE.RU
Using keytab: /etc/krb5.keytab
Authenticated to Kerberos v5

And klist should display the following:

Ticket cache: FILE: / tmp / krb5cc_0
Default principal: HTTP/sq.example.ru@EXAMPLE.RU

Valid starting Expires Service principal
10/09/2016 22:19:20 10/10/2016 08:19:20 krbtgt / EXAMPLE.RU @ EXAMPLE.RU
renew until 10/10/2016 10:19:20 PM

Squid’s configuration is almost done, now we reboot the host to apply the settings. After rebooting for the test, you can manually register the proxy in the sq.example.ru settings by specifying port 3130 .


4.1 Installing and configuring the apache2 web server

Web server installation:

# yum install -y httpd

After installation, we include in startup:

# systemctl enable httpd

We launch:

# systemctl start httpd

If you try to open the sq.example.ru domain name in your browser, the apache2 test page should open.

Next, you need to create the / var / www / html / wpad.dat file with the following contents:

function FindProxyForURL(url, host)
// var ip_host = dnsResolve(host);
// var localnet = «»;
// var localhost = «»;
// var localnet = «»;
if (isInNet( host, «», «») ||
isInNet( host, «», «») ||
isInNet( host, «», «») ||
shExpMatch( host, "*.example.ru"))
{ return «DIRECT»; }
if (dnsDomainIs( host, "*.inet-example.ru" ))
{ return «DIRECT»; }
return «PROXY sq.exmaple.ru:3130»;

4.2 Описание файла wpad.dat

By default, in the /var/www/html/wpad.dat directory, the file is given to everyone without additional apache2 settings, and this is just necessary for the correct interaction with client machines on Windows.


if (isInNet( host, "", "") ||
isInNet( host, "", "") ||

It means that calls to hosts on the, and subnets (the latter is necessary for the services to work correctly when accessing localhost) are transmitted directly, and the connection to .example domain hosts is also directly .ru:


if (dnsDomainIs( host, "*.inet-example.ru" ))
{ return "DIRECT"; }

They indicate that when accessing the domain names .inet-example.ru occurs directly

If the requested resource does not fall under the above conditions, the following is true:

return "PROXY sq.exmaple.ru:3130";

4.3 Creating a CNAME

On the Active Directory DNS server, create cname wpad (FQDN wpad.example.ru) at sq.example.ru.

To test the need to open a browser wpad / wpad.dat and file wpad.dat should automatically download. Thus, all hosts download the given file, and proceed from the content. It is recommended to relog or restart all computers in the domain on the Windows OS so that the file can be downloaded.

5 Statistics

5.1 Installing SARG from source

If gcc has not been installed before, now is the time:

# yum install -y gcc gd gd-devel make wget
# wget http://liquidtelecom.dl.sourceforge.net/project/sarg/sarg/sarg-2.3.10/sarg-2.3.10.tar.gz
# tar -xvzf sarg-2.3.10.tar.gz
# cd sarg-2.3.10
# ./configure
# make

In the po / Makefile.in.in file, the gettext version is specified as 0.18, so that there is no error during make install, you need to change it to 0.19:

# make install

5.2 Configuring SARG

The standard configuration file /usr/local/etc/sarg.conf is better to backup:

# mv /usr/local/etc/sarg.conf /usr/local/etc/sarg.conf.default

Now create the sarg.conf file with the following contents:

access_log /var/log/squid/access.log
output_dir /var/www/html/squid-reports
date_format e
overwrite_report yes
language UTF-8

5.3 Schedule reporting using cron

# crontab -e

Add the line:

55 23 * * * /usr/local/bin/sarg -xd day-0

This line indicates that reports will be generated every day and for the current day at 23:55

5.4 Web server configuration

On a previously installed web server, you can still assign the task of displaying reports, with a request to enter a login and password for authorization. Create the file /etc/httpd/conf.d/sarg.conf with the following contents:

Alias ​​/ reports / var / www / html / squid-reports /

AuthType Basic
AuthName "Basic Authentication"
AuthUserFile /etc/httpd/conf/.htpasswd
require valid-user
AddDefaultCharset UTF-8

5.5 Authorization on a site with statistics

Login and password file generation for authorization

# htpasswd -c /etc/httpd/conf/.htpasswd administrator

Restart apache2 :

# systemctl restart httpd

When you try to open sq.example.ru/reports, you will be prompted to enter your login and password. In case of successful authorization, you can view statistics.

6 Group policies

Everything here is ambiguous and may depend on some features. In the current task, it was a reasonable decision to exclude the possibility of installing a user proxy server, or disabling the "Automatic detection of parameters."

6.1 GPO Editing

To prohibit the input of a proxy server or change the settings for the automatic determination of parameters, you can use the group policy. Create and associate a group policy with an OU such as office .

Edit Group Policy:

User → Policies → Administrative Templates → Windows Components → Internet Explorer

In this directory, find the parameters and translate into the “Enabled” status :

“Prohibit changing proxy settings”
“Disable changing automatic settings”

In conclusion, I can say this, this configuration has been working successfully to the present since the spring of 2016, and has proved itself to be excellent. I will be glad to answer all questions.

UPD No. 1: 12.11.16
1 Extra lines of ports 3128 and 3129 were removed from the squid config.
2 included selinux and added the rules.
3 Certificate generation was removed from the manual (it works without it)
4 Minor
UPD fixes
№2: 11/20/16
1 Extra lines were removed from krb5.conf config
2 Added integration method with AD via Msktutil
3 Added forwarding
4 Updated archive with squid and dependencies

Only registered users can participate in the survey. Please come in.

Was this article useful to you?

  • 67.3% Yes, this is what I have been looking for! 31
  • 26% Interesting, but I won’t do it myself 12
  • 8.6% No 4

Also popular now: