Free proxy server for enterprise with domain authentication



pfSense + Squid with HTTPS filtering + single sign-on (SSO) + Active Directory group filtering

Brief Background


The enterprise needed a proxy server that could filter access to sites (including HTTPS ones) by AD groups, without users having to enter any extra passwords, and that could be administered from a web interface. Quite a wish list, isn't it?

The correct answer would be to buy something like Kerio Control or UserGate, but, as usual, there is no budget, only the need.

The good old Squid comes to the rescue, but then where do we get the web interface? SAMS2? Morally obsolete. This is where pfSense comes in.

Description


This article describes how to configure the Squid proxy server.
Kerberos will be used to authenticate users.
SquidGuard will be used to filter by domain groups.

For monitoring, LightSquid, sqstat and pfSense's built-in monitoring will be used.
It also addresses a common problem that comes with single sign-on (SSO): applications that try to go online under the computer account or under their own service account.

Preparing to Install Squid


pfSense is the base (see its installation instructions).

In it we set up authentication to the firewall itself using domain accounts (see the instructions).

Very important!

Before installing Squid, configure the DNS server in pfSense (it must resolve the domain controllers), create A and PTR records for the pfSense host on our DNS server, and configure NTP so that its clock does not drift from the domain controller's. Kerberos rejects tickets when the clock skew exceeds five minutes (the default), so this is not optional.

On the network side, give the pfSense WAN interface access to the Internet, and let users on the local network reach the LAN interface, including on ports 7445 and 3128 (8080 in my case).

Everything ready? Is the LDAP connection to the domain for pfSense authentication working and is the time synchronized? Good. Time for the main part.

Installation and Preset


Install Squid, SquidGuard and LightSquid from the pfSense package manager in the "System / Package Manager" section.

After a successful installation, go to "Services / Squid Proxy server /" and, first of all, configure caching on the Local Cache tab. I set everything to 0, because I see little point in caching sites and browsers do this fine themselves. After the settings, click the "Save" button at the bottom of the screen; this unlocks the basic proxy settings.

The main settings are as follows:

[screenshot: main Squid proxy settings]

The default port is 3128, but I prefer to use 8080.

The interfaces selected in the Proxy Interface field determine which interfaces our proxy server listens on. Since this firewall is designed so that it faces the Internet with its WAN interface, even if the LAN and WAN are in the same local subnet, I recommend using the LAN for the proxy.

Loopback is needed for sqstat to work.

Below are the settings for the Transparent proxy and for SSL Filter (man-in-the-middle interception). We do not need either: our proxy will not be transparent, and for HTTPS filtering we will not do certificate substitution (we have document-flow systems, bank clients and so on). We only look at the destination name the client presents in the CONNECT request, without decrypting the session.

At this stage we go to our domain controller and create an account for authentication (you can reuse the one configured for authentication on pfSense itself). One very important point: if you intend to use AES128 or AES256 encryption, tick the corresponding box in the account properties ("This account supports Kerberos AES 128 bit encryption" / "... AES 256 bit encryption").

If your domain is a large forest with many directories, or your domain is a .local one, it is POSSIBLE (but not certain) that you will have to use a simple password for this account. It is a known bug: it may simply not work with a complex password, so check it in your specific case.

[screenshot: account properties with the Kerberos AES encryption options]

After that we create the key file (keytab) for Kerberos. On the domain controller, open a command prompt with administrator rights and enter:

ktpass -princ HTTP/pfsense.domain.local@DOMAIN.LOCAL -mapuser pfsense -pass 3EYldza1sR -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out C:\keytabs\PROXY.keytab

Here -princ is the service principal built from the FQDN of pfSense; the case matters (HTTP and the realm in upper case, the host name in lower case). -mapuser is our domain account and -pass its password. -crypto selects the encryption type and accepts DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC-NT, AES256-SHA1, AES128-SHA1 or All; I used RC4 to get things working, but RC4-HMAC is deprecated, so prefer AES256-SHA1 together with the AES checkbox on the account. -out is where the finished key file goes.

Two caveats: ktpass sets the account's password to the value given in -pass and rewrites its SPN, so if you reused the account that pfSense binds with for LDAP, update that password in pfSense as well; and the keytab is equivalent to the account's password, so keep it readable only by root and Squid.

After the key file is created, copy it to our pfSense. I used Far Manager for this, but you can also do it from the command line, with PuTTY's tools, or through the pfSense web interface under Diagnostics \ Command Line.

Now we can edit or create /etc/krb5.conf

[screenshot: /etc/krb5.conf]

where /etc/krb5.keytab is the key file we created.

Be sure to check that Kerberos works with kinit; if it does not, there is no point in reading further.
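The screenshot of /etc/krb5.conf is not reproduced here, so the following is an added example of what a minimal client-side krb5.conf for this setup looks like. It is not the article's file; it assumes the realm DOMAIN.LOCAL, the domain controller dc.domain.local and the keytab path /etc/krb5.keytab used elsewhere in this article.

```ini
[libdefaults]
    default_realm = DOMAIN.LOCAL
    # look the KDCs up via the _kerberos SRV records the DC publishes
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = true
    default_keytab_name = /etc/krb5.keytab
    # the list must contain the enctype chosen with ktpass -crypto;
    # keep rc4-hmac last, or drop it once the keytab is AES only
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac

[realms]
    DOMAIN.LOCAL = {
        kdc = dc.domain.local
        admin_server = dc.domain.local
        default_domain = domain.local
    }

[domain_realm]
    .domain.local = DOMAIN.LOCAL
    domain.local = DOMAIN.LOCAL
```

To verify, obtain a ticket from the keytab with `kinit -kt /etc/krb5.keytab HTTP/pfsense.domain.local@DOMAIN.LOCAL` and confirm it with `klist`. A "Clock skew too great" error means NTP is not in order; "Key table entry not found" means the principal name or encryption type in the keytab does not match what krb5.conf asks for.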

Configure Squid authentication and access list without authentication


With Kerberos working, we wire it into our Squid.

To do this, go to Services \ Squid Proxy Server and in the main settings go down to the very bottom, there we will find the "Advanced Settings" button.

In the Custom Options (Before Auth) field, enter:

#
auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME -k /usr/local/etc/squid/squid.keytab -t none
auth_param negotiate children 1000
auth_param negotiate keep_alive on
#
acl auth proxy_auth REQUIRED
acl nonauth dstdomain "/etc/squid/nonauth.txt"
#
http_access allow nonauth
http_access deny !auth
http_access allow auth

where auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth selects the Kerberos authentication helper we need.

The -s switch with the value GSS_C_NO_NAME accepts any service principal present in the key file.

The -k switch with the value /usr/local/etc/squid/squid.keytab tells the helper which keytab to use. In my case it is the same keytab we created, which I copied to the /usr/local/etc/squid/ directory and renamed, because Squid would not read it from the original location, apparently for lack of permissions.

The -t switch with the value none sets the Kerberos replay cache type to "none", i.e. disables the replay cache for the helper. In my experience this noticeably reduces load once you have more than 50 users.
For the duration of testing you can also add the -d switch (debug), which writes much more to the logs.
auth_param negotiate children 1000 sets how many helper processes may run concurrently.
auth_param negotiate keep_alive on keeps the client connection open while the Negotiate exchange completes.
acl auth proxy_auth REQUIRED creates an access list that matches any authenticated user and forces authentication.
acl nonauth dstdomain "/etc/squid/nonauth.txt" tells Squid about the nonauth access list, which contains destination domains that everyone is always allowed to reach. We create this file ourselves and enter the domains in it in the format

.whatsapp.com
.whatsapp.net

WhatsApp is not used as an example by accident: it is very picky about authenticating proxies and will not work unless it is allowed before authentication. Keep this list short and review it; everything on it is reachable without a ticket and therefore without a user name in the logs.
http_access allow nonauth allows everyone access to this list.
http_access deny !auth blocks unauthenticated users from all other sites (Squid answers 407 and the browser presents its Kerberos ticket).
http_access allow auth allows authenticated users through.
That's it, Squid itself is configured; now it is time for filtering by groups.
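To make the bypass list and the rule order concrete, here is an added example (not code from the article) that models Squid's dstdomain matching and replays the three http_access lines above in order. The sample list is constructed for the demo; the host names in it are assumptions.

```python
"""Model of the nonauth bypass and the http_access order from the article.
Added example; the sample list below is constructed, not the article's file."""
from __future__ import annotations

# Constructed stand-in for /etc/squid/nonauth.txt (update.vendor.example is assumed).
NONAUTH_TXT = """\
# destinations reachable without a Kerberos ticket
.whatsapp.com
.whatsapp.net
# no leading dot: exact host only, its subdomains stay behind authentication
update.vendor.example
"""


def parse_dstdomain_file(text: str) -> list[str]:
    """One entry per line; blank lines and '#' comment lines are ignored.
    Squid compares domain names case-insensitively, so normalise to lower case."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entries.append(line.lower())
    return entries


def dstdomain_match(entry: str, host: str) -> bool:
    """Squid dstdomain semantics: '.example.com' matches example.com and every
    subdomain; 'example.com' matches exactly that host. The leading dot stays
    in the suffix test, so 'evilwhatsapp.com' does not match '.whatsapp.com'."""
    host = host.lower().rstrip(".")
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def http_access(host: str, authenticated: bool, nonauth: list[str]) -> str:
    """Evaluate the article's three http_access rules in order; Squid stops at
    the first line that matches."""
    if any(dstdomain_match(e, host) for e in nonauth):
        return "allow"      # http_access allow nonauth
    if not authenticated:
        return "deny"       # http_access deny !auth  (407, browser sends ticket)
    return "allow"          # http_access allow auth


if __name__ == "__main__":
    lst = parse_dstdomain_file(NONAUTH_TXT)
    for host, auth in [("web.whatsapp.com", False), ("update.vendor.example", False),
                       ("cdn.update.vendor.example", False),
                       ("evilwhatsapp.com", False), ("evilwhatsapp.com", True)]:
        print(f"{host:28s} auth={auth!s:5s} -> {http_access(host, auth, lst)}")
```

The point of the last two cases: a lookalike domain never rides on the WhatsApp entries, and a host without the leading dot does not open up its subdomains, so each bypass entry is as narrow as you write it.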

Configure SquidGuard


Go to Services \ SquidGuard Proxy Filter.

In LDAP Options enter the details of the account used for Kerberos authentication, but in the following format:

CN=pfsense,OU=service-accounts,DC=domain,DC=local

If the DN contains spaces and/or non-Latin characters, the whole entry must be enclosed in single or double quotes:

'CN=sg,OU=service-accounts,DC=domain,DC=local'
"CN=sg,OU=service-accounts,DC=domain,DC=local"

Next, be sure to tick these boxes:

[screenshot: LDAP options with the strip NT domain / strip Kerberos realm checkboxes]

They strip the DOMAIN\ prefix and the @DOMAIN.LOCAL realm suffix from the user name that Squid passes in; the whole lookup is very sensitive to those.

Now go to Group Acl and bind our domain access groups. I use simple names like group_0, group_1 and so on up to 3, where 3 means access only to the whitelist and 0 means everything.

Groups are attached as follows:

ldapusersearch ldap://dc.domain.local:3268/DC=DOMAIN,DC=LOCAL?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=group_0%2cOU=squid%2cOU=service-groups%2cDC=DOMAIN%2cDC=LOCAL))

Port 3268 is the Global Catalog, so one query covers the whole forest; %s is replaced with the user name Squid hands over; and the commas inside the memberOf DN are written as %2c, since literal commas in that part of the URL do not work. Note that this is a plain ldap:// simple bind, so the service account password crosses the network in cleartext; if your domain controllers have certificates, use ldaps://dc.domain.local:3269 (the Global Catalog over TLS) instead.

Save the group, go to Times, where I created a single time range covering all hours so the rule always applies, then go to Target Categories and create the lists as you like. After creating the lists, return to the groups and, inside each group, use the buttons to select what its members can and cannot reach.
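Building one of these ldapusersearch lines per group by hand is error-prone (the %2c encoding, the filter parentheses). The following is an added example, not the article's or squidGuard's code, that generates them from a group name; it assumes the server, base DN and group OU shown in the line above, and the "Web Admins (Full)" group in the test is invented to exercise the escaping.

```python
"""Generate squidGuard ldapusersearch lines for AD group ACLs (added example)."""
from __future__ import annotations

# Assumed names, taken from the article's own example line.
LDAP_SERVER = "dc.domain.local"
GC_PORT = 3268                      # Global Catalog (forest-wide search)
BASE_DN = "DC=DOMAIN,DC=LOCAL"
GROUP_OU = "OU=squid,OU=service-groups,DC=DOMAIN,DC=LOCAL"


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for a value embedded inside an LDAP search filter,
    so a group name containing ( ) * or \\ cannot alter the filter."""
    out = []
    for ch in value:
        if ch in "\\*()":
            out.append("\\%02x" % ord(ch))
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def url_encode_dn(dn: str) -> str:
    """Percent-encode the characters that break the ldapusersearch URL;
    squidGuard wants the commas of the DN inside the filter as %2c."""
    return (dn.replace("%", "%25")
              .replace(",", "%2c")
              .replace("?", "%3f")
              .replace(" ", "%20"))


def ldapusersearch(group_cn: str) -> str:
    """ldapusersearch line for one AD group: the user (%s is substituted by
    squidGuard with the name Squid passes) must be a member of CN=<group_cn>."""
    group_dn = f"CN={ldap_filter_escape(group_cn)},{GROUP_OU}"
    flt = f"(&(sAMAccountName=%s)(memberOf={url_encode_dn(group_dn)}))"
    return (f"ldapusersearch ldap://{LDAP_SERVER}:{GC_PORT}/{BASE_DN}"
            f"?sAMAccountName?sub?{flt}")


def group_acl_lines(group_cns: list[str]) -> dict[str, str]:
    """One line per group, e.g. for group_0 .. group_3 of the article."""
    return {cn: ldapusersearch(cn) for cn in group_cns}


if __name__ == "__main__":
    for name, line in group_acl_lines([f"group_{i}" for i in range(4)]).items():
        print(f"# {name}\n{line}\n")
```

Paste each generated line into the corresponding Group ACL; for group_0 the output is byte-for-byte the line shown above.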

LightSquid and sqstat


If during setup we selected loopback in the Squid settings and allowed access to port 7445 in the firewall, both from our network and on pfSense itself, then under Diagnostics \ Squid Proxy Reports we can open sqstat and LightSquid without any problems. For the latter you will need to choose a user name and password in the same place, and you can also pick a theme.

Completion


pfSense is a very powerful tool that can do a great deal; proxying traffic and controlling user access to the Internet is only a fraction of its functionality. Nevertheless, in an enterprise with 500 machines this solved the problem and saved the cost of a commercial proxy.

I hope this article helps someone solve a problem that is quite common in medium and large enterprises.
