Java Web Apps and Squid Proxy

Many Java applications have a hard time authenticating with a Squid proxy server, especially when Kerberos is used. There is a handy workaround for this.

Add these lines to your squid.conf:

acl Java browser Java/1.4 Java/1.5 Java/1.6
http_access allow localnet Java

Remember that order matters with http_access lines, so place this just above the http_access line that forces authentication. As an added measure I include the localnet ACL, which should be set to your local network. Keep in mind that the browser ACL matches on the User-Agent header, which any client can set to "Java/1.6", so the localnet restriction is the only thing that keeps this from becoming a general authentication bypass.


Hiding internal IP from the internet through Squid proxy

Did you know that your internal IP address can be advertised all over the internet through your proxy, or, even worse, with no proxy at all? Do you want to know how to check?

This site will tell you what information your headers are passing out, including your internal IP address.

An easy way to fix this is to add the following to your Squid config:

forwarded_for off

Note that with "off" Squid still sends an X-Forwarded-For header, just with the value "unknown"; on Squid 3.1 and later, "forwarded_for delete" removes the header altogether, and "via off" stops the Via header from naming the proxy as well.

Then reload your Squid configuration:

sudo squid3 -k reconfigure

Autodetect Proxy settings using PAC and WPAD files

There is a GPO way of doing this, and a more far-reaching and flexible way of setting up proxy settings for all your LAN users. This is just my journey into learning how to use .pac, .dat and .da files to automate proxy settings.

First of all I want to thank everyone out there who has posted so much information on this topic. Really, if you want to find out more just google "Proxy WPAD" and you will find more results and information than you can read on a Saturday morning.

The file is very easy to work with, and anyone comfortable with JavaScript can figure out how it works in seconds. Plus, a PAC file can do far more than just set the proxy server: you can set up all kinds of exceptions. For your laptop users you can write a .pac file that automatically knows when to use the proxy based on their IP address. This is all possible through simple if/else statements with and/or conditions.

An example PAC file:

function FindProxyForURL(url, host) {
        // Direct connections to non-FQDN hosts and to internal address ranges
        // (a bare "*" pattern here would match every host and send all traffic DIRECT)
        if (isPlainHostName(host) ||
            (host == "") ||
            (host == "*") ||
            (host == ".com") ||
            (shExpMatch(host, "90.0.0.*")) ||
            (shExpMatch(host, "10.*"))) {
          return "DIRECT";
        } else {
          // Everything else goes to the proxy; replace the placeholder with your Squid host and port
          return "PROXY PROXYHOST:3128";
        }
}
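A fuller PAC file, added here as an example (it is not the original post's code), that also covers the laptop case mentioned above: it checks the client's own address with myIpAddress() and goes DIRECT when the machine is off-site. The proxy host, the 10.0.0.0/8 LAN range and the .example.local domain are assumed placeholders, and the helper functions are minimal re-implementations of the ones every PAC engine provides, so the file can be exercised under node as well as in a browser.

```javascript
// Added example, not from the original post: a PAC file that also handles
// the laptop case by checking the client's own address. The proxy name,
// the 10.0.0.0/8 LAN range and the .example.local domain are placeholders.
var PROXY = "PROXY proxy.example.local:3128"; // assumed Squid host:port
var LAN_NET = "10.0.0.0", LAN_MASK = "255.0.0.0"; // assumed office range

// Minimal re-implementations of the helpers every PAC engine provides,
// so the same file can be exercised outside a browser (e.g. with node).
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
function shExpMatch(str, shexp) {
  // Shell glob -> regex: escape metacharacters, then map * and ?
  var re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                      .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}
function ipToInt(ip) {
  return ip.split(".").reduce(function (n, o) { return n * 256 + (o | 0); }, 0);
}
function isInNet(ip, net, mask) {
  var m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}
// Browsers supply myIpAddress(); it is a plain variable here so a test
// can swap in an off-site address.
var myIpAddress = function () { return "10.1.2.3"; }; // constructed client IP

function FindProxyForURL(url, host) {
  // Unqualified names and the local domain never leave the LAN.
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.local")) {
    return "DIRECT";
  }
  // Private address ranges are reached directly as well.
  if (shExpMatch(host, "10.*") || shExpMatch(host, "192.168.*")) {
    return "DIRECT";
  }
  // Laptops off-site (not in the office range) cannot reach the proxy.
  if (!isInNet(myIpAddress(), LAN_NET, LAN_MASK)) {
    return "DIRECT";
  }
  // Everyone else goes through Squid, falling back to DIRECT if it is down.
  return PROXY + "; DIRECT";
}
```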

The biggest gotchas for me were DNS issues on Server 2008, and how IE 8 interacted with DNS when retrieving the .dat file.

  • First, Server 2008 blocks DNS WPAD records by default for security reasons
  • You need to make an A record, not a CNAME record, in the DNS server for IE to even work with it
  • Even after all of that IE still may have issues pulling it off; I'm still testing this.
  • Make sure to ping wpad from a client; if you cannot, you may have to remove wpad from the Server 2008 block list

I found the best place to test your PAC file is on your local machine. I like to place my PAC file next to the hosts file, "c:\windows\system32\drivers\etc\wpad.pac". Then point IE to FILE://windows/system32/drivers/etc/wpad.pac

For Firefox it is FILE:///windows/system32/drivers/etc/wpad.pac

Once you have a working PAC file, just "save as" and change the extension to .dat and .da, and place all three files in the root of your web server. You may also need to add the MIME type for each extension to your web server. In apache2 it is just a matter of adding a few lines to the mime.conf file. When you open the file's URL in your browser it should ask you whether you want to download the file; if you just see text, then you need to add the MIME type.

Then set IE and Firefox to autodetect. Two things I found worth checking are local domain web servers, where you might type "webservername" rather than the full name. If you have problems, try placing the IP and wpad in your hosts file. If it works that way, it is probably a DNS issue.

At this point it is working perfectly or not at all. One nice thing is at least being able to use a PAC file locally on laptops. I may start using it this way for now, until I figure out IE's issues with WPAD DNS records.

Your non-windows users should start pulling these new proxy settings quickly, as most browsers are set to autodetect.

More to come on this post: I plan to test this out more this week.


Blocking and Allowing Sites in Squid

Well, ran into a config issue on the new squid server I’m working on. Still working out all the kinks, but I did learn something new.

You can create a site list, set up an acl, and block or allow sites within this list. This was not new to me, but it was the way it was done that got me thinking.

acl allowsites url_regex -i "/etc/squid3/allowed-sites"
http_access allow allowsites

By using url_regex, Squid will look through the whole URL to see if any of the strings in the file match, and deal with them accordingly. Seems to be working well so far. One caveat: the entries are unanchored regular expressions, so a bare "example.com" also matches any URL that merely contains that string, whether in a longer host name or in the path; anchor the patterns (for example "^https?://(www\.)?example\.com/") or use a dstdomain acl when you mean a whole domain.

Squid3 LDAP Group Membership Helper

Here are the lines I use to create an acl based on an already authenticated user's LDAP group membership. Keep in mind the helper used here is not for authentication; it just takes the user account already authenticated by another helper and queries for the group membership. This first part is all one line:

external_acl_type ldap_group %LOGIN /usr/lib/squid3/squid_ldap_group -R -P -b "dc=DOMAIN,dc=COM" -D "cn=administrator,cn=Users,dc=DOMAIN,dc=COM" -w "PASSWORD" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=groups,dc=DOMAIN,dc=COM))" -h DOMAINCONTROLLERIP

Let's break this down into chewable parts:

external_acl_type – This is a special acl that defines an external helper program used to identify the user or device

ldap_group – name I gave the external acl

%LOGIN – Authenticated User Name

/usr/lib/squid3/squid_ldap_group – Location of the helper program

-R  – do not follow referrals

-P   – Keeps a persistent connection with the LDAP server, speeds up query for membership when there are a lot of users using the proxy server 

-b "dc=DOMAIN,dc=COM" – Base DN to start searching from

-D "cn=administrator,cn=Users,dc=DOMAIN,dc=COM" – Domain user account used to bind to the Domain Controller

-w "Password" – the bind password; using -W instead of -w reads it from a file such as "/etc/pw", which keeps it out of squid.conf

-f "(&(objectclass=person)(sAMAccountName=%v) – This part looks up the username that was already authenticated in Squid via another helper

(memberof=cn=%a,ou=groups,dc=DOMAIN,dc=COM))" – The most important part. I would point this to the OU where you store the groups Squid uses; %a will take the group name from the acl line posted later

-h DOMAINCONTROLLERIP – This one is self-explanatory: point it to the authentication server of your choice.

Here is what the ACL line would look like. You can create multiple group acl lines that use the same single query above

acl SQUID_ACL_GROUP  external ldap_group GROUP_FROM_LDAP

So to break this down:

SQUID_ACL_GROUP – would be the name you give this acl to be used later

external ldap_group – points this at the external acl ldap_group that I defined earlier

GROUP_FROM_LDAP – This is the group the acl will query for using LDAP and will fit into %a


Squid Kerberos configuration

Here are a couple of good links for configuring Squid Kerberos authentication:

Squid3 has the helper programs preloaded; other than that, the information here is fine. I recommend using this post first and the last post to reference some of the configurations. I may post a complete how-to later when I have some time. I like this version as you join the server to the domain first to create the keytab file. So far this has worked great; just make sure you give the correct permissions to the keytab file (the squid user must be able to read it, and nobody else needs to) and that you add it to the Squid startup script, usually /etc/init.d/squid3, by exporting KRB5_KTNAME pointing at it.


Squid Setup – Setting outgoing IP Address

Well, when I set out to do something, I usually don't stop until I find answers. What I'm planning to do with a new Squid server I'm building at work is to set the outgoing IP address, so when the firewall/content filter receives the traffic it will know whether or not to filter it. At first I thought this would be pointless, but after much research I did find a good post:

Very straightforward config (the syntax is tcp_outgoing_address <address> [acl ...]; the two source addresses are placeholders for the ones your firewall distinguishes):

tcp_outgoing_address DIRECT_SOURCE_IP DIRECT_INTERNET
tcp_outgoing_address FILTER_SOURCE_IP FILTER_INTERNET

So my only assumption here is that tcp_outgoing_address is evaluated in the order the rules are listed. If it is, this should work great, as I only have to add user IPs to the DIRECT_INTERNET acl. I was also guessing that I could add LDAP groups to the DIRECT_INTERNET acl and take this a step further, so that, say, members of the DIRECT_INTERNET group get full access while others are filtered. Unfortunately this only works with IP-based ACLs and not LDAP as I had hoped.

The most important part of this is that everyone can go through the same proxy and I can use the Squid logs to report on the traffic.

Here is another resource to read for more technical info:

Stay tuned for more posts on Squid Authentication

Update: I have not been able to get the outgoing IP to work with group-based ACLs. It works fine with IP-based ACLs and, from the sample configs I've seen, it may also work with time-based ACLs. The reason is that tcp_outgoing_address only supports "fast" acl types such as src and time, while external_acl_type lookups like the LDAP group helper are "slow" acls that this directive cannot evaluate.