Squid for LDAP Integration

Original link: https://lisz.me/tech/webmaster/ldap-squid.html

Foreword

Squid cache, Squid for short, is a high-performance caching proxy. It supports HTTP, HTTPS and FTP, can tunnel other TCP protocols such as SSH through its CONNECT method, and handles all client requests in a single, non-modular, I/O-driven process, which is what gives it its caching and acceleration performance. Squid can also filter at the application layer and can be combined with antivirus products. Many large companies, schools and research institutions put their Internet access behind a Squid proxy to filter dangerous content or operations, save bandwidth and speed up access.

Squid can also act as a reverse proxy (accelerator), that is, it can speed up access by external users to applications on an intranet. This is the same principle as a CDN (Content Delivery Network): nodes at the edge of the network serve the users, while the application content itself is fetched from the origin over the internal network and cached at the edge nodes.

Although Squid is usually deployed inside a team or company network, integrating it with the LDAP directory still matters: users authenticate with the accounts they already have, and Squid can apply different rules to different users or groups based on who has authenticated.

Practice

Environmental requirements

Before going into formal practice, it is important to ensure that the following environment is in place:

  • Docker
  • docker-compose

Launch an instance

The author has built and published a multi-architecture Docker image, zhonger/squid. Use the following docker-compose.yml and run docker-compose up -d to start the instance.

# docker-compose.yml
version: '3.2'
services:
  squid:
    image: zhonger/squid
    container_name: squid
    hostname: squid
    ports:
      - "3128:3128"
    volumes:
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      - SQUID_SSH=true
      - SQUID_RSYNC=false
      - LDAP_ENABLE=true
      - LDAP_HOST=yourldap.domain.com
      - LDAP_PORT=389
      - LDAP_BindDN="cn=admin,dc=yourdomain,dc=com"
      - LDAP_BindPass="********"
      - LDAP_DN="ou=Users,dc=yourdomain,dc=com"
      - LDAP_ATTRIBUT="uid=%s"
      - PROXY_NAME="Proxy Display Name"
    restart: always

The meaning of each variable is documented in the zhonger/squid repository. Two things are worth checking before deploying this as shown. LDAP_PORT=389 is plain LDAP: the bind password in LDAP_BindPass and every password users type at the proxy are sent to the directory in clear text unless the helper is configured for StartTLS or LDAPS. Proxy Basic authentication itself only base64-encodes credentials, so the client-to-Squid hop should stay on a trusted network. The bind account (LDAP_BindDN) only needs to search the user subtree, so use a read-only service account rather than the directory administrator suggested by the cn=admin placeholder.
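To make the mapping concrete, here is an added example (not the zhonger/squid entrypoint, whose internals the article does not show) that renders the squid.conf authentication stanza the LDAP_* variables correspond to, in the form the compose file implies ("plain") and in a hardened form side by side. The auth_param, acl and http_access directives and the basic_ldap_auth options (-b, -D, -w, -W, -f, -h, -p, -Z) are Squid's own; the helper path, the secret file path, the LDAP_HELPER/LDAP_SECRET_FILE variable names and the ACL name ldap_users are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the zhonger/squid entrypoint: render the squid.conf
# stanza that the LDAP_* variables map to. Helper path, secret file path
# and the ACL name are assumptions; directive and option names are Squid's.

render_squid_auth_conf() {
  mode="${1:-plain}"
  host="${LDAP_HOST:-yourldap.domain.com}"
  port="${LDAP_PORT:-389}"
  binddn="${LDAP_BindDN:-cn=admin,dc=yourdomain,dc=com}"
  bindpass="${LDAP_BindPass:-********}"
  basedn="${LDAP_DN:-ou=Users,dc=yourdomain,dc=com}"
  filter="${LDAP_ATTRIBUT:-uid=%s}"
  realm="${PROXY_NAME:-Proxy Display Name}"
  helper="${LDAP_HELPER:-/usr/lib/squid/basic_ldap_auth}"        # assumed path
  secretfile="${LDAP_SECRET_FILE:-/etc/squid/ldap_bind.secret}"  # assumed path

  if [ "$mode" = "plain" ]; then
    # As the compose file implies: bind password on the helper's command
    # line (visible to anyone who can run `ps` on the host) and LDAP on
    # port 389 without TLS, so bind and user passwords cross the wire in clear.
    opts="-D \"$binddn\" -w \"$bindpass\""
  else
    # -W reads the bind password from a root-only file instead of argv;
    # -Z issues StartTLS on the 389 connection. If the directory does not
    # offer StartTLS the helper fails closed and nobody can authenticate.
    opts="-D \"$binddn\" -W \"$secretfile\" -Z"
  fi

  cat <<EOF
auth_param basic program $helper -b "$basedn" $opts -f "$filter" -h $host -p $port
auth_param basic children 5 startup=1 idle=1
auth_param basic realm $realm
auth_param basic credentialsttl 2 hours
acl ldap_users proxy_auth REQUIRED
http_access allow ldap_users
http_access deny all
EOF
}

# Print both forms for comparison: sh render.sh --show
if [ "${1:-}" = "--show" ]; then
  echo "# plain (as in the compose file)"; render_squid_auth_conf plain
  echo; echo "# hardened"; render_squid_auth_conf hardened
fi
```

The order of the last two lines is the part that is easy to get wrong: proxy_auth REQUIRED only forces a login prompt if an http_access rule references the ACL before the final deny all; with the allow line missing, every request is refused with 403 regardless of credentials.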

Test

Open http://ip:3128 in a browser (ip being the address of the Docker host) and, when prompted, enter a user name and password from the directory. You will see something like the following.

[Screenshot: the Squid error page shown for a request that names no target URL]

Client connection

The error is expected: a browser that opens http://ip:3128 talks to Squid as if it were a web server, and the request does not name a destination to proxy to. For normal use, configure the proxy in the operating system's network settings instead. As shown in the figure below (the labels are from the macOS network settings), check "Web Proxy (HTTP)" and fill in the IP, port, user name and password. To send HTTPS traffic through the same proxy, also check "Secure Web Proxy (HTTPS)" and fill in the same values. Click Save to apply.

[Screenshot: operating-system proxy settings with "Web Proxy (HTTP)" and "Secure Web Proxy (HTTPS)" enabled]

Once this is done, the client's web traffic passes through Squid and is subject to its http_access rules. To confirm that the client is really using the proxy, visit ip.sb: the address it reports should be the Squid server's public IP rather than the client's own. Note that only applications that honour the system proxy settings are covered; anything configured to bypass the proxy, or speaking a protocol Squid does not handle, still leaves the network directly.
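The same checks scripted with curl, as an added example that is not part of the original article: does the proxy refuse anonymous requests, does a directory account get through, does a wrong password get re-challenged, and does traffic really exit via the Squid host. The proxy address, user name and the LDAP helper path are assumptions; the status codes are Squid's standard behaviour (407 without or with wrong credentials, 200 once authenticated, 403 when an http_access rule denies the authenticated user).

```shell
#!/bin/sh
# Added example, not from the original article. PROXY, PROXY_USER,
# PROXY_PASS and the helper path are assumptions; override via environment.
PROXY="${PROXY:-http://192.0.2.10:3128}"
PROXY_USER="${PROXY_USER:-alice}"
PROXY_PASS="${PROXY_PASS:-}"

# HTTP status Squid returns for a request to $2, with ($1 = user:pass)
# or without ($1 empty) proxy credentials. curl prints 000 if it cannot connect.
proxy_status() {
  creds="$1"; url="$2"
  if [ -n "$creds" ]; then
    curl -s -o /dev/null -w '%{http_code}' --proxy "$PROXY" --proxy-user "$creds" "$url"
  else
    curl -s -o /dev/null -w '%{http_code}' --proxy "$PROXY" "$url"
  fi
}

# Map a status code to what it means for the authentication setup.
classify_status() {
  case "$1" in
    407)         echo "auth-required" ;;  # Squid demands (new) credentials
    200|301|302) echo "allowed" ;;        # request went through the proxy
    403)         echo "denied" ;;         # authenticated, but blocked by http_access
    000)         echo "unreachable" ;;    # could not connect to the proxy at all
    *)           echo "unexpected:$1" ;;
  esac
}

# Exit IP as seen by ip.sb, directly and via the proxy. The second should
# be the Squid host's public address when the proxy is actually in use.
exit_ip_direct()  { curl -s https://ip.sb; }
exit_ip_proxied() { curl -s --proxy "$PROXY" --proxy-user "$PROXY_USER:$PROXY_PASS" https://ip.sb; }

# Ask the LDAP helper directly (run inside the container, with the LDAP_*
# values from the compose file in the environment without surrounding quotes).
# Prints OK or ERR; separates a bad bind DN or filter from a bad Squid ACL.
ldap_helper_check() {
  printf '%s %s\n' "$1" "$2" | /usr/lib/squid/basic_ldap_auth \
    -b "$LDAP_DN" -D "$LDAP_BindDN" -w "$LDAP_BindPass" \
    -f "${LDAP_ATTRIBUT:-uid=%s}" -h "$LDAP_HOST" -p "${LDAP_PORT:-389}" \
    | head -n 1 | cut -d ' ' -f 1
}

# Expected sequence: anonymous -> auth-required, valid -> allowed,
# wrong password -> auth-required again (Squid re-challenges, it does not 403).
run_checks() {
  anon=$(classify_status "$(proxy_status "" http://example.com/)")
  good=$(classify_status "$(proxy_status "$PROXY_USER:$PROXY_PASS" http://example.com/)")
  bad=$(classify_status "$(proxy_status "$PROXY_USER:wrong-password" http://example.com/)")
  echo "anonymous=$anon valid=$good wrong=$bad"
  echo "exit IP direct=$(exit_ip_direct) via proxy=$(exit_ip_proxied)"
  [ "$anon" = "auth-required" ] && [ "$good" = "allowed" ] && [ "$bad" = "auth-required" ]
}

# Usage: PROXY_USER=alice PROXY_PASS='...' sh check-proxy.sh --run
if [ "${1:-}" = "--run" ]; then run_checks; fi
```

If the anonymous request already comes back as "allowed", authentication is not being enforced at all (typically LDAP_ENABLE was not honoured or an earlier http_access allow matches first); if the valid account is "denied", the helper accepted the password but a later rule blocks the user, which is the case to debug with ldap_helper_check before touching the ACLs.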

References

This article is reprinted from: https://lisz.me/tech/webmaster/ldap-squid.html
This site is for inclusion only, and the copyright belongs to the original author.