Re: [squid-users] HEAD over HTTPS
On 31/03/2016 10:36 a.m., Dick Visser wrote:
> On 26 February 2016 at 00:38, Amos Jeffries wrote:
>> On 26/02/2016 11:47 a.m., Dick Visser wrote:
>>> Hi
>>>
>>> I'm trying to set up an acl to allow a link checker tool to do its
>>> work through squid.
>>> This tool is a Wordpress plugin.
>>> The whole reason I have squid is so that Wordpress itself cannot
>>> retrieve random stuff from the Internet.
>>>
>>> I had come up with the idea of allowing the HEAD method, so the link
>>> checker plugin can do its job while at the same time not allowing
>>> malicious content to be retrieved.
>>> This appears to work well.
>>>
>>> However, when the plugin tries to check HTTPS URLs it uses CONNECT,
>>> which is then denied by squid.
>>
>> The tool is set up to relay TLS "HTTPS" through an *HTTP* proxy. To have
>> any more control than what you already found with that particular
>> layering will require MITM'ing that traffic with the Squid SSL-Bump feature.
>>
>> However, Squid is capable of receiving TLS connections in its role as
>> explicit/forward proxy. If the tool can be updated to use TLS to secure
>> its connection to the proxy, then to deliver its https:// messages to
>> the proxy over that (instead of using "HTTPS") you will get better
>> control without any loss of security.
>>
>
> I checked and the tool does not support TLS to the proxy...
> It is not a problem here to use SSLbump, but I don't understand how to
> configure squid to allow *only* HEAD requests on HTTPS.
> Because that is done using the CONNECT method.
> The HEAD method doesn't go 'inside' the CONNECT method - or am I
> mixing things up?

Yes you are mixing things up. The CONNECT is "outside", and the HEAD is "inside" the encryption layer.

Squid normally only sees the "outside". But SSL-Bump ('bump' action for full decryption) lets Squid see the "inside" as well.
So for configuration:

  # let the tool send CONNECT requests (only to SSL ports)
  # NP: this is separate from the default "deny CONNECT SSL_ports" line
  # which should come first.
  acl tool src
  http_access allow CONNECT SSL_ports toolip

  # let HTTPS HEAD requests happen
  acl HEAD method HEAD
  acl HTTPS proto HTTPS
  http_access allow HEAD HTTPS

  http_access deny all

... plus the usual http_port and ssl_bump settings for bumping.

I used the tool IP address and a src ACL above to be simple. You may have some other way to identify the tool's CONNECT requests.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
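The two-stage decision Amos describes (CONNECT checked "outside", then the decrypted HEAD or GET checked again "inside" the bump) can be seen by modelling Squid's http_access evaluation. This is an added example, not code from the thread or from Squid; the tool address 192.0.2.10, the second host 192.0.2.20 and the ACL name "tool" are constructed, and the evaluator is a simplified model of Squid's first-match, all-ACLs-must-match semantics:

```python
# Added example: a small model of Squid http_access evaluation applied to the
# rule set sketched above. Modelled semantics: lines are tested in order, a
# line matches only if every ACL on it matches (AND), the first matching line
# decides, and when nothing matches the result is the opposite of the last
# line. With SSL-Bump, the CONNECT is evaluated first and each decrypted
# request inside the tunnel is evaluated again against the same list.
import ipaddress

TOOL_IP = "192.0.2.10"    # constructed: the link-checker host
OTHER_IP = "192.0.2.20"   # constructed: some other host on the LAN

ACLS = {
    "SSL_ports": ("port", {443}),
    "CONNECT": ("method", {"CONNECT"}),
    "tool": ("src", [ipaddress.ip_network(TOOL_IP)]),
    "HEAD": ("method", {"HEAD"}),
    "HTTPS": ("proto", {"HTTPS"}),
    "all": ("all", None),
}

# Ordered http_access lines: (action, [acl names]); a leading "!" negates.
HTTP_ACCESS = [
    ("deny", ["CONNECT", "!SSL_ports"]),        # Squid's stock CONNECT rule
    ("allow", ["CONNECT", "SSL_ports", "tool"]),
    ("allow", ["HEAD", "HTTPS"]),
    ("deny", ["all"]),
]

def acl_matches(name, req):
    """True if the named ACL matches the request dict."""
    kind, values = ACLS[name]
    if kind == "all":
        return True
    if kind == "src":
        return any(ipaddress.ip_address(req["src"]) in net for net in values)
    if kind == "port":
        return req["port"] in values
    return req[kind] in values          # "method" and "proto"

def http_access(req):
    """First-match evaluation of HTTP_ACCESS; returns 'allow' or 'deny'."""
    for action, names in HTTP_ACCESS:
        line_matches = True
        for name in names:
            negate = name.startswith("!")
            hit = acl_matches(name.lstrip("!"), req)
            if hit == negate:           # ACL failed, or a negated ACL succeeded
                line_matches = False
                break
        if line_matches:
            return action
    return "allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"

def check_tunnelled_request(src, method, port=443):
    """Outer CONNECT verdict, then the verdict on the bumped inner request."""
    outer = http_access({"src": src, "method": "CONNECT", "proto": "HTTP", "port": port})
    if outer != "allow":
        return (outer, None)
    inner = http_access({"src": src, "method": method, "proto": "HTTPS", "port": port})
    return (outer, inner)

if __name__ == "__main__":
    for src, method in [(TOOL_IP, "HEAD"), (TOOL_IP, "GET"), (OTHER_IP, "HEAD")]:
        print(src, method, check_tunnelled_request(src, method))
```

Running it shows the tool's HEAD passing both stages, the tool's GET being stopped at the inner stage, and any other host being stopped already at the CONNECT.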
Re: [squid-users] HEAD over HTTPS
On 26 February 2016 at 00:38, Amos Jeffries wrote:
> On 26/02/2016 11:47 a.m., Dick Visser wrote:
>> Hi
>>
>> I'm trying to set up an acl to allow a link checker tool to do its
>> work through squid.
>> This tool is a Wordpress plugin.
>> The whole reason I have squid is so that Wordpress itself cannot
>> retrieve random stuff from the Internet.
>>
>> I had come up with the idea of allowing the HEAD method, so the link
>> checker plugin can do its job while at the same time not allowing
>> malicious content to be retrieved.
>> This appears to work well.
>>
>> However, when the plugin tries to check HTTPS URLs it uses CONNECT,
>> which is then denied by squid.
>
> The tool is set up to relay TLS "HTTPS" through an *HTTP* proxy. To have
> any more control than what you already found with that particular
> layering will require MITM'ing that traffic with the Squid SSL-Bump feature.
>
> However, Squid is capable of receiving TLS connections in its role as
> explicit/forward proxy. If the tool can be updated to use TLS to secure
> its connection to the proxy, then to deliver its https:// messages to
> the proxy over that (instead of using "HTTPS") you will get better
> control without any loss of security.
>

I checked and the tool does not support TLS to the proxy...
It is not a problem here to use SSLbump, but I don't understand how to configure squid to allow *only* HEAD requests on HTTPS.
Because that is done using the CONNECT method.
The HEAD method doesn't go 'inside' the CONNECT method - or am I mixing things up?

I'll start with using Squid 3.5.x to make sure I have the latest versions.

Thanks
Dick
Re: [squid-users] login dialog pop-up occurs on every site that embeds a frame
On 31/03/2016 1:49 a.m., Jens Kallup wrote:
> Hello,
>
> I have the following problem:
> when I serve the site:
>
> http://thejimmahknows.com/squid-proxy-splash-page-2/?doing_wp_cron=1459339456.8651709556579589843750
>
> the authentication/squid asks me for user & password.
> That's all ok.
>
> But, when you look at the right, there is a frame with ads.
> And the frame/page is performing an endless login loop, if you click on OK.
> If you click "abort/cancel" a few times, the web-browser produces a proxy error.
>
> What can I do to prevent those loops?

The popup is a browser feature (and decision). The question is why does/might the browser think it needs new credentials different to the ones you just entered?

Amos
Re: [squid-users] We have big problems with Squid 3.3.8, is it a bug?
I put keep_alive at off but no change.

I don't think that it's malware, it's not all the time the same username. Today, 5 new usernames with the same problems between 13:20 and 16:15. I don't understand the problem :<

2016-03-30 12:56 GMT+02:00 Amos Jeffries:
> On 30/03/2016 9:40 p.m., Olivier CALVANO wrote:
> > Hi
> >
> > I use:
> >
> > ## negotiate kerberos and ntlm authentication
> > auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm
> > /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
> > --kerberos /usr/lib64/squid/squid_kerb_auth -d -s GSS_C_NO_NAME
> > auth_param negotiate children 100 startup=10 idle=1
> > auth_param negotiate keep_alive on
> >
> > ## NTLM authentication module
> > auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
> > --helper-protocol=squid-2.5-ntlmssp
> > auth_param ntlm children 100 startup=10 idle=1
> > auth_param ntlm keep_alive on
>
> Try with "keep_alive off" on both of those auth methods. This does not
> conflict with connection keep-alive in general, just closes the
> connection at a very specific time in the auth handshake. Without that
> certain IE and Firefox can have problems authenticating properly.
>
> Given that the client waited 20 minutes for those WU requests to happen
> I doubt it is an actual user. Probably an automated WU background
> process doing its thing while they happen to be logged in. Which means
> the IE behaviour is relevant.
>
> The yahoo.fr request being 1 hr long is very odd though. That is
> something I'd expect to see from a real person user. But not waiting an
> hour for. Could they be infected with some toolbar malware?
>
> Amos
[squid-users] login dialog pop-up occurs on every site that embeds a frame
Hello,

I have the following problem:
when I serve the site:

http://thejimmahknows.com/squid-proxy-splash-page-2/?doing_wp_cron=1459339456.8651709556579589843750

the authentication/squid asks me for user & password.
That's all ok.

But, when you look at the right, there is a frame with ads.
And the frame/page is performing an endless login loop, if you click on OK.
If you click "abort/cancel" a few times, the web-browser produces a proxy error.

What can I do to prevent those loops?

Here is the config:

  auth_param basic program /usr/lib/squid3/basic_ncsa_auth /sap/squid/passwd
  auth_param basic children 4
  auth_param basic utf8 on
  auth_param basic realm Bitte geben Sie Ihren Benutzernamen und Passwort fuer die Internetberechtigung ein!
  auth_param basic credentialsttl 60 minutes
  auth_param basic casesensitive on

  external_acl_type MyAclHelper %LOGIN %DST /sap/squid/myHelper/myaclhelper.pl

  acl ncsa_users proxy_auth REQUIRED
  acl block_list external MyAclHelper

  acl localnet src 10.0.0.0/8
  acl localnet src 192.168.178.0/24

  # http_access deny !ncsa_users
  http_access deny !block_list
  # http_access allow localnet

  acl SSL_port port 443
  acl Safe_ports port 3128
  acl Safe_ports port 80          # http
  acl Safe_ports port 21          # ftp
  acl Safe_ports port 443         # https
  acl Safe_ports port 70          # gopher
  acl Safe_ports port 210         # wais
  acl Safe_ports port 1025-65535  # unregistered ports
  acl Safe_ports port 280         # http-mgmt
  acl Safe_ports port 488         # gss-http
  acl Safe_ports port 591         # filemaker
  acl Safe_ports port 777         # multiling http
  acl CONNECT method CONNECT

  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_port
  http_access deny all

  http_port 192.168.178.80:3128
  dns_v4_first on   # DNS queries

  cache_mgr jkal...@web.de
  cache_mem 8 MB
  cache_effective_user squid
  cache_effective_group squid
  error_directory /usr/local/squid/share/errors/de-de
  error_default_language de

  cache_dir ufs /sap/var/spool/squid 64 16 128
  cache_access_log /sap/squid/log/access.log
  cache_log /sap/squid/log/cache.log
  cache_store_log none

  # Leave coredumps in the first cache dir
  coredump_dir /sap/var/spool/squid
  pid_filename /sap/squid/squid3.pid

  # Add any of your own refresh_pattern entries above these.
  refresh_pattern ^ftp:             1440  20%  10080
  refresh_pattern ^gopher:          1440   0%   1440
  refresh_pattern -i (/cgi-bin/|\?)    0   0%      0
  refresh_pattern .                    0  20%   4320

  logformat squid %tl.%03tu %6tr %>a %un %Ss/%03>Hs %<
Re: [squid-users] We have big problems with Squid 3.3.8, is it a bug?
On 30/03/2016 9:40 p.m., Olivier CALVANO wrote:
> Hi
>
> I use:
>
> ## negotiate kerberos and ntlm authentication
> auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm
> /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
> --kerberos /usr/lib64/squid/squid_kerb_auth -d -s GSS_C_NO_NAME
> auth_param negotiate children 100 startup=10 idle=1
> auth_param negotiate keep_alive on
>
> ## NTLM authentication module
> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 100 startup=10 idle=1
> auth_param ntlm keep_alive on

Try with "keep_alive off" on both of those auth methods. This does not conflict with connection keep-alive in general, just closes the connection at a very specific time in the auth handshake. Without that certain IE and Firefox can have problems authenticating properly.

Given that the client waited 20 minutes for those WU requests to happen I doubt it is an actual user. Probably an automated WU background process doing its thing while they happen to be logged in. Which means the IE behaviour is relevant.

The yahoo.fr request being 1 hr long is very odd though. That is something I'd expect to see from a real person user. But not waiting an hour for. Could they be infected with some toolbar malware?

Amos
Re: [squid-users] ssl + stunnel and cache peer
On 30/03/2016 9:43 a.m., Baselsayeh wrote:
> sorry
> it seems that http://squid-web-proxy-cache.1019090.n4.nabble.com doesn't
> remove posts

This is an email mailing list. Nabble is just an archive display. There is no "oops I should not have mailed the world" undo feature in email.

>
> Yuri Voinov wrote
> I said exactly: "Cache peer cannot use re-crypting right now".
>
> No matter what you have behind cache_peer.

Correction: Squid does not (yet) support re-"CONNECT" messaging to cache_peer.

It certainly does support TLS connections to upstream peers. When bumping it *requires* that the peer supports TLS connections. Which is part of the problem lots of people have sending bumped data onwards to non-TLS peers.

>
> 30.03.16 2:40, Baselsayeh wrote:
> is there a workaround so that I can use cache peer and squid sslbump?
> isn't stunnel using ssl, so that squid doesn't need to re-crypt?

I think your main problem is that Squid *is* re-crypting the outbound connection to stunnel. Then stunnel is double-crypting it since stunnel's purpose is to encrypt plain-text connections.

When the tunnel made by stunnel through the privoxy-like thing reaches whatever destination Squid instructed it to contact it gets decrypted _once_ and the data inside is found to be encrypted ... oops.

What you need to avoid this is something like httptunnel. Which does not double-encrypt the traffic.

PS. the tutorials you see around the Internet about using Squid + stunnel at present are either to take plain-text client connections and send them through stunnel to a secured https_port on Squid. Or to take outbound connections from a non-encrypting Squid and send them securely to some upstream proxy.

Amos
Re: [squid-users] We have big problems with Squid 3.3.8, is it a bug?
Hi

I use:

  ## negotiate kerberos and ntlm authentication
  auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/lib64/squid/squid_kerb_auth -d -s GSS_C_NO_NAME
  auth_param negotiate children 100 startup=10 idle=1
  auth_param negotiate keep_alive on

  ## NTLM authentication module
  auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
  auth_param ntlm children 100 startup=10 idle=1
  auth_param ntlm keep_alive on

  ## If NTLM fails, offer the authentication dialog
  auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b dc=mydomain,dc=fr -f sAMAccountName=%s -D cn=Proxy,ou=vpn,dc=mydomain,dc=fr -w "mypass" -t 3 -H 172.16.1.21
  auth_param basic children 40 startup=5 idle=1
  auth_param basic realm Proxy
  #auth_param basic credentialsttl 2 hours
  auth_param basic credentialsttl 1 minute

But same problems if I put:

  ## negotiate kerberos and ntlm authentication
  #auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/lib64/squid/squid_kerb_auth -d -s GSS_C_NO_NAME
  #auth_param negotiate children 100 startup=10 idle=1
  #auth_param negotiate keep_alive on

Yes I have the login/password of the users (of >5000 accounts, we have 10/20 accounts with this problem).

I have a second server but for High Availability.

Sample of the problem with one username: before 11:17am it works; at 11:17am the username doesn't have access to the internet and in the logs we have the error; at 07:30pm the username has internet access again.

regards
Olivier

2016-03-30 9:59 GMT+02:00 Kinkie:
> Are you using BASIC, ntlm or kerberos?
> Do you know that user's password in order to run some tests?
> Do you have some other proxy or box where you can run some tests?
> AD is a complex system, so the first thing to do is to understand if the
> problem is caused by ad, by the system, by something related to the user or
> to the auth helper or to squid.
> On Mar 30, 2016 9:50 AM, "Olivier CALVANO" wrote:
>
>> Anyone know this problem?
>>
>>
>> 2016-03-29 18:22 GMT+02:00 Olivier CALVANO :
>>
>>> Hi
>>>
>>> we use on a new server Squid 3.3.8 on CentOS 7 with Active Directory
>>> Authentication (tested with negotiate_wrapper but same
>>> problems with ntlm_auth).
>>>
>>> That works very well for a time but without reason, a limited user can't
>>> access the internet and I don't know why.
>>>
>>> In the logs, we have:
>>>
>>> 1459266547.967 1200888 172.16.6.39 NONE_ABORTED/000 0 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab? olivier HIER_NONE/- -
>>> 1459266567.771 3538111 172.16.6.14 NONE_ABORTED/000 0 GET http://yahoo.fr/ olivier HIER_NONE/- -
>>> 1459267856.877 30609 172.16.6.39 NONE_ABORTED/000 0 GET http://officecdn.microsoft.com/Office/Data/v32.cab olivier HIER_NONE/- -
>>> 1459267917.860 60713 172.16.6.39 NONE_ABORTED/000 0 HEAD http://officecdn.microsoft.com/Office/Data/v32.cab olivier HIER_NONE/- -
>>>
>>>
>>> I don't know why but all logs have "NONE_ABORTED/000"
>>> anyone know this error?
>>>
>>>
>>> If, on the same PC, I change the username, that works! Reconnect with
>>> the old username and the problems start
>>>
>>> regards
>>> Olivier
>>>
>>
Re: [squid-users] We have big problems with Squid 3.3.8, is it a bug?
Are you using BASIC, ntlm or kerberos?
Do you know that user's password in order to run some tests?
Do you have some other proxy or box where you can run some tests?
AD is a complex system, so the first thing to do is to understand if the problem is caused by ad, by the system, by something related to the user or to the auth helper or to squid.

On Mar 30, 2016 9:50 AM, "Olivier CALVANO" wrote:
> Anyone know this problem?
>
>
> 2016-03-29 18:22 GMT+02:00 Olivier CALVANO :
>
>> Hi
>>
>> we use on a new server Squid 3.3.8 on CentOS 7 with Active Directory
>> Authentication (tested with negotiate_wrapper but same
>> problems with ntlm_auth).
>>
>> That works very well for a time but without reason, a limited user can't
>> access the internet and I don't know why.
>>
>> In the logs, we have:
>>
>> 1459266547.967 1200888 172.16.6.39 NONE_ABORTED/000 0 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab? olivier HIER_NONE/- -
>> 1459266567.771 3538111 172.16.6.14 NONE_ABORTED/000 0 GET http://yahoo.fr/ olivier HIER_NONE/- -
>> 1459267856.877 30609 172.16.6.39 NONE_ABORTED/000 0 GET http://officecdn.microsoft.com/Office/Data/v32.cab olivier HIER_NONE/- -
>> 1459267917.860 60713 172.16.6.39 NONE_ABORTED/000 0 HEAD http://officecdn.microsoft.com/Office/Data/v32.cab olivier HIER_NONE/- -
>>
>>
>> I don't know why but all logs have "NONE_ABORTED/000"
>> anyone know this error?
>>
>>
>> If, on the same PC, I change the username, that works! Reconnect with
>> the old username and the problems start
>>
>> regards
>> Olivier
>>
>
Re: [squid-users] We have big problems with Squid 3.3.8, is it a bug?
Anyone know this problem?

2016-03-29 18:22 GMT+02:00 Olivier CALVANO:
> Hi
>
> we use on a new server Squid 3.3.8 on CentOS 7 with Active Directory
> Authentication (tested with negotiate_wrapper but same
> problems with ntlm_auth).
>
> That works very well for a time but without reason, a limited user can't
> access the internet and I don't know why.
>
> In the logs, we have:
>
> 1459266547.967 1200888 172.16.6.39 NONE_ABORTED/000 0 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab? olivier HIER_NONE/- -
> 1459266567.771 3538111 172.16.6.14 NONE_ABORTED/000 0 GET http://yahoo.fr/ olivier HIER_NONE/- -
> 1459267856.877 30609 172.16.6.39 NONE_ABORTED/000 0 GET http://officecdn.microsoft.com/Office/Data/v32.cab olivier HIER_NONE/- -
> 1459267917.860 60713 172.16.6.39 NONE_ABORTED/000 0 HEAD http://officecdn.microsoft.com/Office/Data/v32.cab olivier HIER_NONE/- -
>
>
> I don't know why but all logs have "NONE_ABORTED/000"
> anyone know this error?
>
>
> If, on the same PC, I change the username, that works! Reconnect with
> the old username and the problems start
>
> regards
> Olivier
>
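The log lines quoted above are in Squid's native access.log layout, and the detail Amos later picks up on (durations of 20 minutes and an hour before the client gave up) is easy to miss by eye. The following is an added example, not code from the thread or from Squid: a parser for that layout that groups NONE_ABORTED/000 entries per user and reports how long each client sat waiting. The sample log is constructed from the posted lines plus one healthy request for contrast.

```python
# Added example: parse Squid native-format access.log lines and flag the
# pattern described in the thread, NONE_ABORTED/000 requests that a user's
# client abandoned after a long wait. Default "squid" logformat fields:
# timestamp, duration(ms), client, result/status, bytes, method, URL,
# user, hierarchy/peer, content-type.
from collections import defaultdict

# Constructed sample: the four posted lines plus one normal request.
SAMPLE_LOG = """\
1459266547.967 1200888 172.16.6.39 NONE_ABORTED/000 0 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab? olivier HIER_NONE/- -
1459266567.771 3538111 172.16.6.14 NONE_ABORTED/000 0 GET http://yahoo.fr/ olivier HIER_NONE/- -
1459267856.877 30609 172.16.6.39 NONE_ABORTED/000 0 GET http://officecdn.microsoft.com/Office/Data/v32.cab olivier HIER_NONE/- -
1459267917.860 60713 172.16.6.39 NONE_ABORTED/000 0 HEAD http://officecdn.microsoft.com/Office/Data/v32.cab olivier HIER_NONE/- -
1459267920.001 215 172.16.6.40 TCP_MISS/200 5123 GET http://example.com/ alice HIER_DIRECT/192.0.2.1 text/html
"""

def parse_line(line):
    """Split one native-format line into a dict; None for malformed lines."""
    parts = line.split()
    if len(parts) < 10:
        return None
    result, _, status = parts[3].partition("/")
    return {
        "ts": float(parts[0]),
        "duration_ms": int(parts[1]),
        "client": parts[2],
        "result": result,
        "status": int(status),
        "bytes": int(parts[4]),
        "method": parts[5],
        "url": parts[6],
        "user": parts[7],
        "hier": parts[8],
    }

def aborted_by_user(log_text, min_duration_ms=10_000):
    """Group NONE_ABORTED/000 requests per user, keeping only slow ones."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["result"] == "NONE_ABORTED" and rec["status"] == 0
                and rec["duration_ms"] >= min_duration_ms):
            hits[rec["user"]].append(rec)
    return dict(hits)

def summarize(log_text):
    """Per user: count, longest stall in seconds, distinct client IPs."""
    out = {}
    for user, recs in aborted_by_user(log_text).items():
        out[user] = {
            "count": len(recs),
            "max_stall_s": max(r["duration_ms"] for r in recs) / 1000,
            "clients": sorted({r["client"] for r in recs}),
        }
    return out

if __name__ == "__main__":
    for user, info in summarize(SAMPLE_LOG).items():
        print(user, info)
```

Two distinct client IPs showing the same stalled user is worth noticing: it separates a per-account problem (as Olivier reports) from a per-machine one.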
Re: [squid-users] NEGOTIATE Kerberos Auth
Many thanks Markus, I solved everything!

Sent: Tuesday, March 22, 2016 at 1:25 AM
From: "Markus Moeller"
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] NEGOTIATE Kerberos Auth

Hi,

1) Yes, you should see user@DOMAIN for kerberos authentication, but if you use -r the @DOMAIN will be removed.

2) The client in EXTERNAL.COM needs to know where to find the HTTP/@FATHER.COM principal. I think your trust is not fully set up. You should see some cross domain TGTs.

Cross Domain SPN Lookups with Active Directory

When Domains are within the same forest, the KDC should consult the GC (Global Catalog) and provide a referral if the account is in a different domain. If the account is not in the same forest you would need to define Host Mapping for the account, unless you are using a forest trust. Then you could define a Kerberos Forest Search Order.

Markus

"akn ab" wrote in message news:trinity-1231fb52-3516-493c-a2c9-b9fe1c1623c5-1458549367234@3capp-mailcom-lxa05...

Hello Markus,

first of all thank you for your reply, today I'm having a strange issue.
KID1 and KID2 started to authenticate with kerberos correctly without any modification ...
This is so strange, but I'm very happy, so I started other configurations, but I have 2 more problems:

1) On my squid logs, I can see users authenticated correctly, but not the domain the users came from.
For example:
FATHER.COM\user1
KID1.FATHER.COM\user1
KID2.FATHER.COM\user1
are reported on my logs with "user1" and not as us...@kid1.father.com or KID1\user1 (for example)
I need to differentiate domains because I'm sending x-authenticated-user to my proxy peers.
Is it possible with kerberos?

2) I have another domain EXTERNALS.COM with bidirectional trust with FATHER.COM, so I added it in my krb5.conf like KID1, but kerberos auth fails.
Using your instructions, I captured port 88 during the handshake and I get:
eRR-C-PRINCIPAL-UNKNOWN
Users' PCs belonging to EXTERNALS.COM are joined to EXTERNALS.COM

Best Regards.
Sent: Saturday, March 19, 2016 at 12:28 AM
From: "Markus Moeller"
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] NEGOTIATE Kerberos Auth

Hi,

Is your client a member of FATHER.COM or KID1.FATHER.COM / KID2.FATHER.COM?

Can you get a wireshark capture on your client on port 88? You should see some TGS-REQs in the capture and I assume also TGS-REPs with error messages. Can you share these error messages?

Regards
Markus

"akn ab" wrote in message news:trinity-1aed7413-4936-4022-90fa-eac7e2d892ed-1458301713239@3capp-mailcom-lxa01...

Dear all,

I'm having a problem in configuring my squid 3.5.15 with negotiated kerberos authentication in my Mono Forest Multi Domains.
My FATHER.COM is a forest with 2 children: KID1 and KID2.
Like this:

FATHER.COM
  -> KID1.FATHER.COM
  -> KID2.FATHER.COM

With the actual configuration, squid negotiated kerberos auth works with only FATHER.COM but not when my users belong to KID1 and KID2.
I read some discussions on the mailing list about forests, but cannot find a definitive advice and procedure to authenticate children domains' users.
My krb5.conf:

  [logging]
   default = FILE:/var/log/krb5libs.log
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmind.log

  [libdefaults]
   default_realm = FATHER.COM
   dns_lookup_realm = false
   dns_lookup_kdc = false
   ticket_lifetime = 24h
   renew_lifetime = 7d
   forwardable = true
   default_keytab_name = /usr/local/squid/etc/HTTP.keytab
   default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
   default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
   permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

  [realms]
   FATHER.COM = {
    kdc = dc1.father.com:88
    kdc = dc2.father.com:88
    default_domain = father.com
   }
   KID1.FATHER.COM = {
    kdc = dc1.kid1.father.com:88
    kdc = dc2.kid1.father.com:88
    default_domain = kid1.father.com
   }
   KID2.FATHER.COM = {
    kdc = dc1.kid2.father.com:88
    kdc = dc2.kid2.father.com:88
    default_domain = kid2.father.com
   }

  [domain_realm]
   .father.com = FATHER.COM
   father.com = FATHER.COM
   .kid1.father.com = KID1.FATHER.COM
   kid1.father.com = KID1.FATHER.COM
   .kid2.father.com = KID2.FATHER.COM
   kid2.father.com = KID2.FATHER.COM

  [capaths]
   KID1.FATHER.COM = {
    FATHER.COM = .
   }
   KID2.FATHER.COM = {
    FATHER.COM = .
   }

To join kerberos auth with FATHER.COM I did:

  # kinit u...@father.com
  # msktutil -c -b "CN=Computers" -s HTTP/proxy1.father.com -h proxy1.father.com -k /usr/local/squid/etc/HTTP.keytab --computer-name proxy1krb --upn HTTP/proxy1.father.com --server dc1.father.com --enctypes 28 --verbose -N

On squid config I have:

  auth_param negotiate program /usr/local/squid/libexec/negotiate_kerberos_auth -r
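Markus's point about the EXTERNALS.COM client needing a route to the HTTP/@FATHER.COM principal comes down to which cross-realm hops a krb5 library derives from [capaths], and what it falls back to when a realm has no entry. The following is an added example, not code from the thread, from MIT Kerberos or from Squid: a minimal krb5.conf reader plus a simplified model of the realm-path rule (only the client side of [capaths] is consulted, and `include` directives are not handled). The excerpt is constructed from the krb5.conf posted above.

```python
# Added example: read a krb5.conf and derive the realm path a client needs
# to reach a service principal in another realm. Modelled rule: a [capaths]
# entry CLIENT = { SERVER = X } routes via X ("." = direct trust); without an
# entry the hierarchical default climbs the DNS-style realm name to the
# common suffix and back down. Simplified model, client side of capaths only.

# Constructed excerpt of the krb5.conf posted in the thread.
KRB5_CONF = """\
[realms]
 FATHER.COM = {
  kdc = dc1.father.com:88
  kdc = dc2.father.com:88
 }
 KID1.FATHER.COM = {
  kdc = dc1.kid1.father.com:88
 }
[capaths]
 KID1.FATHER.COM = {
  FATHER.COM = .
 }
"""

def parse_krb5_conf(text):
    """Parse [section] / key = value / key = { ... } into nested dicts;
    a repeated key (e.g. several kdc lines) collects its values in a list."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [root.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack[-1][key] = block = {}
                stack.append(block)
            elif key in stack[-1]:
                old = stack[-1][key]
                stack[-1][key] = (old if isinstance(old, list) else [old]) + [value]
            else:
                stack[-1][key] = value
    return root

def hierarchical_path(client, server):
    """Default path when [capaths] is silent: up to the common suffix, then down."""
    c, s, common = client.split("."), server.split("."), []
    while c and s and c[-1] == s[-1]:
        common.insert(0, c.pop())
        s.pop()
    up = [".".join(c[i:] + common) for i in range(1, len(c) + 1)]
    down = [".".join(s[i:] + common) for i in range(len(s) - 1, -1, -1)]
    return [client] + up + down

def realm_path(conf, client, server):
    """Realms a TGS request chain traverses from the client realm to the server realm."""
    if client == server:
        return [client]
    via = conf.get("capaths", {}).get(client, {}).get(server)
    if via is None:
        return hierarchical_path(client, server)
    hops = via if isinstance(via, list) else [via]
    return [client] + [h for h in hops if h != "."] + [server]

def undefined_realms(conf, path):
    """Realms on the path for which this krb5.conf defines no KDC."""
    return [r for r in path if r not in conf.get("realms", {})]

if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    for client in ("KID1.FATHER.COM", "KID2.FATHER.COM", "EXTERNALS.COM"):
        path = realm_path(conf, client, "FATHER.COM")
        print(client, "->", " -> ".join(path), "| undefined:", undefined_realms(conf, path))
```

For EXTERNALS.COM the hierarchical fallback routes through a non-existent "COM" realm, which is why a non-hierarchical trust must be made explicit (a [capaths] entry on krb5 clients, or a properly configured forest or external trust with referrals on Active Directory) before the TGS lookup can succeed.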