Configuring a Squid Proxy Server

Posted by admindumi | Posted in Proxy Server |


Squid

Squid is a proxy server and web cache daemon. It has a wide variety of uses, from speeding up a web server by caching repeated requests; to caching web, DNS and other computer network lookups for a group of people sharing network resources; to aiding security by filtering traffic.

Proxy server – 10.0.0.113 (Debian 6)

 

1.       Since the proxy server must have a direct connection to the internet, set its default gateway and DNS server first.

1.1. Set the default gateway

$ su -

# nano /etc/network/interfaces

Add "gateway yourgatewayip" under your "eth0" stanza.

Ex – gateway 10.0.0.2

Here the gateway should be your router's LAN IP.

Save and exit the file.

1.2. Set the DNS server IP

# nano /etc/resolv.conf

Type "nameserver yourdnsip"

Ex – nameserver 10.0.0.2

Save and exit the file.

1.3. Restart "eth0" so the changes take effect

# ifdown eth0

# ifup eth0

1.4. Ping an outside domain to verify that both the gateway and DNS are working

# ping google.com

2.       Add all the client computers' IPs and hostnames to "/etc/hosts", so the proxy can resolve client names (for its logs and reports) without depending on DNS

# nano /etc/hosts

10.0.0.111 srv1.tcs.local srv1
10.0.0.112 srv2.tcs.local srv2
10.0.0.113 srv3.tcs.local srv3
10.0.0.114 srv4.tcs.local srv4
10.0.0.115 srv5.tcs.local srv5
10.0.0.116 srv6.tcs.local srv6
10.0.0.117 srv7.tcs.local srv7
10.0.0.118 srv8.tcs.local srv8

Save and exit the file

 

3.       Check whether the software package is installed

# aptitude search '~i squid'

4.       If not installed, install it

# aptitude install squid

5.       Check the squid service status

# service squid status

5.1. Check whether the service has been added to the startup

# rcconf

An * in front of squid means it has been added to the startup.

6.       Allow the local network to browse the internet through the proxy

# nano /etc/squid/squid.conf

Ctrl + W to search, and search for "insert"

Under "# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS" type the following

acl mynet src 10.0.0.0/24

http_access allow mynet

Here "acl" stands for access control list. "mynet" is the acl name; it can be any name. "src" means the rule matches on the client's source IP. "10.0.0.0/24" identifies all the clients within the network. "http_access allow mynet" allows the network defined by the acl to browse the internet through the proxy server.

Squid evaluates http_access lines from top to bottom and stops at the first match, so this allow line has to sit above the "http_access deny all" line near the end of the file; placed below it, it never matches. Keep the network as narrow as your real LAN (10.0.0.0/24 here): allowing 0.0.0.0/0, or the range of an internet-facing interface, turns the box into an open proxy.

Save and exit the file

7.       Reload the proxy service so the changes take effect. Squid refuses to reload on a configuration error; running "squid -k parse" first reports the offending line.

# service squid reload

Configuring Proxy Clients

A proxy client is any software that accesses the internet through the proxy server.

Ex – Web browsers (Firefox, Iceweasel, Chrome, IE)

We have to set the proxy server's IP (10.0.0.113) and the proxy server's port number (default 3128) in each program that needs to access the internet through the proxy server.

A port number identifies the specific process that a TCP or UDP message is delivered to when it arrives at a host. For both the Transmission Control Protocol and the User Datagram Protocol, the port number is a 16-bit integer carried in the segment header; the client sends to the server's port (3128 here) and the server replies to the client's port.

How to set Firefox or Iceweasel web browsers to use the proxy

Open the web browser => Edit (Tools in Windows) => Preferences (Options in Windows) => Advanced => Network => Settings => Manual proxy configuration => HTTP proxy 10.0.0.113 Port 3128 => Enable "Use this proxy server for all protocols" => OK => Close

 

Filtering Web Access using DansGuardian

DansGuardian, written by SmoothWall Ltd and others, is content-control software: software designed to control which websites users can access. It also includes virus filtering and usage monitoring features.

1.       Check the package

# aptitude search '~i dansguardian'

2.       If not installed, install it

# aptitude install dansguardian

It will fail to start, because it has not been configured yet

3.       Configuring DansGuardian

# nano /etc/dansguardian/dansguardian.conf

Ctrl + W to search, and search for "logfileformat"

Change "logfileformat = 1" to "logfileformat = 3"

Format 3 is Squid's native log format, which is what squidview and sarg (see below) know how to parse, so DansGuardian's log can later be used in place of squid's.

Ctrl + W to search, and search for "dansguardian.pl"

Change "accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'" to "accessdeniedaddress = 'http://10.0.0.113/cgi-bin/dansguardian.pl'"

This address is only used when "reportinglevel" is 1 or 2, and it needs a web server on 10.0.0.113 that serves the dansguardian.pl CGI. With the Debian default of reportinglevel = 3, DansGuardian serves its own HTML block page and the address is ignored.

Finally go to the top of the file and comment out the "UNCONFIGURED" line

Save and exit the file

4.       Start the DansGuardian service

# service dansguardian start

5.       Check whether DansGuardian was added to the startup

# rcconf

6.       Configuring squid to be reachable only through DansGuardian

# nano /etc/squid/squid.conf

Ctrl + W to search, and search for "http_port 3128"

Change "http_port 3128" to "http_port 127.0.0.1:3128 transparent"

Binding to 127.0.0.1 is the important part: squid now only accepts connections from the local machine, so clients cannot bypass the filter by pointing their browser at port 3128 directly. The "transparent" keyword is meant for NAT-intercepted traffic; DansGuardian sends ordinary proxy requests, so "http_port 127.0.0.1:3128" on its own also works.

Save and exit the file

7.       Reload squid so the changes take effect

# service squid reload

Reconfiguring Proxy Clients to use Squid through DansGuardian

Now the request path will be

Client => DansGuardian (10.0.0.113, port 8080) => Squid (127.0.0.1, port 3128) => Internet

DansGuardian listens on port 8080 on all interfaces ("filterip" is blank by default). If the proxy has a second, internet-facing interface, set "filterip = 10.0.0.113" in dansguardian.conf or firewall port 8080 so that only the LAN can reach it; otherwise the filter itself becomes an open proxy.

Open the web browser => Edit (Tools in Windows) => Preferences (Options in Windows) => Advanced => Network => Settings => Manual proxy configuration => HTTP proxy 10.0.0.113 Port 8080 => Enable "Use this proxy server for all protocols" => OK => Close

 

Configuring DansGuardian Filters

By default moderate filtering is enabled. All the filter list files can be found under the "/etc/dansguardian/lists/" folder. Each list is a plain text file that you can edit with a text editor. Each file is well commented and can be customised to your needs quickly.

Each filter file explained

File – Description

exceptioniplist – Client IP addresses that get unrestricted access (no filtering).

exceptionphraselist – Phrases that, if they appear in a web page, cause filtering to be bypassed for that page. Use this sparingly, since it can result in a lot of pages not being blocked; the weightedphraselist is usually the better tool.

exceptionsitelist – Domain endings that, if found in the requested URL, are not filtered.

exceptionurllist – URL parts for sites where filtering should be turned off.

bannedextensionlist – File extensions that are banned. This can be used to restrict users from downloading screen savers, executable files, viruses, and so forth.

bannediplist – Client IP addresses that get no web access at all.

bannedmimetypelist – MIME types that are banned. If a URL request returns a MIME type in this list, DansGuardian blocks it. This can be used to block movies, but should not be used for graphic image files, text/html, and so on.

bannedphraselist – Phrases that result in a page being banned. Each phrase must be enclosed between < and > characters and may contain spaces. You can also list a combination of phrases that, only if all are found in a page, result in it being blocked.

bannedregexpurllist – Regular expressions matched against the requested URL; matching requests are banned. Like bannedextensionlist, this can be used to stop downloads of screen savers, executable files, viruses, and so forth.

bannedsitelist – Sites to be banned. You can use IP addresses here as well as domain names, and can even include stock SquidGuard blacklists.

bannedurllist – URL parts to block, which lets you block parts of a site rather than the entire site. SquidGuard lists can be used here as well.

weightedphraselist – Phrases with a corresponding positive or negative value. As phrases are encountered in a page, the total "value" of the page is calculated from these values; good phrases have negative values and bad phrases positive ones. Once the naughtiness limit ("naughtynesslimit" in the filter group configuration, dansguardianf1.conf) has been reached, the page is blocked.

pics – PICS (Platform for Internet Content Selection) sections that let you fine-tune PICS filtering. It was designed to help control what children access on the internet. The DansGuardian defaults are for young children (mild profanity, artistic nudity, etc.).

Note – After changing a filter list, save and exit it and reload (or restart) DansGuardian so the new list is read.
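The weighted-phrase mechanism described above, as an added example that is not DansGuardian's own code: a small Python model of bannedphraselist and weightedphraselist together with the naughtiness limit, using constructed phrase lists, an assumed limit of 50 and made-up page text. Matching is a case-insensitive substring check and each phrase counts once per page; the real engine does more (phrase combinations, PICS, per-group settings), so use this to understand the scoring, not to predict it exactly.

```python
"""Toy model of DansGuardian's phrase lists and naughtiness score.

Added example, not DansGuardian's own code.  The phrase lists, the limit and
the page texts below are constructed for illustration; real lists live under
/etc/dansguardian/lists/ and the limit is the "naughtynesslimit" setting of the
filter group (dansguardianf1.conf).  Matching is plain case-insensitive
substring search, and each phrase counts once per page (DansGuardian's default
"singular" weighted phrase mode).
"""
import re

# Constructed weightedphraselist entries: <phrase><weight>; negative = "good" phrase.
WEIGHTED_PHRASES = """
# comment lines and blank lines are ignored
<buy now><20>
<free download><15>
<security advisory><-30>
<debian><-20>
<casino><60>
"""

# Constructed bannedphraselist entries: one hit blocks the page outright.
BANNED_PHRASES = """
<credit card number>
"""

NAUGHTYNESS_LIMIT = 50  # assumed; DansGuardian's shipped default for filter group 1


def parse_weighted(text):
    """Return [(phrase, weight)] from '<phrase><weight>' lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"<([^<>]+)><(-?\d+)>", line)
        if m and not line.startswith("#"):
            entries.append((m.group(1).lower(), int(m.group(2))))
    return entries


def parse_banned(text):
    """Return [phrase] from '<phrase>' lines."""
    phrases = []
    for line in text.splitlines():
        m = re.fullmatch(r"<([^<>]+)>", line.strip())
        if m:
            phrases.append(m.group(1).lower())
    return phrases


def classify(page_text, weighted, banned, limit=NAUGHTYNESS_LIMIT):
    """Return ('banned', None), ('blocked', score) or ('allowed', score).

    Banned phrases are checked first, as DansGuardian does; the weighted score
    is the sum of the weights of every listed phrase present in the page.
    """
    body = page_text.lower()
    for phrase in banned:
        if phrase in body:
            return "banned", None
    score = sum(weight for phrase, weight in weighted if phrase in body)
    return ("blocked" if score >= limit else "allowed"), score


if __name__ == "__main__":
    weighted, banned = parse_weighted(WEIGHTED_PHRASES), parse_banned(BANNED_PHRASES)
    for page in ("Play casino games, buy now!",
                 "Debian security advisory: free download of the fix",
                 "Enter your credit card number to continue"):
        print(classify(page, weighted, banned), "<-", page)
```

The second page shows why the negative weights matter: "free download" alone would add 15, but the surrounding "security advisory" and "debian" pull the total well below the limit, which is how a tuned list avoids blocking legitimate technical pages.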

 

Monitoring Internet Usage

Real-time internet usage monitoring

Squidview

Squidview is an interactive console program that monitors and displays squid logs in a readable fashion, and can then go deeper with its searching and reporting functions.

Check the package

# aptitude search '~i squidview'

If not installed, install it

# aptitude install squidview

Run squidview for the first time (this creates the ~/.squidview directory for the current user, root here)

# squidview

Ctrl + X to quit squidview

Set squidview to use the DansGuardian access log

Squidview reads the log through the symlink ~/.squidview/log1, which points at squid's access log by default. Since squid now only sees requests arriving from DansGuardian on 127.0.0.1, point the link at DansGuardian's log instead, which records the real client addresses.

# cd

# cd .squidview

# ls -l

# rm log1

# ln -s /var/log/dansguardian/access.log log1

# ls -l

Realtime monitoring

# squidview

To quit squidview press Ctrl + X

 

Making proxy reports

SARG

Sarg (Squid Analysis Report Generator) is a tool that lets you see "where" your users are going on the Internet.

Sarg provides plenty of information about Squid users' activity: times, bytes, sites, etc.

SARG is not available in the Debian 6 repositories, but the package from the Debian 5 repositories can be downloaded and installed manually

# cd

# wget http://mirrors.kernel.org/debian/pool/main/s/sarg/sarg_2.2.5-2_i386.deb

For 64bit

# cd

# wget http://mirrors.kernel.org/debian/pool/main/s/sarg/sarg_2.2.5-2_amd64.deb

Because this bypasses apt, the archive signature check that apt normally performs does not happen, and gdebi does not verify the file either. Before installing, compare the file's checksum (sha256sum or md5sum) against the hash listed for that package in the Debian 5 archive's signed Packages index.

Now we have to install it

# aptitude install gdebi

# cd

# gdebi sarg_2.2.5-2_i386.deb

(use sarg_2.2.5-2_amd64.deb on 64bit)

Set sarg to use DansGuardian's access log file

# nano /etc/squid/sarg.conf

Ctrl + W to search, and search for "squid"

Change "access_log /var/log/squid/access.log" to "access_log /var/log/dansguardian/access.log"

Save and exit the file.

Now we can make a proxy report

# sarg

By default it processes the whole access log and writes the report into a directory named after the date range it covers

Accessing the report

# cd /var/www/squid-reports

# ls

# iceweasel index.html

The report directory sits under /var/www, so any web server that serves that directory exposes every user's browsing history to whoever can reach it; restrict access to it (or run no web server on the proxy) if that history should stay private.

For more details about sarg

# sarg -h
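What squidview and sarg do with the DansGuardian log, as an added example in Python that is not part of either tool: it parses a few constructed Squid-native-format lines (the format that logfileformat = 3 produces), totals requests and bytes per user and per site, and pulls out the blocked requests. The TCP_DENIED/403 marker for a blocked request is an assumption about DansGuardian's log layout; check a real line from /var/log/dansguardian/access.log before relying on it.

```python
"""Summarise a Squid-native-format access log (the format squidview and sarg read).

Added example, not squidview's or sarg's own code.  The log lines below are
constructed for illustration and follow Squid's native format, which is also
what DansGuardian writes with logfileformat = 3:

    timestamp elapsed client action/status bytes method url user hierarchy/peer type

"TCP_DENIED/403" is used here for a request DansGuardian blocked (assumed
layout; confirm against your own log before relying on it).
"""
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE_LOG = """\
1331112001.234    120 10.0.0.111 TCP_MISS/200 5120 GET http://www.debian.org/ user1 DIRECT/130.89.148.14 text/html
1331112002.456      3 10.0.0.111 TCP_DENIED/403 0 GET http://casino.example/ user1 NONE/- text/html
1331112005.789    250 10.0.0.112 TCP_HIT/200 20480 GET http://www.debian.org/doc/ user2 NONE/- text/html
1331112007.012     40 10.0.0.112 TCP_MISS/200 1024 CONNECT mail.example.com:443 user2 DIRECT/203.0.113.10 -
"""


def parse_line(line):
    """Split one native-format line into a dict, or return None for a short/garbled line."""
    f = line.split()
    if len(f) < 10:
        return None
    action, _, status = f[3].partition("/")
    return {"ts": float(f[0]), "client": f[2], "action": action,
            "status": int(status), "bytes": int(f[4]), "method": f[5],
            "url": f[6], "user": f[7]}


def site_of(url):
    """Host part of a URL; CONNECT requests log only host:port."""
    if "://" in url:
        return urlsplit(url).hostname or url
    return url.rsplit(":", 1)[0]


def is_denied(rec):
    return rec["action"] == "TCP_DENIED" or rec["status"] == 403


def summarise(log_text):
    """Per-user totals (what sarg's user report shows) and bytes per site for served requests."""
    per_user = defaultdict(lambda: {"requests": 0, "bytes": 0, "denied": 0, "sites": set()})
    per_site = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        site = site_of(rec["url"])
        u = per_user[rec["user"]]
        u["requests"] += 1
        u["bytes"] += rec["bytes"]
        u["sites"].add(site)
        if is_denied(rec):
            u["denied"] += 1
        else:
            per_site[site] += rec["bytes"]
    return dict(per_user), dict(per_site)


def denied_requests(log_text):
    """(user, client, url) for every blocked request: the lines worth reviewing first."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_denied(rec):
            out.append((rec["user"], rec["client"], rec["url"]))
    return out


if __name__ == "__main__":
    users, sites = summarise(SAMPLE_LOG)
    for name, stats in sorted(users.items()):
        print(f"{name}: {stats['requests']} requests, {stats['bytes']} bytes, {stats['denied']} denied")
    for site, nbytes in sorted(sites.items(), key=lambda kv: -kv[1]):
        print(f"  {site}: {nbytes} bytes")
    print("denied:", denied_requests(SAMPLE_LOG))
```

To run it against the real file, replace SAMPLE_LOG with the contents of /var/log/dansguardian/access.log; the user column is only populated once proxy authentication (below) is enabled, otherwise group by the client column instead.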

 

Enable User Authentication in Squid

1.       Check the package (mini-httpd is only needed here for the htpasswd utility it ships; apache2-utils provides the same tool)

# aptitude search '~i mini-httpd'

2.       If not installed, install it

# aptitude install mini-httpd

3.       Create a new user account database to use with squid

# htpasswd -c /etc/squid/passwd user1

Here "-c" creates the database; when adding further users later, leave "-c" out, because it overwrites an existing file and would wipe the users already in it. "/etc/squid/passwd" is the squid user database location. "user1" is the first user added to the database.

Once you press enter you will be asked to give a password for user1.

The file holds password hashes, so it should be readable only by root and by the user squid runs as (proxy on Debian): set its owner to root:proxy and its mode to 640.

4.       Enable authentication in squid

# nano /etc/squid/squid.conf

Ctrl + W to search, and search for "#auth_param basic"

Uncomment the "#auth_param basic program <uncomment and complete this line>" line and change it to "auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd" (the leading "#" must go; if it stays, the line remains a comment and squid never starts the helper)

Uncomment the following lines also

auth_param basic children 5

auth_param basic realm Squid proxy-caching web server

auth_param basic credentialsttl 2 hours

auth_param basic casesensitive off

Ctrl + W to search, and search for "# http_access"

Under the comment type these new lines

acl ncsa_users proxy_auth REQUIRED

http_access allow ncsa_users

These two lines must come above every other "http_access allow" line that could already match the clients: the "http_access allow mynet" line added earlier, and the default "http_access allow localhost", which is the one that matches when requests arrive from DansGuardian on 127.0.0.1. Squid stops at the first matching rule, so if one of those allow lines comes first, clients are let through without ever being asked for a password. To require both a permitted source and valid credentials, put both acl names on one line, e.g. "http_access allow mynet ncsa_users" (every acl on a line must match).

Save and exit the file

Here,

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd : Specifies the helper program location and the squid password file

auth_param basic children 5 : The number of authenticator processes to spawn.

auth_param basic realm Squid proxy-caching web server : Part of the text the user sees when prompted for their username and password

auth_param basic credentialsttl 2 hours : Specifies how long squid assumes an externally validated username:password pair is valid for, in other words how often the helper program is called again for that user. It is set to 2 hours.

auth_param basic casesensitive off : Specifies whether usernames are case sensitive. It can be on or off only

acl ncsa_users proxy_auth REQUIRED : The REQUIRED term means that any authenticated user matches the ACL named ncsa_users

http_access allow ncsa_users : Allow proxy access only if the user has authenticated successfully.

5.       Reload the squid service so the changes take effect

# service squid reload

Now, once a user tries to browse the internet through the proxy, they will have to provide a valid username and password.

Note that basic authentication sends the username and password base64-encoded, not encrypted, with every request; anyone who can sniff the LAN segment between the clients and the proxy can read them, so do not reuse passwords that protect anything else. With DansGuardian in front of squid, the credentials have to pass through DansGuardian: its proxy-basic authentication plugin ("authplugin" in dansguardian.conf) forwards the Proxy-Authorization header to squid and also lets DansGuardian use the user name for its own per-user filter groups.

How to Filter Users by their Names

# nano /etc/squid/squid.conf

Ctrl + W to search, and search for "# http_access"

Under the comment, but before the "acl ncsa_users proxy_auth REQUIRED" line, type these new lines

acl deny_users proxy_auth -i user1

http_access deny deny_users

Here "-i" makes the match case-insensitive. "user1" is the name of the user to deny. You can give multiple user names, each separated by a space. The deny line has to sit above "http_access allow ncsa_users": that allow line matches every authenticated user, user1 included, so a deny placed after it is never reached.

Save and exit the file.

Reload the squid service so the changes take effect

# service squid reload

Now "user1" will not be able to browse the internet, but other users will.
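The ordering rules from the "allow mynet" step, the authentication section and the per-user deny above, as an added example in Python that is not squid's own code: a simulator of squid's first-match http_access evaluation for the src and proxy_auth acl types, run against two constructed configuration fragments. One has the auth lines below the earlier "allow mynet" line and lets a LAN client through with no password; the other denies user1 first, then requires a LAN source and credentials on the same line. The "challenge" outcome stands for the 407 squid returns when a proxy_auth acl is reached before the browser has sent credentials; squid itself reads the real file and supports many more acl types. (With DansGuardian in front, swap mynet for localhost in squid's rules, since squid then sees 127.0.0.1 as the source.)

```python
"""First-match simulator for squid http_access rules.

Added example, not squid's own code: it models only the acl types this page
uses (src and proxy_auth) and squid's first-match rule evaluation, enough to
show why the order of the allow/deny lines decides whether authentication is
actually enforced.  Both configuration fragments are constructed.
"""
import ipaddress

# Constructed: the auth lines ended up BELOW the earlier "allow mynet" line.
CONF_BYPASS = """
acl mynet src 10.0.0.0/24
acl all src all
acl ncsa_users proxy_auth REQUIRED
acl deny_users proxy_auth -i user1
http_access allow mynet
http_access deny deny_users
http_access allow ncsa_users
http_access deny all
"""

# Constructed: deny the banned user first, then require BOTH a LAN source and
# valid credentials on one line, then deny everything else.
CONF_ORDERED = """
acl mynet src 10.0.0.0/24
acl all src all
acl ncsa_users proxy_auth REQUIRED
acl deny_users proxy_auth -i user1
http_access deny deny_users
http_access allow mynet ncsa_users
http_access deny all
"""


def parse(conf):
    """Collect acl definitions (same name on several lines OR together) and rules in file order."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[0] == "acl":
            acls.setdefault(fields[1], []).append((fields[2], fields[3:]))
        elif len(fields) >= 3 and fields[0] == "http_access":
            rules.append((fields[1], fields[2:], " ".join(fields)))
    return acls, rules


def acl_matches(definitions, request):
    """True/False for a match; None when a proxy_auth acl is reached without credentials."""
    for kind, args in definitions:
        if kind == "src":
            ip = ipaddress.ip_address(request["src"])
            for net in args:
                if net == "all" or ip in ipaddress.ip_network(net, strict=False):
                    return True
        elif kind == "proxy_auth":
            user = request.get("user")
            if user is None:
                return None          # squid answers 407; the browser retries with credentials
            if args == ["REQUIRED"]:
                return True
            if args and args[0] == "-i":
                if user.lower() in (name.lower() for name in args[1:]):
                    return True
            elif user in args:
                return True
    return False


def evaluate(conf, request):
    """Return (outcome, rule_text) for a request {'src': ip, 'user': name-or-absent}.

    outcome is 'allow', 'deny' or 'challenge'.  Every acl named on an
    http_access line must match for that line to match; '!' negates one acl.
    """
    acls, rules = parse(conf)
    for action, terms, text in rules:
        matched = True
        for term in terms:
            negated = term.startswith("!")
            result = acl_matches(acls.get(term.lstrip("!"), []), request)
            if result is None:
                return "challenge", text
            if result == negated:    # acl does not hold (or is negated and does)
                matched = False
                break
        if matched:
            return action, text
    # squid's documented default when nothing matches: the opposite of the last rule
    last = rules[-1][0] if rules else "deny"
    return ("deny" if last == "allow" else "allow"), "(implicit default)"


if __name__ == "__main__":
    lan_no_creds = {"src": "10.0.0.111"}
    print("bypass :", evaluate(CONF_BYPASS, lan_no_creds))    # allowed, never asked for a password
    print("ordered:", evaluate(CONF_ORDERED, lan_no_creds))   # challenged for credentials
    print("user1  :", evaluate(CONF_ORDERED, {"src": "10.0.0.111", "user": "User1"}))
    print("outside:", evaluate(CONF_ORDERED, {"src": "192.0.2.5", "user": "user2"}))
```

Paste the http_access and acl lines from your own squid.conf into a string and call evaluate() with the source addresses and users you care about; a LAN address with no user that comes back "allow" means the password prompt is being bypassed.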
