Sunday 27 January 2013

squid proxy server: quick setup and how to

### Example of my squid configuration file ###

## Start By Amitmund
## Block the sites listed in "/usr/local/etc/restricted-sites.squid"
acl BadSites dstdomain "/usr/local/etc/restricted-sites.squid"
http_access deny BadSites
## Require users to authenticate (NCSA basic auth against the htpasswd file)
auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/squid_passwd
acl ncsa_users proxy_auth REQUIRED
## Block .mp3 and .exe files (case-insensitive match on the URL path)
acl FILE_MP3 urlpath_regex -i \.mp3
acl FILE_EXE urlpath_regex -i \.exe
http_access deny FILE_MP3
http_access deny FILE_EXE
http_access allow ncsa_users
## End By Amitmund


This is a quick note on how to set up Squid:
1. Install the package:
[Ubuntu] apt-get install squid
[Redhat] yum install squid

2. It is a good idea to back up the original configuration file before changing it.
cp /etc/squid3/squid.conf /etc/squid3/squid.conf.original

3. Make sure squid starts after a system restart, then start the process.
[Ubuntu]  sysv-rc-conf --level 2345 squid3  on
recheck:   sysv-rc-conf --list squid3
start the service: service squid3 start

[Redhat] chkconfig --levels 345 squid on
recheck: chkconfig --list squid
start the service: service squid start   [[ the service action can be one of the following values: {start/stop/restart/status} ]]

4. NOTE:
Make sure you restart the squid service whenever you update your configuration.
To check whether the server is running: [ pgrep squid ]
Your /etc/hosts file should be configured with your server's hostname.

You can also configure Squid [ if you want ] to display a different hostname. To do so, add the following:
# File: squid.conf 
visible_hostname CompanySquidServer1
  
A misconfigured Squid instance will give an error like:
WARNING: Could not determine this machines public hostname.
Please configure one or set 'visible_hostname'.


A few examples of things you can do in squid.conf:
5a. Restricting Web Access By Time:

You can create access control lists with time parameters. For example, you can allow only business hour access from the home network, while always restricting access to host 192.168.1.99.
 
The ACL section is near line 700 of squid.conf; start editing there.
 
#
# Add this to the bottom of the ACL section of squid.conf
#
acl officeHosts src 192.168.1.0/24
acl officeHours time M T W H F 9:00-18:00
acl RestrictedHost src 192.168.1.99

#
# Add this at the top of the http_access section of squid.conf
#
http_access deny RestrictedHost
http_access allow officeHosts officeHours
 
 
5b. Restricting Access to specific Web sites
 
Create the files that hold the website names, e.g.:

# File: /etc/squid/allowedSites.squid
www.google.com
www.yahoo.com

# File: /etc/squid/restrictedSites.squid
www.badsite1.com
www.badsite2.com
 
Now update squid.conf with the following ACLs:

#File: squid.conf
acl AllowedSites dstdomain "/etc/squid/allowedSites.squid"
acl BlockedSites  dstdomain "/etc/squid/restrictedSites.squid"
#
# Add this at the top of the http_access section of squid.conf
#
http_access deny BlockedSites
http_access allow AllowedSites
 
NOTE: You can put several ACLs on one http_access line; the line then matches only when all of them match, e.g.:
http_access allow officeHosts officeHours AllowedSites
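To see why the deny lines go before the combined allow line, and what happens to a request that matches no line at all, here is an added example (not from the original post) that models Squid's http_access evaluation in Python over the ACLs from 5a and 5b. The timestamps, the inclusive treatment of the time boundaries and the WRONG_ORDER policy are assumptions of the example.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Model of how Squid evaluates http_access lines (added example, not from the page):
# lines are checked top to bottom; a line matches only when ALL of its ACLs match;
# the first matching line decides; if no line matches, Squid applies the
# opposite of the LAST line's action.
DAY_LETTERS = "MTWHFAS"  # Squid 'time' acl day codes, indexed by datetime.weekday()

def acl_matches(acl, req):
    kind, args = acl
    if kind == "src":
        return any(ip_address(req["src"]) in ip_network(a) for a in args)
    if kind == "dstdomain":  # 'www.x.com' is exact; '.x.com' also matches subdomains
        h = req["host"].lower()
        return any(h == d.lstrip(".") or (d.startswith(".") and h.endswith(d)) for d in args)
    if kind == "time":  # boundaries treated as inclusive (assumption of this model)
        days, hours = args
        lo, hi = [tuple(map(int, t.split(":"))) for t in hours.split("-")]
        t = req["when"]
        return DAY_LETTERS[t.weekday()] in days and lo <= (t.hour, t.minute) <= hi
    raise ValueError("unsupported acl type: " + kind)

def http_access(rules, acls, req):
    """Return 'allow' or 'deny' for req under rules = [(action, [acl names]), ...]."""
    for action, names in rules:
        if all(acl_matches(acls[n], req) for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"  # Squid's implicit default

ACLS = {  # the ACLs defined in sections 5a and 5b of this post
    "officeHosts": ("src", ["192.168.1.0/24"]),
    "officeHours": ("time", ("MTWHF", "9:00-18:00")),
    "RestrictedHost": ("src", ["192.168.1.99"]),
    "AllowedSites": ("dstdomain", ["www.google.com", "www.yahoo.com"]),
    "BlockedSites": ("dstdomain", ["www.badsite1.com", "www.badsite2.com"]),
}
POLICY = [  # denies first, then the combined allow line from the NOTE above
    ("deny", ["RestrictedHost"]),
    ("deny", ["BlockedSites"]),
    ("allow", ["officeHosts", "officeHours", "AllowedSites"]),
]
WRONG_ORDER = [POLICY[2]] + POLICY[:2]  # allow line placed first: a common mistake
MONDAY_10AM = datetime(2013, 1, 28, 10, 0)  # constructed timestamps for the checks
SUNDAY_10AM = datetime(2013, 1, 27, 10, 0)

def decide(src, host, when=MONDAY_10AM, policy=POLICY):
    return http_access(policy, ACLS, {"src": src, "host": host, "when": when})
```

With WRONG_ORDER the restricted host 192.168.1.99 gets through, and a request for google.com (without www) is denied under either policy because dstdomain entries without a leading dot match the exact host only.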
 
5c. Password Authentication Using NCSA
Create the file that will hold the usernames and passwords:
# touch /etc/squid/squid_passwd
# chmod o+r /etc/squid/squid_passwd

# htpasswd /etc/squid/squid_passwd user1
New password:
Re-type new password:
Adding password for user user1

Find your ncsa_auth helper using the locate command.
# locate ncsa_auth
/usr/lib/squid/ncsa_auth

Edit squid.conf:
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
 
5d. Forcing clients to use the Squid forward proxy:
Transparent proxy configuration.

Version 3.1+: squid.conf:
http_port 3128 transparent

Configuring iptables to support the Squid transparent proxy
[ Assume eth0 is connected to the Internet and eth1 to the intranet/home network ].
Only the Squid server has access to the Internet on port 80 (HTTP).
 
Note: Squid Server and Firewall – Same Server (HTTP Redirect).

If the Squid server and firewall are the same server,
all HTTP traffic from the home network is redirected to the firewall itself on the Squid port of 3128,
and then only the firewall itself is allowed to access the Internet on port 80.

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -A INPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -i eth1 -p tcp --dport 3128
iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp --dport 80
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp --sport 80
iptables -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -o eth1 -p tcp --sport 80

Note: This example is specific to HTTP traffic.
You won't be able to adapt this example to support HTTPS web browsing on TCP port 443,
as that protocol specifically doesn't allow the insertion of a "man in the middle" server, for security purposes.
One solution is to add IP masquerading statements for port 443, or any other important traffic,
immediately after the code snippet. This will allow non-HTTP traffic to reach the Internet without being cached by Squid.

Squid Server and Firewall – Different Servers

If the Squid server and firewall are different servers, the statements differ.
You need to set up iptables so that every connection to the Web not originating from the Squid server
is actually converted into three connections:
one from the Web browser client to the firewall, another from the firewall to the Squid server,
which triggers the Squid server to make its own connection to the Web to service the request.
The Squid server then gets the data and replies to the firewall, which relays it to the Web browser client.
The iptables program does all this using these NAT statements:

iptables -t nat -A PREROUTING -i eth1 ! -s 192.168.1.100 -p tcp --dport 80 -j DNAT --to 192.168.1.100:3128
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d 192.168.1.100 -j SNAT --to 192.168.1.1
iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.1.100 -i eth1 -o eth1 -m state --state NEW,ESTABLISHED,RELATED \
-p tcp --dport 3128 -j ACCEPT
iptables -A FORWARD -d 192.168.1.0/24 -s 192.168.1.100 -i eth1 -o eth1 -m state --state ESTABLISHED,RELATED \
-p tcp --sport 3128 -j ACCEPT