Sunday, December 20, 2009
Squid proxy authentication using ncsa_auth helper
Squid is not equipped with password authentication of its own; you need to use one of its authentication helpers. The following are included by default in most Squid builds and most Linux distros:
=> NCSA: Uses an NCSA-style username and password file.
=> LDAP: Uses the Lightweight Directory Access Protocol.
=> MSNT: Uses a Windows NT authentication domain.
=> PAM: Uses the Linux Pluggable Authentication Modules scheme.
=> SMB: Uses an SMB server like Windows NT or Samba.
=> getpwnam: Uses the old-fashioned Unix password file.
=> SASL: Uses SASL libraries.
=> NTLM, Negotiate and Digest authentication
Configure an NCSA-style username and password authentication
I am going to assume that squid is installed and working fine.
Tip: Before going further, test basic Squid functionality. Make sure squid is functioning without requiring authorization :)
Step # 1: Create a username/password
First create an NCSA password file using the htpasswd command. htpasswd is used to create and update the flat files that store usernames and passwords for basic authentication of Squid users. The -c option creates the file; leave it out when adding further users to an existing file.
# htpasswd -c /etc/squid/passwd user1
Output:
New password:
Re-type new password:
Adding password for user user1
Make sure Squid can read the passwd file (the helper runs as Squid's effective user):
# chmod o+r /etc/squid/passwd
Step # 2: Locate the ncsa_auth authentication helper
Usually ncsa_auth is located at /usr/lib/squid/ncsa_auth. You can find its location with the rpm (Red Hat, CentOS, Fedora) or dpkg (Debian and Ubuntu) command:
# dpkg -L squid | grep ncsa_auth
Output:
/usr/lib/squid/ncsa_auth
If you are using RHEL/CentOS/Fedora Core or another RPM-based distro, try:
# rpm -ql squid | grep ncsa_auth
Output:
/usr/lib/squid/ncsa_auth
Step # 3: Configure ncsa_auth for squid proxy authentication
Now open /etc/squid/squid.conf file
# vi /etc/squid/squid.conf
Append (or modify) the following configuration directives:
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
Also find your ACL section and append/modify:
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
Save and close the file, then restart Squid:
# service squid restart
Done.
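As an added example, not part of the original post and not Squid's ncsa_auth, the Python below does offline what the helper does at runtime: it reads the NCSA passwd file, answers "user password" lines with OK or ERR, and reports whether the file is readable by everyone, which is what chmod o+r grants (root:squid with mode 640 also lets the helper read it without exposing the hashes to every local account). It assumes {SHA} entries as written by htpasswd -s; crypt and MD5 entries are left to the real helper.

```python
"""Offline stand-in for Squid's ncsa_auth (added example, not the helper itself).
It reads an NCSA passwd file, answers "user password" lines with OK or ERR the
way the helper does over stdin/stdout, and reports whether the file is readable
by everyone, which is what 'chmod o+r' grants."""
import base64
import hashlib
import hmac
import os
import stat
import tempfile


def sha_entry(user, password):
    """Build an htpasswd line in the {SHA} scheme that 'htpasswd -s' writes."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}"


def load_passwd(path):
    """Map user -> stored hash; blank lines and # comments are skipped."""
    users = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#") and ":" in line:
                user, hashed = line.split(":", 1)
                users[user] = hashed
    return users


def verify(users, user, password):
    """Constant-time compare against a {SHA} entry; crypt() and $apr1$ MD5
    entries also occur in real files and are left to the real helper."""
    stored = users.get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    expected = sha_entry(user, password).split(":", 1)[1]
    return hmac.compare_digest(stored, expected)


def helper_line(users, request):
    """One ncsa_auth exchange: input 'user password', output OK or ERR."""
    parts = request.split(None, 1)
    if len(parts) != 2:
        return "ERR"
    return "OK" if verify(users, parts[0], parts[1]) else "ERR"


def world_readable(path):
    """True when the 'other' read bit is set, i.e. any local account can read the hashes."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def demo():
    """Constructed passwd file with one user, checked the way Squid would use it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "passwd")
        with open(path, "w") as fh:
            fh.write(sha_entry("user1", "s3cret") + "\n")  # constructed entry
        users = load_passwd(path)
        results = {
            "good": helper_line(users, "user1 s3cret"),
            "bad_password": helper_line(users, "user1 wrong"),
            "unknown_user": helper_line(users, "nobody s3cret"),
        }
        os.chmod(path, 0o644)  # what 'chmod o+r' leaves on a 0644 default
        results["o+r"] = world_readable(path)
        os.chmod(path, 0o640)  # root:squid with 0640 keeps the helper working
        results["0640"] = world_readable(path)
    return results
```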
Thursday, November 5, 2009
Enable root log in and Login as root user on Linux Fedora
1. Log in as a normal user: press Ctrl+Alt+F2 to get a text terminal, then key in your normal user login name and password. Remember that you already created this user during the installation configuration process.
Fedora release 10 (Cambridge)
Kernel 2.6.27.5-117.fc10.i686 on an i686 (tty2)
fedora10 login: fedora10
Password:
Last login: Fri Dec 5 06:23:09 on tty4
[fedora10@fedora10 ~]$
2. Switch to the root user. To execute commands or edit configuration files you need root privileges. The example below uses the su command to change from the normal user to root in order to edit the gdm configuration file.
[fedora10@fedora10 ~]$ su -
Password:
[root@fedora10 ~]#
3. The gdm configuration file contains the setting that disables root login on Fedora 10. To view the contents of the gdm configuration file, the cat command is used in this example.
[root@fedora10 ~]# cat /etc/pam.d/gdm
#%PAM-1.0
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth required pam_succeed_if.so user != root quiet
auth required pam_env.so
auth substack system-auth
auth optional pam_gnome_keyring.so
account required pam_nologin.so
account include system-auth
password include system-auth
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session optional pam_gnome_keyring.so auto_start
session include system-auth
[root@fedora10 ~]#
4. Before editing the gdm configuration file to enable root login on Fedora 10, make a backup of it. The example below uses the cp command to make the backup.
Copy file to make backup
[root@fedora10 ~]# cp -pr /etc/pam.d/gdm /etc/pam.d/gdm.bak
[root@fedora10 ~]#
Verify backup file exist
[root@fedora10 ~]# ls /etc/pam.d/gdm.bak
/etc/pam.d/gdm.bak
[root@fedora10 ~]#
5. To allow the root user to log in on Fedora 10, the "user != root quiet" part needs to be removed from the gdm configuration file. The steps below show how to edit the gdm file with the vi editor and remove "user != root quiet" from it.
Open the vi editor: [root@fedora10 ~]# vi /etc/pam.d/gdm
and move the cursor to user != root quiet (as shown in the figure below): use the keyboard keys h=move cursor left, j=move cursor down, k=move cursor up, l=move cursor right.
To allow root login on Fedora 10, the (user != root quiet) must be removed from the gdm configuration file.
Hit the 'x' key to delete user != root quiet.
After deleting user != root quiet, save the gdm configuration file and exit the vi text editor with :wq, as shown in the figure below.
Verify by displaying the gdm configuration file contents with the cat command, as shown in the example below.
[root@fedora10 ~]# cat /etc/pam.d/gdm
#%PAM-1.0
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth required pam_succeed_if.so
auth required pam_env.so
auth substack system-auth
auth optional pam_gnome_keyring.so
account required pam_nologin.so
account include system-auth
password include system-auth
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session optional pam_gnome_keyring.so auto_start
session include system-auth
[root@fedora10 ~]#
Now reboot the system and log in as the root user on Fedora.
Squid Web Filtering
The HTTP caching reviewed here uses Squid Cache. For filtering we will look at the configuration details and the modules used with Squid:
* url_regex
* Squid Guard
url_regex
This is integral to Squid: it reads URL patterns from a specified file and, if a match occurs, Squid will either allow or deny the request depending on the configuration. Here is a segment from the example squid file and an example of a banned file.
acl filter url_regex "/etc/squid/banned"
http_access deny filter
Here we have an ACL called filter; the type of the ACL is url_regex and it reads its patterns from the file /etc/squid/banned.
The http_access line is set to deny on a match. As you can see from the example file, this is set up to block advert sites and other rubbish. It is easy to block new sites just by adding another domain to the list.
After a new entry has been added, Squid needs to be told to reload its configuration with the following command:
squid -k reconfigure
To restart the http cache, you can run the following command:
service squid restart
Squid Guard
Squid Guard has to be downloaded and compiled. This is easier than it sounds. It is dependent upon having the gcc package installed.
It runs as follows:
tar zxvf squidguard-xxxx.tar.gz
cd squidGuard-xxx
./configure
make
The install has to be done as root.
make install
Have a read of the documentation and any other information on the site. You will also have to download and install the block lists. There are a large number of different blacklists available, from porn to violence. They are regularly updated and contain tens of thousands of sites and IPs. They are normally located in /var/spool/squidguard/
The Access Control Lists work very similarly to those in the squid configuration file.
Read what documentation you can. Once you have it up and working it is launched from Squid using the redirector config option; have a look at the sample file for details.
Once you have downloaded or changed any of the files, you can rebuild the database files using the command:
squidGuard -C all
You will note that there are block list directories such as:
drwxr-xr-x 2 squid squid 4096 Mar 3 01:23 ads
drwxr-xr-x 2 squid squid 4096 Feb 11 19:12 aggressive
drwxr-xr-x 2 squid squid 4096 Feb 11 19:12 audio-video
drwxr-xr-x 2 squid squid 4096 Feb 11 19:12 drugs
drwxr-xr-x 2 squid squid 4096 Feb 11 19:12 gambling
drwxr-xr-x 2 squid squid 4096 Feb 11 19:12 hacking
drwxr-xr-x 2 squid squid 4096 Feb 12 18:26 mail
Within these directories you will find files such as:
ls -l /var/spool/squidguard/blacklists/ads
total 184
-rw-r----- 1 squid squid 44500 Mar 3 01:23 domains
-rw-r--r-- 1 squid squid 122880 Mar 3 01:24 domains.db
-rw-r--r-- 1 squid squid 27 Feb 25 13:18 expressions
-rw-r----- 1 squid squid 3147 Feb 7 23:55 urls
-rw-r--r-- 1 squid squid 8192 Mar 3 01:24 urls.db
Note that you have domains and urls, and domains.db and urls.db; the .db files are the database files built by the command above.
The blocklists also provide a good list. If you build your ACLs with good then !bad, the URL will be accepted if it is found in the good list, even if it is in any of the blacklists.
Squid Configuration with MAC Authentication
#squid.conf
#Every option in this file is very well documented in the original squid.conf file
#
#
#The ports our Squid will listen on.
http_port 8080
icp_port 3130
#cgi-bins will not be cached.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
#Memory the Squid will use. Well, Squid will use far more than that.
cache_mem 8 MB
#The number after the directory (here 17072) is the disk space Squid will use, in megabytes.
cache_dir ufs /var/spool/squid 17072 16 256
#Places where Squid's logs will go to.
cache_log /var/log/squid/cache.log
cache_access_log /var/log/squid/access.log
cache_store_log /var/log/squid/store.log
cache_swap_log /var/log/squid/swap.log
#How many times to rotate the logs before deleting them.
#See the FAQ for more info.
logfile_rotate 10
dns_nameservers 200.32.73.6 200.32.73.4 200.31.30.47
redirect_rewrites_host_header off
cache_replacement_policy GDSF
acl porn url_regex "/etc/squid/pornoweb.txt"
acl localnet src "/etc/squid/permitidos"
acl lab1 arp "/etc/squid/lab1_mac"
acl localhost src 127.0.0.1/255.255.255.255
acl Safe_ports port 80 443 210 119 70 20 21 1025-65535
acl CONNECT method CONNECT
acl all src 0.0.0.0/0.0.0.0
http_access deny porn
http_access allow localnet
http_access allow lab1
http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT
http_access deny all
maximum_object_size 60096 KB
store_avg_object_size 50 KB
#Set these if you want your proxy to work in a transparent way.
#Transparent proxy means you generally don't have to configure all
#your client's browsers, but hase some drawbacks too.
#Leaving these uncommented won't do any harm.
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
#all our LAN users will be seen by external web servers
#as if they all used Mozilla on Linux.
#anonymize_headers deny User-Agent
#fake_user_agent Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.6+) Gecko/20011122
#To make our connection even faster, we put two lines similar
#to the ones below. They will point a parent proxy server our own Squid
#will use. Don't forget to change the server to the one that will
#be fastest for you!
#Measure pings, traceroutes and so on.
#Make sure that http and icp ports are correct.
#Uncomment lines beginning with "cache_peer" if necessary.
#This is the proxy you are going to use for all connections...
#cache_peer w3cache.icm.edu.pl parent 8080 3130 no-digest default
#...except for the connections to addresses and IPs beginning with "!".
#It's a good idea not to use a higher
#cache_peer_domain w3cache.icm.edu.pl !.pl !7thguard.net !192.168.1.1
#This is useful when we want to use the Cache Manager.
#Copy cachemgr.cgi to cgi-bin of your www server.
#You can reach it then via a web browser typing
#the address http://your-web-server/cgi-bin/cachemgr.cgi
cache_mgr soporte@techsoftnet.net
cachemgr_passwd gicserver! all
#This is a name of a user our Squid will work as.
cache_effective_user squid
cache_effective_group squid
visible_hostname techsoftnet.net
log_icp_queries off
buffered_logs on
#####DELAY POOLS
#This is the most important part for shaping incoming traffic with Squid
#For detailed description see squid.conf file or docs at http://www.squid-cache.org
#We don't want to limit downloads on our local network.
acl magic_words1 url_regex -i 192.100.100
#We want to limit downloads of these type of files
#Put this all in one line
acl magic_words2 url_regex -i ftp .exe .mp3 .vqf .tar.gz .gz .rpm .zip .rar .avi .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav .mov
#We don't block .html, .gif, .jpg and similar files, because they
#generally don't consume much bandwidth
#We want to limit bandwidth during the day, and allow
#full bandwidth during the night
#Caution! with the acl below your downloads are likely to break
#at 23:59. Read the FAQ in this bandwidth if you want to avoid it.
#acl day time 09:00-23:59
#We have two different delay_pools
#View Squid documentation to get familiar
#with delay_pools and delay_class.
delay_pools 2
#First delay pool
#We don't want to delay our local traffic.
#There are three pool classes; here we will deal only with the second.
#First delay class (1) of second type (2).
delay_class 1 2
#-1/-1 mean that there are no limits.
delay_parameters 1 -1/-1 -1/-1
#magic_words1: 192.100.100 we have set before
delay_access 1 allow magic_words1
#Second delay pool.
#we want to delay downloading files mentioned in magic_words2.
#Second delay class (2) of second type (2).
delay_class 2 2
#The numbers here are values in bytes;
#we must remember that Squid doesn't consider start/stop bits
#5000/150000 are values for the whole network
#5000/120000 are values for the single IP
#after downloaded files exceed about 150000 bytes,
#(or even twice or three times as much)
#they will continue to download at about 5000 bytes/s
delay_parameters 2 5000/150000 5000/120000
#We have set day to 09:00-23:59 before.
#delay_access 2 allow day
#delay_access 2 deny !day
delay_access 2 allow magic_words2
#EOF
Installing, Running and configuring a Squid proxy server
The following tutorial illustrates how to install and run a Squid proxy server.
First off, a little info about Squid: Squid is a fully-featured HTTP/1.0 proxy which is almost (work in progress) HTTP/1.1 compliant. Squid offers a rich access control, authorization and logging environment to develop web proxy and content serving applications.
You will need the following programs installed: openssl, pam, perl and a cron daemon (preferably dcron). A recent gcc version is also needed.
Installing Squid:
First you need to download the following source tarball.
Open a terminal window and cd to the folder where you downloaded the file
run: tar -jxvf squid-2.6.STABLE14.tar.bz2 && cd squid-2.6.STABLE14
The next step is to run the configure script.
./configure --prefix=/usr --datadir=/usr/share/squid \
--sysconfdir=/etc/squid --libexecdir=/usr/lib/squid \
--localstatedir=/var --enable-auth="basic,digest,ntlm" \
--enable-removal-policies="lru,heap" \
--enable-digest-auth-helpers="password" \
--enable-storeio="aufs,ufs,diskd,coss,null" \
--enable-basic-auth-helpers="getpwnam,YP,NCSA,SMB,MSNT,PAM,multi-domain-NTLM" \
--enable-external-acl-helpers="ip_user,unix_group,wbinfo_group" \
--enable-ntlm-auth-helpers="SMB,fakeauth,no_check" \
--enable-delay-pools --enable-arp-acl --enable-ssl \
--enable-linux-netfilter --enable-ident-lookups \
--enable-useragent-log --enable-cache-digests --enable-referer-log \
--enable-async-io --enable-truncate \
--enable-htcp --enable-carp --enable-poll --with-maxfd=4096
Then run ‘make’ and hope for the best.
After it is done compiling, type 'su', enter your root password and run 'make install'.
Configuring Squid:
I have an incoming Internet connection through ppp0 and I am hooked to the other computers on my network through the interface eth0. My IP on eth0 is 10.0.2.1 and the addresses of the clients range from 10.0.2.2 to 10.0.2.254.
Open a terminal and type su. Then type vi /etc/squid/squid.conf
add the following information. Note that lines starting with ## are comments to help you understand the syntax of the file.
http_port 10.0.2.1:3128
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
## This is the maximum size of a single file that the cache can hold.
## You may change this
maximum_object_size 100096 KB
minimum_object_size 0 KB
cache_replacement_policy heap LFUDA
## This is where squid's cache will be placed. You may change its location and
## size.
cache_dir ufs /var/cache/squid 1000 16 256
## location of log file.
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
## my_network is the codename for my network, you may change this to anything you want
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl my_network src 10.0.2.0-10.0.2.254
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
# And finally deny all other access to this proxy
http_access allow my_network
http_access deny all
http_reply_access allow all
#Allow ICP queries from everyone
icp_access allow all
Starting Squid:
as root, run:
/usr/sbin/squid -z
This will create the initial cache directory.
You can start the server by running
/usr/sbin/squid -D
Your clients can now connect to your proxy server if they are using IP addresses from 10.0.2.2 to 10.0.2.254.
They should add 10.0.2.1 as proxy and 3128 as port in their Internet programs.
The final step is to secure your server unless you are running other services.
Run vi /etc/iptables/iptables.rules and insert the following lines:
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-N SCANDROP
-A SCANDROP -m limit --limit 4/minute -j LOG --log-prefix scan
-A SCANDROP -j DROP
-N LOGDROP
-A LOGDROP -m limit --limit 4/minute -j LOG
-A LOGDROP -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type echo-request -j DROP
-A INPUT -i eth0 -p tcp -s 10.0.2.0/24 -d 10.0.2.1 --destination-port 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i ppp0 -p icmp -m icmp --icmp-type echo-request -j DROP
-A INPUT -i ppp0 -s 127.0.0.1 -j LOGDROP
-A INPUT -p tcp --tcp-flags ACK,FIN FIN -j SCANDROP
-A INPUT -i ppp0 -p udp --sport 67 -d 255.255.255.255/32 --dport 68 -j ACCEPT
-A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ppp0 -m state --state NEW -j LOGDROP
-A INPUT -j LOGDROP
COMMIT
Note that we are closing everything on eth0 but connections from 10.0.2.0/24 on port 3128. This means clients can't even ping the server. You may add other lines if your server offers other services.
To start your firewall, run the following as root.
/usr/sbin/iptables-restore /etc/iptables/iptables.rules
That’s it. You should now have a running proxy server!
Installing Squid with the delay pools feature
Configuring Squid to use the delay pools feature
1. Configure our squid.conf file (located under /opt/squid/etc/squid.conf):
#squid.conf
#Every option in this file is very well documented in the original squid.conf file
#and on http://www.visolve.com/squidman/Configuration%20Guide.html
#
#The ports our Squid will listen on.
http_port 8080
icp_port 3130
#cgi-bins will not be cached.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
#Memory the Squid will use. Well, Squid will use far more than that.
cache_mem 16 MB
#250 means that Squid will use 250 megabytes of disk space.
cache_dir ufs /cache 250 16 256
#Places where Squid's logs will go to.
cache_log /var/log/squid/cache.log
cache_access_log /var/log/squid/access.log
cache_store_log /var/log/squid/store.log
cache_swap_log /var/log/squid/swap.log
#How many times to rotate the logs before deleting them.
#See the FAQ for more info.
logfile_rotate 10
redirect_rewrites_host_header off
cache_replacement_policy GDSF
acl localnet src 192.168.1.0/255.255.255.0
acl localhost src 127.0.0.1/255.255.255.255
acl Safe_ports port 80 443 210 119 70 20 21 1025-65535
acl CONNECT method CONNECT
acl all src 0.0.0.0/0.0.0.0
http_access allow localnet
http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT
http_access deny all
maximum_object_size 3000 KB
store_avg_object_size 50 KB
#Set these if you want your proxy to work in a transparent way.
#Transparent proxy means you generally don't have to configure all
#your client's browsers, but hase some drawbacks too.
#Leaving these uncommented won't do any harm.
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
#all our LAN users will be seen by external web servers
#as if they all used Mozilla on Linux. :)
anonymize_headers deny User-Agent
fake_user_agent Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.6+) Gecko/20011122
#To make our connection even faster, we put two lines similar
#to the ones below. They will point a parent proxy server our own Squid
#will use. Don't forget to change the server to the one that will
#be fastest for you!
#Measure pings, traceroutes and so on.
#Make sure that http and icp ports are correct.
#Uncomment lines beginning with "cache_peer" if necessary.
#This is the proxy you are going to use for all connections...
#cache_peer w3cache.icm.edu.pl parent 8080 3130 no-digest default
#...except for the connections to addresses and IPs beginning with "!".
#It's a good idea not to use a higher
#cache_peer_domain w3cache.icm.edu.pl !.pl !7thguard.net !192.168.1.1
#This is useful when we want to use the Cache Manager.
#Copy cachemgr.cgi to cgi-bin of your www server.
#You can reach it then via a web browser typing
#the address http://your-web-server/cgi-bin/cachemgr.cgi
cache_mgr your@email
cachemgr_passwd secret_password all
#This is a name of a user our Squid will work as.
cache_effective_user squid
cache_effective_group squid
log_icp_queries off
buffered_logs on
#This is the most important part for shaping incoming traffic with Squid
#For detailed description see squid.conf file or docs at http://www.squid-cache.org
#We don't want to limit downloads on our local network.
acl magic_words1 url_regex -i 192.168
#We want to limit downloads of these type of files
#Put this all in one line
acl magic_words2 url_regex -i ftp .exe .mp3 .vqf .tar.gz .gz .rpm .zip .rar .avi .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav .mov
#We don't block .html, .gif, .jpg and similar files, because they
#generally don't consume much bandwidth
#We want to limit bandwidth during the day, and allow
#full bandwidth during the night
#Caution! with the acl below your downloads are likely to break
#at 23:59. Read the FAQ in this bandwidth if you want to avoid it.
acl day time 09:00-23:59
#We have two different delay_pools
#View Squid documentation to get familiar
#with delay_pools and delay_class.
delay_pools 2
#First delay pool
#We don't want to delay our local traffic.
#There are three pool classes; here we will deal only with the second.
#First delay class (1) of second type (2).
delay_class 1 2
#-1/-1 mean that there are no limits.
delay_parameters 1 -1/-1 -1/-1
#magic_words1: 192.168 we have set before
delay_access 1 allow magic_words1
#Second delay pool.
#we want to delay downloading files mentioned in magic_words2.
#Second delay class (2) of second type (2).
delay_class 2 2
#The numbers here are values in bytes;
#we must remember that Squid doesn't consider start/stop bits
#5000/150000 are values for the whole network
#5000/120000 are values for the single IP
#after downloaded files exceed about 150000 bytes,
#(or even twice or three times as much)
#they will continue to download at about 5000 bytes/s
delay_parameters 2 5000/150000 5000/120000
#We have set day to 09:00-23:59 before.
delay_access 2 allow day
delay_access 2 deny !day
delay_access 2 allow magic_words2
#EOF
Here, in delay_parameters 2 5000/150000 5000/120000, we can change the numbers according to our requirements. For example, if we want to restrict our LAN users to a download speed of 20 KB/Sec with a bucket size of 12 MB, and the whole network to a download speed of 25 KB/Sec with a bucket size of 25 MB, change this line to delay_parameters 2 25000/250000 20000/120000
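To turn figures like those into a directive line and to see what the buckets do once they drain, here is an added example (not from the original guide and not Squid code): a small Python token-bucket model of a class 2 pool. It assumes 1-second ticks, buckets that start full, an otherwise idle link, and that KB/s and MB mean 1000 and 1,000,000 bytes, since delay_parameters takes both figures in bytes.

```python
"""Token-bucket model of a Squid class 2 delay pool (added example, not Squid
code). delay_parameters takes bytes/s and bytes: an aggregate pair for the
whole network and an individual pair per client IP, with -1 meaning no limit.
Simplified model: 1 s ticks, buckets start full, nothing else on the link."""

UNLIMITED = float("inf")


def _cap(value):
    """Squid writes -1 for 'no limit'; use infinity inside the model."""
    return UNLIMITED if value == -1 else value


def delay_parameters_line(pool, net_rate_kbps, net_bucket_mb, host_rate_kbps, host_bucket_mb):
    """Build the directive from KB/s and MB figures (1 KB = 1000 B, 1 MB = 1,000,000 B)."""
    aggregate = f"{net_rate_kbps * 1000}/{net_bucket_mb * 1_000_000}"
    individual = f"{host_rate_kbps * 1000}/{host_bucket_mb * 1_000_000}"
    return f"delay_parameters {pool} {aggregate} {individual}"


def simulate_class2(aggregate, individual, transfers, link_bps):
    """Return {host: seconds until its download finishes}.

    aggregate and individual are (restore_bytes_per_sec, bucket_max_bytes)
    as written in delay_parameters; transfers maps a client IP to the bytes
    it wants; link_bps is the raw link speed without any delay pool."""
    agg_rate, agg_max = (_cap(v) for v in aggregate)
    host_rate, host_max = (_cap(v) for v in individual)
    agg_bucket = agg_max
    buckets = {host: host_max for host in transfers}
    remaining = dict(transfers)
    finished, tick = {}, 0
    while remaining:
        tick += 1
        # each second Squid puts 'rate' bytes back, never beyond the bucket size
        agg_bucket = min(agg_max, agg_bucket + agg_rate)
        for host in remaining:
            buckets[host] = min(host_max, buckets[host] + host_rate)
        share = agg_bucket / len(remaining)  # aggregate bucket split evenly
        for host in list(remaining):
            sent = int(min(remaining[host], buckets[host], share, link_bps))
            remaining[host] -= sent
            buckets[host] -= sent
            agg_bucket -= sent
            if remaining[host] == 0:
                finished[host] = tick
                del remaining[host]
    return finished


def demo():
    """Reproduce the guide's pool 2 (5000/150000 5000/120000) on a 1 MB/s link."""
    pool2 = ((5000, 150000), (5000, 120000))
    one_host = simulate_class2(*pool2, {"192.168.1.10": 300000}, 1_000_000)
    two_hosts = simulate_class2(*pool2, {"192.168.1.10": 300000, "192.168.1.11": 300000},
                                1_000_000)
    unlimited = simulate_class2((-1, -1), (-1, -1), {"192.168.1.10": 300000}, 1_000_000)
    return {"one_host": one_host, "two_hosts": two_hosts, "unlimited": unlimited}
```

With the guide's numbers a single 300,000-byte download spends its 120,000-byte bucket in the first second and then crawls at 5,000 bytes/s; two such downloads share the 5,000 bytes/s aggregate refill and finish much later.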
OK, when we have configured everything, we must make sure that everything under the /opt/squid and /cache directories belongs to the user 'squid'.
# mkdir /var/log/squid/
# chown squid:squid /var/log/squid/
# chmod 770 /var/log/squid/
# chown -R squid:squid /opt/squid/
# chown -R squid:squid /cache/
Now everything is ready to run Squid. When we do it for the first time, we have to create its cache directories:
# /opt/squid/bin/squid -z
We run Squid and check if everything is working. A good tool to do that is IPTraf; you can find it on http://freshmeat.net. Make sure you have set the appropriate proxy in your web browsers (192.168.1.1, port 8080 in our example):
# /opt/squid/bin/squid
If everything is working, we add the /opt/squid/bin/squid line to the end of our initialization scripts. Usually this is /etc/rc.d/rc.local.
Other helpful options in Squid may be:
# /opt/squid/bin/squid -k reconfigure (it reconfigures Squid if we made any changes in its squid.conf file)
# /opt/squid/bin/squid -help :) self-explanatory
You can also copy cachemgr.cgi to the cgi-bin directory of your WWW server, to make use of the useful Cache Manager.
How to block websites and file extension
First we will create the lists, then allow or deny at the end.
# vi /etc/squid/squid.conf
Go to the ACL section and add/modify according to your needs:
acl GoodIP src 192.168.0.1
acl GoodIP src 192.168.0.15
acl BlockedIP src 192.168.0.2
acl BlockedIP src 192.168.0.3
acl LimitedURL url_regex -i bbc.com
acl LimitedURL url_regex -i abc.com
acl GoodURL url_regex -i 123abc.com
acl GoodURL url_regex -i abc123.com
acl badURL url_regex -i xyz.com
acl badURL url_regex -i games
acl badURL url_regex -i chat
acl x-type req_mime_type -i ^application/octet-stream$
acl x-type req_mime_type -i application/octet-stream
acl x-type req_mime_type -i ^application/x-mplayer2$
acl x-type req_mime_type -i application/x-mplayer2
acl x-type req_mime_type -i ^application/x-oleobject$
acl x-type req_mime_type -i application/x-oleobject
acl x-type req_mime_type -i application/x-pncmd
acl x-type req_mime_type -i ^video/x-ms-asf$
acl x-type2 rep_mime_type -i ^application/octet-stream$
acl x-type2 rep_mime_type -i application/octet-stream
acl x-type2 rep_mime_type -i ^application/x-mplayer2$
acl x-type2 rep_mime_type -i application/x-mplayer2
acl x-type2 rep_mime_type -i ^application/x-oleobject$
acl x-type2 rep_mime_type -i application/x-oleobject
acl x-type2 rep_mime_type -i application/x-pncmd
acl x-type2 rep_mime_type -i ^video/x-ms-asf$
http_access allow GoodIP all
http_access deny BlockedIP LimitedURL
http_access deny badURL
http_access deny x-type all
http_reply_access deny x-type all
http_access deny x-type2 all
http_reply_access deny x-type2 all
acl extndeny url_regex -i "/etc/squid/extndeny"
acl download method GET
http_access deny extndeny download
http_access deny extndeny
Save and close.
Now let's create the extndeny file. This is the list of file extensions which we are blocking in SQUID. Make a file and add these file extensions, one regex per line:
# vi /etc/squid/extndeny
\.ez$
\.hqx$
\.cpt$
\.dot$
\.wrd$
\.bin$
\.dms$
\.lha$
\.lzh$
\.ace$
\.r00$
\.r01$
\.exe$
\.wp5$
\.wk$
\.wz$
\.vcd$
\.bz2$
\.deb$
\.dvi$
\.tar$
\.gtar$
\.tgz$
\.gz$
\.bat$
\.rpm$
\.spm$
\.zip$
\.mid$
\.midi$
\.kar$
\.mpga$
\.mp2$
\.mp3$
\.ra$
\.dl$
\.fli$
\.gl$
\.mpe$
\.mpeg$
\.mpg$
\.qt$
\.mov$
\.avi$
\.movie$
\.wav$
\.au$
\.asf$
\.af$
\.bin$
\.gz$
\.bz2$
\.asx$
\.afx$
\.asf$
\.asx$
\.au$
\.avi$
\.divx$
\.m3u$
\.mov$
\.mp2$
\.mp3$
\.mpeg$
\.mpg$
\.qt$
\.ra$
\.ram$
\.rm$
\.viv$
\.vivo$
\.vob$
\.vqf$
\.wav$
\.wma$
\.wmv$
\.vbs$
\.shs$
\.pif$
\.wpm$
\.wvx$
Now restart squid:
# service squid restart
Always look in the log files for errors:
/var/log/squid/access.log # list of websites visited by all users
/var/log/squid/cache.log # log of the squid daemon/process
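The url_regex banned file in the Squid Web Filtering section, the Safe_ports/CONNECT rules in the Configuring Squid section and the extndeny/download pair above all depend on how Squid walks its http_access list. The Python below is an added example, not Squid's own code: a small evaluator that applies those rules to constructed requests, using a constructed configuration and constructed stand-ins for the /etc/squid/banned, bad-sites and extndeny list files.

```python
"""Minimal evaluator for Squid acl/http_access rules (added example, not Squid's
own code). Covers src, dstdomain, url_regex, port and method ACLs, resolves a
quoted file name through a dict of constructed lists, and applies Squid's order:
all ACLs on a line must match ('!' negates one), the first matching line decides,
and no match gives the opposite of the last line's action."""
import ipaddress
import re
import shlex
from urllib.parse import urlsplit


def parse_config(text, files=None):
    """Return ({acl name: (type, flags, values)}, [(action, [terms])])."""
    files = files or {}
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop '# http' style trailing comments
        if not line:
            continue
        parts = shlex.split(line)
        if parts[0] == "acl":
            name, kind, args = parts[1], parts[2], parts[3:]
            flags = [a for a in args if a.startswith("-")]
            values = [v for arg in args if not arg.startswith("-")
                      for v in files.get(arg, [arg])]  # "/etc/squid/x" -> its lines
            prev = acls.get(name)
            acls[name] = (kind, flags, (prev[2] if prev else []) + values)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def _in_range(value, spec, parse):
    """'lo-hi' ranges for src and port values; otherwise exact or network match."""
    if "-" in spec:
        lo, hi = (parse(s) for s in spec.split("-", 1))
        return lo <= value <= hi
    if parse is int:
        return value == int(spec)
    return value in ipaddress.ip_network(spec, strict=False)  # a.b.c.d/mask or /n


def match_acl(acl, req):
    kind, flags, values = acl
    url = urlsplit(req["url"])
    host = (url.hostname or "").lower()
    port = url.port or {"https": 443, "ftp": 21}.get(url.scheme, 80)
    if kind == "src":
        return any(_in_range(ipaddress.ip_address(req["src"]), v, ipaddress.ip_address)
                   for v in values)
    if kind == "port":
        return any(_in_range(port, v, int) for v in values)
    if kind == "dstdomain":  # ".example.org" covers the domain and its subdomains
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in values)
    if kind == "url_regex":
        re_flags = re.IGNORECASE if "-i" in flags else 0
        return any(re.search(v, req["url"], re_flags) for v in values)
    if kind == "method":
        return req["method"].upper() in {v.upper() for v in values}
    raise ValueError("acl type not covered by this example: " + kind)


def evaluate(config_text, req, files=None):
    """Return 'allow' or 'deny' for req = {'src': ip, 'method': m, 'url': u}."""
    acls, rules = parse_config(config_text, files)
    for action, terms in rules:
        for term in terms:
            negate = term.startswith("!")
            if match_acl(acls[term.lstrip("!")], req) == negate:
                break  # plain ACL missed, or negated ACL hit: line does not apply
        else:  # every term held, so this line decides
            return action
    # Squid's default when nothing matched; 'deny' assumed for an empty rule set
    return "deny" if not rules or rules[-1][0] == "allow" else "allow"


# Constructed configuration modelled on this page's rules, with constructed
# stand-ins for the list files it names.
SAMPLE_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl my_network src 10.0.2.0-10.0.2.254
acl Safe_ports port 80 21 443 1025-65535
acl SSL_ports port 443
acl CONNECT method CONNECT
acl filter url_regex "/etc/squid/banned"
acl bad_url dstdomain "/etc/squid/bad-sites.squid"
acl extndeny url_regex -i "/etc/squid/extndeny"
acl download method GET
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny filter
http_access deny bad_url
http_access deny extndeny download
http_access allow my_network
http_access deny all
"""
SAMPLE_FILES = {
    "/etc/squid/banned": [r"^http://ads\.", r"doubleclick"],
    "/etc/squid/bad-sites.squid": [".example.org"],
    "/etc/squid/extndeny": [r"\.exe$", r"\.mp3$"],
}


def decide(src, method, url):
    return evaluate(SAMPLE_CONF, {"src": src, "method": method, "url": url}, SAMPLE_FILES)
```

Note that `deny extndeny download` only bites on GET; a POST to the same .exe URL falls through to `allow my_network`, which is why the page's configuration adds a second, unconditional `deny extndeny` line.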
Step by step Setup and Configure Squid Proxy Server on Fedora Core.
The article below shows step by step how to set up and configure a SQUID proxy server on Fedora Core, with screenshots and a SQUID configuration example.
Network configuration scenario:
Step 1:
To backup the Squid configuration directory:
[root@cempakasari ~]# cp -pr /etc/squid/ /etc/squid.bak
[root@cempakasari ~]#
Backup the squid.conf file:
[root@cempakasari ~]# cp -pr /etc/squid/squid.conf /etc/squid/squid.conf.bak
[root@cempakasari ~]#
Step 2:
Edit the squid.conf, the Squid Cache Proxy configuration file.
1. Open the Squid config file (squid.conf), located in the /etc/squid directory, with your text editor of choice.
[root@linux fedora]# vi /etc/squid/squid.conf
or you can use the gedit program:
[root@linux fedora]# gedit /etc/squid/squid.conf
In this project we configure our Squid proxy to bind to the internal Ethernet card, which uses the internal IP 10.2.0.5, and to listen on port 8080 on that internal IP address. With this configuration Squid is visible on, and listens on, our internal address only.
Change the address to fit your network layout.
# NETWORK OPTIONS
........................
#Default:
# http_port 3128
http_port 10.2.0.5:8080
Step 3:
Scroll down the page and find # TAG: cache_mem (bytes). To increase the Squid cache memory capacity, edit the default setting and put in the appropriate memory size based on your system's capabilities. The example below shows the Squid cache memory setting increased to 256 MB. Before you change this setting, make sure your hardware can support the size of memory that you specify here.
# OPTIONS WHICH AFFECT THE CACHE SIZE
# -----------------------------------
# TAG: cache_mem (bytes)
# NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
# IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
# USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
# THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
#
# 'cache_mem' specifies the ideal amount of memory to be used
# for:
# * In-Transit objects
# * Hot Objects
# * Negative-Cached objects
........................
#Default:
# cache_mem 8 MB
cache_mem 256 MB
4. Then find the tag # TAG: cache_dir and increase the size of the cache directory to 2000 MB; also make sure that you have enough disk space before you change the size value.
# LOGFILE PATHNAMES AND CACHE DIRECTORIES
# -----------------------------------------------------------------------------
# TAG: cache_dir
# Usage:
#
# cache_dir Type Directory-Name Fs-specific-data [options]
#
........................
#
#Default:
# cache_dir ufs /var/spool/squid 100 16 256
cache_dir ufs /var/spool/squid 2000 16 256
Step 4:
Adjust the list of DNS name servers. The Squid cache proxy uses this list of DNS servers to resolve domain names.
# TAG: dns_nameservers
# Use this if you want to specify a list of DNS name servers
# (IP addresses) to use instead of those given in your
# /etc/resolv.conf file.
# On Windows platforms, if no value is specified here or in
# the /etc/resolv.conf file, the list of DNS name servers are
# taken from the Windows registry, both static and dynamic DHCP
# configurations are supported.
#
# Example: dns_nameservers 10.0.0.1 192.172.0.4
#
#Default:
# none
dns_nameservers 203.106.93.91 161.142.227.17 192.228.128.16 201.188.0.16
Step 5:
Add the required port to the Access Control List. This example shows port 2083 added to the SSL_ports and Safe_ports lists.
# ACCESS CONTROLS
# ---------------------------
........................
#Examples:
#acl macaddress arp 09:00:2b:23:45:67
#acl myexample dst_as 1241
#acl password proxy_auth REQUIRED
#acl fileupload req_mime_type -i ^multipart/form-data$
#acl javascript rep_mime_type -i ^application/x-javascript$
#
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 2083 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 2083 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
You can enter your own rules:
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
acl our_networks src 172.16.160.0/24 172.16.161.0/24 172.16.162.0/24 172.16.163.0/24 172.16.164.0/24 172.16.165.0/24 172.16.166.0/24 172.16.167.0/24 172.16.168.0/24 172.16.169.0/24 172.16.170.0/24
acl bad_url dstdomain "/etc/squid/bad-sites.squid"
# http_access is first-match: the deny must come before the allow, otherwise
# internal clients match our_networks first and bad_url is never checked
http_access deny bad_url
http_access allow our_networks
# keep the default catch-all after your own rules; when no rule matches,
# Squid applies the opposite of the last rule's action
http_access deny all
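To see why the order of the http_access lines matters, here is an added Python model of Squid's evaluation (first matching line decides; when nothing matches, the fallback is the opposite of the last line's action). It is not Squid's code: the ACL names and the 172.16.16x.0/24 networks are the page's, while the blocked domain and the sample requests are constructed.

```python
import ipaddress

# Constructed model of the custom rules from this section. ACL names and the
# 172.16.16x.0/24 networks are the page's; the blocked domain stands in for
# the contents of /etc/squid/bad-sites.squid and the requests are made up.
ACLS = {
    "our_networks": ("src", ["172.16.160.0/24", "172.16.161.0/24"]),
    "bad_url": ("dstdomain", [".bad-site.example"]),
    "all": ("src", ["0.0.0.0/0"]),  # CIDR form of the page's 0.0.0.0/0.0.0.0
}


def acl_matches(name, request):
    """Return True if the named ACL matches the request dict."""
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(request["src"])
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":
        host = request["host"].lower()
        # A leading dot matches the domain and all its subdomains; a bare
        # name matches that exact host only.
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in values)
    raise ValueError("unsupported acl type: " + kind)


def http_access(rules, request):
    """First matching http_access line decides; if none match, Squid falls
    back to the opposite of the last line's action."""
    for action, acl in rules:
        if acl_matches(acl, request):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# Allow line first: internal clients match our_networks and never reach the
# bad_url line, and requests matching nothing fall back to "allow".
ALLOW_FIRST = [("allow", "our_networks"), ("deny", "bad_url")]

# Deny the blocked sites first, then allow the LAN, then deny everything
# else so the fallback can never open the proxy up to other sources.
DENY_FIRST = [("deny", "bad_url"), ("allow", "our_networks"), ("deny", "all")]

if __name__ == "__main__":
    lan_to_bad = {"src": "172.16.160.10", "host": "www.bad-site.example"}
    outsider = {"src": "10.9.9.9", "host": "example.org"}
    for label, rules in (("allow-first", ALLOW_FIRST), ("deny-first", DENY_FIRST)):
        print(label, http_access(rules, lan_to_bad), http_access(rules, outsider))
```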
To send FTP requests from clients directly to the origin servers, bypassing any cache peers:
# TAG: always_direct
# Usage: always_direct allow|deny [!]aclname ...
#
# Here you can use ACL elements to specify requests which should
# ALWAYS be forwarded by Squid to the origin servers without using
# any peers. For example, to always directly forward requests for
# local servers ignoring any parents or siblings you may have use
# something like:
#
# acl local-servers dstdomain my.domain.net
# always_direct allow local-servers
#
# To always forward FTP requests directly, use
#
# acl FTP proto FTP
# always_direct allow FTP
........................
#
#Default:
# none
acl FTP proto FTP
always_direct allow FTP
To make sure the configuration is valid and your Squid proxy server runs smoothly, first start Squid in debugging mode. The commands below show, step by step, how to create the Squid cache directory and then run Squid in debugging mode.
1. Create the Squid cache directory by issuing this command:
[root@linux fedora]# /usr/sbin/squid -z
2006/03/16 10:33:00 Creating Swap Directories
2. Then test-run your Squid cache proxy by running Squid in debug mode:
[root@linux fedora]# /usr/sbin/squid -NCd1
Press Ctrl + C to stop.
Output
2006/03/16 10:43:22 Preparing for shutdown after 39 requests
2006/03/16 10:43:22 Waiting 0 seconds for active connections to finish
2006/03/16 10:43:22 FD 11 Closing HTTP connection
2006/03/16 10:43:22 FD 12 Closing HTTP connection
2006/03/16 10:43:24 Shutting down...
2006/03/16 10:43:24 FD 13 Closing ICP connection
2006/03/16 10:43:24 Closing unlinkd pipe on FD 9
2006/03/16 10:43:24 storeDirWriteCleanLogs: Starting...
2006/03/16 10:43:25 Finished. Wrote 7796 entries.
2006/03/16 10:43:25 Took 0.1 seconds (89056.4 entries/sec).
Use the following command to start and stop Squid.
[root@linux fedora]# /sbin/service squid start
[root@linux fedora]# /sbin/service squid stop
To make sure Squid starts automatically after a system reboot, use the chkconfig command to turn Squid on in runlevels 3 and 5. (Setting automatic start on runlevels 3 and 5)
[root@linux fedora]# /sbin/chkconfig --level 35 squid on
(Confirmation of automatic start)
[root@linux fedora]# /sbin/chkconfig --list squid
squid 0:off 1:off 2:off 3:on 4:off 5:on 6:off