Linux Mail Server Setup and Howto Guide » Squid Proxy Server http://www.linuxmail.info Rapidly deploy Linux based mail solutions today Tue, 01 Nov 2011 00:43:33 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 Squid Proxy Server Setup Howto for RHEL/CentOS 5 http://www.linuxmail.info/squid-proxy-server-setup-howto/ http://www.linuxmail.info/squid-proxy-server-setup-howto/#comments Sat, 15 Nov 2008 13:02:07 +0000 consultant http://www.linuxmail.info/?p=152 Squid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid also has extensive access controls and makes a great server accelerator. This article will show you how to install and configure the Squid Proxy Server in RHEL/CentOS 5.

How to install Linux

You can use either Red Hat Enterprise Linux 5 or CentOS 5. RHEL 5 can be purchased from Red Hat and comes with support. CentOS 5 on the other hand can be downloaded here.

Boot1. How to install CentOS 5.
Welcome2. How to setup CentOS 5.
NoteTo simplify our administration tasks, log in as the user root and specify your root password. This is not the recommended way of administering a Linux box, but for the tasks at hand it is the most efficient way.
Edit /etc/hosts3. How to configure host name lookup.

How to setup the Squid Proxy Server

The Server – GUI installation already include Squid so all we have to do is start the Squid service and open the Squid port in the firewall.

Edit squid.conf1. Edit the Squid configuration file /etc/squid/squid.conf. See a sample squid.conf. Learn more about the Squid Access Control List (ACL).
Service Configuration2. Start the squid service. Learn how to start services.
Security Level Configuration3. Squid listens on the port 3128 so this should be opened in the firewall. Learn how to configure the firewall.
IE7 Squid Denied4. Configure your browser to use Squid. If you hit any of the deny rules, you should see a Squid error message.

How to integrate Active Directory

You can use you Active Directory user accounts for authenticating in Squid. You can also the Active Directory groups to group the access control in Squid. This section describes how to use Samba to integrate Active Directory into Squid.

getent passwd1. How to setup Samba and Winbind.
getent passwd2. How to integrate Active Directory into Squid.

How to generate analysis reports

To generate analysis report for Squid, we are going to use the Squid Analysis Report Generator (SARG) and Webmin. Webmin will make it easier to manage SARG.

BootHow to install and configure the Squid Analysis Report Generator (SARG).
]]> http://www.linuxmail.info/squid-proxy-server-setup-howto/feed/ 0 Squid and Active Directory Integration http://www.linuxmail.info/squid-active-directory-integration/ http://www.linuxmail.info/squid-active-directory-integration/#comments Sun, 02 Nov 2008 10:29:39 +0000 consultant http://www.linuxmail.info/?p=137 You can use you Active Directory user accounts for authenticating in Squid. You can also the Active Directory groups to group the access control in Squid. This article describes how to configure Squid to use the Active Directory user accounts for authentication and groups for access control.

We will use Winbind to integrate Active Directory into Squid. See Active Directory Integration with Samba for instructions on how to configure Winbind.

Authenticating using Active Directory

Edit squid.conf1. Edit the file /etc/squid/squid.conf and add the lines below.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive on

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

acl authenticated proxy_auth REQUIRED

The first section of auth_param configures NTLM browser authentication (works in Internet Explorer) to authenticate using Samba. The second section of auth_param does the same but works for basic browser authentication.

The last line defines an access control list element named authenticated which can be used in any access control list. Below is a simple access control list which allows only authenticated users to have access to the Squid cache.

http_access allow authenticated
Service Configuration2. Restart the squid service. Learn how to restart services.
Firefox Authentication3. Try browsing the web via the proxy server, you should be asked to authenticate. Learn how to configure Firefox or Internet Explorer to use a proxy server.

Using Active Directory Security Groups

You can use the Active Directory Security Group in your access control list. Distribution group will not work here.

Edit squid.conf1. Edit the file /etc/squid/squid.conf and add the lines below.
external_acl_type ad_group %LOGIN /usr/lib/squid/wbinfo_group.pl
acl banned_users external ad_group BannedUsers

The first line defines an external acl type named ad_group which points to a Perl program that accepts a user name and group name parameter and returns Ok if the user name belongs in a specified group name.

The second line defines an access control list element named banned_users which specifies the Active Directory group BannedUsers. Below is an example in using the banned_users acl.

http_access deny banned_users
Service Configuration2. Restart the squid service. Learn how to restart services.
Internet Explorer 73. Try browsing the web via the proxy server. Learn how to configure Firefox or Internet Explorer to use a proxy server.

Related Pages

BootHow to install and configure the Squid Analysis Report Generator (SARG).
]]> http://www.linuxmail.info/squid-active-directory-integration/feed/ 4 Squid Analysis Report Generator (SARG) and Webmin http://www.linuxmail.info/squid-analysis-report-generator-webmin/ http://www.linuxmail.info/squid-analysis-report-generator-webmin/#comments Sat, 25 Oct 2008 11:56:30 +0000 consultant http://www.linuxmail.info/?p=104 The Squid Analysis Report Generator (SARG) enables you to see your Squid users internet usage. SARG provides many informations about Squid users activities like times, bytes, sites, etc. This article will show you how to use SARG through Webmin, a web-based interface for administering Linux.

Installing Webmin and SARG

RPM Forge1. Add the RPMforge repository into Yum. We will be getting the SARG RPM package for Red Hat/CentOS from RPMforge.
Yum install SARG2. From a terminal window, type in the command below to install SARG.
yum install sarg
Webmin3. Install Webmin. After installing, login to Webmin. Webmin will enable us to control who gets access to the Squid reports. We will also have an easy to use web-based interface for configuring the report format.
SARG configure4. Click Un-used modules in the side bar. Next click Squid Report Generator. We need to configure SARG so click module configuration.
SARG configure5. Change the value of Full path to SARG configuration file to /etc/sarg/sarg.conf then click the Save.
NoteNext time you need to use the Squid Report Generator, look for it under Servers instead of Un-used modules.

Generating a report

SARG1. To generate a report, click the Generate Report Now button.
SARG2. Next, click View completed report.
SARG3. Click the latest generated report.
SARG4. Review the generated report.
]]> http://www.linuxmail.info/squid-analysis-report-generator-webmin/feed/ 3 Squid Access Control List (ACL) Elements http://www.linuxmail.info/squid-acl-elements/ http://www.linuxmail.info/squid-acl-elements/#comments Sun, 19 Oct 2008 14:36:34 +0000 consultant http://www.linuxmail.info/?p=99 The Squid Access Control List (ACL) Element defines a specific condition that can be acted upon when met. Listed below are the different types ACL elements available in Webmin and its equivalent in the Squid configuration file.

You can define multiple ACL elements having the same name and type. It will be acted upon if any one of those condition are met.

Example 
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443

You can also define multiple values in a separate file.

Example 
acl Safe_ports port "/etc/squid/safe_ports"
/etc/squid/safe_ports contains the lines below 
80
21
443

Browser Regexp (browser)

Matches a regular expression pattern against the User-Agent header of a browser. Use the -i option to make the comparison case-insensitive. Visit http://www.useragent.org/ to see your User-Agent header. 
acl aclname browser [-i] regexp
Example 
acl mozilla_compatible browser Mozilla

Client Address (src)

Matches the IP address of the requesting client. If hostname is specified, it will be converted to an IP address during Squid initialization so it won’t match anymore if the IP address changes afterwards. 
acl aclname src ip-address[/netmask]
acl aclname src addr1-addr2/netmask
acl aclname src hostname
Example 
acl boss_ip         src 192.168.0.2
acl bosses_ip       src 192.168.0.2-192.168.0.10/255.255.255.0
acl local_network   src 192.168.0.0/24
acl office_networks src 192.168.1.0-192.168.10.0/24

Client Hostname (srcdomain)

Matches the reverse DNS of the requesting client’s IP address. 
acl aclname srcdomain hostname.domain.suffix
acl aclname srcdomain .domain.suffix
Example 
acl bugs_host   srcdomain bugsbunny.acme.local
acl acme_domain srcdomain .acme.local

Client Regexp (srcdom_regexp)

Matches a regular expression pattern against the the reverse DNS of the requesting client’s IP address. Use the -i option to make the comparison case-insensitive. 
acl aclname srcdom_regexp [-i] regexp
Example 
acl hostname_starting_with_the_letter_x srcdom_regexp ^x.*

Date and Time (time)

Matches the date and time the client is making the request. 
acl aclname time [day-abbreviations] [h1:m1-h2:m2]
Day Abbreviations
  • S – Sunday
  • M – Monday
  • T – Tuesday
  • W – Wednesday
  • H -Thursday
  • F – Friday
  • A – Saturday
  • D – Weekdays (Monday – Friday)
Example 
acl lunch_break  time 12:00-13:00
acl office_hours time D 09:00-17:00

Dest AS Number (dest_as)

Matches the Destination Autonomous System Number of the server being queried. 
acl aclname dst_as number
Example 
acl sampleas dst_as 1234

Ethernet Address (arp)

Matches the ethernet (Media Access Control, MAC) address of the requesting client. Squid can only determine the MAC address for clients that are on the same subnet. If the client is on a different subnet, then Squid cannot find out its MAC address. 
acl aclname arp mac-address
Example 
acl boss_mac arp 01:02:03:04:05:06

External Auth (proxy_auth)

Matches a username acquired using HTTP authentication headers. Use the -i option to make the comparison case-insensitive. Use REQUIRED to match all users. 
acl aclname proxy_auth username1 username2
acl aclname proxy_auth REQUIRED
Example 
acl acme_top_stars      proxy_auth bugsbunny daffyduck
acl authenticated_users proxy_auth REQUIRED

External Auth Regexp (proxy_auth_regexp)

Matches a regular expression pattern against a username acquired using HTTP authentication headers. Use the -i option to make the comparison case-insensitive. 
acl aclname proxy_auth_regexp [-i] regexp
Example 
acl usernames_starting_with_the_letter_x proxy_auth_regexp ^x.*

Max User IP (max_user_ip)

Matches when the same user attempts to log in for more than the specified number of times from different ip addresses. Use the -s option to strictly enforce the limit. Without -s, Squid will just annoy the user by “randomly” denying requests. 
acl aclname max_user_ip [-s] number
Example 
acl max_user_ip_conn max_user_ip 5

Maximum Connections (maxconn)

Matches when the specified number of HTTP connections for a client has been exceeded. 
acl aclname maxconn number
Example 
acl max_conn_limit maxconn 10

Proxy IP Address (myip)

Matches the IP address of the Squid server where the client connected. Useful for servers with multiple IP addresses. If hostname is specified, it will be converted to an IP address during Squid initialization so it won’t match anymore if the IP address changes afterwards. 
acl aclname myip ip-address[/netmask]
acl aclname myip addr1-addr2/netmask
acl aclname myip hostname
Example 
acl dialup_ip 192.168.0.2

Proxy Port (myport)

Matches the port of the Squid server where the client connected to. Useful for servers listening in multiple ports. 
acl aclname myport portnumber
Example 
acl accel_port myport 80
acl proxy_port myport 3128

RFC931 User (ident)

Matches a username against an external ident server running on the client machines. 
acl aclname ident username
Example 
acl friends ident bugsbunny daffyduck

RFC931 User Regexp (ident_regexp)

Matches a regular expression pattern against an external ident server running on the client machines. Use the -i option to make the comparison case-insensitive. 
acl aclname ident_regexp [-i] regexp
Example 
acl usernames_starting_with_the_letter_x ident_regexp ^x.*

Reply MIME Type (rep_mime_type)

Matches the regular expression pattern against the Content-Type header of the origin server’s HTTP response. Useful only when used in an http_reply_access rule. Use the -i option to make the comparison case-insensitive. 
acl aclname rep_mime_type [-i] regexp
Example 
acl java_download rep_mime_type application/x-java

Request MIME Type (req_mime_type)

Matches the regular express pattern against the Content-Type header of the client’s HTTP request. You can use this to detect certain file uploads and some types of HTTP tunneling requests. Use the -i option to make the comparison case-insensitive. 
acl aclname req_mime_type [-i] regexp
Example 
acl audio_file_upload req_mime_type -i ^audio/

Request Method (method)

Matches the HTTP request method sent by the client. Squid recognizes the following methods: GET,POST,PUT,HEAD, CONNECT,TRACE,OPTIONS and DELETE. 
acl aclname method method-type
Example 
acl get_post_method method GET POST

SNMP Community (snmp_community)

Matches a string against an SNMP query, which is controlled by the snmp_access directive. 
acl aclname snmp_community string
Example 
acl my_community snmp_community MyCommunity

Source AS Number (src_as)

Matches the Autonomous System Number of the requesting client. 
acl aclname src_as number
Example 
acl my_isp src_as 1234

URL Path Regexp (urlpath_regexp)

Matches a regular expression pattern against the requested URL path. The URL path specifies the path only and does not include the protocol and the hostname. Use the -i option to make the comparison case-insensitive. 
acl aclname urlpath_regexp [-i] regexp
Example 
acl images_path urlpath_regexp ^/images

URL Port (port)

Matches the destination port number of the request. 
acl aclname port number
acl aclname port range
Example 
acl web_port  port 80
acl voip_port port 10000-11000

URL Protocol (proto)

Matches the protocol of the request. 
acl aclname proto protocol
Example 
acl ftp proto FTP

URL Regexp (url_regexp)

Matches a regular expression pattern against the requested URL. Use the -i option to make the comparison case-insensitive. 
acl aclname url_regexp [-i] regexp
Example 
acl ftp_mp3 url_regexp ^ftp://.*\.mp3$

Web Server Address (dst)

Matches the IP address of the destination server. If hostname is specified, it will be converted to an IP address during Squid initialization so it won’t match anymore if the IP address changes afterwards. 
acl aclname dst ip-address[/netmask]
acl aclname dst addr1-addr2/netmask
acl aclname dst hostname
Example 
acl google dst www.google.com

Web Server Hostname (dstdomain)

Matches the domain of the destination server. 
acl aclname dstdomain hostname.domain.suffix
acl aclname dstdomain .domain.suffix
Example 
acl www_google dstdomain www.google.com
acl www_google dstdomain google.com  # matches exactly google.com
acl google_dom dstdomain .google.com # all subdomains of google.com

Web Server Regexp (dstdom_regexp)

Matches the regular expression pattern against the domain of the destination server. 
acl aclname dstdom_regexp regexp
Example 
acl domains_starting_with_the_letter_x dstdom_regexp ^x.*
]]> http://www.linuxmail.info/squid-acl-elements/feed/ 1