
Setting up a Squid Proxy Server – playing with ACLs, passwd file and LDAP Authentication

Hello everyone! Today I'll blog about Squid. I want to play with ACLs, permissions, and authentication based on a passwd file and LDAP. It has to be thought through quite a bit before implementing it, but basically I'll assume that the ideal environment is this one.

Let’s install it. yum is quite a useful tool :)

[root@webserver01 conf.d]# yum install squid

If you take a look at /etc/sysconfig/squid, you'll see that Squid is started with -D. That flag only skips the initial DNS tests at startup; it does not disable DNS resolution itself.

SQUID_OPTS="-D"

The options you commonly touch when configuring a Squid proxy server are:

[root@webserver01 ~]# vi /etc/squid/squid.conf

http_port 3128

hierarchy_stoplist cgi-bin ? # a list of words; if any of them appears in the URL, the object is fetched directly by this proxy instead of being requested from neighbour (parent or sibling) caches.
acl QUERY urlpath_regex cgi-bin \? # here we define an ACL matching the same dynamic URLs.
cache deny QUERY # objects matching QUERY will not be cached, which is why we use deny. By default every object may be cached.

visible_hostname webserver01 # You must give the server a name. In the stock squid.conf this directive is commented out with the default value "none"; find the "visible_hostname" block and add this line with the server's name. Make sure the name resolves, for example with an entry in /etc/hosts.

For the cache directory there are two choices.

cache_dir ufs Directory-Name Mbytes L1 L2 [options]

cache_dir ufs /cache_dir 5000 16 256

So, to make sense of this, we must first understand what all of these parameters mean.

cache_dir is the directive followed by its parameters. ufs is the storage type; after it comes the directory name (/cache_dir in the example above, /var/spool/squid in the stock config), then the amount of disk space in MBytes. L1 and L2 are the directory levels: L1 is the number of first-level subdirectories created under the main directory (default 16), and L2 is the number of second-level subdirectories created under each first-level directory (default 256).

cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]

diskd uses the same format as ufs, but hands disk I/O to a separate process so the main Squid process does not block on it; Q1 and Q2 tune the depth of its request queues.

cache_dir diskd /var/spool/squid 1024 16 256 Q1=72 Q2=64

I prefer this second method, if it were a question of choice. The second one is better than the first because it is safer.

———————————————————

http_access and ACLs.

By default Squid denies everything. You can see that where it says:

http_access deny all

To fix that, we must allow our network through the proxy with ACLs:

acl mynetwork src 192.168.1.0/24
http_access allow mynetwork
http_access deny all

*****************
to set the SELinux boolean that lets Squid connect to ports other than the standard web ports (needed when SELinux is enforcing):

[root@webserver01 squid]# setsebool -P squid_connect_any 1

—-

to redirect all connections arriving on port 80 to port 3128 (transparent interception). For this to work, the listening port must also be declared as intercepting in squid.conf (http_port 3128 transparent on Squid 2.6 and 3.0; the keyword is intercept from Squid 3.1 on), otherwise Squid treats the intercepted requests as malformed proxy requests and returns an error page. The PREROUTING chain only sees traffic routed through this box, so the proxy's own outgoing requests are not looped back into it.

[root@webserver01 squid]# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128

The rule lives in the nat table, so list that table to see it (a plain iptables -L only shows the filter table):

[root@webserver01 squid]# iptables -t nat -L PREROUTING
REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 3128

to create the proxy cache directory.

[root@webserver01 squid]# squid -z
2010/03/09 18:21:05| Creating Swap Directories
[root@webserver01 squid]#

to start the service and make sure it is started during the boot process:

[root@webserver01 squid]# service squid start
Starting squid: . [ OK ]
[root@webserver01 squid]# chkconfig squid on
[root@webserver01 squid]#

Now point your browser at the proxy. Remember, the port is 3128.
You can check the log files access.log, cache.log and store.log in /var/log/squid.

*************************

Playing with ACLs and authentication based on LDAP and a password file.

Let's begin with two lists, both of which will be used as forbidden content.

file1:

[root@webserver01 squid]# vi /etc/squid/blocked-words

sexy
sexo
drogas
playstation
games

file2:

[root@webserver01 squid]# vi /etc/squid/blocked-sites

.youtube.com
.infojobs.net
.infojobs.com
.google.com
.hotmail.com
.elpais.es
.msn.com
.yahoo.com
.softonic.com
.monters.com
.facebook.com
.linkedin.com

Through these two files we define two rules:
The first one denies with the url_regex option: if any word in the list appears anywhere in the requested URL, the proxy refuses the request. Note that url_regex is case-sensitive unless you add -i after it, and that a word like "games" also matches hostnames and paths that merely contain it.
The second one denies with the dstdomain option: if the destination host matches an entry in the list, the proxy refuses the connection too. dstdomain entries are domain names, not URLs; an entry with a leading dot such as .youtube.com matches youtube.com and every subdomain, whereas an entry like http://www.youtube.com is compared against the bare host and never matches anything.

acl blockedwords url_regex "/etc/squid/blocked-words"
acl blockedsites dstdomain "/etc/squid/blocked-sites"
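As an added example (not part of the original post, and not Squid's own tooling), here is a small shell check for dstdomain list files like the two above: it counts entries written as URLs, which Squid would load but never match because dstdomain is compared against the request host, and prints the list in bare-domain form. The sample file is constructed inline; turning a www. host into a leading-dot entry is this script's convention, not a Squid rule.

```shell
#!/bin/sh
# Added example, not from the original post: check a Squid dstdomain list file
# for entries written as URLs (dstdomain is compared against the request host,
# so "http://www.youtube.com" never matches anything) and print the list in the
# bare-domain form Squid expects. The sample list below is constructed.

SAMPLE_LIST=$(mktemp)
cat > "$SAMPLE_LIST" <<'EOF'
# constructed blocked-sites file, mixing good and bad entries
http://www.youtube.com
http://www.infojobs.net/ofertas/
.facebook.com
news.bbc.co.uk
www.linkedin.com:443

EOF

# Print one entry in dstdomain form, or nothing for blanks and comments.
# Convention used here (this script's choice, not Squid's): a www. host becomes
# .domain so the apex and every subdomain are covered; other bare hosts are
# kept as exact matches.
normalize_dstdomain() {
  e=${1%%#*}                                # drop trailing comment
  set -- $e                                 # trim surrounding whitespace
  e=${1:-}
  [ -n "$e" ] || return 0
  case "$e" in *://*) e=${e#*://} ;; esac   # strip scheme
  e=${e%%/*}                                # strip path
  e=${e%%:*}                                # strip port
  case "$e" in www.*) e=".${e#www.}" ;; esac
  printf '%s\n' "$e"
}

# Count entries Squid would load but never match: anything carrying a scheme,
# a path or a port is not a plain domain name.
count_bad_dstdomain_entries() {
  grep -c -E '://|/|:[0-9]+$' "$1" || true
}

# Emit the whole file normalized (write it to a new file and diff before use).
normalize_dstdomain_file() {
  while IFS= read -r line || [ -n "$line" ]; do
    normalize_dstdomain "$line"
  done < "$1"
}

echo "unusable entries in $SAMPLE_LIST: $(count_bad_dstdomain_entries "$SAMPLE_LIST")"
normalize_dstdomain_file "$SAMPLE_LIST"
```

Run it against a real list by pointing normalize_dstdomain_file at /etc/squid/blocked-sites; anything reported by count_bad_dstdomain_entries is silently dead in the running ACL, which is the kind of bypass a squid -k parse will not warn you about.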

and finally, to deny both ACLs for our network, we need something like this:

http_access deny mynetwork blockedwords
http_access deny mynetwork blockedsites

The acl and http_access sections of squid.conf now read:

acl mynetwork src 192.168.1.0/24
acl blockedwords url_regex "/etc/squid/blocked-words"
acl blockedsites dstdomain "/etc/squid/blocked-sites"

http_access deny mynetwork blockedwords
http_access deny mynetwork blockedsites
http_access allow mynetwork
http_access deny all

Reload the configuration by running

[root@webserver01 squid]# service squid reload

Then make sure it works in your client browser.

Making our proxy server more fun: authentication by password file.

Edit /etc/squid/squid.conf and modify or add the entries highlighted below. The path of the ncsa_auth helper depends on the build: /usr/lib/squid/ncsa_auth on 32-bit systems, /usr/lib64/squid/ncsa_auth on x86_64 RHEL/CentOS, so check it with ls before you reload.
***************
auth_param basic children 5
auth_param basic realm "This party is by invitation only. Enter with your Login and password"
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/user.passwd
auth_param basic credentialsttl 2 hours

#ACLs session

acl authenticated-users proxy_auth REQUIRED

acl mynetwork src 192.168.1.0/24
acl blockedwords url_regex "/etc/squid/blocked-words"
acl blockedsites dstdomain "/etc/squid/blocked-sites"

#http_access session

http_access deny mynetwork blockedwords
http_access deny mynetwork blockedsites

http_access allow authenticated-users

http_access allow mynetwork
http_access deny all

Now we need to create the user.passwd file, in which the usernames and passwords accepted by the proxy server will be stored.

Following our example, I'll assign some users and roles as if it were a company environment.

Department – user

ADM admin

RRHH jose
RRHH juan

Venta maria
Venta mario

TI leonardo

Let’s create the password file.

[root@webserver01 ~]# htpasswd -c /etc/squid/user.passwd admin
New password:
Re-type new password:
Adding password for user admin
[root@webserver01 ~]#

Once the admin user is created, the -c option is no longer needed; it only creates the file. Once the file exists, forget this option, or you will overwrite the file and lose the users already in it.

[root@webserver01 ~]# htpasswd /etc/squid/user.passwd jose

[root@webserver01 ~]# htpasswd /etc/squid/user.passwd juan

[root@webserver01 ~]# htpasswd /etc/squid/user.passwd maria

[root@webserver01 ~]# htpasswd /etc/squid/user.passwd mario

[root@webserver01 ~]# htpasswd /etc/squid/user.passwd leonardo

Make the file readable only by root and the squid user, since it holds the password hashes, then reload the configuration and test the system from your client browser.

[root@webserver01 ~]# service squid reload

Is that all? Absolutely not. We must think about how the RRHH staff could work without access to http://www.infojobs.net.

Great, it's about time. Let me think of a good scenario to implement.

The TI group must be allowed to access http://www.google.com, http://www.yahoo.com, http://www.softonic.com

The RRHH group must be allowed to access http://www.infojobs.net, http://www.infojobs.com, http://www.monsters.com, http://www.facebook.com, http://www.linkedin.com

Let's grant access to the TI group. For that we need one file listing the users in the group and another listing their sites (domain names, as for any dstdomain list).

[root@webserver01 ~]# vi /etc/squid/ti

leonardo

[root@webserver01 ~]# vi /etc/squid/sites-ti

.google.com
.yahoo.com
.softonic.com

[root@webserver01 ~]# vi /etc/squid/rrhh
jose
juan

[root@webserver01 ~]# vi /etc/squid/sites-rrhh
.infojobs.com
.infojobs.net
.monters.com
.facebook.com
.linkedin.com

Let's go back to squid.conf.

These entries must be added to /etc/squid/squid.conf:

acl ti proxy_auth "/etc/squid/ti"
acl sites-ti dstdomain "/etc/squid/sites-ti"

acl rrhh proxy_auth "/etc/squid/rrhh"
acl sites-rrhh dstdomain "/etc/squid/sites-rrhh"

http_access allow ti sites-ti
http_access allow rrhh sites-rrhh

Let's see what the result looks like:

[root@webserver01 ~]# vi /etc/squid/squid.conf

#ACLs session

acl authenticated-users proxy_auth REQUIRED
acl mynetwork src 192.168.1.0/24
acl blockedwords url_regex "/etc/squid/blocked-words"
acl blockedsites dstdomain "/etc/squid/blocked-sites"

acl ti proxy_auth "/etc/squid/ti"
acl sites-ti dstdomain "/etc/squid/sites-ti"

acl rrhh proxy_auth "/etc/squid/rrhh"
acl sites-rrhh dstdomain "/etc/squid/sites-rrhh"

#http_access session

http_access allow ti sites-ti
http_access allow rrhh sites-rrhh
http_access deny mynetwork blockedwords
http_access deny mynetwork blockedsites
http_access allow authenticated-users
http_access allow mynetwork
http_access deny all
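To see why the order of these lines matters, here is an added example (not from the original post) that models Squid's first-match walk over exactly this http_access list in plain shell, with the ACL contents copied from the files above and a few constructed requests. Two simplifications are mine: the src test is a 192.168.1. prefix match, and url_regex is a plain case-sensitive substring match, which is what the page's word list amounts to. The 407 behaviour follows Squid's documented rule that a request without credentials is challenged only when the proxy_auth ACL is the last one on the http_access line; on the two group lines it is not last, so it simply fails to match.

```shell
#!/bin/sh
# Added example, not from the original post: a tiny model of how Squid walks the
# http_access list above (first matching line wins), run over constructed
# requests. ACL contents mirror the page's files; the src test is simplified to
# a /24 prefix match and url_regex to a case-sensitive substring match.

MYNETWORK_PREFIX="192.168.1."
BLOCKED_WORDS="sexy sexo drogas playstation games"
BLOCKED_SITES=".youtube.com .infojobs.net .infojobs.com .google.com .hotmail.com .elpais.es .msn.com .yahoo.com .softonic.com .monters.com .facebook.com .linkedin.com"
TI_USERS="leonardo"
SITES_TI=".google.com .yahoo.com .softonic.com"
RRHH_USERS="jose juan"
SITES_RRHH=".infojobs.com .infojobs.net .monters.com .facebook.com .linkedin.com"

# src ACL (simplified): is the client inside 192.168.1.0/24?
in_mynetwork() { case "$1" in "$MYNETWORK_PREFIX"*) return 0 ;; *) return 1 ;; esac; }

# proxy_auth "file" ACL: is the authenticated user one of the listed names?
user_in() { for name in $2; do [ "$name" = "$1" ] && return 0; done; return 1; }

# dstdomain ACL: ".example.com" matches example.com and every subdomain.
dstdomain_match() {
  for d in $2; do
    case "$1" in "${d#.}" | *"$d") return 0 ;; esac
  done
  return 1
}

# url_regex ACL with the page's plain words: case-sensitive substring match.
url_regex_match() {
  for w in $2; do
    case "$1" in *"$w"*) return 0 ;; esac
  done
  return 1
}

# http_access USER SRC URL -> prints allow, deny or 407 (auth challenge).
# USER is empty when the request carries no Proxy-Authorization header.
http_access() {
  user=$1; src=$2; url=$3
  host=${url#*://}; host=${host%%/*}; host=${host%%:*}

  # http_access allow ti sites-ti   (proxy_auth not last on the line: no 407 here)
  user_in "$user" "$TI_USERS" && dstdomain_match "$host" "$SITES_TI" && { echo allow; return; }
  # http_access allow rrhh sites-rrhh
  user_in "$user" "$RRHH_USERS" && dstdomain_match "$host" "$SITES_RRHH" && { echo allow; return; }
  # http_access deny mynetwork blockedwords
  in_mynetwork "$src" && url_regex_match "$url" "$BLOCKED_WORDS" && { echo deny; return; }
  # http_access deny mynetwork blockedsites
  in_mynetwork "$src" && dstdomain_match "$host" "$BLOCKED_SITES" && { echo deny; return; }
  # http_access allow authenticated-users: proxy_auth REQUIRED is the last ACL
  # on the line, so a request without credentials gets a 407 challenge here.
  [ -n "$user" ] && { echo allow; return; }
  echo 407
  # http_access allow mynetwork   <- never reached
  # http_access deny all          <- never reached
}

# Constructed requests ("-" means no credentials), not real traffic.
for req in "leonardo 192.168.1.10 http://www.google.com/" \
           "jose 192.168.1.10 http://www.google.com/" \
           "jose 192.168.1.10 http://www.infojobs.net/ofertas" \
           "maria 192.168.1.10 http://www.youtube.com/" \
           "- 192.168.1.10 http://www.example.com/" \
           "maria 10.0.0.5 http://www.youtube.com/"; do
  set -- $req
  u=$1; [ "$u" = "-" ] && u=""
  printf '%-9s %-13s %-40s -> %s\n' "$1" "$2" "$3" "$(http_access "$u" "$2" "$3")"
done
```

Running it shows the two group allow lines overriding the blockedsites deny for leonardo and jose, and two things worth noticing in this ruleset: allow mynetwork and deny all are never reached, because every request has either matched earlier or been challenged, and an authenticated user from outside 192.168.1.0/24 (the 10.0.0.5 case) is allowed and also skips both deny lines, since those are tied to mynetwork. If the proxy should serve only the LAN, write http_access allow mynetwork authenticated-users in place of the bare allow authenticated-users line.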

Check it yourself: test whether the RRHH group can reach all the sites allowed to them, and do the same for the TI group. Note that the order matters: Squid uses the first http_access line that matches, so the two group allow lines must come before the deny lines, otherwise the blockedsites rule would win.

Finally, the LDAP authentication section.

I'll write the examples based on an article I recently published. You can check it out, of course. Here you are: https://ibroughtthe.wordpress.com/2010/03/01/step-by-step-how-to-configure-a-ldap-directory-service/

Make sure we can talk to our LDAP server. Run the helper by hand, type a username and password separated by a space and press Enter; it answers OK when the bind succeeds and ERR otherwise.

[root@webserver01 ~]# /usr/lib/squid/squid_ldap_auth -b "dc=queirozpacheco,dc=com" -f "uid=%s" -h 192.168.1.2

jose jose123
OK

[root@webserver01 ~]# vi /etc/squid/squid.conf

#auth_param session

auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=queirozpacheco,dc=com" -f "uid=%s" -h 192.168.1.2

OK, now check that it works. Keep in mind that Basic authentication sends the credentials base64-encoded, effectively in clear text, on every request between the browser and the proxy, and that a simple bind to 192.168.1.2 on port 389 sends them in clear to the directory as well; squid_ldap_auth accepts -Z to use TLS on that leg if the LDAP server supports it.

Cheers.
Carlos.
