Saturday, March 17, 2012

CONFIGURING SQUID PROXY SERVER IN RED HAT LINUX




Squid is the most popular proxy server in use today. Some of the reasons why squid is so popular are:
1. Squid is not an ordinary proxy server; it is a proxy cum caching server. This means that when a web page is accessed through squid, it caches the web page on the local hard disk. When a request is made for the same web page, either by the same client host computer or by any other computer, squid serves the web page from its local hard disk cache. This eliminates repetitive internet access and speeds up client web access.

2. Squid has excellent access control restrictions. For example, you can allow only certain computers to access the internet, restrict certain computers to only certain web sites, allow certain computers to access the internet only on certain days between certain times, restrict access to pornographic web pages, etc. Squid can also be integrated with third party content filtering software to provide comprehensive and easily manageable web access restrictions.

3. Squid has extremely good logging capabilities. For example, you can monitor which IP address has accessed which web site, how well your cache memory is being utilized, etc.

To install and configure squid proxy on our Linux system we need the following rpm:
squid-2.5.STABLE1-2

Edit the file squid.conf

[root@akhisar root]# vi /etc/squid/squid.conf

# Line No. 53
http_port 3128                                  # uncomment this line

# Line No. 468
cache_mem 8 MB                                  # uncomment this line

# Line No. 666
cache_dir ufs /var/spool/squid 100 16 256       # uncomment this line

# Line No. 673
cache_access_log /var/log/squid/access.log      # uncomment this line

# Line No. 681
cache_log /var/log/squid/cache.log              # uncomment this line


# ACCESS CONTROLS
#Recommended minimum configuration:

# Line Nos. 1678-1693       # These are the default ACLs configured for our use       
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563  # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Line No.1694 onwards         ( Write your own ACLs from this line onwards)
acl ltc1 src "/etc/allowedips"
acl ltc2 src "/etc/domainrestrictedips"
acl ltc3 dstdomain "/etc/domains"
acl ltc4 src "/etc/timerestrictedips"
acl ltc5 time SMT 12:00-14:00
acl badurls url_regex sex hardcore playboy.com

# Line No.1720
#http_access deny all            # Do not uncomment this line if using ACLs

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_access deny badurls
http_access deny ltc4 ltc5
http_access allow ltc2 ltc3
http_access allow ltc1

# And finally deny all other access to this proxy
http_access allow localhost
http_access deny all

#  TAG: visible_hostname
#       If you want to present a special hostname in error messages, etc,
#       then define this.  Otherwise, the return value of gethostname()
#       will be used. If you have multiple caches in a cluster and
#       get errors about IP-forwarding you must set them to have individual
#       names with this setting.
#
visible_hostname akhisar

`Save the file and Quit'.

Explanation of Configuration directives :

Line No.53
Squid listens for requests on tcp port 3128 by default, you can change this.

Line No.468
'cache_mem' specifies the ideal amount of memory to be used for:
   * In-Transit objects
   * Hot Objects
   * Negative-Cached objects

Data for these objects are stored in 4 KB blocks. This parameter specifies the ideal upper limit on the total size of 4 KB blocks allocated. In-Transit objects take the highest priority.

In-transit objects have priority over the others. When additional space is needed for incoming data, negative-cached and hot objects will be released. In other words, the negative-cached and hot objects will fill up any unused space not needed for in-transit objects.

If circumstances require, this limit will be exceeded. Specifically, if your incoming request rate requires more than 'cache_mem' of memory to hold in-transit objects, Squid will exceed this limit to satisfy the new requests.

NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE. IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER THINGS AS WELL.

Line No.666
This specifies the top level directory squid will use as its cache folder.
`100' specifies the amount of space allocated in MB for this folder (100 MB is the default; you can increase this value depending on your usage).
`16' is the number of upper level folders created under the top level cache folder. These upper level folders store the web pages that are more frequently accessed.
`256' is the number of lower level folders created under each of the 16 upper level folders. These lower level folders store the web pages that are less frequently accessed.
The top level folder `/var/spool/squid' is created automatically, the 16 upper level and 256 lower level folders are created only when the squid server service is started for the first time.

Line No.673
The access log file logs every client web request. It is used to monitor which IP address has accessed which web site.
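The monitoring this log makes possible, as an added example (not code from the original post or from the Squid project): a small parser for the native-format lines Squid 2.5 writes to access.log, which reports which client reached which site, which requests the http_access rules refused (TCP_DENIED), and the cache hit ratio. The log lines are constructed samples, and the field layout assumed is the native one: timestamp elapsed client action/code size method URL ident hierarchy/peer type.

```python
from collections import defaultdict

# Constructed sample of a Squid 2.5 native-format access.log (not a real capture).
SAMPLE_LOG = """\
1331971200.123    245 192.0.2.179 TCP_MISS/200 3421 GET http://www.rediff.com/ - DIRECT/203.0.113.5 text/html
1331971201.456     12 192.0.2.179 TCP_HIT/200 3421 GET http://www.rediff.com/ - NONE/- text/html
1331971202.789      3 192.0.2.167 TCP_DENIED/403 1345 GET http://www.google.com/ - NONE/- text/html
1331971203.000    180 192.0.2.167 TCP_MISS/200 9876 GET http://www.yahoo.com/ - DIRECT/203.0.113.9 text/html
1331971204.000      2 192.0.2.176 TCP_DENIED/403 1345 CONNECT www.example.net:443 - NONE/- -
"""

def parse_line(line):
    """Split one native-format line into a dict; None if it is not a log line."""
    f = line.split()
    if len(f) < 10:
        return None
    action, _, status = f[3].partition("/")
    url = f[6]
    # CONNECT requests log only host:port; everything else logs a full URL.
    host = url.split("//", 1)[1].split("/", 1)[0] if "://" in url else url
    host = host.rsplit(":", 1)[0] if ":" in host else host   # drop an explicit port
    return {"ts": float(f[0]), "client": f[2], "action": action,
            "status": int(status), "method": f[5], "host": host, "url": url}

def summarise(log_text):
    """Per-client site counts, http_access denials, and cache hit ratio of served requests."""
    per_client = defaultdict(lambda: defaultdict(int))
    denied, hits, misses = [], 0, 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        per_client[rec["client"]][rec["host"]] += 1
        if rec["action"] == "TCP_DENIED":       # refused by the http_access rules
            denied.append((rec["client"], rec["method"], rec["url"]))
        elif "HIT" in rec["action"]:            # served from the disk or memory cache
            hits += 1
        elif "MISS" in rec["action"]:           # fetched from the origin server
            misses += 1
    served = hits + misses
    return {
        "per_client": {c: dict(h) for c, h in per_client.items()},
        "denied": denied,
        "hit_ratio": hits / served if served else 0.0,
    }
```

A steady stream of TCP_DENIED lines from one client is the quickest sign that a host is outside the allowed lists or is repeatedly hitting a denied rule.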

Line No.681
Cache logging file. This is where general information about your cache's behavior goes.

ACCESS CONTROLS :

This section is used to impose access restrictions on the Squid proxy server.
Restrictions are imposed with the help of access control lists (ACLs) that need to be created by the squid server administrator. Default access lists have been created, but for secure access further customization is required.

The syntax used in writing ACLs is as follows :
acl <label> <keyword> <parameter>
Explanation :
Every access control list starts with the word `acl'. The label is just a descriptive name for that acl; it has no technical significance.

The first acl is named `ltc1'; it uses the keyword `src'.
The keyword `src' stands for source IP address, i.e. the IP address of the client host computer making a web request via the squid proxy server. Instead of defining IP addresses individually we can write the IP addresses (one below the other) to a file and mention the path to that file on the `acl line'.
Here we have written a few IP addresses to the file `allowedips' created under the /etc subdirectory.

The second `acl', `ltc2', also refers to IP addresses that have been saved to a file `domainrestrictedips' created under /etc.

The third `acl', `ltc3', contains the keyword `dstdomain'. This keyword refers to destination domain names, for example www.yahoo.com, www.rediff.com, etc. Instead of specifying domain names individually we can write them to a file (one below the other) and mention the path to that file on the `acl line'. Here we have written a few domain names to the file `domains' created under /etc.

The fourth `acl', `ltc4', refers to IP addresses that have been written to a file `timerestrictedips' created under /etc.

The fifth `acl', `ltc5', specifies the keyword `time'. This keyword refers to days of the week and times. Here we have specified the days of the week as Sunday, Monday and Tuesday (the letters S, M and T) and the time as 12:00 p.m. to 2:00 p.m.

The sixth `acl', named `badurls', consists of the keyword `url_regex'. This keyword refers to regular expressions matched against the requested URL. Here we have mentioned a few expressions or phrases like sex, hardcore, playboy.com.

The six `acls' that we have created above are of no use until they have been enforced with http_access rules.


To enforce these rules go to the following section :

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

http_access deny badurls

Explanation :
No URL containing any of the expressions or phrases mentioned in that acl (sex, hardcore, playboy.com) will be allowed. In fact, even a search done through google or any other search engine on any of these expressions will be denied, because the search term appears in the request URL.

http_access deny ltc4 ltc5
Web access will be denied to all host computers having IP addresses contained in the file `/etc/timerestrictedips' on Sunday, Monday and Tuesday between 12:00 p.m. and 2:00 p.m.

http_access allow ltc2 ltc3
The host computers having the IP addresses defined in the file `/etc/domainrestrictedips' will be allowed access to only the web sites defined in the file /etc/domains.

http_access allow ltc1
All IP addresses mentioned in the file /etc/allowedips will be allowed unrestricted internet access other than access to site urls containing the phrases specified in the `badurls' acl.

# And finally deny all other access to this proxy

http_access allow localhost
Explanation :
Any user who accesses the internet from the squid proxy server itself will not be controlled by the access control lists and will have absolute unrestricted internet access.
This privilege should only be reserved for the squid server administrator.

http_access deny all
Any incoming web request that is not matched by any of the acl rules will be denied.

# TAG : visible_hostname
Specifies the hostname of the squid proxy server as defined in the file `/etc/hosts' or in DNS.

To start the squid proxy server service :
[root@akhisar root]# service squid start


Any change made to the file `/etc/squid/squid.conf' will need the service to be restarted.

[root@akhisar root]# service squid restart

To set the squid service to be permanently on:
[root@akhisar root]# chkconfig squid on

"Do not forget to create your access control files"
1. [root@akhisar root]# vi /etc/allowedips
     192.0.2.179
     192.0.2.176

2. [root@akhisar root]# vi /etc/domainrestrictedips
     192.0.2.167

3. [root@akhisar root]# vi /etc/timerestrictedips
     192.0.2.176

4. [root@akhisar root]# vi /etc/domains
     www.yahoo.com
     www.rediff.com

You can create any files by any name located in any folder, just specify the correct name and path to the files on the `acl' lines.

Note : Make sure that the time restricted IPs have also been defined in the `allowedips' file, else those IPs will be denied web access altogether: outside the restricted hours no `allow' rule matches them, so the final `deny all' applies.
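How the http_access rules above interact, including the case this note describes, modelled in Python as an added example (not code from the original post or from Squid itself). The list files are embedded as constructed copies of the four files created under /etc, `ACLS`, `decide` and `host_of` are names of this example only, and the 14:00 end of the time window is treated as exclusive here, which is an assumption about Squid's boundary handling.

```python
import re
from datetime import datetime

# Constructed copies of the four list files the post creates under /etc.
ALLOWED_IPS = {"192.0.2.179", "192.0.2.176"}     # /etc/allowedips
DOMAIN_RESTRICTED_IPS = {"192.0.2.167"}          # /etc/domainrestrictedips
TIME_RESTRICTED_IPS = {"192.0.2.176"}            # /etc/timerestrictedips
DOMAINS = {"www.yahoo.com", "www.rediff.com"}    # /etc/domains
BAD_URLS = [re.compile(p) for p in ("sex", "hardcore", "playboy.com")]
DAY_LETTERS = "MTWHFAS"   # Squid day codes, indexed by datetime.weekday() (Mon=0)

def host_of(url):
    """Destination host of a request URL, without scheme, port or path."""
    return url.split("//", 1)[-1].split("/", 1)[0].split(":", 1)[0]

def in_time_window(when):
    """acl ltc5 time SMT 12:00-14:00; 'when' is 'YYYY-MM-DD HH:MM' (end treated as exclusive here)."""
    t = datetime.strptime(when, "%Y-%m-%d %H:%M")
    return DAY_LETTERS[t.weekday()] in "SMT" and "12:00" <= t.strftime("%H:%M") < "14:00"

# Each acl from the post as a predicate over (src, url, when).
ACLS = {
    # url_regex is an unanchored, case-sensitive search over the whole URL, so
    # "sex" also blocks www.essex.ac.uk: over-blocking a defender should expect.
    "badurls": lambda src, url, when: any(r.search(url) for r in BAD_URLS),
    "ltc1": lambda src, url, when: src in ALLOWED_IPS,
    "ltc2": lambda src, url, when: src in DOMAIN_RESTRICTED_IPS,
    "ltc3": lambda src, url, when: host_of(url) in DOMAINS,   # dstdomain, exact host
    "ltc4": lambda src, url, when: src in TIME_RESTRICTED_IPS,
    "ltc5": lambda src, url, when: in_time_window(when),
    "localhost": lambda src, url, when: src == "127.0.0.1",
    "all": lambda src, url, when: True,
}

# The http_access lines in the order the post gives them.
HTTP_ACCESS = [
    ("deny", ["badurls"]), ("deny", ["ltc4", "ltc5"]),
    ("allow", ["ltc2", "ltc3"]), ("allow", ["ltc1"]),
    ("allow", ["localhost"]), ("deny", ["all"]),
]

def decide(src, url, when):
    """Squid semantics: acls on one line are ANDed; the first matching line wins."""
    for action, names in HTTP_ACCESS:
        if all(ACLS[n](src, url, when) for n in names):
            return action, " ".join(names)
    # When no line matches, Squid applies the opposite of the last line's action.
    return ("allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"), "(default)"
```

Squid's url_regex accepts a -i flag for case-insensitive matching; the patterns here are matched case-sensitively, as the post wrote them.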

Any change made in any of these files will require the squid service to be restarted.

visible_hostname akhisar : This line needs to be defined, else the squid service will fail to start. Set this parameter to the hostname of your computer as defined in the file /etc/hosts.

To configure authentication for Squid Proxy server :

We can also configure the squid server to request authentication whenever a user tries to access the internet through the squid proxy.

Perform the following configuration in the auth_param section of the squid.conf file.
[root@akhisar root]# vi /etc/squid/squid.conf
# TAG: auth_param
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentials ttl 2 hours

The first line points to the name and location of the external authenticator program used. Here we use the ncsa_auth software located in the /usr/lib/squid folder. We need to input all authorized username and password combinations into the file specified viz. /etc/squid/passwd. This passwd file will not exist by default, it needs to be created. You can create a file by any name under any folder.

[root@akhisar root]# cd /etc/squid
[root@akhisar squid]# touch passwd
Enter the authorized usernames/passwords you require.
[root@akhisar squid]# htpasswd passwd proxyuser
New password:
Re-type new password:
Adding password for user proxyuser

Here we create an authorized user by the name of `proxyuser' and assign him a password. This username/password combination will need to be used by requesting users to authenticate themselves before accessing the internet.

Create an Access Control List for ncsa_auth in the file /etc/squid/squid.conf :

[root@akhisar root]# vi /etc/squid/squid.conf
# ACCESS CONTROLS
acl password proxy_auth REQUIRED

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_access allow password

Here the name of the acl we create is `password'. The keyword used is `proxy_auth'. The parameter used is `REQUIRED' which will cause ncsa_auth to accept any valid username/password combination for authentication.

INSTALLING AN EXTERNAL MODEM :

To install an external modem :

Connect the modem to a serial port at the back of your computer and power it on.

Execute the following command :

# wvdialconf /etc/wvdial.conf

This starts the modem autodetection procedure. You will see the modem lights blinking, and a series of messages will be output on screen stating that the modem has been detected and the port on which it was detected (if all goes well).

[root@akhisar squid]# wvdialconf /etc/wvdial.conf
Scanning your serial ports for a modem.

Port Scan<*1>: Scanning ttyS0 first, /dev/modem is a link to it.
ttyS0<*1>: ATQ0 V1 E1 -- OK
ttyS0<*1>: ATQ0 V1 E1 Z -- OK
ttyS0<*1>: ATQ0 V1 E1 S0=0 -- OK
ttyS0<*1>: ATQ0 V1 E1 S0=0 &C1 -- OK
ttyS0<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 -- OK
ttyS0<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0 -- OK
ttyS0<*1>: Modem Identifier: ATI -- 33600
ttyS0<*1>: Speed 4800: AT -- OK
ttyS0<*1>: Speed 9600: AT -- OK
ttyS0<*1>: Speed 19200: AT -- OK
ttyS0<*1>: Speed 38400: AT -- OK
ttyS0<*1>: Speed 57600: AT -- OK
ttyS0<*1>: Speed 115200: AT -- OK
ttyS0<*1>: Max speed is 115200; that should be safe.
ttyS0<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0 -- OK


Found a modem on /dev/ttyS0, using link /dev/modem in config.
Modem configuration written to /etc/wvdial.conf.
ttyS0<Info>: Speed 115200; init "ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0"

Edit the `wvdial.conf' file and change the Phone, Username and Password lines (the quoted placeholders below) to your ISP's details.

[root@akhisar squid]# vi /etc/wvdial.conf
[Dialer Defaults]
Modem = /dev/modem
Baud = 115200
Init1 = ATZ
Init2 = ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
ISDN = 0
Modem Type = Analog Modem
Phone = "Your ISP's internet acces number"
Username = "Your internet username"
Password = "Your internet access password"


To dialup to the internet, execute the following command :

[root@akhisar root]# wvdial




