Ubuntu Server 10.10/Squid/SquidGuard/Authentication, Step by Step
Jan 12 2011, 01:17 PM
Post #1
Senior Member Group: Official Member Posts: 1,574 Joined: Aug 2007 Member No: 555,438
Well Hello All,
As you all know, the economy sucketh at the moment. I need to implement a solution for web filtering in my company. I've decided to use a spare server that we own to accomplish this task with Linux. I'm currently struggling to install a web proxy server with web filtering and authentication via Active Directory. So, I've decided to use this thread to document my findings regarding the process. Maybe this thread will help other people. Maybe I'll learn some new things from the community. If you have any hints or tips, please feel free to share them. Here goes nothing:

Problem: I do not have a web proxy at my company, and I don't want to pay for one. It needs to have some kind of authentication via Active Directory (Microsoft's LDAP Server). The server needs to be able to check if a user belongs to a group on the Domain Controller in order to determine their level of access on the Internet.

My Suggested Solution: I have a spare server just begging to have Linux installed. I'm very familiar with Ubuntu so that's the flavor of Linux I've chosen for this task. Also, 10.10 came out recently and I'd be lying if I said I wasn't a little excited to try it out. I've found that SquidProxy combined with SquidGuard can do what's required.

1/12/2011:
QUOTE At this point, as long as you have an internet connection, you should be able to utilize your proxy. If you're on a Windows Based PC, you can utilize your proxy server by:
CODE
sudo tail -f /var/log/squid/access.log

You can press Ctrl+C to abort the command. Use this to stop viewing the log. Oh, if you want to change the port that Squid uses for a proxy, find the line http_port 3128 in the squid.conf and change the number. Just remember to sudo squid -k reconfigure after you make the change.

1/18/2011: I just haven't had time to work on this project lately. Lots of requests for reporting off of our CRM from my bosses.

1/19/2011: So I've been playing around with Kerberos authentication today... it's a bit of a pain in the ass. There isn't much documentation on the subject. Especially when authenticating against Windows 2008 Server. I'll post some more instruction when I have a stable enough build of the server.
Jan 12 2011, 04:57 PM
Post #2
/人◕‿‿◕人\ Group: Official Member Posts: 8,283 Joined: Dec 2007 Member No: 602,927
I'll admit I kinda just skimmed through it but why not just put the server on opendns and route all traffic through it? I don't know how large the network is so you might have some issue with packet collision but if it's like 10 computers on the network it shouldn't be an issue
edit: or just blacklist the sites you don't want people going on (or whitelist the ones you do) and again route through the server
Jan 13 2011, 08:24 AM
Post #3
Senior Member Group: Official Member Posts: 1,574 Joined: Aug 2007 Member No: 555,438
QUOTE I'll admit I kinda just skimmed through it but why not just put the server on opendns and route all traffic through it? I don't know how large the network is so you might have some issue with packet collision but if it's like 10 computers on the network it shouldn't be an issue edit: or just blacklist the sites you don't want people going on (or whitelist the ones you do) and again route through the server

We have a network with 37 computers. I would say about 15-20 are consistently being used during work hours. Packet collision shouldn't be a problem, because we only use switches. OpenDNS would work for filtering web traffic to a certain extent, but different departments need different levels of access to the internet. We can't have black and white filtering. (Example: Facebook, only marketing should have access.) Also, I don't want unauthorized users to have access to our internet connection. If we add authentication then users who are unauthorized will not be able to access the internet.

Another thing to consider: on a Windows based network, DNS plays a major role in authentication. If I took DNS responsibility away from our Windows servers there are a few quirks you'd need to work out: http://technet.microsoft.com/es-es/library...550(WS.10).aspx

Why am I using a Windows Based network? Two words, group policy.
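The requirement stated in post #3, that nobody reaches the internet through the proxy without authenticating, can be checked against the access.log that post #1 tails. The following is an added example, not code from the thread: it assumes Squid's default native log format, and the function names, sample lines, addresses, user and realm are all constructed for illustration.

```python
import re
from collections import Counter

# Squid native access.log layout (the default "squid" logformat):
# time elapsed client code/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample lines (not from the thread); all values are placeholders.
SAMPLE_LOG = """\
1295880301.123    110 192.168.1.23 TCP_DENIED/407 1789 GET http://www.example.com/ - NONE/- text/html
1295880301.456    210 192.168.1.23 TCP_MISS/200 5120 GET http://www.example.com/ jsmith@EXAMPLE.LOCAL DIRECT/93.184.216.34 text/html
1295880310.002     95 192.168.1.40 TCP_MISS/200 2048 GET http://www.example.org/ jsmith DIRECT/93.184.216.34 text/html
1295880322.700    180 192.168.1.77 TCP_MISS/200 7300 GET http://www.example.net/ - DIRECT/93.184.216.34 text/html
1295880330.100      2 192.168.1.77 TCP_DENIED/403 1500 CONNECT example.com:443 - NONE/- text/html
garbage line
"""

def normalize_user(user):
    # Kerberos logins are logged as user@REALM; basic/LDAP logins are
    # typically the bare name. Fold both onto one account key.
    return user.split("@", 1)[0].lower()

def audit(lines):
    served_anonymous, challenged, by_user, unparsed = [], Counter(), Counter(), 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1          # count, never silently drop, odd lines
            continue
        rec = m.groupdict()
        if rec["status"] == "407":
            challenged[rec["client"]] += 1   # normal first leg of proxy auth
        elif rec["user"] == "-":
            # No user recorded: harmless if Squid denied it, a gap if it was served.
            if not rec["code"].startswith("TCP_DENIED"):
                served_anonymous.append((rec["client"], rec["url"]))
        else:
            by_user[normalize_user(rec["user"])] += 1
    return {"served_anonymous": served_anonymous, "challenged": dict(challenged),
            "by_user": dict(by_user), "unparsed": unparsed}

if __name__ == "__main__":
    print(audit(SAMPLE_LOG.splitlines()))
```

Any entry in `served_anonymous` means an `http_access allow` rule matched before the authentication ACL was evaluated, which is the misconfiguration to look for after each `squid -k reconfigure`.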
Jan 14 2011, 08:23 AM
Post #4
Senior Member Group: Official Member Posts: 1,574 Joined: Aug 2007 Member No: 555,438
I'm starting to think that I should implement Kerberos authentication for automatic configuration, but with a fall-back to LDAP authentication. With Kerberos authentication, the browser will automatically authenticate users without having to ask for a password. If a user is using a browser like Chrome, then the proxy will fall back to LDAP authentication. Only problem is that there isn't much information regarding the squid_kerb_auth module in the squid library.
Found a great blog post for doing the Kerberos part of the installation: http://blogrootlinux.blogspot.com/2010/07/...beros-auth.html I know it's in Spanish, but you can use Google Chrome to translate the text and understand the post.
Jan 21 2011, 08:58 AM
Post #5
Senior Member Group: Official Member Posts: 1,574 Joined: Aug 2007 Member No: 555,438
Just discovered that you can install the latest version of squid using apt-get install squid3. I'm going to rewrite this for the latest version.
Jan 24 2011, 01:25 PM
Post #6
Senior Member Group: Official Member Posts: 1,574 Joined: Aug 2007 Member No: 555,438
Looks like getting Kerberos authentication to work over Squid3 is much easier:
http://community.centrify.com/t5/Express-T...-04-10/ba-p/263
http://acksyn.org/diary/?p=491