Ubuntu Server 10.10/Squid/SquidGuard/Authentication, Step by Step Options

[Uronacid]

Well Hello All,

As you all know, the economy sucketh at the moment. I need to implement a solution for web filtering in my company. I've decided to use a spare server that we own to accomplish this task with Linux.

I'm currently struggling to install a web proxy server with web filtering and authentication via Active Directory. So, I've decided to use this thread to document my findings regarding the process. Maybe this thread will help other people. Maybe I'll learn some new things from the community. If you have any hints or tips, please feel free to share them. Here goes nothing:

Problem: I do not have a web proxy at my company, and I don't want to pay for one. It needs to have some kind of authentication via Active Directory (Microsoft's LDAP Server). The server needs to be able to check if a user belongs to a group on the Domain Controller in order to determine their level of access on the Internet.

My Suggested Solution: I have a spare server just begging to have Linux installed. I'm very familiar with Ubuntu so that's the flavor of linux I've chosen for this task. Also, 10.10 came out recently and I'd be lying if I said I wasn't a little excited to try it out. I've found that SquidProxy combined with SquidGuard can do what's required.

1/12/2011:

1. I'm installing Ubuntu 10.10 x64. If you're interested in the details regarding an Ubuntu Linux installation, check out the following website:
   http://www.howtoforge.com/perfect-server-u...kat-ispconfig-3
2. Linux is installed, I'll need to run a few commands to manipulate this server remotely. First, I'm going to install OpenSSH. This will allow me to connect to the server over the network using an SSH client like PuTTY:
   
   CODE
   sudo apt-get install openssh-server
3. I need to give my Server a static IP address so I'm going to enter these commands:
   
   CODE
   sudo nano /etc/network/interfaces
   
   Then I'm going to change the config to look like this:
   
   CODE
   # This file describes the network interfaces available on your system
   # and how to activate them. For more information, see interfaces(5).
   
   # The loopback network interface
   auto lo
   iface lo inet loopback
   
   # The primary network interface
   auto eth0
   iface eth0 inet static
           address 192.168.10.2
           netmask 255.255.255.0
           network 192.168.10.0
           broadcast 192.168.10.255
           gateway 192.168.10.1
   
   
   In order to apply the changes, I need to restart the networking services:
   
   CODE
   sudo /etc/init.d/networking restart

1/13/2011:

1. To install some of the applications that we're going to use, I'll need a C compiler. Also, I'll need access to "make". A command used for installing many Linux applications. So run the following:
   
   CODE
   sudo apt-get install build-essential
2. Before we start installing all sorts of applications, lets update Ubuntu:
   
   CODE
   sudo apt-get update
   sudo apt-get upgrade
3. I'm not going to do anything special regarding configuration yet, let's just install apache2 & squid by running the following commands:
   
   CODE
   sudo apt-get install apache2
   sudo apt-get install squid
4. After installing squid it's important to note the following files:
   • /etc/squid/squid.conf - configuration file: this is the file we'll be manipulating like crazy to bend the proxy to our will.
   • /var/log/squid/access.log - access log: this file contains a log of web requests from users.
5. Now we'll need to give computers on the local network access to the network. You can do this by manipulating the Squid.conf file listed above. Access the config file with the following command:
   
   CODE
   sudo nano /etc/squid/squid.conf
   
   Now use the "Where Is" feature by pressing Ctrl+W. Search for "http_access allow localnet", and uncomment the line by removing the # symbol. Now press Ctrl+X, press "Y" to accept the changes, and hit <ENTER> when asked about the name of the document.
6. In order for squid to react to changes made in the config file you'll need to run the following command:
   
   CODE
   sudo squid -k reconfigure

At this point, as long as you have an internet connection, you should be able to utilize your proxy. If you're on a Windows Based PC, you can utilize your proxy server by:

1. Goto Start>Run or press Windows Key+R
2. Type "inetcpl.cpl" & press <Enter>
3. Goto Connections>LAN Settings
4. Check "Use a proxy server for your LAN"
5. Fill in your Proxy Server IP Address and use Port Number 3128
6. Click OK twice

You can watch your Proxy server fetch information for you by typing the following command on your Proxy server:

CODE

sudo tail -f /var/log/squid/access.log

You can press Ctrl+C to abort command. Use this to stop viewing the log.

Oh, if you want to change the port that Squid uses for a proxy. Find the line http_port 3128 in the squid.conf and change the number. Just remember to sudo squid -k reconfigure after you make the change.

1/18/2011:
I just haven't had time to work on this project lately. Lot's of requests for reporting off of our CRM from my Bosses.

1/19/2011
So I've been playing around with Kerberos authentication today... it's a bit of a pain in the ass. There isn't much documentation on the subject. Especially when authenticating against Windows 2008 Server. I'll post some more instruction when I have a stable enough build of the server.