Ubuntu Server 10.10/Squid/SquidGuard/Authentication, Step by Step
Uronacid
post Jan 12 2011, 01:17 PM
Post #1

Senior Member · Group: Official Member · Posts: 1,574 · Joined: Aug 2007 · Member No: 555,438

Well Hello All,

As you all know, the economy sucketh at the moment. I need to implement a solution for web filtering in my company. I've decided to use a spare server that we own to accomplish this task with Linux.

I'm currently struggling to install a web proxy server with web filtering and authentication via Active Directory. So, I've decided to use this thread to document my findings regarding the process. Maybe this thread will help other people. Maybe I'll learn some new things from the community. If you have any hints or tips, please feel free to share them. Here goes nothing:

Problem: I do not have a web proxy at my company, and I don't want to pay for one. It needs to have some kind of authentication via Active Directory (Microsoft's LDAP Server). The server needs to be able to check if a user belongs to a group on the Domain Controller in order to determine their level of access on the Internet.

My Suggested Solution: I have a spare server just begging to have Linux installed. I'm very familiar with Ubuntu, so that's the flavor of Linux I've chosen for this task. Also, 10.10 came out recently and I'd be lying if I said I wasn't a little excited to try it out. I've found that SquidProxy combined with SquidGuard can do what's required.

1/12/2011:
  1. I'm installing Ubuntu 10.10 x64. If you're interested in the details regarding an Ubuntu Linux installation, check out the following website:
    http://www.howtoforge.com/perfect-server-u...kat-ispconfig-3
  2. Linux is installed. I'll need to run a few commands to manipulate this server remotely. First, I'm going to install OpenSSH. This will allow me to connect to the server over the network using an SSH client like PuTTY:
    CODE
    sudo apt-get install openssh-server
  3. I need to give my server a static IP address, so I'm going to enter these commands:
    CODE
    sudo nano /etc/network/interfaces

    Then I'm going to change the config to look like this:
    CODE
    # This file describes the network interfaces available on your system
    # and how to activate them. For more information, see interfaces(5).

    # The loopback network interface
    auto lo
    iface lo inet loopback

    # The primary network interface
    auto eth0
    iface eth0 inet static
            address 192.168.10.2
            netmask 255.255.255.0
            network 192.168.10.0
            broadcast 192.168.10.255
            gateway 192.168.10.1


    In order to apply the changes, I need to restart the networking services:
    CODE
    sudo /etc/init.d/networking restart
1/13/2011:
  1. To install some of the applications that we're going to use, I'll need a C compiler. Also, I'll need access to "make", a command used for installing many Linux applications. So run the following:
    CODE
    sudo apt-get install build-essential
  2. Before we start installing all sorts of applications, let's update Ubuntu:
    CODE
    sudo apt-get update
    sudo apt-get upgrade
  3. I'm not going to do anything special regarding configuration yet, let's just install apache2 & squid by running the following commands:
    CODE
    sudo apt-get install apache2
    sudo apt-get install squid
  4. After installing squid it's important to note the following files:
    • /etc/squid/squid.conf - configuration file: this is the file we'll be manipulating like crazy to bend the proxy to our will.
    • /var/log/squid/access.log - access log: this file contains a log of web requests from users.
  5. Now we'll need to give computers on the local network access to the network. You can do this by manipulating the squid.conf file listed above. Access the config file with the following command:
    CODE
    sudo nano /etc/squid/squid.conf

    Now use the "Where Is" feature by pressing Ctrl+W. Search for "http_access allow localnet", and uncomment the line by removing the # symbol. Now press Ctrl+X, press "Y" to accept the changes, and hit <ENTER> when asked about the name of the document.
  6. In order for squid to react to changes made in the config file you'll need to run the following command:
    CODE
    sudo squid -k reconfigure
QUOTE
At this point, as long as you have an internet connection, you should be able to utilize your proxy. If you're on a Windows-based PC, you can utilize your proxy server by:
  1. Go to Start > Run or press Windows Key+R
  2. Type "inetcpl.cpl" & press <Enter>
  3. Go to Connections > LAN Settings
  4. Check "Use a proxy server for your LAN"
  5. Fill in your proxy server IP address and use port number 3128
  6. Click OK twice
You can watch your Proxy server fetch information for you by typing the following command on your Proxy server:
CODE
sudo tail -f /var/log/squid/access.log


You can press Ctrl+C to abort the command and stop viewing the log.

Oh, if you want to change the port that Squid uses for the proxy, find the line http_port 3128 in squid.conf and change the number. Just remember to run sudo squid -k reconfigure after you make the change.

1/18/2011:
I just haven't had time to work on this project lately. Lots of requests for reporting off of our CRM from my bosses.

1/19/2011:
So I've been playing around with Kerberos authentication today... it's a bit of a pain in the ass. There isn't much documentation on the subject, especially when authenticating against Windows Server 2008. I'll post some more instructions when I have a stable enough build of the server.
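An editor's example, added here and not part of Uronacid's post: the access-control part of /etc/squid/squid.conf as it should look once step 5 of 1/13 is done, for the Ubuntu 10.10 "squid" (2.7) package. Step 5 only uncomments `http_access allow localnet`, but the stock `localnet` ACL matches every RFC 1918 range (10/8, 172.16/12, 192.168/16), so any host that can route to the proxy is let through. The fragment narrows it to the 192.168.10.0/24 network from the interfaces file above and keeps `http_access deny all` as the last rule. Assumed: the stock Ubuntu squid.conf, which already defines the `manager`, `localhost`, `Safe_ports`, `SSL_ports` and `CONNECT` ACLs used below; the subnet is the one from the post and should be changed to match yours.

```conf
# Added example (editor's, not from the original post): access-control section
# of /etc/squid/squid.conf for squid 2.7 on Ubuntu 10.10. Assumes the stock
# file, which defines the manager, localhost, Safe_ports, SSL_ports and CONNECT
# ACLs already. Lines not shown here stay as shipped.

http_port 3128

# The stock localnet ACL lists all three RFC 1918 ranges. Replace it with the
# one subnet that should be allowed to use the proxy.
acl localnet src 192.168.10.0/24

# Cache manager only from the proxy itself.
http_access allow manager localhost
http_access deny manager

# Port hygiene before any allow rule: no proxying to odd ports, and CONNECT
# (tunnels) only to the SSL ports.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# The local network and the proxy host itself.
http_access allow localnet
http_access allow localhost

# Must remain the last http_access line: whatever did not match above is refused.
http_access deny all

# Do not announce the internal client address or the proxy to upstream sites.
forwarded_for off
via off

# Where the per-request log written in the post's "tail -f" step comes from.
access_log /var/log/squid/access.log squid
```

Run `sudo squid -k parse` before `sudo squid -k reconfigure`; it checks the file for errors (an unknown ACL name, for instance) without touching the running proxy. To confirm the narrowing worked, send a request from a host outside 192.168.10.0/24 and look for a TCP_DENIED/403 line in access.log.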
 
heyo-captain-jac...
post Jan 12 2011, 04:57 PM
Post #2

/人◕‿‿◕人\ · Group: Official Member · Posts: 8,283 · Joined: Dec 2007 · Member No: 602,927

I'll admit I kinda just skimmed through it, but why not just put the server on OpenDNS and route all traffic through it? I don't know how large the network is, so you might have some issue with packet collision, but if it's like 10 computers on the network it shouldn't be an issue.

edit:

Or just blacklist the sites you don't want people going on (or whitelist the ones you do) and again route through the server.
 
Uronacid
post Jan 13 2011, 08:24 AM
Post #3

QUOTE(boot @ Jan 12 2011, 04:57 PM)
I'll admit I kinda just skimmed through it, but why not just put the server on OpenDNS and route all traffic through it? I don't know how large the network is, so you might have some issue with packet collision, but if it's like 10 computers on the network it shouldn't be an issue.

edit:

Or just blacklist the sites you don't want people going on (or whitelist the ones you do) and again route through the server.



We have a network with 37 computers. I would say about 15-20 are consistently being used during work hours.

Packet collision shouldn't be a problem, because we only use switches.

OpenDNS would work for filtering web traffic to a certain extent, but different departments need different levels of access to the internet. We can't have black and white filtering. (Example: Facebook, only marketing should have access)

Also, I don't want unauthorized users to have access to our internet connection. If we add authentication then users who are unauthorized will not be able to access the internet.

Another thing to consider: on a Windows-based network DNS plays a major role in authentication. If I took DNS responsibility away from our Windows servers there are a few quirks you'd need to work out:
http://technet.microsoft.com/es-es/library...550(WS.10).aspx

Why am I using a Windows Based network? Two words, group policy.
 
Uronacid
post Jan 14 2011, 08:23 AM
Post #4

I'm starting to think that I should implement Kerberos authentication for automatic configuration, but with a fall-back to LDAP authentication. With Kerberos authentication, the browser will automatically authenticate users without having to ask for a password. If a user is using a browser like Chrome, then the proxy will fall back to LDAP authentication. The only problem is that there isn't much information regarding the squid_kerb_auth module in the Squid library.

Found a great blog post for doing the Kerberos part of the installation:
http://blogrootlinux.blogspot.com/2010/07/...beros-auth.html

I know it's in Spanish, but you can use Google Chrome to translate the text and understand the post.
 
Uronacid
post Jan 21 2011, 08:58 AM
Post #5

Just discovered that you can install the latest version of squid using apt-get install squid3. I'm going to rewrite this for the latest version.
 
Uronacid
post Jan 24 2011, 01:25 PM
Post #6

Looks like getting Kerberos authentication to work over Squid3 is much easier:
http://community.centrify.com/t5/Express-T...-04-10/ba-p/263
http://acksyn.org/diary/?p=491
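An editor's example, added here and taken neither from the thread nor from the linked blog posts: the authentication part of /etc/squid3/squid.conf that implements the design from post #4 (Kerberos first, Basic-over-LDAP as the fall-back, AD group membership deciding the level of access) for the squid3 (3.1) package post #5 switched to. Everything site-specific is assumed and must be adapted: AD domain example.local / Kerberos realm EXAMPLE.LOCAL, domain controller dc1.example.local, the proxy's DNS name proxy.example.local with a keytab for HTTP/proxy.example.local on the box (KRB5_KTNAME exported in /etc/default/squid3), a read-only bind account "squidbind", an AD group "Proxy-Marketing" under ou=Groups, and helper binaries under /usr/lib/squid3 (check the names with `ls /usr/lib/squid3` and every flag against the helper's `-h` output on your version).

```conf
# Added example (editor's, not from the thread or the linked posts):
# authentication section of /etc/squid3/squid.conf, squid3 3.1 on Ubuntu
# 10.10. Assumed: realm EXAMPLE.LOCAL, DC dc1.example.local, keytab for
# HTTP/proxy.example.local (KRB5_KTNAME set in /etc/default/squid3), bind
# account squidbind, AD group Proxy-Marketing in ou=Groups, helper paths
# under /usr/lib/squid3. Verify all of these before use.

# Squid offers challenges in the order the auth_param sections appear, so
# Negotiate comes first: domain-joined browsers that support it sign in
# silently with their Kerberos ticket. The service principal must be the
# proxy's DNS name as the browsers see it, never its IP address.
auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -s HTTP/proxy.example.local@EXAMPLE.LOCAL
auth_param negotiate children 10
auth_param negotiate keep_alive on

# Basic fallback, checked against AD over LDAP. Basic carries the password in
# clear text from browser to proxy, and from proxy to DC unless -Z (TLS) is
# added, so at minimum keep the proxy and the DC on a trusted segment.
# -R: do not chase AD referrals; -v 3: LDAPv3; -s sub: search the whole tree.
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -v 3 -s sub -b "dc=example,dc=local" -D "cn=squidbind,cn=Users,dc=example,dc=local" -w "CHANGE-ME" -f "(sAMAccountName=%s)" -h dc1.example.local
auth_param basic children 5
auth_param basic realm Company web proxy
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

# Group lookup for per-department access. %v is the login name as Squid saw
# it, %a the group name from the acl line. A Kerberos login arrives as
# user@EXAMPLE.LOCAL while a Basic login is the bare name, so match either
# the UPN or the sAMAccountName. memberOf does not expand nested groups; AD
# 2008 accepts the matching rule 1.2.840.113556.1.4.1941 on memberOf if you
# need that. Results are cached for ttl seconds to spare the DC.
external_acl_type ad_group ttl=300 %LOGIN /usr/lib/squid3/squid_ldap_group -R -v 3 -s sub -b "dc=example,dc=local" -D "cn=squidbind,cn=Users,dc=example,dc=local" -w "CHANGE-ME" -f "(&(|(sAMAccountName=%v)(userPrincipalName=%v))(memberOf=cn=%a,ou=Groups,dc=example,dc=local))" -h dc1.example.local

acl authenticated proxy_auth REQUIRED
acl marketing external ad_group Proxy-Marketing
acl social_sites dstdomain .facebook.com

# Place these after the stock Safe_ports/CONNECT rules and before
# "http_access deny all". Deny first: an unauthenticated client is challenged
# and never gets a page, which covers the post's "no unauthorized users"
# requirement. Then the department exception, then the general rule.
http_access deny !authenticated
http_access allow marketing
http_access deny social_sites
http_access allow authenticated
```

Test each helper on its own before wiring it in: `squid_ldap_auth` reads `user password` lines on stdin and answers OK or ERR, and `squid_ldap_group` reads `user group` lines the same way, so a failing bind DN or filter shows up there rather than as a mystery 407 in access.log. Then `sudo squid3 -k parse` and `sudo squid3 -k reconfigure`. Authenticated requests appear in access.log with the login name in the field the post's unauthenticated lines show as "-", which is also where you see whether a client came in via Negotiate (user@REALM) or Basic (bare name).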
 
