Install Proxy Authentication on CentOS 5
Install Squid on CentOS 5 / RHEL 5
Use yum command as follows:
[root@aku ~]# yum install squid
Output:Loading "installonlyn" plugin
Setting up Install Process
Setting up repositories
Reading repository metadata in from local files
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Package squid.i386 7:2.6.STABLE6-4.el5 set to be updated
--> Running transaction check
Dependencies Resolved
=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
squid i386 7:2.6.STABLE6-4.el5 updates 1.2 M
Transaction Summary
=============================================================================
Install 1 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 1.2 M
Is this ok [y/N]: y
Downloading Packages:
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: squid ######################### [1/1]
Installed: squid.i386 7:2.6.STABLE6-4.el5
Complete!
Squid Basic Configuration
The Squid configuration file is located at /etc/squid/squid.conf. Back up the original squid.conf first, then open the file with a text editor:
[root@aku ~]# vi /etc/squid/squid.conf
At a minimum you need to define an ACL (access control list) for squid to work. The default port is TCP 3128. The following example ACL allows access from your local networks 192.168.1.0/24 and 192.168.2.0/24. Adapt it to list the internal IP networks from which browsing should be allowed:
acl our_networks src 192.168.1.0/24 192.168.2.0/24
http_access allow our_networks
Save and close the file. Start the squid proxy server:
[root@aku ~]# /etc/init.d/squid start
Output:init_cache_dir /var/spool/squid... Starting squid: . [ OK ]
Verify that port 3128 is open:
[root@aku ~]# netstat -tulpn | grep 3128
Output:tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN 20653/(squid)
Open TCP port 3128
Finally, make sure iptables allows access to the squid proxy server. Open the /etc/sysconfig/iptables file:
[root@aku ~]# vi /etc/sysconfig/iptables
Append configuration:
-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp --dport 3128 -j ACCEPT
Restart the iptables based firewall:
[root@aku ~]# /etc/init.d/iptables restart
Output:Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_n[ OK ]
Client configuration
Open a web browser > Tools > Internet Options > Network settings > and set the Squid server IP address and port 3128.
[root@aku ~]# cat /etc/squid/squid.conf | sed '/ *#/d; /^ *$/d'
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src 192.168.0.0/24 192.168.1.0/24
http_access allow our_networks
http_access allow localhost
http_access deny all
icp_access allow all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
coredump_dir /var/spool/squid
Howto: Squid proxy authentication using ncsa_auth helper
For finer control you may need to use Squid proxy server authentication. This allows only authorized users to use the proxy server.
You need to use proxy_auth ACLs to configure ncsa_auth module. Browsers send the user's authentication in the Authorization request header. If Squid gets a request and the http_access rule list gets to a proxy_auth ACL, Squid looks for the Authorization header. If the header is present, Squid decodes it and extracts a username and password.
However, squid itself is not equipped with password authentication. You need the help of authentication helpers. The following are included by default in most squid builds and most Linux distros:
=> NCSA: Uses an NCSA-style username and password file.
=> LDAP: Uses the Lightweight Directory Access Protocol.
=> MSNT: Uses a Windows NT authentication domain.
=> PAM: Uses the Linux Pluggable Authentication Modules scheme.
=> SMB: Uses an SMB server like Windows NT or Samba.
=> getpwnam: Uses the old-fashioned Unix password file.
=> SASL: Uses SASL libraries.
=> NTLM, Negotiate and Digest authentication.
Configure an NCSA-style username and password authentication
I am going to assume that squid is installed and working fine.
Tip: Before going further, test basic Squid functionality. Make sure squid is functioning without requiring authorization :)
Step # 1: Create a username/password
First, create an NCSA password file using the htpasswd command. htpasswd creates and updates the flat files used to store usernames and passwords for basic authentication of squid users:
[root@aku ~]# htpasswd -c /etc/squid/passwd user1
Output:New password:
Re-type new password:
Adding password for user user1
Make sure squid can read the passwd file:
[root@aku ~]# chmod o+r /etc/squid/passwd
Note that o+r also lets every local account read the password hashes; if squid runs under its own user, making that user the file's owner with mode 640 is the tighter choice.
Step # 2: Locate the ncsa_auth authentication helper
Usually ncsa_auth is located at /usr/lib/squid/ncsa_auth. You can find out the location using the rpm (Red Hat, CentOS, Fedora) or dpkg (Debian and Ubuntu) command:
[root@aku ~]# dpkg -L squid | grep ncsa_auth
Output: /usr/lib/squid/ncsa_auth
If you are using RHEL/CentOS/Fedora Core or another RPM based distro, try:
[root@aku ~]# rpm -ql squid | grep ncsa_auth
Output:
/usr/lib/squid/ncsa_auth
Step # 3: Configure ncsa_auth for squid proxy authentication
Here is how to get a complete listing of squid.conf for your reference (grep removes all comment lines and sed removes all empty lines; thanks to David Klein for the quick hint):
[root@aku ~]# grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'
Or try sed alone (thanks to kotnik for the small sed trick):
[root@aku ~]# cat /etc/squid/squid.conf | sed '/ *#/d; /^ *$/d'
Note that the sed version deletes every line containing a "#", including directives with a trailing comment such as the acl Safe_ports port 80 # http lines. That is why Safe_ports is absent from the stripped listings on this page even though http_access deny !Safe_ports references it; the ACL is still present in the real file.
Now open the /etc/squid/squid.conf file:
[root@aku ~]# vi /etc/squid/squid.conf
Append (or modify) the following configuration directives:
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
Also find your ACL section and append/modify:
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
Save and close the file.
Where,
- auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd : Specifies the helper program location and the squid password file
- auth_param basic children 5 : The number of authenticator processes to spawn.
- auth_param basic realm Squid proxy-caching web server : Part of the text the user will see when prompted for their username and password
- auth_param basic credentialsttl 2 hours : Specifies how long squid assumes an externally validated username:password pair is valid, in other words how often the helper program is called again to validate that user's credentials. It is set to 2 hours.
- auth_param basic casesensitive off : Specifies whether usernames are case sensitive. It can only be on or off.
- acl ncsa_users proxy_auth REQUIRED : The REQUIRED term means that any authenticated user will match the ACL named ncsa_users
- http_access allow ncsa_users : Allow proxy access only if the user is successfully authenticated.
Restart squid:
[root@aku ~]# /etc/init.d/squid restart
Now the user is prompted for a username and password.
Configure Startup Service Squid using Redhat ntsysv tool
ntsysv is a simple interface for configuring runlevel services, which are also configurable through chkconfig. By default, it configures the current runlevel. Just type ntsysv and select the service you want to run:
[root@aku ~]# ntsysv
Select the squid service and click "ok". The equivalent chkconfig command is:
[root@aku ~]# chkconfig squid on
How do I test my squid proxy is working correctly?
See access log file /var/log/squid/access.log:
[root@aku ~]# tail -f /var/log/squid/access.log
The above command will monitor all incoming requests as they are logged to /var/log/squid/access.log. Now if somebody accesses a website through a browser, squid will log the request.
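To go beyond tailing the log, here is an added Python example (not part of the original tutorial) that parses the native "squid" log format selected by the access_log directive and counts, per client, the 407 credential challenges, the policy denials (TCP_DENIED/403) per user and URL, and the allowed requests per user. The log lines in SAMPLE_LOG are constructed for the example; user1, the client addresses and the URLs are assumptions.

```python
"""Summarise a Squid native-format access.log: challenged, denied and allowed requests."""
from collections import Counter

# Constructed sample lines in the 'squid' log format selected by the page's
# 'access_log /var/log/squid/access.log squid' directive (not a real capture;
# 192.0.2.0/24 is documentation address space). The last line is deliberately
# malformed to show that garbage is skipped rather than crashing the parser.
SAMPLE_LOG = """\
1208345678.123    245 192.168.1.10 TCP_MISS/200 4521 GET http://www.example.com/index.html user1 DIRECT/192.0.2.10 text/html
1208345680.456      0 192.168.1.11 TCP_DENIED/407 1730 GET http://www.example.com/ - NONE/- text/html
1208345681.002    312 192.168.1.11 TCP_MISS/200 9876 GET http://www.example.com/ user1 DIRECT/192.0.2.10 text/html
1208345690.789      0 192.168.1.12 TCP_DENIED/403 1500 GET http://www.facebook.com/ user1 NONE/- text/html
1208345695.111      0 192.168.1.12 TCP_DENIED/403 1512 GET http://files.example.com/setup.exe user1 NONE/- text/html
1208345699.500      0 10.0.0.5 TCP_DENIED/403 1420 GET http://www.example.com/ - NONE/- text/html
this line is garbage and must be skipped
"""


def parse_line(line):
    """Split one native-format line (time elapsed client code/status bytes method
    URL user hierarchy/peer type) into a dict; return None if malformed."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3] or not f[3].split("/", 1)[1].isdigit():
        return None
    code, status = f[3].split("/", 1)
    return {"client": f[2], "code": code, "status": int(status), "bytes": int(f[4]),
            "method": f[5], "url": f[6], "user": None if f[7] == "-" else f[7]}


def summarise(text):
    """Count 407 challenges per client, policy denials per (user, url), hits per user."""
    stats = {"challenged": Counter(), "denied": Counter(), "allowed": Counter()}
    for line in text.splitlines():
        r = parse_line(line)
        if r is None:
            continue
        who = r["user"] or r["client"]              # unauthenticated: fall back to the IP
        if r["status"] == 407:
            stats["challenged"][r["client"]] += 1   # Squid asked for credentials
        elif r["code"] == "TCP_DENIED":
            stats["denied"][(who, r["url"])] += 1   # bad_url, blockfiles or 'deny all'
        else:
            stats["allowed"][who] += 1
    return stats


if __name__ == "__main__":
    for bucket, counter in summarise(SAMPLE_LOG).items():
        print(bucket, dict(counter))
```

A client that keeps appearing under "challenged" without ever reaching "allowed" is either misconfigured or guessing passwords, which is the first thing to look for after turning on ncsa_auth.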
[root@aku ~]# cat /etc/squid/squid.conf | sed '/ *#/d; /^ *$/d'
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl ncsa_users proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow manager localhost
http_access allow ncsa_users
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src 192.168.0.0/24 192.168.1.0/24
http_access allow our_networks
http_access allow localhost
http_access deny all
icp_access allow all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
coredump_dir /var/spool/squid
How do I deny a user from accessing a particular site?
To block a site called foo.com you need to add the following two lines to your squid configuration file.
[root@aku ~]# vi /etc/squid/squid.conf
Search for `Access Controls' and append the following two lines:
1. Find and edit the ACCESS CONTROL part and put in ( acl bad_url dstdomain "/etc/squid/bad-sites.squid" ) as shown in the example below.
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 2083 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 2083 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl bad_url dstdomain "/etc/squid/bad-sites.squid"
2. Then put ( http_access deny bad_url ) in the http_access part.
# TAG: http_access
# Allowing or Denying access based on defined access lists
#
# Access to the HTTP port:
# http_access allow|deny [!]aclname ...
#
# NOTE on default values:
#
# If there are no "access" lines present, the default is to deny
# the request.
#
# If none of the "access" lines cause a match, the default is the
# opposite of the last line in the list. If the last line was
# deny, the default is allow. Conversely, if the last line
# is allow, the default will be deny. For these reasons, it is a
# good idea to have an "deny all" or "allow all" entry at the end
# of your access lists to avoid potential confusion.
#
#Default:
# http_access deny all
#
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
http_access deny bad_url
http_access allow ncsa_users
[root@aku ~]# vi /etc/squid/bad-sites.squid
.facebook.com
.meebo.com
.playboy.com
.myspace.com
Save and close the file. Restart Squid:
[root@aku ~]# /etc/init.d/squid restart
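As an added example (not part of the original tutorial), the following Python linter applies the first-match rule from the http_access comments above to a comment-stripped squid.conf listing, covering both the ncsa_users authentication rules and the bad_url block: it reports ACLs that http_access references but the listing never defines, checks that the list ends in deny all, and flags a deny of a dstdomain/url_regex ACL placed after an allow line that already admits those clients, which would leave the block unreachable. SAMPLE_CONF is constructed from the page's own listing with both mistakes introduced on purpose.

```python
"""Lint the http_access section of a comment-stripped squid.conf listing."""

# Constructed sample: the page's listing with two deliberate mistakes
# (Safe_ports is missing, as the sed '/ *#/d' filter drops its commented
# lines, and 'deny bad_url' sits after 'allow ncsa_users').
SAMPLE_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443
acl CONNECT method CONNECT
acl ncsa_users proxy_auth REQUIRED
acl our_networks src 192.168.0.0/24 192.168.1.0/24
acl bad_url dstdomain "/etc/squid/bad-sites.squid"
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow ncsa_users
http_access deny bad_url
http_access allow our_networks
http_access deny all
"""

BLOCKLIST_TYPES = {"dstdomain", "url_regex", "urlpath_regex"}  # content-blocking ACLs
CLIENT_TYPES = {"src", "proxy_auth"}                            # who-the-client-is ACLs


def parse_conf(text):
    """Return ({acl name: acl type}, [(action, [acl names]), ...]) in file order."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()        # drop trailing comments, keep directive
        if len(parts) >= 3 and parts[0] == "acl":
            acls.setdefault(parts[1], parts[2])     # first definition fixes the type
        elif len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], [n.lstrip("!") for n in parts[2:]]))
    return acls, rules


def lint_http_access(text):
    """Apply Squid's first-match evaluation to find undefined, missing or dead lines."""
    acls, rules = parse_conf(text)
    problems = []
    for action, names in rules:                     # Squid refuses to start on these
        for name in names:
            if name not in acls:
                problems.append(f"undefined acl '{name}' in 'http_access {action}'")
    if not rules or rules[-1] != ("deny", ["all"]):
        problems.append("last http_access line should be 'deny all'")
    allowed_so_far = []                             # allows that admit whole client groups
    for action, names in rules:
        kinds = {acls.get(n) for n in names}
        if action == "allow" and kinds <= CLIENT_TYPES:
            allowed_so_far.append(" ".join(names))
        elif action == "deny" and kinds & BLOCKLIST_TYPES and allowed_so_far:
            problems.append(f"'http_access deny {' '.join(names)}' never applies to "
                            f"clients already allowed by: {', '.join(allowed_so_far)}")
    return problems
```

Feed lint_http_access the output of the grep or sed listing commands given earlier; an empty list means the three checks passed.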
Change the block page notification. Back up the ERR_ACCESS_DENIED template in Squid's error page directory, then edit it:
#cp ERR_ACCESS_DENIED ERR_ACCESS_DENIEDBACKUP
#vi ERR_ACCESS_DENIED
<HTML>
<HEAD>
<TITLE>ERROR : BLOCK ! ACCESS DENIED </TITLE>
</HEAD>
<BODY>
<H1>Web Page is blocked due to new IT policy</H1>
<p>Please contact helpdesk for more information:</p>
Phone: 55555555 (ext 44)<br>
Email: helpdesk@yourcorp.com<br>
</BODY>
</HTML>
Let us say you would like to deny access for anyone who browses to a URL with the word "bar" in it. Append the following ACL:
acl blockregexurl url_regex -i bar
http_access deny blockregexurl
Save and close the file.
Squid content filtering: Block / download of music MP3, mpg, mpeg, exec files
Q. For security and to save bandwidth I would like to configure the Squid proxy server so that my users cannot download any of the following file types:
MP3
MPEG
MPG
AVG
AVI
EXE
How do I configure squid content filtering?
A. You can use squid ACL (access control list) to block all these files easily.
How do I block music files using squid content filtering ACL?
First open squid.conf file /etc/squid/squid.conf:
# vi /etc/squid/squid.conf
Now add following lines to your squid ACL section:
acl blockfiles urlpath_regex "/etc/squid/blocks.files.acl"
If you want to display a custom error message when a file is blocked:
# Deny all blocked extension
deny_info ERR_BLOCKED_FILES blockfiles
http_access deny blockfiles
Save and close the file.
Create a custom error message HTML file called ERR_BLOCKED_FILES in the /etc/squid/error/ directory or the /usr/share/squid/errors/English directory.
# vi ERR_BLOCKED_FILES
Append the following content:
<HTML>
<HEAD>
<TITLE>ERROR: Blocked file content</TITLE>
</HEAD>
<BODY>
<H1>File is blocked due to new IT policy</H1>
<p>Please contact helpdesk for more information:</p>
Phone: 555-12435 (ext 44)<br>
Email: helpdesk@yourcorp.com<br>
</BODY>
</HTML>