http://cottagedata.com/security/squid/squid.html
Squid Proxy Server
Contents: Basic Configuration | Controlling Traffic | Blocking Access | Monitoring Traffic
1 of 7
10/7/2013 2:19 PM
proxy server. Simply follow the procedure appropriate to your operating system. For this article, I will assume the server is a Linux system. For instance, on an Ubuntu server, you would install squid with this simple command:
sudo apt-get install squid
On a Unix-type system, you will need to have superuser powers to edit the configuration file. On most systems, you would simply login as root to do this work. On some Linux distributions, however, you may need to use the sudo command to elevate your privileges. I am assuming you are familiar enough with your own system to know what to do.
The name_of_your_choice in this case is any word that you may want to use to refer to your network, such as "mylan" or "family_net". The sample configuration file that comes with squid uses "localnet" for this purpose but you can create your own. For our examples, we will use "mylan". The keyword "src" stands for source address. So, if your local network is 192.168.0.xxx and uses a subnet mask of 255.255.255.0 for instance, you would add this line to the configuration file:
acl mylan src 192.168.0.0/24
Note that the "acl" instruction can take many other forms, as you will see in the profuse comments in squid.conf. For instance, using "dst" instead of "src", you can specify destination addresses instead of source addresses. For our purposes here, we will limit the scope of our discussion to the bare necessities to get your users on the Web through the proxy server. To this end, we now need to tell squid that HTTP traffic is to be allowed for members of acl "mylan". This is done with the http_access directive in the form:
http_access allow your_acl_name
In our case, we would create this instruction:
http_access allow mylan
Since access rules are position-dependent, be sure to insert this line at the correct place in the file. Search for the phrase "INSERT YOUR OWN RULE(S) HERE" in the configuration file to find that place. Next, you need to create an "icp_access" instruction with the same format as the http_access line we just created, as in:
icp_access allow mylan
ICP stands for "Internet Cache Protocol" and this is what squid uses to find the most appropriate location for the requested object (such as its own cache, a cache on a different proxy server, or retrieving the page from the website itself). The above line tells squid to allow members of mylan to use this protocol to fetch pages. Search the configuration file for lines that begin with "icp_access" and insert your own line in that area. Make sure your new line comes before the line that denies access to all others (icp_access deny all). Finally, some installations will require you to specify the name under which your server will be known. Typically, this is the machine name you gave to this computer. Simply edit (or create) the line beginning with "visible_hostname" and specify your machine name, as in:
visible_hostname hal9000
That's it! With the above 4 modifications, squid is now configured for basic functionality, meaning it will allow clients (users) to access the Web through the proxy server. Start the squid daemon using the command appropriate for your Linux distribution. For instance, on Ubuntu, you would use service squid start; on OpenSUSE, you would use rcsquid start. And since squid will normally be configured to start up automatically at boot-time, you can probably just shut down and reboot your computer if you can't find a more elegant way to start the daemon.
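The four edits above are easy to put in the wrong place, and squid reads access rules top to bottom. The script below is an added example, not part of the original tutorial: it applies the four changes to a squid.conf with awk (acl and http_access after the "INSERT YOUR OWN RULE(S) HERE" marker, icp_access ahead of "icp_access deny all", visible_hostname replaced or appended) and then checks that each allow rule really precedes the matching "deny all". The squid.conf it operates on is a constructed stand-in for the stock file, and the acl name, network and hostname are the tutorial's own "mylan", 192.168.0.0/24 and hal9000.

```shell
#!/bin/sh
# Added example: apply the tutorial's four basic-configuration edits to a squid.conf with awk,
# then verify that the allow rules land before the "deny all" lines.
# The configuration below is constructed here; it only mimics the stock file's layout.

configure_basic_squid() {
    # $1 = path to squid.conf, $2 = acl name, $3 = LAN in CIDR form, $4 = visible hostname
    cfg_tmp=$(mktemp)
    awk -v name="$2" -v net="$3" -v host="$4" '
    # Edits 1 and 2: the acl and its http_access line go right after the marker comment.
    /INSERT YOUR OWN RULE\(S\) HERE/ { print; print "acl " name " src " net; print "http_access allow " name; next }
    # Edit 3: icp_access allow must precede "icp_access deny all".
    $1 == "icp_access" && $2 == "deny" && $3 == "all" && !icp_done { print "icp_access allow " name; icp_done = 1 }
    # Edit 4: replace an existing visible_hostname, or append one at the end.
    $1 == "visible_hostname" { print "visible_hostname " host; host_done = 1; next }
    { print }
    END { if (!host_done) print "visible_hostname " host }
    ' "$1" > "$cfg_tmp" && mv "$cfg_tmp" "$1"
}

rule_order_ok() {
    # $1 = squid.conf, $2 = directive (http_access or icp_access), $3 = acl name
    # Succeeds when "<directive> allow <acl>" is present and comes before "<directive> deny all".
    awk -v d="$2" -v n="$3" '
    $1 == d && $2 == "allow" && $3 == n && !allow_at { allow_at = NR }
    $1 == d && $2 == "deny" && $3 == "all" && !deny_at { deny_at = NR }
    END { ok = allow_at && (!deny_at || allow_at < deny_at); exit (ok ? 0 : 1) }' "$1"
}

# Constructed stand-in for the distribution squid.conf (the real file is much longer).
CONF=$(mktemp)
trap 'rm -f "$CONF"' EXIT
cat > "$CONF" <<'EOF'
acl localhost src 127.0.0.1/32
acl Safe_ports port 80
http_access deny !Safe_ports
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access allow localhost
http_access deny all
icp_access deny all
http_port 3128
EOF

configure_basic_squid "$CONF" mylan 192.168.0.0/24 hal9000
rule_order_ok "$CONF" http_access mylan && echo "http_access order OK"
rule_order_ok "$CONF" icp_access mylan && echo "icp_access order OK"
grep -n -E '^(acl mylan|http_access allow mylan|icp_access allow mylan|visible_hostname)' "$CONF"
```

rule_order_ok is worth keeping around on its own: run it against the live file after any later edit, since a rule that has drifted below "deny all" fails silently rather than loudly.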
The server may well be ready for action, but the users' PCs must also be told to use the new proxy server. On a Windows PC, you would do this through the Control Panel by navigating from the Networking panel down to Internet Options and LAN Settings. Unfortunately, since there are so many different versions of Windows, each with slightly different menus under the Control Panel, it's impractical to provide detailed directions here. Fortunately, you can access the same panel through the Internet Explorer Web browser by clicking on Tools > Internet Options > Connections > LAN Settings. In that panel, check the box for "Use a proxy server" and enter the IP address of your proxy server as well as the port specified in the squid.conf file. That value will usually be 3128, but look for the line that starts with "http_port" in squid.conf to be sure. With this small change done, your Web browser will now access the Web through the proxy server. Make this same modification on all the PCs that need to use the proxy and you're done! This change affects all other applications on the PC, such as other Web browsers, FTP clients and telnet communication programs, unless they have been specifically configured not to use a proxy. For instance, the Firefox browser features a checkbox in the Advanced > Network configuration screen for "No proxy," so check this out if you're having difficulty using this program through a proxy server.
NOTE: It is possible, under some conditions, to implement a proxy server without having to manually configure each client PC as we have just described here. See the "Transparent Proxy" section below for details.
port 80 (HTTP) to your proxy server, all regular Web traffic will go through the proxy, but all other types of traffic, such as email, ftp and telnet, will continue to go directly to your Internet connection, bypassing the proxy server. In practice, that's probably not an issue, since those other protocols would not benefit much from a caching proxy and are not usually the protocols you want to control and monitor anyway. Another issue is that HTTPS (secure HTTP) may not work correctly if you intercept it since, as a secure protocol, it is designed to defeat man-in-the-middle attacks, and an intercepting proxy is precisely that. There have also been other technical problems detected with transparent proxies, especially when dealing with older browsers. Without going into these details, let me simply say that while a transparent proxy is very convenient, you should only consider it if the alternative (configuring your client PCs manually) is truly undesirable. If you are still interested in setting up a transparent proxy, here is how it's done:
1. Configure your router or firewall to redirect port 80 to the IP address and port of your proxy server.
2. Edit the squid configuration file to inform it that it should run as a transparent proxy.
Let's examine each step in greater detail.
The first line enables packet forwarding on the system; this is required in order to perform any kind of port redirection. The second instruction (shown on 2 lines here, although it should be entered as a single command) causes all incoming traffic for port 80 to be redirected to port 3128 on the same system. If you have changed the default port in your squid.conf file, specify your custom port number here instead. If your system is already configured as a router or firewall, you probably have a shell script somewhere with lines similar to those above; incorporate these instructions in that script so that they are executed automatically whenever the system is booted. By the way, if you are not familiar with configuring firewalls on Linux, these instructions are probably totally cryptic to you. Unfortunately, that topic is outside the scope of this document, so you may want to read up on the subject in separate documentation.
Then, stop and restart the squid daemon and you're done. On most current Linux distributions, you would do this using the command:
service squid restart
On older versions of squid, there are a number of configuration lines to add to the squid.conf file to make it operate as a transparent proxy, but we will not delve into this here since it is generally simpler to just upgrade your squid software to a current version.
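The most common mistake in the two steps above is redirecting to 3128 after the listening port was changed in squid.conf. The script below is an added example, not code from the tutorial: it reads the port from the first http_port line (handling an "address:port" form and trailing options) and derives the forwarding and redirection commands from it instead of hard-coding the number. The squid.conf fragment is constructed here; the interface name eth0, the sysctl form of the forwarding switch and the "http_port ... intercept" keyword (Squid 3.1 and later; earlier releases spelt it "transparent") are assumptions of the example. By default it only prints the commands; it runs them only when invoked with --apply, as root, on the router.

```shell
#!/bin/sh
# Added example: derive the transparent-proxy redirection from the port squid actually listens on.
# Nothing here touches the firewall unless the script is run with --apply as root.

squid_http_port() {
    # $1 = squid.conf; prints the port of the first http_port line (handles "addr:port" and
    # trailing options such as "intercept"), or 3128 when the directive is absent (Squid's default).
    awk '$1 == "http_port" { p = $2; sub(/^.*:/, "", p); print p; found = 1; exit }
         END { if (!found) print 3128 }' "$1"
}

transparent_redirect_cmds() {
    # $1 = LAN-facing interface, $2 = squid port. Emits the two commands the tutorial describes:
    # enable forwarding, then send inbound port-80 traffic to squid on this host. Locally generated
    # packets (squid's own fetches) never traverse PREROUTING, so the rule cannot loop.
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' "$1" "$2"
}

# Constructed squid.conf fragment: port changed from the default and interception enabled.
CONF=$(mktemp)
trap 'rm -f "$CONF"' EXIT
cat > "$CONF" <<'EOF'
http_port 8080 intercept
acl mylan src 192.168.0.0/24
http_access allow mylan
http_access deny all
EOF

LAN_IF=${LAN_IF:-eth0}          # assumption: the interface facing the client PCs
PORT=$(squid_http_port "$CONF")
if [ "${1-}" = "--apply" ]; then
    transparent_redirect_cmds "$LAN_IF" "$PORT" | sh -e   # run as root on the router
else
    echo "# dry run: rules for $LAN_IF -> squid port $PORT"
    transparent_redirect_cmds "$LAN_IF" "$PORT"
fi
```

Point squid_http_port at the real /etc/squid/squid.conf rather than the constructed fragment when using this for real, and keep the printed rules in the same boot-time firewall script the tutorial mentions so they survive a reboot.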
The keyword "url_regex" stands for "URL regular expressions," which means the file we specified may include wild-card expressions to describe the names we wish to blacklist. So, let's create the file we specified (/etc/squid/blocked_sites in our example) using a standard text editor. Let's assume we want to preclude our users from accessing YouTube and Facebook. To do this, we would add the following lines to that file:
.youtube.com
.facebook.com
This would match any domain name containing these strings, such as "www.youtube.com" or "facebook.com/login.php." IMPORTANT: Be sure to start domain names with a dot if you want to block all sub-domains belonging to that domain. For instance, ".youtube.com" will block "www.youtube.com" while "youtube.com" will only block "youtube.com" and no sub-domains of it. The following lines would block any domain name with the strings "porn", "sex" or "gambl" in them:
porn
sex
gambl
This would successfully block sites like "thegambler.com" and "gambling.com." However, these broad restrictions might also have unintended effects, such as blocking access to legitimate sites such as "sussex.com" which happen to contain one of our forbidden text strings. Unfortunately, there is no easy way to block all sites dealing with a particular subject matter, such as pornography or gambling, since they may be listed under domain names that give no indication as to their nature. However, there are people on the Internet who maintain lists of known "undesirable" sites and you should be able to locate a suitable list with a small amount of research.
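Squid evaluates a url_regex file by trying each line as an extended regular expression against the whole URL, so grep -E -f reproduces its decisions exactly and lets you test a blacklist before loading it. The script below is an added example, not from the tutorial: it uses the tutorial's own five patterns as a constructed /etc/squid/blocked_sites and shows the "sussex.com" side effect, then a tightened version of the same list that anchors on the host part and escapes the dots. Two caveats a regex user should know: an unescaped dot matches any character, so ".youtube.com" also matches "notyoutube.com"; and the leading-dot convention for "this domain and all its sub-domains" is the one used by squid's dstdomain acl type, which is the simpler choice when whole domains rather than patterns are being blocked. The URLs tested are constructed for the example.

```shell
#!/bin/sh
# Added example: test URLs against a url_regex blacklist the way Squid evaluates it. Every line of
# the file is an extended regular expression looked for anywhere in the full URL (case-sensitively
# unless the acl is declared "url_regex -i"); grep -E -f does the same.

url_blocked() {
    # $1 = URL, $2 = pattern file; exit 0 when some pattern matches (the request would be denied)
    printf '%s\n' "$1" | grep -E -q -f "$2"
}

# Constructed copy of the tutorial's /etc/squid/blocked_sites.
LOOSE=$(mktemp)
STRICT=$(mktemp)
trap 'rm -f "$LOOSE" "$STRICT"' EXIT
cat > "$LOOSE" <<'EOF'
.youtube.com
.facebook.com
porn
sex
gambl
EOF

# Tightened version: anchor on the host part of the URL and escape the literal dots, so only the
# named domain and its sub-domains match, and the same letters elsewhere in the URL do not.
cat > "$STRICT" <<'EOF'
^https?://([^/]*\.)?youtube\.com(:[0-9]+)?(/|$)
^https?://([^/]*\.)?facebook\.com(:[0-9]+)?(/|$)
^https?://([^/]*\.)?gambling\.com(:[0-9]+)?(/|$)
EOF

for url in 'http://www.youtube.com/watch?v=abc' \
           'http://sussex.com/' \
           'http://notyoutube.com/' \
           'http://example.org/?ref=gambling.com'; do
    url_blocked "$url" "$LOOSE"  && l=blocked || l=allowed
    url_blocked "$url" "$STRICT" && s=blocked || s=allowed
    printf '%-40s loose=%-8s strict=%s\n' "$url" "$l" "$s"
done
```

Whichever list you settle on, run a handful of URLs you expect to allow through it as well as the ones you expect to block; the unintended matches are the ones users report.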
IMPORTANT: The order in which the instructions are specified in squid.conf matters. For instance, setting a rule to deny a particular access after another rule that allows this access to "all" will have no effect, so be careful to place your instructions logically. If things don't work as expected on your first try, just keep fiddling with your settings; it can all be made to work!
or ports we want to affect, and then creating an http_access deny rule to preclude this access. For instance, to disallow Web traffic (port 80) on our LAN, we would create the following instructions:
acl some_name port 80
http_access deny some_name
For instance, if we choose to label our acl "blocked_port," our entries in squid.conf would look like this:
acl blocked_port port 80
http_access deny blocked_port
What if we wanted to give Web access to one particular computer on our network while disallowing all others? We would create a second acl corresponding to the IP address of the privileged computer, and then specify that the "deny" rule does not apply to it by preceding that acl label with an exclamation mark, which indicates the negative. For instance, in the following segment, we are creating an acl named "allowed_pc" corresponding to a given source address (src), and then we negate it in the http_access deny clause, thus excluding it from the rule:
acl blocked_port port 80
acl allowed_pc src 192.168.1.123
http_access deny blocked_port !allowed_pc
These instructions tell squid: "Deny access to the access list specified by 'blocked_port' but not to the access list specified by 'allowed_pc'."
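Two things about http_access are easy to get wrong and hard to see without squid running: the first line whose acls all match decides the request (so a deny placed after "allow all", as warned in the IMPORTANT note above, never fires), and "!acl" on a line negates just that one acl. The script below is an added example rather than anything from the tutorial: a small awk evaluator of http_access semantics for the acl types used on this page (src with a single address or CIDR prefix, port, and the built-in "all"), run against two constructed configurations, the negated-acl example above placed correctly and the same deny rule placed after an "allow all". Other acl types are not modelled, and squid's real evaluator has more cases than this; the point is the first-match rule and negation.

```shell
#!/bin/sh
# Added example: a small evaluator for squid's http_access decision, enough to see why rule order
# matters and how "!acl" negation works. Models acl types src (single address or CIDR), port and
# the built-in "all"; other acl types (dstdomain, url_regex, ...) never match here.

http_access_decision() {
    # $1 = config file, $2 = client IP, $3 = destination port; prints "allow" or "deny"
    awk -v ip="$2" -v port="$3" '
    # Dotted quad -> integer, so CIDR prefixes can be compared without bit operators (absent in POSIX awk).
    function ip2int(a,    q) { split(a, q, "."); return ((q[1] * 256 + q[2]) * 256 + q[3]) * 256 + q[4] }
    function acl_match(name,    val, c, bits, div) {
        if (name == "all") return 1
        if (!(name in type)) return 0          # unknown acl: squid would reject the config
        val = value[name]
        if (type[name] == "port") return (val == port)
        if (type[name] == "src") {
            bits = 32
            if (index(val, "/")) { split(val, c, "/"); val = c[1]; bits = c[2] }
            div = 2 ^ (32 - bits)              # drop the host bits from both addresses and compare
            return (int(ip2int(ip) / div) == int(ip2int(val) / div))
        }
        return 0
    }
    $1 == "acl" && NF >= 4 { type[$2] = $3; value[$2] = $4; next }   # one value per acl line
    $1 == "http_access" {
        last = $2; ok = 1
        for (i = 3; i <= NF; i++) {            # every acl on the line must match (logical AND)
            a = $i; neg = (substr(a, 1, 1) == "!")
            if (neg) a = substr(a, 2)
            m = acl_match(a)
            if (neg) m = !m
            if (!m) { ok = 0; break }
        }
        if (ok) { decided = 1; print last; exit }   # first matching line wins; later lines are never seen
    }
    END {
        # No line matched: squid applies the opposite of the last rule (deny when there are none).
        if (!decided) { v = (last == "deny") ? "allow" : "deny"; print v }
    }' "$1"
}

GOOD=$(mktemp); BAD=$(mktemp)
trap 'rm -f "$GOOD" "$BAD"' EXIT
# Constructed: the tutorial's port block with one exempted PC, placed before the LAN allow rule.
cat > "$GOOD" <<'EOF'
acl mylan src 192.168.1.0/24
acl blocked_port port 80
acl allowed_pc src 192.168.1.123
http_access deny blocked_port !allowed_pc
http_access allow mylan
http_access deny all
EOF
# Constructed: the same deny rule placed after an "allow all", where it can never take effect.
cat > "$BAD" <<'EOF'
acl blocked_port port 80
http_access allow all
http_access deny blocked_port
EOF

for who in 192.168.1.123:80 192.168.1.50:80 192.168.1.50:443 10.0.0.5:80; do
    printf '%-18s good=%-6s bad=%s\n' "$who" \
        "$(http_access_decision "$GOOD" "${who%:*}" "${who#*:}")" \
        "$(http_access_decision "$BAD" "${who%:*}" "${who#*:}")"
done
```

Note that with the good configuration 10.0.0.5 (outside mylan) is denied port 80 by the blocked_port rule and would be denied everything else by "deny all", while 192.168.1.123 keeps port 80 only because "!allowed_pc" stops the deny line from matching it.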
Lucky for us, there is a utility named sarg, the Squid Analysis Report Generator, that can be used to parse this log, gather useful statistics from it, and generate a friendly and convenient Web-browsable report that you can examine with any Web browser. In its simplest form, you invoke sarg with the name of the log file you wish to examine, like this:
sarg /var/log/squid/access.log
In mere seconds, sarg will have created an HTML report that you can then examine with your Web browser. By default, the report is created in /var/lib/sarg under a subdirectory named after the date range covered by the log file you specified as an argument. For instance, if the log file covered the period March 17 to April 5, 2011, the HTML report will be found in a directory named /var/lib/sarg/2011Mar17-2011Apr05. To read it, point your browser to the file index.html in that directory. On that page, you will get a summary of usage as well as clickable links to list the top sites, sites and users, downloads and denied accesses. The sarg utility features a number of command-line options to modify its default behavior, and can also be configured through its configuration file, /etc/sarg/sarg.conf. This file specifies the default location of the squid log, the output directory for the HTML report, and numerous display options for the final report, including custom titles and font styles. We are not going to examine all these options here, but you are encouraged to check out the documentation and examine the contents of sarg.conf to help you customize your reports as desired. Finally, if entering commands from the shell prompt isn't your thing and you just want to be able to check out the usage log every morning to see who's doing what, you can simply create a crontab* entry to run the report once a day automatically. This way, all you need to do is point your browser to the latest HTML report when you get to work in the morning.
*Note: crontab is a standard service on Unix-type operating systems to schedule periodic tasks, such as this daily report. A description of how to use this service is unfortunately outside the scope of this tutorial.
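To see what sarg's "top sites", "users" and "denied accesses" pages are computed from, it helps to build the same three summaries directly from squid's native access.log. The script below is an added example, not part of the tutorial or of sarg: three awk one-liners over the native log format (time, elapsed ms, client address, result code/status, bytes, method, URL, user, hierarchy/peer, content type), run on a handful of constructed log lines. Without proxy authentication the "user" column is "-", which is why sarg reports by client address instead; a request refused by the blocked_sites acl shows up as TCP_DENIED/403.

```shell
#!/bin/sh
# Added example: the kind of summary sarg builds, done directly on squid's native access.log with
# awk, so the inputs to "top sites", "users" and "denied accesses" are visible.
# Native log fields: time elapsed client code/status bytes method URL user hierarchy/peer type

top_sites() {
    # $1 = access.log; prints "bytes host" per destination host, largest first.
    # CONNECT requests log "host:port" with no scheme, so strip an optional scheme, then the rest.
    awk '{ host = $7; sub(/^[a-z]+:\/\//, "", host); sub(/[\/:].*$/, "", host); bytes[host] += $5 }
         END { for (h in bytes) print bytes[h], h }' "$1" | sort -rn
}

bytes_per_client() {
    # $1 = access.log; prints "bytes client" (sarg labels this "user" when no proxy auth is in use)
    awk '{ b[$3] += $5 } END { for (c in b) print b[c], c }' "$1" | sort -rn
}

denied_requests() {
    # $1 = access.log; client and URL of every request squid refused (TCP_DENIED, e.g. a blocked_sites hit)
    awk '$4 ~ /^TCP_DENIED/ { print $3, $7 }' "$1"
}

# Constructed log lines in squid's native format (addresses from documentation ranges).
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
1300000000.101   120 192.168.0.5 TCP_MISS/200 15234 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1300000000.356    40 192.168.0.5 TCP_HIT/200 2048 GET http://www.example.com/logo.png - NONE/- image/png
1300000001.010   210 192.168.0.7 TCP_MISS/200 51200 GET http://cdn.example.net/big.js - DIRECT/203.0.113.9 application/javascript
1300000001.400     2 192.168.0.7 TCP_DENIED/403 3600 GET http://www.youtube.com/watch?v=x - NONE/- text/html
1300000002.222   900 192.168.0.9 TCP_MISS/200 80000 CONNECT mail.example.org:443 - DIRECT/198.51.100.4 -
EOF

echo "== top sites (bytes host) =="; top_sites "$LOG"
echo "== bytes per client =="; bytes_per_client "$LOG"
echo "== denied requests =="; denied_requests "$LOG"
```

Run against the real /var/log/squid/access.log this is a quick sanity check on sarg's figures; like sarg, it can be scheduled from cron (an entry such as "0 6 * * * /path/to/this/script" runs it daily at 06:00) so the previous day's summary is waiting in the morning.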
Conclusion
We have only scratched the surface of squid's impressive set of features in this document. The rich array of configuration options offered by squid should allow you to implement just about any set of controls and restrictions you wish to have on your network. Fortunately, there is a lot of information available on squid, starting with the generous comments in squid.conf and the documentation that comes with the package (look in /usr/share/doc/squid). Of course, the Internet is also full of helpful blogs and documentation.