SquidGuard

------------

Step-by-step instructions

1. Install Squid, start it, and set it to start on boot.

$ su -

# yum install squid

# service squid start

# chkconfig squid on

Check to see if it is listening on port 3128.

# netstat -antp |grep squid

# ps -aux |grep squid

2. Edit the Squid configuration file to change Squid from IPv6 to IPv4. Reload Squid.

# vim /etc/squid/squid.conf

On line 62, change http_port :::3128 to http_port 0.0.0.0:3128

Save and quit.

# service squid reload

or

# service squid restart

3. Now that squid is running you can test it out directly from your CentOS Linux machine by setting Firefox to use the Squid web proxy. Open Firefox and go to File > Options > advanced > network tab > connection settings > manual proxy configuration.

Set it to: 127.0.0.1:3128

Now request a web page from Firefox. The request will be forwarded to Squid, running on the local system at the loopback address and port 127.0.0.1:3128. You can also test Squid from a different computer on the network, by adjusting the computer's web browser settings to use a proxy. In Internet Explorer go to Tools > Internet options > Connections (tab) > LAN settings > Proxy server and set the address to the IP address of the proxy server and the port number to 3128. In Firefox, go to File > Options > advanced > network tab > connection settings > manual proxy configuration, and set the address and port number to the proxy server's IP address and port number 3128.

*Note: In order to test the Squid proxy server from another computer you will need to make sure that the proxy server's firewall is not blocking outside requests. Depending on the release and type of CentOS Linux distribution, the iptables firewall can be actively blocking outside requests. You will need to add a rule to allow requests on port 3128. In the meantime, for testing purposes just turn off the iptables firewall.  

# service iptables stop 

4. You can monitor the access log to see it working.

# tail -f /var/log/squid/access.log 

Now browse the web in Firefox, or the web browser of your choice to see if you are able to receive webpages through the Squid proxy. If you are able to successfully reach websites, then the Squid proxy is working correctly and allowing web requests. Look to the output of Squid's access.log file to see the requests reaching Squid (issue the tail command shown above). 

5. With Squid working you can now go about installing SquidGuard.

If you do not already have the EPEL repositories, you will need to install additional repositories in CentOS in order to access necessary software packages that are not available in the default repositories. Install the Extra Packages for Enterprise Linux (EPEL), the epel-release for the current version of Enterprise Linux (EL6). You can find it at the following website: http://fedoraproject.org/wiki/EPEL. A direct link to the RPM is in the command below. Eventually the link will be outdated and need to be replaced. For 64-bit systems you can change /i386/ to /x86_64/ in the command below.

# yum install http://ftp.osuosl.org/pub/fedora-epel/6/i386/epel-release-6-8.noarch.rpm

Now install SquidGuard.

# yum install squidGuard

6. Now that SquidGuard is installed, open Firefox and go to the SquidGuard website: http://squidguard.org. The SquidGuard website has links to configuration documentation and websites to download blacklists. You need to download a blacklists file. You can go to http://dsi.ut-capitole.fr/blacklists/ and get the link for the blacklists.tar.gz file, then use wget to download blacklists.tar.gz by copying and pasting the link, or you can download it through the Firefox web browser. SquidGuard has its own blacklists.tar.gz file, and you will eventually want to replace it with the newer blacklists.tar.gz file that you downloaded. Before you do that, you can create a test blacklists file for SquidGuard to block. To do that, create a blacklists directory in the /var/squidGuard/ directory. Then, in the new blacklists directory, use vim to create and edit a text file named testdomains.

# cd /var/squidGuard

# mkdir blacklists

# cd blacklists

# vim testdomains

Type in three lines of text to add some test domains to block:

yahoo.com

msn.com

whatever-you-want-to-block.com

Save and exit.

7. Now edit the squidGuard.conf file to configure it to work with the testdomains file. You may want to back up the squidGuard.conf file before making changes.

# cp /etc/squid/squidGuard.conf /etc/squid/squidGuard.conf.BAK

# vim /etc/squid/squidGuard.conf

In the config file, add the following text elements in red. Be careful in your edits; incorrect syntax will cause squidGuard to fail. The beginning of the text file has been omitted.

#dest adult {
#    domainlist blacklists/porn/domains
#    urllist blacklists/porn/urls
#    expressionlist blacklists/porn/expressions
#    redirect http://admin.foo.bar.de/cgi/blocked?clientaddr=%a+clientname=%n+clientuser=%i+clientgroup=%s+targetgroup=%t+url=%u
#}

dest test {
    domainlist testdomains
    redirect http://www.google.com
}

acl {
    admin {
        pass any
    }

    foo-clients within workhours {
    #    pass good !in-addr !adult any
    } else {
        pass any
    }

    bar-clients {
        pass local none
    }

    default {
        pass !test any
        rewrite dmz
        redirect http://www.google.com
    }
}

8. Now compile the SquidGuard blacklists and chown the blacklists to be accessible by Squid.

# squidGuard -b -d -C all

# chown -R squid /var/squidGuard/blacklists 

9. Edit the squid.conf file and then reload Squid.

# vim /etc/squid/squid.conf

Add the following line to the squid.conf file around line 28:

url_rewrite_program /usr/bin/squidGuard

# service squid reload

or

# service squid restart

10. Now open the Firefox browser and test to see if your testdomains are successfully blocked, while every other domain is allowed. 

11. If you were successful at blocking the test domains then you can extract and decompress the blacklists.tar.gz file that you downloaded in Step 6. Copy some of the extracted blacklist folders to your /var/squidGuard/blacklists/ directory. Now you will need to edit your squidGuard.conf file to account for the new blacklists areas beyond testdomains, recompile the squidGuard database (if there are errors creating the database file/s then you will need to troubleshoot by editing the squidGuard.conf file), chown the blacklists directory recursively, restart Squid and you should be filtering tons of undesirable domains, urls, keywords, etc.

#######################################################################

How to configure Squid basic authentication on CentOS 6.5

In this post I will introduce the step by step configuration that allows for authenticated access to the Squid service using usernames and passwords. We are going to use "ncsa_auth" that allows Squid to read and authenticate user and password information from an NCSA httpd-style password file when using basic HTTP authentication.

First, let's make sure we have Squid installed:

# sudo yum install squid

We will need the "htpasswd" utility to create the password file and generate passwords. If you have Apache installed then you should already have it; if not, try installing it using this command:

# sudo yum install httpd-tools

Now we are going to create a file to store passwords in and change its ownership so Squid can access it.

# sudo touch /etc/squid/passwd
# sudo chown squid /etc/squid/passwd

Suppose that "john" is our username for accessing the Squid proxy server. We will use this command to generate a password for that username. You will need to type the password and retype it for confirmation.

The -d argument in this command will force "htpasswd" to use CRYPT encryption of the password. Looks like ncsa_auth in CentOS 6.4+ no longer accepts the md5 form of passwords, but I don't know why.

# sudo htpasswd -d /etc/squid/passwd john
New password:
Re-type new password:
Adding password for user john

To test if the username and password will work with Squid, you can type this command and on the following line enter the username and password separated by a space. You should get an "OK". Otherwise there is a problem with your password or encryption type.

# /usr/lib64/squid/ncsa_auth /etc/squid/passwd
john pass
OK

Now open the Squid configuration file located in /etc/squid/squid.conf, add the following lines to the top of the file, and save it.

auth_param basic program /usr/lib64/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users

auth_param basic program /usr/lib64/squid/ncsa_auth /etc/squid/passwd:

Specifies the location of the helper program and of the Squid password file.

auth_param basic children 5:

The number of authenticator processes to spawn.

auth_param basic realm Squid proxy-caching web server:

Part of the text the user will see when prompted for their username and password.

auth_param basic credentialsttl 2 hours:

Specifies how long Squid assumes an externally validated username:password pair is valid for, in other words how often the helper program is called for that user with a password prompt. It is set to 2 hours.

auth_param basic casesensitive off:

Specifies if usernames are case sensitive. It can be on or off only.

acl ncsa_users proxy_auth REQUIRED:

The REQUIRED term means that any authenticated user will match the ACL named ncsa_users.

http_access allow ncsa_users:

Allows proxy access only if the user is successfully authenticated.

Now let's start Squid and also make sure it will be started the next time you reboot the server.

# sudo service squid restart
# chkconfig squid on

And now you can configure your browser or any client to use the proxy server using the username and password you have specified above. 

You can always update a user's password with the same command that you used to create the password.

To remove a username you need to open the password file (/etc/squid/passwd) and remove the line that represents the user. It looks something like this:

john:ehHDxD10B5KAu

Remember to restart the Squid service after deleting the user line in the file.
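To see which hash format each entry in /etc/squid/passwd uses, and whether other local accounts can read the file, a check along these lines can be run on the proxy host. It is an added example, not part of the original post; the alice and bob entries and both function names are made up for illustration.

```python
import os
import re
import stat

# Constructed sample: the first entry is the one shown on this page; the
# other users and hashes are made up for illustration.
SAMPLE_PASSWD = """\
john:ehHDxD10B5KAu
alice:$apr1$Zx9k2Lq1$0123456789abcdefghijk.
bob:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
"""

# (pattern, scheme name, note for the administrator)
SCHEMES = [
    (r"^\$apr1\$", "apr1-md5", "htpasswd -m format"),
    (r"^\$2[aby]\$", "bcrypt", "htpasswd -B format"),
    (r"^\{SHA\}", "sha1", "htpasswd -s format; unsalted SHA-1"),
    (r"^[./0-9A-Za-z]{13}$", "des-crypt",
     "htpasswd -d format; only the first 8 password characters count"),
]


def audit_htpasswd(text):
    """Return [(user, scheme, note)] for each entry of an htpasswd-style file."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hashed = line.split(":", 1)
        for pattern, scheme, note in SCHEMES:
            if re.search(pattern, hashed):
                findings.append((user, scheme, note))
                break
        else:
            findings.append((user, "unknown", "not a recognised hash format"))
    return findings


def readable_by_others(path):
    """True if group or other can read the file (hashes exposed to local users)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


if __name__ == "__main__":
    for user, scheme, note in audit_htpasswd(SAMPLE_PASSWD):
        print(f"{user:8} {scheme:10} {note}")
```

After the touch and chown steps above, the file keeps whatever mode root's umask gave it, so readable_by_others("/etc/squid/passwd") shows whether it needs tightening to owner-only access.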

Anonymizing Traffic

In order to mask your IP address from servers you connect to, you will need to add the following lines to the Squid configuration file and restart the service.

forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all

       --------------------------------------

SquidGuard Configure

# yum install http://ftp.osuosl.org/pub/fedora-epel/6/i386/epel-release-6-8.noarch.rpm

=========================================================================

[root@aueq-sproxy02 ~]# yum install http://ftp.osuosl.org/pub/fedora-epel/6/i386/epel-release-6-8.noarch.rpm

Loaded plugins: product-id, security, subscription-manager

This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.

Setting up Install Process

Examining /var/tmp/yum-root-8mVrB3/epel-release-6-8.noarch.rpm: epel-release-6-8.noarch

Marking /var/tmp/yum-root-8mVrB3/epel-release-6-8.noarch.rpm to be installed

Resolving Dependencies

--> Running transaction check

---> Package epel-release.noarch 0:6-8 will be installed

--> Finished Dependency Resolution

Dependencies Resolved

===============================================================================================================================================================================================================

Package Arch Version Repository Size

===============================================================================================================================================================================================================

Installing:

epel-release noarch 6-8 /epel-release-6-8.noarch 22 k

Transaction Summary

===============================================================================================================================================================================================================

Install 1 Package(s)

Total size: 22 k

Installed size: 22 k

Is this ok [y/N]:

 

==========================================================================

Now install SquidGuard.

# yum install squidGuard

 

[root@aueq-sproxy02 ~]# yum install squidGuard

Loaded plugins: product-id, security, subscription-manager

This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.

Setting up Install Process

epel/metalink | 2.8 kB 00:00

epel | 4.3 kB 00:00

epel/primary_db | 5.9 MB 00:00

Resolving Dependencies

--> Running transaction check

---> Package squidGuard.x86_64 0:1.4-10.el6 will be installed

--> Finished Dependency Resolution

Dependencies Resolved

===============================================================================================================================================================================================================

Package Arch Version Repository Size

===============================================================================================================================================================================================================

Installing:

squidGuard x86_64 1.4-10.el6 epel 7.1 M

Transaction Summary

===============================================================================================================================================================================================================

Install 1 Package(s)

Total download size: 7.1 M

Installed size: 7.4 M

Is this ok [y/N]:

 

2. cd /var/squidGuard/

tar -zxvf blacklists.tar.gz

mkdir db

mkdir log

chown -R squid:squid db

chown -R squid:squid log

mv blacklists/* db/

chown -R squid:squid db/*

3. Now edit the squidGuard.conf file to configure it to work with the testdomains file. You may want to back up the squidGuard.conf file before making changes.

 

[root@aueq-sproxy02 db]# cp /etc/squid/squidGuard.conf /etc/squid/squidGuard.conf.BAK

 

# vi /etc/squid/squidGuard.conf

Change it as follows.

 

=============================================================

# Mohammad Alam 23/09/2016
# initial conf file for squidGuard

logdir /var/squidGuard/log
dbhome /var/squidGuard/db

dest whitelist {
    domainlist whitelist/domains
    urllist whitelist/urls
}

dest specBlacklist {
    domainlist specBlacklist/domains
    urllist specBlacklist/urls
}

dest ads {
    domainlist ads/domains
    urllist ads/urls
}

dest adult {
    domainlist adult/domains
    urllist adult/urls
}

dest aggressive {
    domainlist aggressive/domains
    urllist aggressive/urls
}

acl {
    default {
        pass whitelist !specBlacklist !ads !adult !aggressive !audio-video !drugs !porn !chat !warez !phishing !malware !in-addr all
        redirect http://10.80.0.37/ERR_ACCESS_DENIED.html
    }
}

 

==================================================================

 

4. Add this line to /etc/squid/squid.conf

url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf

5. Reload squidGuard db

squidGuard -b -d -C all

6. Restart Squid.

/etc/init.d/squid reload

7. Check the log file at /var/squidGuard/log

[root@aueq-sproxy02 log]# ls

squidGuard.log

[root@aueq-sproxy02 log]# tail -f squidGuard.log

2016-09-26 11:11:51 [2388] squidGuard 1.4 started (1474852311.153)

2016-09-26 11:11:51 [2388] squidGuard ready for requests (1474852311.167)

2016-09-26 11:11:51 [2389] squidGuard 1.4 started (1474852311.160)

2016-09-26 11:11:51 [2389] squidGuard ready for requests (1474852311.171)
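Because a mistake in squidGuard.conf makes squidGuard fail, it helps to check the file before running squidGuard -b -d -C all: apart from the built-in any, all, none and in-addr, every name on a pass line needs a dest block (in the file as shown above, names such as !porn and !drugs have none), and every list file must exist under dbhome. The following is an added example, not part of the original post or of squidGuard; lint_squidguard and the shortened sample configuration are constructed for illustration.

```python
import posixpath
import sys

# Constructed sample modelled on the squidGuard.conf above (shortened).
SAMPLE_CONF = """\
dbhome /var/squidGuard/db
dest whitelist {
    domainlist whitelist/domains
}
dest ads {
    domainlist ads/domains
    urllist ads/urls
}
acl {
    default {
        pass whitelist !ads !porn !in-addr all
        redirect http://10.80.0.37/ERR_ACCESS_DENIED.html
    }
}
"""

BUILTIN = {"any", "all", "none", "in-addr"}  # targets squidGuard provides itself


def lint_squidguard(conf):
    """Return (undefined pass targets, list-file paths) for a squidGuard.conf text."""
    defined, undefined, files = set(), [], []
    dbhome = ""
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()      # drop comments, tokenise
        if len(words) < 2:
            continue
        if words[0] == "dbhome":
            dbhome = words[1]
        elif words[0] in ("dest", "destination"):
            defined.add(words[1].rstrip("{"))
        elif words[0] in ("domainlist", "urllist", "expressionlist"):
            files.append(posixpath.join(dbhome, words[-1]))
        elif words[0] == "pass":
            for target in words[1:]:
                name = target.lstrip("!")
                if name not in BUILTIN | defined and name not in undefined:
                    undefined.append(name)
    return undefined, files


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    undefined, files = lint_squidguard(text)
    for name in undefined:
        print("pass rule names a dest that is not defined:", name)
    for path in files:
        print("list file that must exist on disk:", path)
```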

 

   

-----------