About Something…

It has been a long time I have not touch the squid configuration and installation. Recently, when I tried to install it again, I found that the howtos in Internet was a little bit confusing and I did not manage to setup. Until I viewed the log file (/var/log/auth.log) then I understood what went wrong and managed to solve the problem.

My  objective is to create a new proxy server with limited access controlled by using PAM authentication. The original howto is from this page.  I modified it to suit my environment which is using Ubuntu 8.10 server installed on my ESX server (Virtualization is awesome!).

The steps i did:

1. Update the APT installer to find the latest packages

$ sudo apt-get update

2. Installed your squid and any dependencies.
In Intrepix Ibex, they use squid3 name instead of just squid. It made me mistakenly edited the wrong files several times.

$ sudo apt-get install squid3

3. Edit the main configuration files
We need to add 2 entry here to enable PAM authentication and force the PAM authentication. edit the squid.conf.

$ sudo vi /etc/squid3/squid.conf.

and add this lines to enable PAM authentication

auth_param basic program /usr/lib/squid3/pam_auth
auth_param basic children 5
auth_param basic realm Squid
auth_param basic credentialsttl 2 hours

And add this to force authentication to every user using it

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
acl pam proxy_auth REQUIRED
http_access allow pam

4. Configure the pam modules for Squid
Create a new file with name squid in /etc/pam.d/ and populate with this entry.

$ sudo vi /etc/pam.d/squid

Add the below lines. This is the alteration i did from the previously mentioned  howto.

auth             required        pam_unix.so
account         required        pam_unix.so

5. Start the squid service

$ sudo /etc/init.d/squid start

The service should starts smoothly if you are using the same distro and packages that i used. Actually configuring squid is quite straightforward but maintaining and managing different distros with different styles and packages versions is the confusing part.

Often multimedia streaming is not good for the office environment. It will dry out the bandwidth of our network, thus slows it down. We can block the multimedia streaming using squid filter. Below is the example of how I did it using squid:

In the /etc/squid/squid.conf :

<—–snipped—–>
# streaming download
acl fails rep_mime_type ^.*mms.*
acl fails rep_mime_type ^.*ms-hdr.*
acl fails rep_mime_type ^.*x-fcs.*
acl fails rep_mime_type ^.*x-ms-asf.*
acl fails2 urlpath_regex dvrplayer mediastream mms://
acl fails2 urlpath_regex \.asf$ \.afx$ \.flv$ \.swf$
acl deny_rep_mime_flashvideo rep_mime_type -i video/flv
acl deny_rep_mime_shockwave rep_mime_type -i ^application/x-shockwave-flash$
acl x-type req_mime_type -i ^application/octet-stream$
acl x-type req_mime_type -i application/octet-stream
acl x-type req_mime_type -i ^application/x-mplayer2$
acl x-type req_mime_type -i application/x-mplayer2
acl x-type req_mime_type -i ^application/x-oleobject$
acl x-type req_mime_type -i application/x-oleobject
acl x-type req_mime_type -i application/x-pncmd
acl x-type req_mime_type -i ^video/x-ms-asf$

acl x-type2 rep_mime_type -i ^application/octet-stream$
acl x-type2 rep_mime_type -i application/octet-stream
acl x-type2 rep_mime_type -i ^application/x-mplayer2$
acl x-type2 rep_mime_type -i application/x-mplayer2
acl x-type2 rep_mime_type -i ^application/x-oleobject$
acl x-type2 rep_mime_type -i application/x-oleobject
acl x-type2 rep_mime_type -i application/x-pncmd
acl x-type2 rep_mime_type -i ^video/x-ms-asf$
http_reply_access deny deny_rep_mime_flashvideo
http_reply_access deny deny_rep_mime_shockwave
<—–snipped—–>
<—–snipped—–>
#streaming files
http_access deny fails
http_reply_access deny fails
http_access deny fails2
http_reply_access deny fails2
http_access deny x-type
http_reply_access deny x-type
http_access deny x-type2
http_reply_access deny x-type2
<—–snipped—–>

And of course, you have to force your users to use your squid proxy server.