Posts Tagged ‘Squid’

Ubuntu 8.10: Squid3 with pam_auth revisited

26/12/2008

It has been a long time since I last touched the Squid configuration and installation. Recently, when I tried to install it again, I found the howtos on the Internet a little confusing and I did not manage to set it up. Only when I looked at the log file (/var/log/auth.log) did I understand what went wrong and manage to solve the problem.

My objective is to create a new proxy server with limited access, controlled by PAM authentication. The original howto is from this page. I modified it to suit my environment, which is an Ubuntu 8.10 server installed on my ESX server (virtualization is awesome!).

The steps I did:

1. Update the APT package lists so the latest packages are found

$ sudo apt-get update

2. Install Squid and any dependencies.
In Intrepid Ibex the package is named squid3 instead of just squid, which made me edit the wrong files several times.

$ sudo apt-get install squid3

3. Edit the main configuration file
We need to add two entries here: one to enable PAM authentication and one to force it. Edit squid.conf:

$ sudo vi /etc/squid3/squid.conf

and add these lines to enable PAM authentication:

auth_param basic program /usr/lib/squid3/pam_auth
auth_param basic children 5
auth_param basic realm Squid
auth_param basic credentialsttl 2 hours

And add this to force authentication for every user of the proxy:

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
acl pam proxy_auth REQUIRED
http_access allow pam

4. Configure the PAM modules for Squid
Create a new file named squid in /etc/pam.d/ and populate it with the entries below.

$ sudo vi /etc/pam.d/squid

Add the lines below. This is the change I made compared to the previously mentioned howto.

auth     required   pam_unix.so
account  required   pam_unix.so

5. Start the squid service

$ sudo /etc/init.d/squid start

The service should start smoothly if you are using the same distro and packages I used. Configuring Squid is actually quite straightforward; maintaining and managing different distros with different styles and package versions is the confusing part.
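To check the pam_auth helper on its own, outside Squid, here is a small driver I added (not from the post or from the Squid project): it speaks the Squid 3 basic helper protocol, one "user password" line in and one OK or ERR line out, and carries a constructed stand-in helper so it runs offline. The helper path is the one from the post's auth_param line; the credential pair in the stand-in is made up.

```python
import subprocess
import sys

# Helper path from the post (Ubuntu 8.10 squid3 package); match your auth_param line.
PAM_AUTH_HELPER = ["/usr/lib/squid3/pam_auth"]

# Constructed stand-in for offline runs: it accepts exactly one made-up credential pair.
FAKE_HELPER = [sys.executable, "-c",
               "import sys; u, p = sys.stdin.readline().rstrip().split(' ', 1); "
               "print('OK' if (u, p) == ('alice', 's3cret') else 'ERR')"]

def query_basic_helper(helper_cmd, user, password, timeout=5):
    """Drive a Squid 3 basic auth helper the way Squid does: one 'user password'
    line on stdin, one 'OK' or 'ERR' line back. Returns (ok, reply, stderr)."""
    if " " in user or "\n" in user or "\n" in password:
        raise ValueError("Squid 3.0 sends the pair unencoded; user must not contain spaces")
    proc = subprocess.run(helper_cmd, input=f"{user} {password}\n",
                          capture_output=True, text=True, timeout=timeout)
    lines = proc.stdout.splitlines()
    reply = lines[0].strip() if lines else ""
    return reply.split(" ")[0] == "OK", reply, proc.stderr.strip()

if __name__ == "__main__":
    # Run it with sudo first: pam_unix has to read /etc/shadow, so an unprivileged run
    # answers ERR for a valid password unless pam_auth is installed setuid root.
    # PAM logs failed attempts to /var/log/auth.log, the file the post used to debug.
    from getpass import getpass
    ok, reply, err = query_basic_helper(PAM_AUTH_HELPER, input("user: "), getpass())
    print("helper said:", reply or "<nothing>", "| stderr:", err or "<none>")
    sys.exit(0 if ok else 1)
```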

OpenDNS – Filter the Web

22/08/2008

While troubleshooting the network (a DNS server problem) at my workplace, I came across this tool. Very good and quite easy to deploy. The first time I looked at its website I already felt there was something interesting about it.

OpenDNS is a public DNS server that also offers web content filtering. Simply put, a DNS server that can prevent people from visiting inappropriate websites. There you go. Using it is easy.

  1. Create an account to manage the content filter
  2. Set the IP you normally use; there are options for a static IP and a dynamic IP here
  3. In the internet browser, set the DNS server to the OpenDNS servers
    (208.67.222.222 and 208.67.220.220)

After that, when someone tries to go to a site they should not, it will block the site from being browsed. For example, like below:

For the network at my workplace, since we already have our own DNS server and need to host the company domain name, I could not use the straightforward way to block users. So I set forwarders in my DNS server settings (think of it as setting up a DNS proxy). Really easy. Just two lines and it works.

Like this: in the file /etc/init.d/named.conf or /var/named/chroot/etc/init.d/named.conf, append these two lines to the options section, as in this picture:

[Image: lines that need to be added to the config file]

OK! Done. Reload the server. No need to restart, that just wastes time.

/etc/init.d/named reload

OK, once it is reloaded you will get the same result as when you adjust the web browser settings directly, but it is easier to deploy because you do not have to make any other changes to other components in your network or to each user's browser.

Now the web filter is running, but I advise you to tighten your firewall security: make all DNS connections to the outside go through your DNS server. Do not let them bypass that DNS server. Just use the iptables command.
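The post's screenshot of the forwarders lines is not on this page; the stanza below is my own example of a standard BIND forwarders block pointing at the OpenDNS servers named above (not the author's file), assuming a default named.conf with an existing options section.

```conf
options {
    // ... existing options (directory, listen-on, allow-query, ...) stay as they are

    // Hand every recursive query to OpenDNS, where the content filter is applied.
    forwarders {
        208.67.222.222;
        208.67.220.220;
    };
    // "only": never fall back to recursing directly from the root servers.
    // With the default "forward first" an unreachable forwarder would make named
    // resolve on its own and the filter would silently stop applying.
    forward only;
};
```

Zones you host yourself are still answered locally; forwarding only affects names named is not authoritative for.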

Using Squid Proxy to Block Multimedia Streaming

31/07/2007

Multimedia streaming is often not welcome in an office environment: it drains the network bandwidth and slows everything down. We can block multimedia streaming using Squid filters. Below is an example of how I did it with Squid:

In the /etc/squid/squid.conf :

<-----snipped----->
# streaming download
acl fails rep_mime_type ^.*mms.*
acl fails rep_mime_type ^.*ms-hdr.*
acl fails rep_mime_type ^.*x-fcs.*
acl fails rep_mime_type ^.*x-ms-asf.*
acl fails2 urlpath_regex dvrplayer mediastream mms://
acl fails2 urlpath_regex \.asf$ \.afx$ \.flv$ \.swf$
acl deny_rep_mime_flashvideo rep_mime_type -i video/flv
acl deny_rep_mime_shockwave rep_mime_type -i ^application/x-shockwave-flash$
acl x-type req_mime_type -i ^application/octet-stream$
acl x-type req_mime_type -i application/octet-stream
acl x-type req_mime_type -i ^application/x-mplayer2$
acl x-type req_mime_type -i application/x-mplayer2
acl x-type req_mime_type -i ^application/x-oleobject$
acl x-type req_mime_type -i application/x-oleobject
acl x-type req_mime_type -i application/x-pncmd
acl x-type req_mime_type -i ^video/x-ms-asf$

acl x-type2 rep_mime_type -i ^application/octet-stream$
acl x-type2 rep_mime_type -i application/octet-stream
acl x-type2 rep_mime_type -i ^application/x-mplayer2$
acl x-type2 rep_mime_type -i application/x-mplayer2
acl x-type2 rep_mime_type -i ^application/x-oleobject$
acl x-type2 rep_mime_type -i application/x-oleobject
acl x-type2 rep_mime_type -i application/x-pncmd
acl x-type2 rep_mime_type -i ^video/x-ms-asf$
http_reply_access deny deny_rep_mime_flashvideo
http_reply_access deny deny_rep_mime_shockwave
<-----snipped----->
#streaming files
http_access deny fails
http_reply_access deny fails
http_access deny fails2
http_reply_access deny fails2
http_access deny x-type
http_reply_access deny x-type
http_access deny x-type2
http_reply_access deny x-type2
<-----snipped----->

And of course, you have to force your users to use your squid proxy server.
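To see which of these rules fires for a given request, here is a small evaluator I added (not from the post or from Squid): it parses a constructed subset of the acl and deny lines above and applies them the way Squid does, urlpath_regex against the URL path only, req_mime_type at request time, and rep_mime_type only once reply headers exist (in http_access Squid assumes a mismatch for it).

```python
import re
from urllib.parse import urlsplit

# Constructed subset of the squid.conf from the post (same acl names, types and patterns).
SQUID_CONF = r"""acl fails rep_mime_type ^.*mms.*
acl fails rep_mime_type ^.*x-ms-asf.*
acl fails2 urlpath_regex dvrplayer mediastream mms://
acl fails2 urlpath_regex \.asf$ \.afx$ \.flv$ \.swf$
acl x-type req_mime_type -i ^application/octet-stream$
acl x-type2 rep_mime_type -i ^application/octet-stream$
http_access deny fails
http_reply_access deny fails
http_access deny fails2
http_reply_access deny fails2
http_access deny x-type
http_reply_access deny x-type2
"""

def parse_conf(text):
    """Collect acl patterns (ORed per acl name) and the deny list of each directive."""
    acls, rules = {}, {"http_access": [], "http_reply_access": []}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl":
            name, kind, pats = parts[1], parts[2], parts[3:]
            flags = re.IGNORECASE if pats[:1] == ["-i"] else 0  # -i: case-insensitive
            pats = pats[1:] if flags else pats
            acls.setdefault(name, []).extend((kind, re.compile(p, flags)) for p in pats)
        elif parts[0] in rules and parts[1] == "deny":
            rules[parts[0]].append(parts[2])
    return acls, rules

def acl_matches(acl, stage, url, req_type, rep_type):
    """True if any pattern of the acl matches at this stage ("request" or "reply")."""
    sp = urlsplit(url)
    urlpath = sp.path + ("?" + sp.query if sp.query else "")  # scheme and host excluded
    subjects = {"urlpath_regex": urlpath, "req_mime_type": req_type or ""}
    if stage == "reply":  # rep_mime_type needs response headers; before that: mismatch
        subjects["rep_mime_type"] = rep_type or ""
    return any(kind in subjects and rx.search(subjects[kind]) for kind, rx in acl)

def first_denial(acls, rules, url, req_type=None, rep_type=None):
    """Walk the deny rules in file order: http_access first, then http_reply_access."""
    for directive, stage in (("http_access", "request"), ("http_reply_access", "reply")):
        for name in rules[directive]:
            if acl_matches(acls[name], stage, url, req_type, rep_type):
                return directive, name
    return None
```

Note that the `mms://` pattern in urlpath_regex can never match, because the scheme is not part of the URL path, and that the octet-stream rules deny every generic binary download, not only streams.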
