Configure the Squid Proxy Server

Make a backup of /etc/squid/squid.conf and eddit it.

cp /etc/squid/squid.conf /etc/squid/squid.conf.bak
nano -c /etc/squid/squid.conf

Change line 73 to http_port 127.0.0.1:3128 transparent
and line 74 to http_port 8080
and line 593 to cache_peer 127.0.0.1 parent 8081 0 no-query login=*:nopassword.

Uncomment line 1791 through 1783 and replace <uncomment ... activate> with /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp

Uncomment line 1800 through 1803 and replace <uncomment ... activate> with /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic

Change line 2449 to acl ntlm_auth proxy_auth REQUIRED
and line 2579 to http_access allow ntlm_auth
and line 3161 to forwarded_for off

Now save the config file.

The last line is a very important one because if left to its default, squid will send your internal IP to every site that you visit.

Squid needs access to /var/run/samba/winbindd_privileged. We can easly fix this but the permissions will reset when we reboot. So Jesse Waters on ubuntuforums.org posted a script that will set the permissions on every system boot.

Edit /etc/init.d/winbind-ch.sh and paste the following into it.

#!/bin/sh
#set -x
WINBINDD_PRIVILEGED=/var/run/samba/winbindd_privileged
chmodgrp() {
chgrp proxy $WINBINDD_PRIVILEGED || return 1
chmod g+w $WINBINDD_PRIVILEGED || return 1
}
case "$1" in
start)
chmodgrp
;;
restart|reload|force-reload)
echo "Error: argument '$1' not supported" >&2
exit 3
;;
stop)
;;
*)
echo "Usage: $0 start|stop" >&2
exit 3
;;
esac
#EOF

update-rc.d winbind-ch.sh start 21 2 3 4 5 .

Configure Dansguardian

Edit /etc/dansguardian/dansguardian.conf and comment out line 3.
Go to line 62 and change 8080 to 8081.
Change filtergroups = 1 on line 102 to filtergroups = 2 and create your group files.

cp /etc/dansguardian/dansguardianf1.conf /etc/dansguardian/dansguardianf2.conf
nano -c /etc/dansguardian/dansguardianf2.conf

Go to line 29 and change to naughtynesslimit = 100.

Anti-Virus definitions should not be scanned as they will most definitely be blocked.

Edit /etc/dansguardian/exceptionvirussitelist and add your AV software's definition site name to the list.
For example: activeupdate.trendmicro.com

You may also want to add the domain to the site exception list too.
Edit etc/dansguardian/exceptionsitelist and add the domain.
For example: trendmicro.com

Restart Dansguardian:

/etc/init.d/dansguardian restart

Configure the firewall

Ipmasq is a very flexible automatic firewall/router configuration utility and it is what we will use for configuring the firewall.

apt-get install ipmasq -y

To enable transparent proxying for squid we have to redirect all outgoing http requests to port 8081 as defined earlier in dansguardian. The following config file does this for us:

cp /usr/share/doc/ipmasq/examples/basics/I89tproxy.rul /etc/ipmasq/rules/I89tproxy.rul

If you have an internal server that needs ports forwarded to it then take a look at:
/usr/share/doc/ipmasq/examples/dnat/C50dnat.rul

Install the Dansguardian Webmin module

Open a web browser to https://192.168.1.1:10000/ and log in with root. Go to Webmin > Webmin Configuration > Webmin Modules. Select "From ftp or http URL" and paste the link below into the dialog box and click Install Module.

http://internap.dl.sourceforge.net/sourceforge/dgwebminmodule/dg-0.5.10-pr5.wbm

Ok now for the final tests, reboot and point your web browser to use this machine's IP address and port 8080 for its proxy. If all goes well and your machine is joined to the domain it should automatically logon and connect to the Internet.

Keep in mind that Internet Explorer requires you to specify the domainname\username in the username dialog if NTLM fails.

Next, test another computer that is not joined to the domain and is not configured to use a proxy

Now login to Webmin and check you dansguardian logs. It should show the domain computer's username and the site you visited earlier.

Look for the non-domain computer, notice how the IP of the domain computer has the IP of 127.0.0.1? This is because the domain computer goes through squid then dansguardian then back through squid. The non-domain computer goes directly to dansguardian and then through squid.

If it does not work, check your syslog for errors.

Links:

• http://contentfilter.futuragts.com/
  
• http://ubuntuforums.org/
  

This page is licensed under a Creative Commons License.