How To Install And Configure Dansguardian With Multi-Group Filtering And Squid With NTLM Auth On Debian Etch - Page 2

Want to support HowtoForge? Become a subscriber!
 
Submitted by archerjd (Contact Author) (Forums) on Mon, 2008-07-14 02:27. ::

Configure the Squid Proxy Server

Make a backup of /etc/squid/squid.conf and eddit it.

cp /etc/squid/squid.conf /etc/squid/squid.conf.bak
nano -c /etc/squid/squid.conf

Change line 73 to http_port 127.0.0.1:3128 transparent
and line 74 to http_port 8080
and line 593 to cache_peer 127.0.0.1 parent 8081 0 no-query login=*:nopassword.

Uncomment line 1791 through 1783 and replace <uncomment ... activate> with /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp

Uncomment line 1800 through 1803 and replace <uncomment ... activate> with /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic

Change line 2449 to acl ntlm_auth proxy_auth REQUIRED
and line 2579 to http_access allow ntlm_auth
and line 3161 to forwarded_for off

Now save the config file.

The last line is a very important one because if left to its default, squid will send your internal IP to every site that you visit.

Squid needs access to /var/run/samba/winbindd_privileged. We can easly fix this but the permissions will reset when we reboot. So Jesse Waters on ubuntuforums.org posted a script that will set the permissions on every system boot.

Edit /etc/init.d/winbind-ch.sh and paste the following into it.

#!/bin/sh
#set -x
WINBINDD_PRIVILEGED=/var/run/samba/winbindd_privileged
chmodgrp() {
chgrp proxy $WINBINDD_PRIVILEGED || return 1
chmod g+w $WINBINDD_PRIVILEGED || return 1
}
case "$1" in
start)
chmodgrp
;;
restart|reload|force-reload)
echo "Error: argument '$1' not supported" >&2
exit 3
;;
stop)
;;
*)
echo "Usage: $0 start|stop" >&2
exit 3
;;
esac
#EOF

update-rc.d winbind-ch.sh start 21 2 3 4 5 .

 

Configure Dansguardian

Edit /etc/dansguardian/dansguardian.conf and comment out line 3.
Go to line 62 and change 8080 to 8081.
Change filtergroups = 1 on line 102 to filtergroups = 2 and create your group files.

cp /etc/dansguardian/dansguardianf1.conf /etc/dansguardian/dansguardianf2.conf
nano -c /etc/dansguardian/dansguardianf2.conf

Go to line 29 and change to naughtynesslimit = 100.

Anti-Virus definitions should not be scanned as they will most definitely be blocked.

Edit /etc/dansguardian/exceptionvirussitelist and add your AV software's definition site name to the list.
For example: activeupdate.trendmicro.com

You may also want to add the domain to the site exception list too.
Edit etc/dansguardian/exceptionsitelist and add the domain.
For example: trendmicro.com

Restart Dansguardian:

/etc/init.d/dansguardian restart

 

Configure the firewall

Ipmasq is a very flexible automatic firewall/router configuration utility and it is what we will use for configuring the firewall.

apt-get install ipmasq -y

To enable transparent proxying for squid we have to redirect all outgoing http requests to port 8081 as defined earlier in dansguardian. The following config file does this for us:

cp /usr/share/doc/ipmasq/examples/basics/I89tproxy.rul /etc/ipmasq/rules/I89tproxy.rul

If you have an internal server that needs ports forwarded to it then take a look at:
/usr/share/doc/ipmasq/examples/dnat/C50dnat.rul

 

Install the Dansguardian Webmin module

Open a web browser to https://192.168.1.1:10000/ and log in with root. Go to Webmin > Webmin Configuration > Webmin Modules. Select "From ftp or http URL" and paste the link below into the dialog box and click Install Module.

http://internap.dl.sourceforge.net/sourceforge/dgwebminmodule/dg-0.5.10-pr5.wbm

Ok now for the final tests, reboot and point your web browser to use this machine's IP address and port 8080 for its proxy. If all goes well and your machine is joined to the domain it should automatically logon and connect to the Internet.

Keep in mind that Internet Explorer requires you to specify the domainname\username in the username dialog if NTLM fails.

Next, test another computer that is not joined to the domain and is not configured to use a proxy

Now login to Webmin and check you dansguardian logs. It should show the domain computer's username and the site you visited earlier.

Look for the non-domain computer, notice how the IP of the domain computer has the IP of 127.0.0.1? This is because the domain computer goes through squid then dansguardian then back through squid. The non-domain computer goes directly to dansguardian and then through squid.

If it does not work, check your syslog for errors.

 

Links:


Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Submitted by Anonymous (not registered) on Wed, 2009-09-23 09:17.

This howto is great, but needs to be updated with at least the exact configuration parameters that need to be changed instead of "uncomment/change line 123", because default conf files of squid, samba, dansguardian change with release versions.

To be more specific, I am trying this on debian lenny and having trouble at  what exactly needs to be changed in samba and squid configurations.

Submitted by gimili (registered user) on Fri, 2009-03-27 13:17.

First this was very helpful and I appreciate the info but I ran into two problems.  First I could no longer login to a secure website as java applet would not load.

After searching google and trying different things this seemed to work:

In /etc/squid/squid.conf
#added for java
acl Java browser Java/1.4 Java/1.5 Java/1.6 Java/1.6.0_13 jupload/0.87
http_access allow Java

I think they need to be before "acl ntlm_auth proxy_auth REQUIRED" line.

 The second thing is that  /etc/dansguardian/lists/exceptioniplist because all the ips are 127.0.0.1.  I am not sure how to fix this problem yet.

Thanks again.  It is great to have filter groups working!

Submitted by Squidblacklist (not registered) on Tue, 2014-08-26 22:42.
Allow me to introduce a better blacklist, we are Squidblacklist.org, the worlds leading publisher of native acl blacklists tailored specifically for use with Squid proxy, as well as  we also publish multiple alternative formats for all major third party plugins as well as many other filtering platforms, such as UFDBGuard and Barracuda Networks devices..

There is room for better blacklists, we intend to fill that gap.


It would be our pleasure to serve you.

Signed,

Benjamin E. Nichols
http://www.squidblacklist.org