Configure Squid

In order to use our redundant LDAP access and authorizations via Security Groups in Active Directory we need to create and account with permission to look up Active Directory attributes. Squid will then use this account to provide users with access.

In Active Directory create a user called "Squid Proxy" with the logon name squid@example.local and note the password down and substitute the word "squidpass" below with your password.

Ensure the following is true when creating the account.

• User must change password at next logon Un-ticked
• User cannot change password Ticked
• Password never expires Ticked
• Account is disabled Un-ticked

By default the squid account will not be able to query the "memberOf" attribute in AD. Select the top level of your active directory domain in Active Directory Users and Computers, Right click on it and choose properties, Security Tab, Add the squid user and give it read permissions (should happen by default) and allow it to read "This Object and all child objects" by going into Advanced options.

Create the following Security Groups with descriptions in Active Directory and add users to the relevant groups - if a user is not part of a group they will only be able to access sites in the whitelistsites ACL.

Members of Internet Users will not be able to access websites in the blocksites ACL.

• Internet Users | Description: Members of this group can access the Internet. Access is logged with website restrictions
• Internet Users Full Log | Description: Members of this group can access the Internet. Access is logged with full website access
• Internet Users Full NoLog | Description: Members of this group can access the Internet. Access is not logged with full website access

We then set up squid and it's associated config files.

Squid startup

Add the following configuration to /etc/default/squid3 (this file does not exist by default).

vi /etc/default/squid3

KRB5_KTNAME=/etc/squid3/PROXY.keytab
export KRB5_KTNAME

squid.conf

cp /etc/squid3/squid.conf /etc/squid3/squid.conf.default
cat /dev/null > /etc/squid3/squid.conf
vi /etc/squid3/squid.conf

Update the cache manager variable with the emails address of the person in charge of the proxy.

Study and update the following text carefully, replacing the example content (highlighted) with your networks configuration - if you get something wrong your proxy will not work.

####### /etc/squid3/squid.conf Configuration File #######
####### cache manager
cache_mgr administrator@example.com
####### kerberos authentication
auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -d -s HTTP/squidproxy.example.local
auth_param negotiate children 10
auth_param negotiate keep_alive on
####### provide access via ldap for clients not authenticated via kerberos
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R \
        -b "dc=example,dc=local" \
        -D squid@example.local \
        -w "squidpass" \
        -f sAMAccountName=%s \
        -h domaincontroller1.example.local
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 1 minute
####### ldap authorizations
# restricted proxy access logged
external_acl_type internet_users %LOGIN /usr/lib/squid3/squid_ldap_group -R -K \
        -b "dc=example,dc=local" \
        -D squid@example.local \
        -w "squidpass" \
        -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=Internet Users,ou=Security Groups,ou=MyBusiness,dc=example,dc=local))" \
        -h domaincontroller1.example.local
# full proxy access no logging
external_acl_type internet_users_full_nolog %LOGIN /usr/lib/squid3/squid_ldap_group -R -K \
        -b "dc=example,dc=local" \
        -D squid@example.local \
        -w "squidpass" \
        -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=Internet Users Full NoLog,ou=Security Groups,ou=MyBusiness,dc=example,dc=local))" \
        -h domaincontroller1.example.local
# full proxy access logged
external_acl_type internet_users_full_log %LOGIN /usr/lib/squid3/squid_ldap_group -R -K \
        -b "dc=example,dc=local" \
        -D squid@example.local \
        -w "squidpass" \
        -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=Internet Users Full Log,ou=Security Groups,ou=MyBusiness,dc=example,dc=local))" \
        -h domaincontroller1.example.local
####### acl for proxy auth and ldap authorizations
acl auth proxy_auth REQUIRED
# format "acl, aclname, acltype, acltypename, activedirectorygroup"
acl RestrictedAccessLog external internet_users Internet\ Users
acl FullAccessNoLog external internet_users_full_nolog Internet\ Users\ Full\ NoLog
acl FullAccessLog external internet_users_full_log Internet\ Users\ Full\ Log
acl whitelistsites url_regex -i "/etc/squid3/whitelistsites.txt"
acl blockedsites url_regex -i "/etc/squid3/blockedsites.txt"
####### squid defaults
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
####### enforce auth: order of rules is important for authorization levels
no_cache deny whitelistsites
http_access allow whitelistsites
http_access allow FullAccessNoLog auth
http_access allow FullAccessLog auth
http_access deny blockedsites
http_access allow RestrictedAccessLog auth
####### logging
# don't log whitelistsites, FullAccessNoLog
access_log /var/log/squid3/access.log squid !whitelistsites !FullAccessNoLog
####### squid defaults
http_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

touch /etc/squid3/whitelistsites.txt
touch /etc/squid3/blockedsites.txt
invoke-rc.d squid3 restart

Proxy Auto Configuration

Install Apache2:

apt-get install apache2

Add a configuration to Apache2 to identify the file format of the proxy configuration script.

vi /etc/apache2/conf.d/wpad.dat

AddType    application/x-ns-proxy-autoconfig .dat

Create our wpad.dat file used by web browsers for configuration:

vi /var/www/wpad.dat

Change the line starting with $proxy to your proxy's FQDN (highlighted text).

function FindProxyForURL(url, host)
{
        $proxy = "PROXY squidproxy.example.local:3128";
        // URLs within this network are accessed direct
        if (isInNet(host, "192.168.0.0", "255.255.0.0"))        {return "DIRECT";}
        if (isInNet(host, "172.16.0.0", "255.240.0.0"))         {return "DIRECT";}
        if (isInNet(host, "10.0.0.0", "255.0.0.0"))             {return "DIRECT";}
        if (isInNet(host, "127.0.0.0", "255.0.0.0"))            {return "DIRECT";}
        //Return proxy for EVERYTHING else
        else return $proxy;
}

Restart Apache2:

invoke-rc.d apache2 restart

WPAD DNS entries

Warning: Once you add the following DNS entry the proxy will become live. Stop at this point and check.

1. That client browsers are using Integrated Windows Authentication
2. That you have added all users to the relevant Internet Users security groups in AD
3. That all client browsers are set to use automatically detect proxy settings for internet access. Using group policy is a sensible option here or perhaps restrict outbound HTTP access on your firewall to weed out users without auto-detection configured.

Test access with Internet Explorer by Ticking "Use automatic configuration script" and insert http://squidproxy.example.local/wpad.dat (change the proxy FQDN to yours of course) in the address field and then access any websites. Good luck, I hope it works! Stop here and troubleshoot if it is not working or else you will end up with a lot of angry users!

Add a CNAME record in DNS to point wpad.example.local to squidproxy.example.local

Note: Server 2008 comes with a security measure that blocks wpad, I have also seen it on server 2003

To remove the wpad DNS restriction, but leave the Blocklist enabled, run Regedit and open the following location.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\GlobalQueryBlockList

Server 2008 will likely have the entries of WPAD and ISATAP. Remove the WPAD entry and restart the DNS service for it to reload the Blocklist. You should then be able to resolve wpad.example.local

Then set your browser to use Proxy auto configuration. All modern web browsers follow the wpad standard and will attempt to lookup http://wpad.example.local/wpad.dat for their configuration information.

More information about WPAD can be found here: http://wiki.squid-cache.org/Technology/WPAD/DNS

Check your squid logs to see that the browsers are using the proxy.

Optional: Install Cyphin Reporter

With the proxies we operate we need decent reporting. Programs like sarg, mysar etc. were not cutting it as decent reporting options for monitoring user internet usage. Cyfin Reporter by Wavecrest has proven to be a very capable and intuitive reporting system with plenty of features.

This is how to setup and install Cyfin Reporter with squid on Debian Squeeze.

The latest Cyfin Reporter version at the time of writing is version 8.5. Check the following locations depending on your architecture before you download and update the following commands where necessary.

So your install might look something like this...

cd /usr/local/src/
wget "http://downloads.wavecrest.net/release/cyfin/linux32/v850/c850linux32.bin.gz"
gunzip c850linux32.bin.gz
chmod +x c850linux32.bin

N.B The Install Anywhere program screws around with PS1, so changing this for the current shell resolves the issue.

export PS1=">"
./c850linux32.bin

When prompted about the install path enter it as

 ENTER AN ABSOLUTE PATH, OR PRESS  TO ACCEPT THE DEFAULT
      : /opt/wavecrest/cyfin

Accept everything else as default.

We need to create an initscript to start and stop cyfin the Debian way.

vi /etc/init.d/cyfin

#! /bin/sh
### BEGIN INIT INFO
# Provides:          cyfin
# Required-Start:    $network $remote_fs
# Required-Stop:     $network $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: cyfin reporter initscript
### END INIT INFO
NAME=cyfin
SCRIPTNAME=/etc/init.d/$NAME
# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh
# Define LSB log_* functions.
# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
# and status_of_proc is working.
. /lib/lsb/init-functions
case "$1" in
        start)          sh /opt/wavecrest/cyfin/cyfin start
        ;;
        stop)           sh /opt/wavecrest/cyfin/cyfin stop
        ;;
        status)         sh /opt/wavecrest/cyfin/cyfin start
        ;;
        restart)        sh /opt/wavecrest/cyfin/cyfin restart
        ;;
        *)              echo "Usage: $SCRIPTNAME {start|stop|status|restart}" >&2
                        exit 3
        ;;
esac
:

chmod +x /etc/init.d/cyfin
update-rc.d cyfin defaults

Configuring Cyfin Reporter would require a brand new tutorial so here is the basics.

Access the configuration GUI via http://squidproxy.example.local:7999. The logon by default is "admin" for the username and password.

• Use the help in the GUI as the documentation is very good.
• Check the FAQs at http://www.wavecrest.net/support/cyfin/reporter/faqs.html
• Use the Quick Start menu to setup the basics, which are fairly straight forward.
• Enable the Data Manager to import log files and setup a log file import schedule.
• use the integration into Active Directory, you can use the squid account created for LDAP auth to also extract information from Active Directory.
• Configure a schedule to import User lists from Active Directory.
• You should ensure your users are part of a security group or distribution group in Active Directory and add these groups to Cyfin Reporter.
• Assign the departments Manager as the recipient of email reports.
• Setup access accounts for staff with permission to view the logs.

If you use Cyfin Reporter you need to account for additional memory usage so be sure to allocate enough resources to run it.

That concludes the tutorial. Hope it helps.

This page is licensed under a Creative Commons License.