Tiny Web Proxy And Content Filtering Appliance On CentOS 6 (Version 1.4) - Page 2
Step 5. Adjust firewall settings to allow network users to connect to Squid
In order to adjust the firewall settings we need to install a console-based program called system-config-firewall-tui, so type in the root terminal:
yum install system-config-firewall-tui
The settings that need to be customized are shown on the following screenshots:
Screen 1. Select customize firewall button
Screen 2. Enable access to port 80 for WWW (see description of Apache installation later) and press Forward.
Screen 3. Add port 3128 and set protocol to TCP.
Screen 4. Then press Forward and Close.
Again restart your network subsystem by typing
in the root terminal or by just restarting the virtual machine.
Verify that Squid runs correctly by pointing your browser to the IP address of the proxy server (192.168.1.4) and surfing to some of your favorite websites.
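Added check, not part of the howto: once the TUI has opened ports 80 and 3128, this script audits the output of iptables -S INPUT and reports whether each ACCEPT rule is limited to a source network or admits any host (the TUI itself adds no source restriction, so the proxy and the report pages are reachable from every network the VM is attached to). The embedded rules are a constructed sample and the 192.168.1.0/24 LAN is an assumption.

```shell
#!/bin/sh
# Constructed sample of `iptables -S INPUT` on the CentOS 6 VM: the rules the
# TUI generates for 22/80/3128 plus one hand-added LAN-only rule for 3128.
# On the real machine use: SAMPLE_RULES=$(iptables -S INPUT)
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# rule_scope RULES PORT -> prints "none" (no ACCEPT rule for the port),
# "any" (ACCEPT without -s, open to every source) or the source network
# of the first matching ACCEPT rule.
rule_scope() {
    rules=$1; port=$2
    # trailing space after the port keeps "--dport 80 " from matching 8080
    line=$(printf '%s\n' "$rules" | grep -- "--dport $port " | grep -- '-j ACCEPT' | head -n 1)
    [ -n "$line" ] || { echo none; return 0; }
    src=$(printf '%s\n' "$line" | sed -n 's/.* -s \([^ ]*\).*/\1/p')
    [ -n "$src" ] && echo "$src" || echo any
}

# suggested_rule PORT NET -> the LAN-only rule an admin would insert instead
suggested_rule() {
    echo "iptables -I INPUT -s $2 -p tcp -m state --state NEW -m tcp --dport $1 -j ACCEPT"
}

# audit RULES NET -> one line per port the howto opens; exit 1 if any is open to all
audit() {
    rules=$1; net=$2; status=0
    for port in 80 3128; do
        scope=$(rule_scope "$rules" "$port")
        case "$scope" in
            none) echo "tcp/$port: no ACCEPT rule (service unreachable)" ;;
            any)  echo "tcp/$port: open to any source; consider: $(suggested_rule "$port" "$net")"
                  status=1 ;;
            *)    echo "tcp/$port: limited to $scope" ;;
        esac
    done
    return $status
}

# With the sample above, port 80 is reported as open to any source.
audit "$SAMPLE_RULES" 192.168.1.0/24 || true
```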
Step 6. Install Apache
It is also a good idea to have a web server installed on the virtual machine. This web server will later host the status and report information for Squid and QuintoLabs Content Security. In order to install Apache type the following in the root terminal:
yum install httpd php
Make the Apache service autostart on system boot by typing
chkconfig httpd on
in the command prompt. Reboot your VM or just start Apache for the first time manually by typing
service httpd start
Open your browser and navigate to http://192.168.1.4. You should see the “It Works!” greeting from Apache.
Step 7. Install QuintoLabs Content Security 1.4.0
The next step is to install Content Security 1.4 for Squid from QuintoLabs (I will refer to it as qlproxy further in the text). For those who do not know, QuintoLabs Content Security is an ICAP daemon/URL rewriter that integrates with an existing Squid proxy server and provides rich content filtering functionality to sanitize web traffic passing into an internal home/enterprise network. It may be used to block illegal or potentially malicious file downloads, remove annoying advertisements, prevent access to various categories of web sites and block resources with explicit content (i.e. prohibit explicit and adult content).
Unfortunately QuintoLabs does not yet have an online package repository for qlproxy, so we have to get the CentOS/RedHat RPM package manually from the QuintoLabs web site at http://www.quintolabs.com/qlicap_download.php using your favorite browser and upload the package to the system using scp. Another way is to type the following command in the root terminal (as one line):
curl http://www.quintolabs.com/qlproxy/binaries/1.4.0/qlproxy-1.4.0-72bbf.i386.rpm > qlproxy-1.4.0-72bbf.i386.rpm
Wait a little until the download completes (approx. 21Mb) and run the following command to install the downloaded package:
rpm --install qlproxy-1.4.0-72bbf.i386.rpm
The RPM manager will run for a while and the program will be installed into /opt/quintolabs/qlproxy and /var/opt/quintolabs/qlproxy.
NOTE: this howto assumes you have SELinux disabled on your machine. For notes on installing qlproxy on a system with SELinux enabled, see their web site and the sample SELinux policy installed in /opt/quintolabs/qlproxy/usr/share/selinux. In order to disable SELinux set SELINUX=disabled in /etc/selinux/config and reboot.
Now we need to configure qlproxy and integrate it with Squid. The configuration files are plain text, stored in /opt/quintolabs/qlproxy/etc/*.conf, and rather simple to modify, with a handful of comments inside. I am going to perform the following modifications:
Good for now, let us issue a restart command to make the qlproxyd daemon reload the configuration:
/etc/init.d/qlproxy restart
Next we need to integrate it with Squid. As the qlproxy daemon supports the shiny ICAP protocol, this is a little bit different from the url_rewrite_program integration described in the previous version of this howto. By the way, the README file in /opt/quintolabs/qlproxy/ contains instructions on how to do that. Anyway, here are the steps required:
Now restart Squid by typing
service squid restart
in the root terminal. After the restart, try surfing the same sites with your browser and see how nicely ads are blocked. Another useful test is to go to the eicar.com web site and try to download the sample artificial eicar.com virus to see that .com files are blocked by the download filter.
Note: for those of you who must stick with Squid 2.7 for some other reason, or if you are on Windows(!), qlproxy can be integrated with Squid as a URL rewriter. Open /etc/squid/squid.conf, find the url_rewrite_program section and add the following (as one line):
url_rewrite_program /opt/quintolabs/qlproxy/sbin/qlproxyd_redirector --config_path=/opt/quintolabs/qlproxy/etc/qlproxyd.conf
The last thing to do is to integrate qlproxy with Apache to be able to see the reports on user activities, which are generated once a day. This is actually quite easy: open the /etc/httpd/httpd.conf file and add the following near the </VirtualHost> directive:
Alias /qlproxy /var/opt/quintolabs/qlproxy/www
<Directory /var/opt/quintolabs/qlproxy/www>
    Options FollowSymLinks
    AllowOverride None
</Directory>
Now reload Apache by typing in the terminal
service httpd restart
You can navigate to http://192.168.1.4/qlproxy to see the generated reports. The funny thing is that qlproxy blocks access by IP address according to our settings in httpblock.conf described earlier. A solution would be to add 192.168.1.2 as an entry to /opt/quintolabs/qlproxy/etc/exceptions.conf or just tell the browser not to use the proxy for this address.
Finally everything is in place to start accelerated, secure web surfing without adverts: point your browser to 192.168.1.4 port 3128, surf to your favorite web sites and see the difference. IP addresses in URLs are blocked, and so are explicit adult content sites. The VMware virtual machine takes no more than 512 MB and the surfing experience is quite acceptable. The system is automatically updated once a day with the latest URL block list and advert subscriptions and requires minimal additional maintenance.
Used documentation links