Tiny Web Proxy And Content Filtering Appliance (Version 1.2) With Debian Squeeze - Page 2

Want to support HowtoForge? Become a subscriber!
 
Submitted by sichent (Contact Author) (Forums) on Fri, 2011-04-15 14:20. ::

Step 4. Install Apache 2

It is also a good idea to have a web server installed on the virtual machine. This web server will later host the status and report information for Squid and Content Security for Squid Proxy. In order to have the Apache2 installed issue the following commands in the root terminal:

# apt-get install apache2 libapache2-mod-php5

Then open your browser and navigate to http://192.168.1.2. You should see the “It Works!” greetings from Apache.

 

Step 5. Install QuintoLabs Content Security 1.2

Next step would be to install the Content Security 1.2 for Squid from QuintoLabs (I will refer to it as qlproxy further in text). NOTE: this part was upgraded from the previous version of this howto. The 1.2 version of qlproxy now supports ICAP based integration with Squid and is much easier to install.

For those who do not know, qlproxy is a content filtering server to be used as a companion to the Squid web proxy that (citation) "allows the administrator to filter/block web downloads, remove advertisements and banners and control web site usage by the proxy clients" (i.e. prohibit explicit and adult content).

Unfortunately QuintoLabs does not yet have online package repository with qlproxy but I heard it will change in the future :). So until it happens we have to get the Debian 6 package of qlproxy manually from the QuintoLabs web site at http://www.quintolabs.com/qlicap_download.php using your favorite browser (thorough your new squid of course :) ) and upload the package to the system using scp. Another (much easier) way would be to type the following commands in the root terminal:

# wget http://www.quintolabs.com/qlproxy/binaries/1.2.217.0/qlproxy-1.2-debian-1.2.217_i386.deb

Wait a little until the download completes (approx. 20Mb) and run the following command to install the downloaded package

# dpkg –install qlproxy-1.2-debian-1.2.217_i386.deb

Installer will run and after a short while the program will be installed into /opt/quintolabs/qlproxy.

Now we need to configure it and integrate it with Squid. The configuration files are plain text and stored in /opt/quintolabs/qlproxy/etc/*.conf and rather simple to modify with a handful of comments inside. I am going to perform the following modifications:

  1. Change the default blocked template to the minimal by commenting out the blocked_page=/opt/quintolabs/qlproxy/redirect/blocked.html and uncommenting blocked_page=/opt/quintolabs/qlproxy/redirect/blocked_minimal.html. This is done to get the empty blank page on the screen when qlproxy blocks something. The idea for this is to have nothing on the browser screen instead of default text “this item was blocked…”. When QuintoLabs adds a default 1x1 pixel for blocked ads in the next version this step would be irrelevant… but for now it is ok.
  2. I personally do not like excessive advertizing on the web sites so as I often browse through Russian and German web sites I will also enable adblock filtering by uncommenting the corresponding Russian and German adblock subscriptions in /opt/quintolabs/qlproxy/etc/adblock.conf file. I also do not like sites tracking me so I usually uncomment easy_privacy subscription in the same file.
  3. My kids sometimes play online games on my computer so I prefer to set the level of adult blocking heuristics to high in the /opt/quintolabs/qlproxy/etc/adultblock.conf file –by changing from heuristics_level = normal to heuristics_level = high. If anything is falsely blocked by the qlproxy I can later add it to the exceptions.conf file to have it passed through.
  4. I heard that worms, trojans and other malware related software often connect to the world by IP addresses so I put a magic regexp into the /opt/quintolabs/qlproxy/etc/httpblock.conf file to filter them out url = http://\d+\.\d+\.\d+\.\d+/.*

Good for now, let us issue a restart command to make the qlproxyd daemon reload the configuration:

#/etc/init.d/qlproxy restart

Next we need to integrate it with Squid. As the qlproxy daemon now supports the shiny ICAP protocol this is a little bit different from the url_rewrite_program integration described in the previous version of this howto. By the way, README file in /opt/quintolabs/qlproxy/ contains instructions on how to do that. Anyway here are the steps required:

  1. Open the /etc/squid3/squid.conf in nano by typing

    #nano /etc/squid3/squid.conf

    in the root terminal
  2. Find and change the icap_enable off directive to icap_enable on
  3. Uncomment icap_preview_enable on directive
  4. Uncomment and change icap_preview_size -1 directive to icap_preview_size 4096
  5. Uncomment directive icap_persistent_connections on
  6. Uncomment and change directive icap_send_client_ip off to icap_send_client_ip on
  7. Uncomment and change directive icap_send_client_username off to icap_send_client_username on
  8. Find the icap_service section with commented out samples for different services and add somewhere there two lines icap_service qlproxy1 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod and icap_service qlproxy2 respmod_precache bypass=0 icap://127.0.0.1:1344/respmod
  9. Find the adaptation_access section and add the following two lines adaptation_access qlproxy1 allow all and adaptation_access qlproxy2 allow all
  10. Write the changes to file and close nano by typing Ctrl+o and then Ctrl+x

Now restart the squid by typing

# service squid3 restart

in the root terminal. After restart try surfing the same sites with your browser and see how nicely ads are blocked. Another useful test is to go to the eicar.com web site and try to download a sample artificial eicar.com virus to see that com files are blocked by the download filter.

Note: for those of you who must stick with squid 2.6 for performance reasons the url rewriter integration is quite straightforward. Open /etc/squid3/squid.conf and find the url_rewrite_program section. Add the following url_rewrite_program /opt/quintolabs/qlproxy/sbin/qlproxyd_redirector --config_path=/opt/quintolabs/qlproxy/etc/qlproxyd.conf

The last thing to do is to integrate the qlproxy with Apache to be able to see the reports on user activities generated once a day. This is actually quite easy, open the /etc/apache2/sites-enabled/default file and add the following to it near the </VirtualHost> directive:

Alias /reports /opt/quintolabs/qlproxy/reports
   <Directory /opt/quintolabs/qlproxy/reports >
        Options FollowSymLinks
        AllowOverride None
   </Directory>

Now reload the apache by typing in the terminal #service apache2 restart.

You can navigate to http://192.168.1.2/reports to see the generated reports. The funny thing is that qlproxy blocks access by the IP address according to our settings in httpblock.conf described earlier. Solution would be to add the 192.168.1.2 as entry to the /opt/quintolabs/qlproxy/etc/exceptions.conf or just tell the browser not to use proxy for this address.

 

Resume

Finally everything is in place to start the accelerated secure web surfing without adverts – point your browser to 192.168.1.2 port 3128 and browse to your favorite website and see the difference. The IP addresses in URLs are blocked and explicitly adult content sites too. The VMWare takes not more than 256 MB and surfing experience is quite acceptable. The system is automatically updated once a day for the latest url block list and advert subscriptions and requires minimal additional maintenance.

 

Used Documentation Links


Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Submitted by Anonymous (not registered) on Mon, 2011-04-18 17:50.

Hi all,

I would like to add a few quick notes for those who are using this setup where the server is not 192.168.1.2.

  1.  You must disable your web filters IP by adding "client =  <Your Server's IP>" in exceptions.conf to allow you server to get updates.
  2. You must add "server = <Your Server's IP>" to exceptions.conf as well. By adding your ip to the server list you will be able to access your servers reports.
  3. Lastly, I would recommend running /opt/quintolabs/qlproxy/sbin/qlproxy_update in order to get the latest blacklists.

 Otherwise, everything worked properly.

 

Submitted by seb (not registered) on Sat, 2011-04-16 14:56.

Hi,

Thank you for this nice tuto, it's really cool.

Just a few comments:

Page 2, step 5, use

dpkg --install qlproxy-1.2-debian-1.2.217_i386.deb

instead of

dpkg -install qlproxy-1.2-debian-1.2.217_i386.deb

Amazingly, following your advices, I'm still able to download the eicar.com file.

Nevertheless, Big up for you !