Tiny Content Filtering And Web Acceleration Appliance (Ubuntu, Squid, Apache, VMWare)
This small HOWTO shows how to set up a small virtual machine that speeds up and secures web surfing on a home / small enterprise network, using Ubuntu Server 10.10, Squid 3.1 and QuintoLabs Content Security 1.0 deployed in VMWare Virtual Player running on Windows 7 x64 as the host operating system.
Previously I tested interesting applications using VMWare Virtual Server 1.0 and later 2.0, but I was always frustrated by the complex setup procedure of such a heavyweight, browser-based virtualization beast. Not long ago I found out that VMWare Virtual Player is capable of creating virtual machines, and I was very pleased with its performance and the simplicity of its installation.
Step 1. Download and Install Ubuntu Server 10.10
Go to http://www.ubuntu.com/server and get the latest version of Ubuntu Server (10.10), 32-bit. The site recommends the 64-bit build, but as we are building a small virtual machine with 256 MB of RAM the 32-bit one will suffice for our purposes.
Start VMWare Virtual Player and create a new virtual machine with the following hardware parameters: name virtual-qlproxy, hard disk 8 GB. Press the "Customize the hardware" button, delete the floppy, USB controller, printer and sound card, and set the amount of memory to 256 MB. Switch the network adapter from "NAT" to "Bridged" so the proxy gets its own address on the LAN and the other machines can reach it. Point the virtual CD-ROM to the Ubuntu Server ISO image you downloaded and start the virtual machine.
Follow the steps of the Ubuntu install wizard, mostly accepting the defaults. The only settings that need to be chosen are the hostname (I set it to virtual-qlproxy) and the login name and password (I used user and P@ssw0rd; on a machine that sits on a bridged LAN interface and runs sshd, pick something stronger than a well-known example password). Now wait a little until the installation is complete and reboot the system.
Step 2. Perform post install configuration of Ubuntu
The network interface of our freshly installed Ubuntu server is configured by DHCP. While it is possible to leave it like this, it means that every time the server is restarted it may be assigned a different IP address, and every proxy client would then have to be repointed. The easiest fix is a static address. To set one, edit /etc/network/interfaces by typing the following in the terminal:
sudo nano /etc/network/interfaces
Find the line iface eth0 inet dhcp in the file and replace it with the following stanza:
iface eth0 inet static
    address 192.168.1.2
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway 192.168.1.1
NOTE: The settings above (IP addresses) are valid for my environment, which connects to the ISP through a Cisco/LinkSys Wireless N Broadband Router with a built-in DHCP server that hands out internal addresses from the 192.168.1.* private subnet. Your router may use a different subnet, so adjust accordingly. Pick an address outside the router's DHCP pool (or reserve it on the router) so that 192.168.1.2 is never handed to another client.
One more thing left to do is adjust the DNS settings. Run the following command in the terminal...
sudo vi /etc/resolv.conf
... and add the IP address of the DNS server that runs on router:
nameserver 192.168.1.1
Now restart networking by typing...
sudo /etc/init.d/networking restart
... in the terminal, or just restart the virtual machine. Afterwards confirm that networking works correctly by typing in the terminal:
ping -c 3 192.168.1.1
nslookup google.com
There should be no errors in the output of these commands.
Step 3. Install Squid Web Caching Proxy
Next we need to install the Squid proxy server (the squid3 package; Ubuntu 10.10 ships Squid 3.1). Type the following in the terminal:
sudo apt-get install squid3
The squid package is downloaded and installed automatically. The only thing left is to let the clients on our network use it: out of the box Squid only accepts requests from localhost. Open the Squid configuration file by typing...
sudo nano /etc/squid3/squid.conf
... and uncomment the following two lines: acl localnet src 192.168.0.0/16 and http_access allow localnet. Squid evaluates http_access rules top to bottom and stops at the first match, so the allow line must stay above the final http_access deny all. The stock ACL covers the whole 192.168.0.0/16 range; with a bridged adapter the proxy is reachable by anything on the LAN, so narrow it to the subnet you actually use, for example acl localnet src 192.168.1.0/24.
Save the file and restart Squid (the squid3 package installs its init script as squid3) by typing:
sudo /etc/init.d/squid3 restart
To verify that Squid runs correctly, configure your browser to use the proxy server (192.168.1.2, port 3128) as its HTTP proxy and surf to a few web sites. The requests should appear in /var/log/squid3/access.log.
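To check the access-control part of squid.conf before trusting it, here is a small linter added as an example; it is not part of the HOWTO or of the Squid project. It assumes the LAN is 192.168.1.0/24 and the proxy listens on 192.168.1.2:3128 (both taken from this setup). The probe_proxy function needs curl and a running Squid and is not run by the script itself.

```shell
#!/bin/sh
# Added example (not from the HOWTO or the Squid project): lint the
# http_access part of /etc/squid3/squid.conf.
# Checks: the localnet ACL and its allow rule are uncommented, the allow
# comes before "http_access deny all" (Squid stops at the first matching
# http_access line), and warns when localnet is the broad 192.168.0.0/16
# instead of the /24 actually used on this LAN.
LAN_PREFIX='192.168.1.0/24'   # assumption: the subnet used in this HOWTO

# Usage: check_squid_acl /etc/squid3/squid.conf
# Prints findings; exit status 0 means LAN clients will be allowed.
check_squid_acl() {
    conf=$1
    status=0
    # Drop comments and blank lines so commented-out defaults are not counted.
    active=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf")
    if ! printf '%s\n' "$active" | grep -Eq '^[[:space:]]*acl[[:space:]]+localnet[[:space:]]+src[[:space:]]'; then
        echo "FAIL: no active 'acl localnet src ...' line"
        status=1
    fi
    allow_line=$(printf '%s\n' "$active" | grep -nE '^[[:space:]]*http_access[[:space:]]+allow[[:space:]]+localnet' | head -n 1 | cut -d: -f1)
    deny_line=$(printf '%s\n' "$active" | grep -nE '^[[:space:]]*http_access[[:space:]]+deny[[:space:]]+all' | head -n 1 | cut -d: -f1)
    if [ -z "$allow_line" ]; then
        echo "FAIL: 'http_access allow localnet' is missing or still commented out"
        status=1
    elif [ -n "$deny_line" ] && [ "$allow_line" -gt "$deny_line" ]; then
        echo "FAIL: 'http_access allow localnet' comes after 'http_access deny all', so it never matches"
        status=1
    fi
    if printf '%s\n' "$active" | grep -Eq 'acl[[:space:]]+localnet[[:space:]]+src[[:space:]]+192\.168\.0\.0/16'; then
        echo "WARN: localnet is 192.168.0.0/16; narrow it to $LAN_PREFIX"
    fi
    return $status
}

# Live check from a LAN client once Squid is running (needs curl).
# The status line should be a 200 (or a redirect) from the origin site;
# a client outside localnet gets 403 Forbidden and a TCP_DENIED log entry.
probe_proxy() {
    curl -sI -x "http://${1:-192.168.1.2}:3128" http://www.ubuntu.com/ | head -n 1
}
```

Run it on the proxy as sh lint.sh after sourcing the function, i.e. `. ./lint.sh && check_squid_acl /etc/squid3/squid.conf`, then `probe_proxy` from a LAN client; `squid3 -k parse` remains the authoritative syntax check.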
Step 4. Install Apache 2
It is also a good idea to have a web server installed on the virtual machine. It will later host the status and report pages for Squid and Content Security for Squid Proxy. To install Apache 2 issue the following command in the terminal...
sudo apt-get install apache2 libapache2-mod-php5
... then open your browser and navigate to http://192.168.1.2. You should see the "It works!" greeting from Apache.
Step 5. Install QuintoLabs Content Security 1.0
The next step is to install Content Security 1.0 for Squid from QuintoLabs (I will refer to it as qlproxy in the rest of the text). Go to the download area of the QuintoLabs web site, http://quintolabs.com/qlicap_download.php, and download the DEB package for Ubuntu. For those who do not know, qlproxy is a content filtering server used as a companion to the Squid web proxy: it lets you filter/block web downloads, remove advertisements and banners, and control web site usage by the proxy clients (e.g. prohibit explicit and adult content).
For now the program integrates with Squid as URL rewriter but the ICAP and/or eCAP integration is on the way. Anyway current URL rewriter capability will suffice for our needs. So in order to install the qlproxy navigate to the downloaded *.deb package in the terminal and type the following command:
sudo dpkg --install qlproxy_1.0.950.0_i386.deb
The installer runs and after a short while the program is installed into /opt/quintolabs/qlproxy. Now we need to configure it and integrate it with Squid. The configuration files are plain text, stored as /opt/quintolabs/qlproxy/etc/*.conf, and are simple to modify with the help of the comments inside. I am going to make the following modifications:
- Redirect the proxy clients to the local instance of Apache server when the traffic is being blocked - to do it open the qlproxyd.conf file and find the qls_redirect_url = http://www.quintolabs.com/redirect/index.php line and change it to qls_redirect_url = http://192.168.1.2/redirect/index.php.
- I personally do not like excessive advertising on the web sites so as I often browse through Russian and German web sites I will also enable adblock filtering by uncommenting the corresponding russian and german adblock subscriptions in qladb.conf file.
- My kids sometimes play online games on my computer so I prefer to set the level of adult blocking heuristics to high in the qlproxyd.conf file - by changing from qlurlb_heuristics_level = normal to qlurlb_heuristics_level = high. If anything is blocked by the qlproxy I can later add it to the exceptions.conf file to have it passed through.
- Worms, trojans and other malware often call home by raw IP address rather than by domain name, so I put a regexp into the qlhttpb.conf file to filter such URLs out: url = http://\d+\.\d+\.\d+\.\d+/.* Two caveats: the pattern as written does not match an IP URL with an explicit port (http://1.2.3.4:8080/...), and HTTPS traffic goes through Squid as CONNECT host:port, which never looks like an http:// URL, so the rule only covers plain HTTP. It also matches our own block page at http://192.168.1.2/redirect/...; if that URL passes back through the rewriter, add 192.168.1.2 to exceptions.conf so the rule cannot block the block page.
Good for now, let us issue a restart command to make the qlproxyd daemon reload the configuration:
sudo /etc/init.d/qlproxy stop && sudo /etc/init.d/qlproxy start
Next we need to integrate it with Squid. As qlproxy uses the URL rewriter interface of Squid, the integration is straightforward and works for both Squid 3 and Squid 2. Open /etc/squid3/squid.conf, find the url_rewrite_program section and add the following line: url_rewrite_program /opt/quintolabs/qlproxy/sbin/qlproxyd_redirector --config_path=/opt/quintolabs/qlproxy/etc/qlproxyd.conf
The number of URL rewriter helpers needs to be set to a reasonable value. Five fit nicely for the kind of networking environment I have in place, so set url_rewrite_children to 5 (each helper is a separate process, so more helpers cost more of the 256 MB). The URL rewriter is single threaded, so leave url_rewrite_concurrency at its default value of 0.
The integration with Squid is now complete, and we can restart Squid and see if it is able to start the URL rewriters. Issue the following command in the terminal...
sudo /etc/init.d/squid3 restart
... after restart finishes the...
ps aux | grep qlproxy
... should show the five qlproxyd_redirector instances started by Squid plus the qlproxyd daemon itself (and the grep command you just typed).
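Now that every request passes through the rewriter, it is worth seeing exactly what the IP-literal rule from qlhttpb.conf does and does not catch. The script below is an added example, not part of the HOWTO or of qlproxy: it runs the HOWTO's pattern (grep -E has no \d, so it is spelled with [0-9]) and a tightened variant over a few constructed Squid access.log lines. The proxy address 192.168.1.2 comes from this setup; the log lines and the 203.0.113.7 host are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the HOWTO or qlproxy): exercise the IP-literal URL
# rule from qlhttpb.conf,   url = http://\d+\.\d+\.\d+\.\d+/.*
# against constructed Squid access.log lines (native log format:
# time elapsed client action/code size method url ident hierarchy type).
SAMPLE_LOG='1292000001.123    45 192.168.1.10 TCP_MISS/200 5123 GET http://www.ubuntu.com/server - DIRECT/91.189.94.156 text/html
1292000002.456    12 192.168.1.10 TCP_MISS/200 812 GET http://203.0.113.7/gate.php?id=42 - DIRECT/203.0.113.7 text/plain
1292000003.789     8 192.168.1.11 TCP_MISS/200 377 GET http://192.168.1.2/redirect/index.php - DIRECT/192.168.1.2 text/html
1292000004.012   330 192.168.1.11 TCP_MISS/200 0 CONNECT 203.0.113.7:443 - DIRECT/203.0.113.7 -
1292000005.345    60 192.168.1.12 TCP_MISS/200 20480 GET http://203.0.113.7:8080/update.bin - DIRECT/203.0.113.7 application/octet-stream'

PROXY_HOST='192.168.1.2'   # assumption: the proxy / block-page host from this HOWTO

# Return 0 if the HOWTO's rule, as written, would match the URL.
matches_howto_rule() {
    printf '%s\n' "$1" | grep -Eq 'http://[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/'
}

# Tightened rule: anchored at the start, accepts an explicit port, and exempts
# the proxy host itself so the block page can never be blocked by its own rule.
matches_tight_rule() {
    case "$1" in
        "http://$PROXY_HOST/"*|"http://$PROXY_HOST:"*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^http://[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(:[0-9]+)?/'
}

# Classify each constructed log line: BLOCK / PASS by the tight rule, or
# UNSEEN for CONNECT, because the rewriter receives "host:port" for HTTPS,
# not an http:// URL, so neither rule ever sees it.
classify_log() {
    printf '%s\n' "$SAMPLE_LOG" | while read -r ts elapsed client code size method url rest; do
        if [ "$method" = CONNECT ]; then
            printf 'UNSEEN %s\n' "$url"
        elif matches_tight_rule "$url"; then
            printf 'BLOCK %s\n' "$url"
        else
            printf 'PASS %s\n' "$url"
        fi
    done
}

classify_log
```

Running it prints one line per sample request: the two 203.0.113.7 downloads are blocked (the HOWTO's pattern would have missed the :8080 one), the block page on 192.168.1.2 passes, and the CONNECT to 203.0.113.7:443 is never examined. Anything not covered by a URL rule, HTTPS included, needs a different control, for example Squid's own dst ACLs.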
The last thing to do is to integrate qlproxy with Apache so that we can see the reports on user activity (generated once a day) and serve the redirect pages that explain to users why their request was blocked. This is quite easy: open /etc/apache2/sites-enabled/000-default (the symlink to sites-available/default) and add the following inside the VirtualHost block. Options and AllowOverride only take effect inside a Directory section, and the reports need their own alias, /reports, rather than a second /redirect:
Alias /redirect /opt/quintolabs/qlproxy/redirect
<Directory /opt/quintolabs/qlproxy/redirect>
    Options FollowSymLinks
    AllowOverride None
</Directory>
Alias /reports /opt/quintolabs/qlproxy/reports
<Directory /opt/quintolabs/qlproxy/reports>
    Options FollowSymLinks
    AllowOverride None
</Directory>
Keep in mind that the reports show every user's browsing history and, configured like this, are readable by anyone on the LAN who can reach port 80 on 192.168.1.2.
Now restart Apache by typing in the terminal:
sudo /etc/init.d/apache2 restart
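Because the daily reports expose each user's browsing history, the /reports alias deserves tighter access than the block page. The following script, added here as an example and not part of the HOWTO or of QuintoLabs' package, prints an Apache 2.2 fragment (the version in Ubuntu 10.10, hence Order/Allow syntax) that keeps /redirect open to the LAN but puts /reports behind HTTP Basic authentication as well. The LAN range 192.168.1.0/24, the htpasswd file path and the install location are assumptions for this setup.

```shell
#!/bin/sh
# Added example (not from the HOWTO or QuintoLabs): Apache 2.2 config for the
# qlproxy aliases with the reports directory locked down.
QLPROXY_HOME=/opt/quintolabs/qlproxy
HTPASSWD_FILE=/etc/apache2/qlproxy.htpasswd   # assumption; create it with: sudo htpasswd -c /etc/apache2/qlproxy.htpasswd admin
LAN_RANGE=192.168.1.0/24                      # assumption: the subnet used in this HOWTO

# Print the fragment for /etc/apache2/sites-enabled/000-default.
# /redirect must stay reachable by every proxy client so the block page works;
# /reports additionally requires a login.
qlproxy_apache_fragment() {
    cat <<EOF
Alias /redirect $QLPROXY_HOME/redirect
<Directory $QLPROXY_HOME/redirect>
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from $LAN_RANGE
</Directory>

Alias /reports $QLPROXY_HOME/reports
<Directory $QLPROXY_HOME/reports>
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from $LAN_RANGE
    AuthType Basic
    AuthName "qlproxy reports"
    AuthUserFile $HTPASSWD_FILE
    Require valid-user
</Directory>
EOF
}

# Return 0 only if the /reports section both requires a login and is limited
# to the LAN range; used as a self-check before installing the fragment.
fragment_protects_reports() {
    reports=$(qlproxy_apache_fragment | sed -n "\#<Directory $QLPROXY_HOME/reports>#,\#</Directory>#p")
    printf '%s\n' "$reports" | grep -q 'Require valid-user' &&
    printf '%s\n' "$reports" | grep -q "Allow from $LAN_RANGE"
}

# On the proxy host: append the fragment (Alias/Directory are valid at server
# level, outside the VirtualHost block), test the syntax, then reload.
# Not run automatically; call install_fragment by hand.
install_fragment() {
    fragment_protects_reports || { echo 'fragment does not protect /reports' >&2; return 1; }
    qlproxy_apache_fragment | sudo tee -a /etc/apache2/sites-enabled/000-default >/dev/null
    sudo apache2ctl configtest && sudo /etc/init.d/apache2 reload
}

qlproxy_apache_fragment
```

Basic auth sends the password in the clear over plain HTTP, which is acceptable only because both ends sit on the same LAN; if the reports are ever reached across untrusted links, put them behind HTTPS as well.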
Summary
Finally everything is in place for accelerated, filtered web surfing without adverts: configure your browser to use 192.168.1.2 port 3128 as its HTTP proxy, browse to your favourite web site and see the difference. URLs that address servers by IP are blocked, and so are explicitly adult content sites. The virtual machine uses no more than 256 MB of RAM and the surfing experience is quite acceptable. The system updates its URL block list and advert subscriptions once a day automatically and requires minimal additional maintenance.