Web Filtering On Squid 3 With QuintoLabs Content Security 1.4 And Windows Active Directory Integration - Page 2

Step 4. Install Squid Web Caching Proxy

Now we need to install the Squid proxy on proxy.example.lan and set up Kerberos Negotiate authentication, so that users are not prompted for passwords while browsing through Squid and we still see the user name in the logs.

  1. Type

    # yum install squid

  2. Open /etc/squid/squid.conf and add the following line:

    visible_hostname proxy.example.lan

    Also check that the http_access allow localnet and acl localnet src entries are present in the config file.

  3. Make Squid autostart at system boot:

    # chkconfig squid on

  4. Reboot your VM or just start Squid for the first time manually:

    # service squid start

Verify that Squid runs correctly by pointing a user's browser on client.example.lan to the name of the proxy server (proxy.example.lan) and surfing to some of your favorite websites.

In order to enable Kerberos Negotiate Authentication on Squid do the following:

  1. Add entry to default keytab file (/etc/krb5.keytab) using Samba:

    [root@proxy ~]# net ads keytab add HTTP -U administrator

    Processing principals to add...
    Enter administrator's password:

  2. Verify the service principals were successfully written to the keytab file:


  3. Change owner of the /etc/krb5.keytab to squid:squid:

    # chown squid:squid /etc/krb5.keytab

    and set the access permissions to 400 (owner read-only):

    # chmod 400 /etc/krb5.keytab

    Note: this setup assumes Squid is the only kerberized service on the machine. If other kerberized services are present, the keytab should reside in the /etc/squid directory and Squid must be told to use it, e.g. through the KRB5_KTNAME environment variable.

  4. Add the following to Squid configuration file /etc/squid/squid.conf at the top of the file:

    # Setup NEGOTIATE authentication for Active Directory with Kerberos
    auth_param negotiate program /usr/lib/squid/negotiate_kerb_auth -s HTTP/proxy
    auth_param negotiate children 10
    auth_param negotiate keep_alive on
    # to see the negotiator log messages in the /var/log/squid/cache.log uncomment
    # debug_options 29,9 and pass additional -d parameter to negotiate_kerb_auth
    acl auth proxy_auth REQUIRED

    And the following after the "INSERT YOUR OWN RULE(S)" section:

    http_access deny !auth
    http_access allow auth
    # Example rule allowing access from your local networks.
    # Adapt localnet in the ACL section to list your (internal) IP networks
    # from where browsing should be allowed
    #http_access allow localnet
    #http_access allow localhost
    # And finally deny all other access to this proxy
    http_access deny all

Finally, restart the VM. Open Internet Explorer on client.example.lan: Squid should not ask for authentication, and the log files in /var/log/squid/*.log should contain the correct name of the browsing user.
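To check the Negotiate setup more systematically than eyeballing the log, here is an added example (not part of the original article) that parses Squid's native access.log format and reports which requests carry a user name; the log lines are constructed, and the field order assumed is Squid's default native format.

```python
import re
from collections import Counter

# Squid native access.log format, one request per line:
#   timestamp elapsed client code/status bytes method url user hierarchy/peer type
LOG_LINE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+'
    r'(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+'
    r'(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<mime>\S+)$'
)

# Constructed sample lines (not a real log): the 407 is Squid's Negotiate challenge
# (no user yet); the last line was allowed without a user and signals a misconfiguration.
SAMPLE_LOG = """\
1326100873.112      0 192.168.1.10 TCP_DENIED/407 3620 GET http://www.example.com/ - NONE/- text/html
1326100873.345    233 192.168.1.10 TCP_MISS/200 5123 GET http://www.example.com/ jdoe@EXAMPLE.LAN DIRECT/93.184.216.34 text/html
1326100874.001    120 192.168.1.11 TCP_MISS/200 812 GET http://intranet.example.lan/ asmith@EXAMPLE.LAN DIRECT/10.0.0.5 text/html
1326100875.500     90 192.168.1.12 TCP_MISS/200 2048 GET http://www.example.org/ - DIRECT/93.184.216.34 text/html
"""

def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield m.groupdict()

def audit_auth(text):
    """Return (requests per user, allowed requests without a user, 407 count)."""
    per_user = Counter()
    unauthenticated = []
    challenges = 0
    for rec in parse_log(text):
        if rec['status'] == '407':
            challenges += 1  # expected: the browser has not sent its ticket yet
            continue
        if rec['user'] == '-':
            # allowed through without a user name: an http_access allow rule
            # matched before 'deny !auth', or the helper failed
            unauthenticated.append((rec['client'], rec['url']))
        else:
            per_user[rec['user']] += 1
    return per_user, unauthenticated, challenges

if __name__ == '__main__':
    users, anon, challenged = audit_auth(SAMPLE_LOG)
    print(dict(users), challenged)
    for client, url in anon:
        print(f'WARNING: {client} reached {url} without authentication')
```

Run it against the real file with audit_auth(open('/var/log/squid/access.log').read()) once the browser has been through the proxy; any WARNING line means a request got past the deny !auth rule without a user name.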


Step 5. Install Apache Web Server

In order to be able to see the status and report information for Squid and QuintoLabs Content Security it is advised to also install Apache.

  1. Type the following in the root terminal:

    # yum install httpd php mod_wsgi

  2. Make Apache autostart on boot:

    # chkconfig httpd on

  3. Reboot your VM or just start Apache for the first time manually by typing

    service httpd start

Open your browser and navigate to http://proxy.example.lan. You should see the "It Works!" greeting from Apache.


Step 6. Install QuintoLabs Content Security 1.4.2

The next step is to install Content Security 1.4.2 for Squid from QuintoLabs (I will refer to it as qlproxy further in the text). For those who do not know, QuintoLabs Content Security is an ICAP daemon/URL rewriter that integrates with an existing Squid proxy server and provides rich content filtering functionality to sanitize web traffic passing into an internal home or enterprise network. It may be used to block illegal or potentially malicious file downloads, remove annoying advertisements, prevent access to various categories of web sites and block resources with explicit content (i.e. prohibit explicit and adult content).

Unfortunately QuintoLabs does not yet have an online package repository for qlproxy, so we have to get the CentOS/RedHat RPM package manually from the QuintoLabs web site at http://www.quintolabs.com/qlicap_download.php using your favorite browser and upload the package to the system using scp. Another way is to type the following command in the root terminal (as one line):

curl http://quintolabs.com/qlproxy/binaries/1.4.2/qlproxy-1.4.2-32d12.i386.rpm > qlproxy-1.4.2-32d12.i386.rpm

Wait until the download completes (approx. 21 MB) and run the following command to install the downloaded package:

rpm --install qlproxy-1.4.2-32d12.i386.rpm

The RPM manager will run for a while and the program will be installed into /opt/quintolabs/qlproxy and /var/opt/quintolabs/qlproxy.

The next step is to configure qlproxy and integrate it with Squid. The configuration files are plain text, stored in /opt/quintolabs/qlproxy/etc/*.conf, and simple to modify, with a handful of comments inside. I am going to perform the following modifications:

  1. As I personally do not like excessive advertising on the web, and as I often browse Russian and German sites, I will enable extended adblock filtering by uncommenting the corresponding Russian and German AdBlock subscriptions in the /opt/quintolabs/qlproxy/etc/adblock.conf file. I also do not like sites tracking me, so I usually uncomment the easy_privacy subscription in the same file.
  2. My kids sometimes play online games on my computer, so I prefer to set the level of the adult blocking heuristics to high in /opt/quintolabs/qlproxy/etc/adultblock.conf by changing heuristics_level = normal to heuristics_level = high. If anything is falsely blocked by qlproxy I can later add it to the exceptions.conf file to have it passed through.
  3. The Parental Controls module of 1.4.2 supports filtering of HTML page contents for banned words and phrases (like DansGuardian), and I will enable it too.
  4. The urlblock module, which uses a community-developed database of categorized domains, incorrectly puts blogspot.com into an adult category, so I add it to the exception list in /opt/quintolabs/qlproxy/etc/exceptions.conf to be able to read some of my favorite blogs hosted there.
  5. I know that worms, trojans and other malware-related software often connect to the world by IP address, so I put a magic regexp into the /opt/quintolabs/qlproxy/etc/httpblock.conf file to filter them out:

    url = http://\d+\.\d+\.\d+\.\d+/.*

After performing the changes, make the qlproxyd daemon reload the configuration by running

/etc/init.d/qlproxy restart
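As an added example (not from the article or from qlproxy itself), the following Python script shows what the httpblock.conf pattern above does and does not match, beside a host-based check that also catches IP-literal URLs with a port, with https or with an IPv6 address; the test URLs are constructed, and matching the pattern anchored at the start of the URL is an assumption, since the page does not say how qlproxy applies it.

```python
import re
import ipaddress
from urllib.parse import urlsplit

# The pattern from httpblock.conf exactly as given on this page.
AUTHOR_PATTERN = re.compile(r'http://\d+\.\d+\.\d+\.\d+/.*')

def matches_author_pattern(url):
    """True when the page's regexp fires on the URL. Anchoring at the start of
    the URL (re.match) is an assumption; how qlproxy applies the pattern is not
    documented on the page."""
    return AUTHOR_PATTERN.match(url) is not None

def has_ip_literal_host(url):
    """Hardened check: parse the URL and test whether its host is an IP address.
    This also catches port suffixes, https URLs and bracketed IPv6 literals,
    which the dotted-quad regexp lets through."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True

# Constructed test URLs: (url, host is an IP literal)
SAMPLES = [
    ('http://203.0.113.7/update.exe', True),   # plain dotted quad: both checks block
    ('http://203.0.113.7:8080/c2', True),      # port suffix: regexp misses it
    ('https://203.0.113.7/', True),            # https: regexp misses it
    ('http://[2001:db8::1]/', True),           # IPv6 literal: regexp misses it
    ('http://www.example.com/', False),        # ordinary host: both pass it
    ('http://1.2.3.4.example.com/', False),    # numeric-looking domain: both pass it
]

def missed_by_author_pattern():
    """Return the IP-literal URLs the page's regexp would not block."""
    return [u for u, is_ip in SAMPLES if is_ip and not matches_author_pattern(u)]

if __name__ == '__main__':
    for url in missed_by_author_pattern():
        print('not caught by the regexp:', url)
```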

Next we need to integrate it with Squid. As the qlproxy daemon supports the ICAP protocol this is quite easy, just follow these steps:

  1. Open the /etc/squid/squid.conf in vi by typing

    vi /etc/squid/squid.conf

    in the root terminal.
  2. Add the following lines somewhere at the end of the file:

    icap_enable on
    icap_preview_enable on
    icap_preview_size 4096
    icap_persistent_connections on
    icap_send_client_ip on
    icap_send_client_username on
    icap_service qlproxy1 reqmod_precache bypass=0 icap://
    icap_service qlproxy2 respmod_precache bypass=0 icap://
    adaptation_access qlproxy1 allow all
    adaptation_access qlproxy2 allow all

Now restart Squid by typing

service squid restart

in the root terminal. After the restart, try surfing the same sites with your browser and see how nicely ads are blocked. Another useful test is to go to the eicar.com web site and try to download the sample artificial eicar.com virus file to see that .com files are blocked by the download filter.

The last thing to do is to integrate qlproxy with Apache to be able to see the reports on user browsing activity. This is actually quite easy: open the /etc/httpd/httpd.conf file and add the following near the </VirtualHost> directive:

   WSGIScriptAlias /qlproxy.cgi /var/opt/quintolabs/qlproxy/www/data/qlproxy.wsgi
   <Directory /var/opt/quintolabs/qlproxy/www/data>
       WSGIApplicationGroup %{GLOBAL}
       Order deny,allow
       Allow from all
   </Directory>

   Alias /qlproxy /var/opt/quintolabs/qlproxy/www
   <Directory /var/opt/quintolabs/qlproxy/www>
       Options FollowSymLinks
       AllowOverride None
   </Directory>

Reload Apache by typing in the terminal

service httpd restart

You can navigate to http://proxy.example.lan/qlproxy to see the generated reports. The Negotiate authentication setup described earlier should help with displaying correct user names and not just IP addresses in the activity reports.



Everything is in place to start web surfing without needing to provide passwords and without much of the internet trash out there - just point your users' browsers to proxy.example.lan port 3128 and enjoy.


Special thanks to Sabry Sadiq for testing it all out!



From: rfmatos

Apparently you missed some steps:

1. The Fedora EPEL Repository installation;

2. The mod_wsgi installation by yum is made with that repository;

3. Nevertheless you need to add an additional line in the httpd.conf:

       LoadModule wsgi_module modules/mod_wsgi.so

in order for the httpd to properly work.