Monday, December 26, 2011

Proxy Server Configuration Linux

[root@localhost ~]# yum install squid* -y

To start, stop, and restart squid after booting use the service command:
[root@bigboy tmp]# service squid start
[root@bigboy tmp]# service squid stop
[root@bigboy tmp]# service squid restart


[root@localhost ~]# vim /etc/squid/squid.conf
 
http_port is the port on the local server that Squid binds to and listens on for incoming requests. The default is 3128, but it can be changed if needed (8080 is another common proxy port). Whichever port is used here must also be configured on every workstation that will use the proxy.

http_port 8080 
cache_swap_low and cache_swap_high are percentages of the cache_dir size (not of system swap). Once disk cache usage rises above cache_swap_high (95%) Squid evicts objects aggressively until usage falls back to cache_swap_low (90%); between the two marks it evicts gradually, and this goes on automatically.
cache_swap_low 90
cache_swap_high 95
Objects larger than this size will NOT be saved on disk. The value is specified in kilobytes, and the default is 4 MB. If you want a high BYTES hit ratio, you should probably increase this (one 32 MB object hit counts for as much as 3200 10 KB hits). If you care more about speed than about saving bandwidth, leave it low. The effect is easy to observe: the first download of a file takes the normal time, but downloading the same file again is much faster because it is served from the cache.
maximum_object_size 2000 KB
Objects smaller than this size will NOT be saved on disk. The value is specified in kilobytes, and the default is 0 KB, which means there is no minimum.
minimum_object_size 0 KB

 
cache_mem 256 MB
cache_mem is the amount of memory Squid uses for in-transit, hot and negatively-cached objects; it is not a cap on the total memory of the squid process. Objects larger than the size in the next tag are not kept in the memory cache. Set it high enough to keep frequently accessed objects in memory for performance, but low enough that a few large objects cannot hog the memory cache.
maximum_object_size_in_memory 16 KB
The cache_dir tag specifies where the cache lives in the filesystem. ufs is the storage format. The "250" is the maximum size of the cache in MB and should be adjusted to suit your needs. The 32 and 1024 are the number of first-level and second-level subdirectories in the cache store (Squid's defaults are 16 and 256). The directory must be owned by the cache_effective_user set below, and after changing cache_dir run "squid -z" once to create the directory tree before starting Squid.
cache_dir ufs /var/spool/squid/cache 250 32 1024
The following tags specify the standard log file locations. cache_access_log is the Squid 2.5 name of the directive; Squid 2.6 and later call it access_log (cache_log and cache_store_log are unchanged). access.log is also the input for the Squint reports at the end of this page.
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log

 cache_effective_user squid

cache_effective_group squid


[root@mail ~]# vim /etc/squid/squid.conf
acl support src 192.168.100.0/24 192.168.50.0/24

http_access allow support

This lets the two LAN subnets use the proxy. The allow line must come before the stock "http_access deny all" at the end of the http_access list, and that deny must stay last; otherwise hosts outside these ranges can use the proxy as an open relay.

Password Authentication Using NCSA :

You can configure Squid to prompt users for a username and password. Squid ships with a helper called ncsa_auth that reads an htpasswd-format (NCSA) password file, and the htpasswd program installed with Apache creates and updates such files. Note that Basic authentication sends the username and password base64-encoded, not encrypted, with every request, so it only belongs on a trusted LAN. Here is how it's done:

1) Create the password file. This guide uses /etc/squid/squid_users throughout (the same path must appear in the auth_param line in step 4). It has to be readable by the user Squid runs as (cache_effective_user squid), but it does not need to be world-readable:
[root@bigboy tmp]# touch /etc/squid/squid_users
[root@bigboy tmp]# chown root:squid /etc/squid/squid_users
[root@bigboy tmp]# chmod 640 /etc/squid/squid_users
2) Use the htpasswd program to add users to the password file.
 [root@mail ~]# htpasswd /etc/squid/squid_users saiful
New password:
Re-type new password:
Adding password for user saiful
[root@mail ~]# htpasswd /etc/squid/squid_users rajan
New password:
Re-type new password:
Adding password for user rajan 
3) Find the ncsa_auth helper with find; its location depends on the distribution and architecture (on 64-bit systems look under /usr/lib64/squid/):
[root@mail ~]# find / -name ncsa_auth
/usr/lib/squid/ncsa_auth
 
4) Edit squid.conf. First define the authentication program (here ncsa_auth) with auth_param; then create an ACL named ncsa_users of type proxy_auth with the REQUIRED keyword, which makes Squid demand a valid login; finally add an http_access entry that allows traffic matching ncsa_users. The order of the statements is important: the allow line must come before "http_access deny all", because Squid stops at the first matching http_access rule, and a rule placed after the catch-all is never reached, so users would simply be denied without ever being asked for a password. After saving, check the file with "squid -k parse" and apply it with "squid -k reconfigure" (or service squid restart).
[root@mail ~]# vim /etc/squid/squid.conf
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_users
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
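Because Squid stops at the first http_access line that matches, a rule placed after "http_access deny all" can never fire, and the only symptom is that users are denied without ever seeing a password prompt. The script below is an added example (it is not part of this post or of Squid itself): it scans a squid.conf for http_access rules shadowed by a catch-all, and builds a small constructed sample file with the NCSA allow in the wrong place to show the failure. The sample path /tmp/squid.conf.sample is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Squid evaluates http_access lines
# top to bottom and stops at the first match, so every rule after
# "http_access deny all" (or "allow all") is dead. This helper lists such rules.
#   usage: check_http_access_order /etc/squid/squid.conf
#   exit status: 0 if all rules are reachable, 1 if any are shadowed
check_http_access_order() {
    awk '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
        $1 == "http_access" {
            if (catchall) { print NR ": " $0; dead++ }
            else if (($2 == "deny" || $2 == "allow") && $3 == "all" && NF == 3)
                catchall = 1          # everything below this line is unreachable
        }
        END { exit (dead > 0) }
    ' "$1"
}

# Constructed sample config (assumed path): the NCSA allow rule is placed after
# the catch-all deny, which is exactly the ordering mistake described above.
write_sample_conf() {
    cat > "$1" <<'EOF'
acl all src 0.0.0.0/0.0.0.0
acl support src 192.168.100.0/24 192.168.50.0/24
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_users
acl ncsa_users proxy_auth REQUIRED
http_access allow support
http_access deny all            # catch-all
http_access allow ncsa_users    # shadowed: users are never prompted
EOF
}

# Run it against the sample: prints "7: http_access allow ncsa_users" and returns 1.
write_sample_conf /tmp/squid.conf.sample
check_http_access_order /tmp/squid.conf.sample || echo "shadowed http_access rules found"
```

Run it against the real /etc/squid/squid.conf after every edit, together with "squid -k parse"; the parser catches syntax errors, this catches the ordering mistake the parser accepts silently.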
 

Specifying Organisational Policies (Restricted web Sites) : 

procedure no 1:Single website block by using acl

[root@localhost ~]# vim /etc/squid/squid.conf  

acl bad dstdomain .yahoo.com

http_access deny bad

The leading dot makes the ACL match yahoo.com and every host under it (mail.yahoo.com, www.yahoo.com). Deny rules such as this one go before the "http_access allow support" line, since the first matching rule wins.

procedure no 2 : Block multiple websites by using domain name

[root@localhost bin]# touch /etc/squid/blocksites.txt

[root@localhost bin]# vim /etc/squid/blocksites.txt
.facebook.com
.google.com
.youtube.com
.gmail.com

Write one domain per line with the leading dot; a bare "facebook.com" would match only that exact host name, and www.facebook.com would still be reachable.

[root@localhost ~]# vim /etc/squid/squid.conf  

acl block dstdomain "/etc/squid/blocksites.txt"

http_access deny block

procedure no 3 : Block websites by string matching in the URL

[root@localhost ~]# touch /etc/squid/block.txt

[root@localhost ~]# vim /etc/squid/block.txt

facebook
google

[root@localhost ~]# vim /etc/squid/squid.conf 

acl block_words url_regex -i "/etc/squid/block.txt"
http_access deny block_words

url_regex -i matches each pattern anywhere in the full request URL, ignoring case, so "google" also denies googleapis.com and any page whose URL merely contains the word; prefer dstdomain (procedure 2) for whole domains and keep url_regex for path or keyword filtering. The ACL gets its own name here because Squid refuses to load a squid.conf that reuses an ACL name (such as "block" from procedure 2) with a different ACL type.
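The two list formats above fail in opposite ways: a dstdomain entry without the leading dot under-blocks, and a bare url_regex word over-blocks. The filters below are an added example (not part of this post or of Squid) that turn a hand-edited site list into a clean dstdomain file and into anchored url_regex patterns, and check a few URLs against the result the way "url_regex -i" would. The sample entries are constructed and /tmp/block.regex is an assumed path.

```shell
#!/bin/sh
# Added example, not from the original post.
# dstdomain_list: read a hand-written site list on stdin and write a clean
# dstdomain file on stdout: comments and blank lines dropped, scheme, path and
# "www." stripped, lower-cased, de-duplicated, and a leading dot added so each
# entry matches the domain AND all of its sub-domains (a bare "facebook.com"
# matches only that exact host name).
dstdomain_list() {
    sed -e 's/#.*//' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's#^[A-Za-z]*://##' -e 's#/.*##' \
        -e '/^$/d' \
        -e 's/^\.*//' -e 's/^www\.//' -e 's/^/./' |
    tr 'A-Z' 'a-z' | sort -u
}

# url_regex_list: the same list as anchored url_regex patterns. A bare word
# ("google") would also deny googleapis.com or any URL containing the word;
# anchoring to a host boundary (start of string, "://" or a dot) avoids that.
url_regex_list() {
    dstdomain_list |
    sed -e 's/^\.//' -e 's/\./\\./g' -e 's#^#(^|://|\\.)#' -e 's#$#(:|/|$)#'
}

# url_blocked URL FILE: does URL match any pattern in FILE, case-insensitively
# (the same semantics as "acl ... url_regex -i FILE")?
url_blocked() { printf '%s\n' "$1" | grep -Eiq -f "$2"; }

# Constructed sample list (assumed entries), deliberately messy.
sample_sites() {
    printf '%s\n' 'Facebook.com' 'https://www.YouTube.com/watch?v=1' \
                  '# retired entry' 'gmail.com' '' 'www.facebook.com' 'google.com'
}
sample_sites | dstdomain_list          # prints .facebook.com .gmail.com .google.com .youtube.com, one per line
sample_sites | url_regex_list > /tmp/block.regex
url_blocked 'http://www.google.com/search?q=x' /tmp/block.regex && echo "blocked: www.google.com"
url_blocked 'https://googleapis.com/x' /tmp/block.regex || echo "allowed: googleapis.com"
```

Use the output files as the "/etc/squid/blocksites.txt" and "/etc/squid/block.txt" arguments of the ACLs above. The ^ alternative in the regex is there for CONNECT requests, which Squid matches as host:port rather than as a full URL.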


Some examples of string-matching site blocks. The touch commands only create empty files; fill each one with one pattern per line before restarting Squid, then deny the four ACLs in turn:

[root@localhost ~]# touch /etc/squid/block_advertisers.txt

[root@localhost ~]# touch /etc/squid/block_entertainment.txt

[root@localhost ~]# touch /etc/squid/block_porn.txt

[root@localhost ~]# touch /etc/squid/block_webmail.txt

[root@localhost ~]# vim /etc/squid/squid.conf 

acl block_advertisers   url_regex -i "/etc/squid/block_advertisers.txt"
acl block_entertainment url_regex -i "/etc/squid/block_entertainment.txt"
acl block_webmail       url_regex -i "/etc/squid/block_webmail.txt"
acl block_porn          url_regex -i "/etc/squid/block_porn.txt"

http_access deny block_advertisers
http_access deny block_entertainment
http_access deny block_porn
http_access deny block_webmail

 

Restricting Web Access By Time :

Squid TIME acls cannot wrap from one day to the next, so to get from 4:30 in the afternoon until 8:00 the next morning, we have to actually specify one acl for 4:30 to midnight and another acl for midnight to 8 in the morning.
 
Time of day, and day of week
            
Usage acl aclname time [day-abbreviations] [h1:m1-h2:m2]
day-abbreviations:
S - Sunday
M - Monday
T - Tuesday
W - Wednesday
H - Thursday
F - Friday
A - Saturday
h1:m1 must be less than h2:m2
Example
acl ACLTIME time M 9:00-17:00
ACLTIME refers day of Monday from 9:00 to 17:00.

[root@localhost ~]# vim /etc/squid/squid.conf

acl deployment src 192.168.50.1-192.168.50.10
acl sales           src 192.168.50.11-192.168.50.19
acl noc             src 192.168.50.21-192.168.50.30
acl deployment_workhours time SMTWH    08:00-14:00
acl sales_workhours           time TWH         10:00-16:00
acl noc_workhours             time SMTWHFA 08:00-19:00
 
http_access allow deployment deployment_workhours
http_access deny deployment
http_access allow sales sales_workhours
http_access deny sales
http_access allow noc noc_workhours
http_access deny noc
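Writing the midnight-wrapping window by hand is error-prone because the after-midnight half belongs to the following day: Friday 16:30 until Saturday 08:00 needs "F 16:30-24:00" plus "A 00:00-08:00". The function below is an added example (not from this post) that emits the one or two acl lines for any window and shifts the day letters for the second half; Squid merges acl lines that share a name, so a single http_access line then covers both. The ACL name "nightshift" is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. A Squid time ACL cannot cross
# midnight, so "16:30 until 08:00 next morning" must become two acl lines:
# START-24:00 on the listed days and 00:00-END on the FOLLOWING days. Squid
# merges acl lines that share a name, so one http_access line then covers both.
# Day letters are Squid's own: S M T W H F A (Sunday .. Saturday).

# minutes since midnight for HH:MM (leading zero stripped so "08" is not read as octal)
to_min() {
    h=${1%%:*}; m=${1##*:}
    h=${h#0}; m=${m#0}
    echo $(( ${h:-0} * 60 + ${m:-0} ))
}

# shift each day letter to the next day: S->M, M->T, ... F->A, A->S
next_days() { printf '%s' "$1" | tr 'SMTWHFA' 'MTWHFAS'; }

# time_acl NAME DAYS START END  -> prints one or two "acl NAME time ..." lines
time_acl() {
    name=$1 days=$2 start=$3 end=$4
    if [ "$(to_min "$start")" -lt "$(to_min "$end")" ]; then
        printf 'acl %s time %s %s-%s\n' "$name" "$days" "$start" "$end"
    else
        printf 'acl %s time %s %s-24:00\n' "$name" "$days" "$start"
        printf 'acl %s time %s 00:00-%s\n' "$name" "$(next_days "$days")" "$end"
    fi
}

# Usage: an after-hours window for a hypothetical night-shift ACL; the second
# line lands on TWHFA because Friday evening runs into Saturday morning.
time_acl nightshift MTWHF 16:30 08:00
# then, in squid.conf, the same allow/deny pair as for the other groups:
#   http_access allow noc nightshift
#   http_access deny  noc
```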

Example 1 : To restrict access to work hours (9am - 5pm, Monday to Friday) from the network 192.168.2.0/24

acl ip_acl  src 192.168.2.0/24
acl time_acl  time MTWHF 9:00-17:00
http_access allow ip_acl time_acl
http_access deny all

Different time windows for different hosts. Each host is allowed only during the windows named on its allow line, and everything else falls through to the "http_access deny all" that ends the list:

acl abc src 172.161.163.85
acl xyz src 172.161.163.86
acl asd src 172.161.163.87
acl morning time 06:00-11:00
acl lunch time 14:00-14:30
acl evening time 16:25-23:59

Access Controls
http_access allow abc morning
http_access allow xyz morning lunch
http_access allow asd lunch
 

Example 2 : To deny a network access outside working hours

Specifying which networks we will support in squid (replace the placeholders with real addresses and netmasks):

acl subnet_lab1     src ip-address_lab1/netmask
acl subnet_lab2     src ip-address_lab2/netmask
acl subnet_pub      src ip-address_pub/netmask
 
Specifying Time intervals we will support
acl TIMEafterhoursMORN time MTWHF 00:00-08:00
acl TIMEafterhoursAFT     time MTWHF 16:30-24:00
acl TIMEsatMORN             time  A 00:00-07:00
acl TIMEsatAFT                 time  A 17:00-24:00
acl TIMEsundALLDAY        time  S 00:00-24:00 
  
Restricting internal access, according to organisational policies:
http_access deny subnet_pub TIMEafterhoursMORN
http_access deny subnet_pub TIMEafterhoursAFT
http_access deny subnet_pub TIMEsatMORN
http_access deny subnet_pub TIMEsatAFT
http_access deny subnet_pub TIMEsundALLDAY 
 
How To Bind MAC with IP in SQUID:
[root@localhost ~]# ping 192.168.50.24
PING 192.168.50.24 (192.168.50.24) 56(84) bytes of data.
64 bytes from 192.168.50.24: icmp_seq=1 ttl=128 time=2.64 ms
64 bytes from 192.168.50.24: icmp_seq=2 ttl=128 time=0.727 ms

--- 192.168.50.24 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1003ms
rtt min/avg/max/mdev = 0.727/1.685/2.643/0.958 ms
[root@localhost ~]# arp 192.168.50.24
Address                    HWtype     HWaddress            Flags Mask            Iface
192.168.50.24            ether      00:0D:56:C5:13:B7      C                         eth0
 
[root@mail ~]# vim /etc/squid/squid.conf
acl pc1_mac arp 00:0D:56:C5:13:B7
acl pc1_ip src 192.168.50.24
http_access allow pc1_ip pc1_mac
http_access deny pc1_ip

The allow line matches only when a request comes from that IP address AND that MAC address; the deny line then rejects any other machine that has taken over 192.168.50.24. This needs a Squid built with --enable-arp-acl, and it only works for clients on the same subnet as the proxy (see the arp ACL notes below). A MAC address is trivially changed on the client, so treat this as a convenience control, not as authentication.
 
Examples:
(1) To allow http_access for only one machine, with MAC address 00:08:c7:9f:34:41.
To use MAC addresses in ACL rules, Squid must have been built with the --enable-arp-acl configure option (see the arp ACL section below).
acl all src 0.0.0.0/0.0.0.0
acl pl800_arp arp 00:08:c7:9f:34:41
http_access allow pl800_arp
http_access deny all
(2) The following rule defines an ACL called BADPC with a single source IP address of 192.168.1.25 and then denies access to it.

acl BADPC src 192.168.1.25
http_access deny BADPC 

The following two rules block all files whose URL path ends in ".mp3" and ".exe" respectively. The "-i" makes the match case insensitive, so both upper and lower case extensions are caught (urlpath_regex matches only the path part of the URL, not the host name).
acl FILE_MP3 urlpath_regex -i \.mp3$
http_access deny FILE_MP3

acl FILE_EXE urlpath_regex -i \.exe$
http_access deny FILE_EXE
Proxy Error Webpage Configuration :

The access-denied page is generated from the ERR_ACCESS_DENIED template; %w is replaced with the address set by the cache_mgr directive in squid.conf. (Squid 3 keeps the templates in per-language directories under /usr/share/squid/errors/, selected with error_directory.)

[root@mail ~]# vim /etc/squid/errors/ERR_ACCESS_DENIED
<P>Your cache administrator is : Md Saiful Islam Chowdhury <br>
Mobile : 01190115978
<A HREF="mailto:%w">%w</A>.
 
Transparent proxy :

Run these rules on the gateway that routes the LAN, with IP forwarding enabled (net.ipv4.ip_forward = 1), and declare the port in squid.conf as "http_port 8080 transparent" (Squid 2.6/3.0) or "http_port 8080 intercept" (Squid 3.1 and later); with a plain "http_port 8080" Squid rejects the redirected requests. Only port 80 is intercepted: HTTPS cannot be redirected this way, and the NCSA proxy authentication above does not work for intercepted connections, because the browser does not know it is talking to a proxy.

iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -j SNAT --to-source 192.168.50.30

iptables -t nat -A PREROUTING -s 192.168.100.0/24  -p tcp --dport 80 -j REDIRECT --to-port 8080

OR

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
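The iptables rules are only half of the setup; the silent failure is a squid.conf whose http_port lacks the transparent/intercept keyword. The script below is an added example (not part of this post or of Squid) that prints, rather than applies, the gateway commands, and refuses to do even that unless the named squid.conf declares the port in intercept mode. Assumptions that are not from the page: Squid and iptables run on the same gateway, the LAN interface is eth1 with the gateway at 192.168.100.1, and the sample config paths under /tmp are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Emits (does not apply) the
# commands that intercept LAN web traffic into Squid running on the gateway,
# after checking that squid.conf actually declares the port in intercept mode:
# with plain "http_port 8080" Squid rejects redirected requests. "transparent"
# is the Squid 2.6/3.0 keyword, "intercept" the 3.1+ one.
# Assumptions (not from the page): Squid and iptables are on the same gateway;
# arguments are CONF LAN_IF LAN_NET GW_LAN_IP WAN_IP [PORT]; the sample conf
# files below are constructed. Only TCP/80 is intercepted: HTTPS (443) cannot
# be transparently proxied with this technique.

check_intercept_port() {   # check_intercept_port CONF PORT
    grep -Eq "^[[:space:]]*http_port[[:space:]]+([0-9.]+:)?$2([[:space:]]+[^#]*)?(transparent|intercept)" "$1"
}

tproxy_rules() {
    conf=$1 lan_if=$2 lan_net=$3 gw_ip=$4 wan_ip=$5 port=${6:-8080}
    if ! check_intercept_port "$conf" "$port"; then
        echo "refusing: $conf has no 'http_port $port transparent|intercept' line" >&2
        return 1
    fi
    # "! -d $gw_ip" leaves requests for the gateway's own web server (e.g. the
    # squint report pages) alone; the INPUT rule admits the redirected packets
    # if the input policy is DROP.
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $lan_if -s $lan_net ! -d $gw_ip -p tcp --dport 80 -j REDIRECT --to-port $port
iptables -t nat -A POSTROUTING -s $lan_net -j SNAT --to-source $wan_ip
iptables -A INPUT -i $lan_if -s $lan_net -p tcp --dport $port -j ACCEPT
EOF
}

# Constructed sample configs: one ready for interception, one not.
printf 'http_port 8080 transparent\n' > /tmp/squid.ok.conf
printf 'http_port 8080\n'             > /tmp/squid.plain.conf

# Review the output, then apply it by appending "| sh".
tproxy_rules /tmp/squid.ok.conf    eth1 192.168.100.0/24 192.168.100.1 192.168.50.30
tproxy_rules /tmp/squid.plain.conf eth1 192.168.100.0/24 192.168.100.1 192.168.50.30 || echo "(no rules emitted)"
```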


Install and configure squid log analyzer Squint :
wget http://www.linux-bd.com/app/squint.tar.gz
(download page: https://www.linux-bd.com/app/)
[root@localhost ~]# cd Desktop/
[root@localhost Desktop]# ls
squint.tar.gz
[root@localhost Desktop]# tar -zxvf squint.tar.gz
[root@localhost Desktop]# ls
squint-0.3.18  squint.tar.gz
[root@localhost Desktop]# cd squint-0.3.18/
[root@localhost squint-0.3.18]# cp squint.pl squint.cron.sh /usr/local/bin/
[root@localhost squint-0.3.18]# squint.cron.sh init
[root@localhost squint-0.3.18]# squint.cron.sh all

The crontab entries that squint adds to /etc/crontab are not in a format Vixie cron accepts, so the reports never run until they are fixed. Open the crontab and look at the squint section:

[root@localhost squint-0.3.18]# vim /etc/crontab
# squint squid reports
# Weekly, on Mondays
00    01    *    *    Monday    root   /usr/local/bin/squint.cron.sh weekly
# Monthly, on the first day of the month
00    02    1    *    *    root   /usr/local/bin/squint.cron.sh monthly
# Daily at 3am
*/1    03    *    *    *    root   /usr/local/bin/squint.cron.sh daily

Two fields are wrong: the day-of-week field takes a number (0-7) or a three-letter name, so "Monday" must become 1 (or mon), and "*/1 03" runs the daily report every minute between 03:00 and 03:59 instead of once. The corrected lines are:

00    01    *    *    1    root   /usr/local/bin/squint.cron.sh weekly
00    02    1    *    *    root   /usr/local/bin/squint.cron.sh monthly
00    03    *    *    *    root   /usr/local/bin/squint.cron.sh daily

[root@localhost squint-0.3.18]# /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                              [  OK  ]
[root@localhost squint-0.3.18]# /etc/init.d/squid restart
Stopping squid: ................                           [  OK  ]
Starting squid: ..                                           [  OK  ]

http://192.168.50.20/squint/ 

Acl Type: port
Description
Access can be controlled by destination (server) port address
Usage acl aclname port port-no
Example
This example allows http_access only to the destination 172.16.1.115:80 from the network 172.16.1.0/24
acl acceleratedhost dst 172.16.1.115/255.255.255.255
acl acceleratedport port 80
acl mynet src 172.16.1.0/255.255.255.0
http_access allow acceleratedhost acceleratedport mynet
http_access deny all

Acl Type: arp
Usage acl aclname arp ARP-ADDRESS
Description
Ethernet (MAC) address matching This acl is supported on Linux, Solaris, and probably BSD variants.
To use ARP (MAC) access controls, you first need to compile in the optional code.
Do this with the --enable-arp-acl configure option:
% ./configure --enable-arp-acl ...
% make clean
% make
If everything compiles, then you can add some ARP ACL lines to your squid.conf
Default ACLs in squid.conf, for reference:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
Example
acl ACLARP arp 11:12:13:14:15:16
ACLARP refers
MACADDRESS of the ethernet 11:12:13:14:15:16
Note
Squid can only determine the MAC address for clients that are on the same subnet. If the client is on a different subnet, then Squid cannot find out its MAC address.

1. edit your squid.conf. Add these acls (the IP address is a src ACL, not an arp one):
acl mac1 arp 00:14:85:99:3B:8D
acl ip1 src 192.168.0.1

2. Add this before "http_access deny all", so the host is accepted only when both its IP and its MAC address match:
http_access allow mac1 ip1
 

URL Port (port)

Matches the destination port number of the request.
acl aclname port number
acl aclname port range
Example
acl web_port  port 80
acl voip_port port 10000-11000