
Part-1

There are various software packages that implement a proxy server, some commercial and some free. In this guide we will see how to set up, at no cost, a proxy server in a Windows environment that is fully integrated with Active Directory. The product concerned is Squid
http://www.squid-cache.org/

, originally developed for Linux, a port of which is also available on the Windows platform. Integration with Active Directory is possible whether we install on Linux or on Windows; on Linux the configuration for AD authentication is slightly more complex than on Windows. Squid can be installed on any machine on our network, not necessarily one with two network adapters; if the machine does have two, it can also act as the gateway. First we must download Squid from the site
http://squid.acmeconsulting.it/index.html

and follow the links Squid 2.7 for Windows -> Squid Download Page -> mirror 1 / mirror 2 to get the latest stable version, which at the moment is 2.7.STABLE8. Once downloaded, unpack the .zip file into the path c:\squid. Copy these three files into the path c:\squid\etc:

* squid.conf.default ==> squid.conf
* mime.conf.default ==> mime.conf
* cachemgr.conf.default ==> cachemgr.conf

Open squid.conf and make the changes required for the first run:

* OPTIONS FOR AUTHENTICATION section
  o Remove the comment from these three rows and complete the first one so that you have:

auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
auth_param ntlm children 5
auth_param ntlm keep_alive on

These parameters tell Squid to use NTLM authentication, to use the program mswin_ntlm_auth.exe to authenticate, and to run 5 concurrent authentication processes.

* ACCESS CONTROLS section
  o By default Squid grants access from local networks that use the private IP addresses of the 3 standard classes; if our network does not fall into these we must add it to these 3 lines:

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

  o In the basic configuration Squid grants access only to the following ports:

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

Here too, if we have other needs we must add the ports we want to be reachable.
  o Immediately after the last one we must insert an ACL that requires authentication against Active Directory:

acl Authenticated proxy_auth REQUIRED

and set an access rule that denies all unauthenticated sessions:

http_access deny !Authenticated

to be inserted immediately after the line:

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

* DISK CACHE OPTIONS section
  o In this section we set the configuration parameters of the disk cache; to do this, remove the comment from the line:

cache_dir ufs c:/squid/var/cache 100 16 256

and edit the parameters according to our needs, taking into account that the three parameters have this meaning:
100 = maximum size in MB of the disk cache
16 = number of first-level subdirectories
256 = number of second-level subdirectories
Initially we can leave these 3 parameters at their defaults.

* LOGFILE OPTIONS section
  o In this section we define the location and the format of the access log file generated by Squid. The path is defined by the following directive:

access_log c:/squid/var/logs/access.log squid

While the type is defined by the line:

logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt

in this case we define a log format called squid and use it in the access_log directive.

* ADMINISTRATIVE PARAMETERS section
  o In case of failure, or when an unauthorized site is requested, Squid displays a page with details including the e-mail address of the system administrator. We can change this address using the following directive:

cache_mgr <email_address>

* ERROR PAGE OPTIONS section
  o The last parameter to change is the language in which the error pages are displayed; for this we use the directive:

error_directory c:/squid/share/errors/English

where instead of English we insert the name of the directory, inside the folder c:/squid/share/errors, that corresponds to the language we use; in the case of Italian we write:

error_directory c:/squid/share/errors/Italian

At this point the basic configuration of Squid is finished and we can run it for the first time. Open a command prompt, change to c:\squid\sbin and launch the command:

squid -z

in order to create the cache directories. If we have not made mistakes in the configuration file we should see something like:

C:\squid\sbin>squid -z
2010/04/24 11:33:24| Creating Swap Directories

which indicates that the directories were created successfully; otherwise we will see something like:

C:\squid\sbin>squid -z
2010/04/24 11:41:28| parseConfigFile: squid.conf:4257 unrecognized: 'error_directoryxxx'
2010/04/24 11:41:28| Creating Swap Directories

in which case we have made a syntax error (in this case it was intentional!).

NOTE: If we install Squid in the default directory c:\squid we never need to specify the location of the configuration file; if instead we use a different path, it is necessary to change all references in the squid.conf file and to use the parameter -f configfile every time we launch the command squid.exe. Now we can install Squid as a service and start testing it. To do this, launch the command:

C:\squid\sbin>squid -i
Registry stored HKLM\SOFTWARE\GNU\Squid\2.6\Squid\ConfigFile value c:/squid/etc/squid.conf
Squid Cache version 2.7.STABLE8 for i686-pc-winnt
installed successfully as Squid Windows System Service.
To run, start it from the Services Applet of Control Panel.
Don't forget to edit squid.conf before starting it.

If all is successful the Squid service will be created. If we want to call it differently, we must add the parameter -n servicename. Once the service has been created we start it with the command:

net start Squid

and we will get output like:

The Squid service is starting.
The Squid service was started successfully.

We verify that Squid is actually listening via the command:

C:\squid\sbin>netstat -na | findstr :3128
  TCP    0.0.0.0:3128    0.0.0.0:0    LISTENING

As you can see, Squid is listening on the default port 3128. Open Internet Explorer on a client and configure the proxy settings from the menu Tools -> Internet Options -> Connections -> LAN Settings, setting the proxy server as shown in the figure:

replacing the address and port of the server with those of our configuration. Let's go back to the browser and try to reach any site; if everything works you should see the page without any problem. To verify that the proxy is actually used, we can use one of the several online tests such as

http://www.lagado.com/proxy-test

or check the file access.log in the folder C:\squid\var\logs. If you see a window like this:

asking for your login credentials, it means that the proxy is working but there is some problem with NTLM authentication. In this case we change the LAN Manager authentication level to the value:

Send LM & NTLM - use NTLMv2 session security if negotiated

For simplicity we can change the Default Domain Policy so that all machines in the domain are configured. The setting is located under:

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: LAN Manager authentication level

Once changed, wait for the policy to be applied or force it with the command gpupdate /force, then try again; if everything went well, this time the prompt for username and password should no longer appear. With the procedure described so far the Squid configuration is finished: access is granted to all authenticated users for any site and a log entry is generated for each access. In the next part we will see some parameters for optimizing Squid and how to configure the proxy settings in the browser automatically.

Part-2
In the first part of the guide we saw how to configure the Squid service; we will now see how to configure clients to use it automatically, and some optimizations to the service itself.

Client configuration
The easiest, but most laborious, way to configure clients is to modify the Internet Explorer settings by hand so that they use the proxy server we configured. The same operation can be automated using a GPO (Group Policy Object). Edit the Default Domain Policy, or any other policy, to configure the proxy settings in this way:

The settings are found in the path User Configuration -> Windows Settings -> Internet Explorer Maintenance (IEM) -> Connection. This configuration works well but has the disadvantage of setting the proxy on the client permanently; problems may then arise when the clients are used in other networks where there is no proxy, or where there is one with different access parameters. To solve this problem we can use the automatic configuration feature of Internet Explorer. In practice, through a GPO we configure Internet Explorer to use automatic configuration, and then we configure DNS and a configuration file so that the proxy parameters are set in each session.

In this case the policy to change is the automatic configuration of browsers, found in the same location User Configuration -> Windows Settings -> Internet Explorer Maintenance (IEM) -> Connection.

Once the policy is applied, or we have forced its application with the command gpupdate /force, in the LAN settings of the Connections tab of Internet Options we should see the "Automatically detect settings" flag checked. So far we have configured Internet Explorer to use automatic settings; now we must create the file with the settings and ensure that it can be found. Create a text file with:

function FindProxyForURL(url, host)
{
    if (isPlainHostName(host) ||                        // if no domain is specified
        dnsDomainIs(host, ".dominio.local") ||
        isInNet(host, "192.168.1.0", "255.255.255.0"))
        return "DIRECT";                                // no proxy is used
    else
        return "PROXY 192.168.1.10:3128";
}

where in place of .dominio.local and 192.168.1.0/255.255.255.0 you put your own data; further conditions can be added as additional lines joined with the operator || (or). Save the file with the name WPAD.dat in any location accessible via the web; for example, we can put it in the root of a server running IIS so that it can be reached at http://192.168.1.10/wpad.dat or http://srv-sbs/wpad.dat.
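To see what the browser actually does with the file, here is an added example (not part of the guide) with stand-ins for the PAC helper functions the browser supplies, so the FindProxyForURL logic above can be exercised offline. The domain .dominio.local, the network 192.168.1.0/255.255.255.0 and the proxy 192.168.1.10:3128 are the guide's sample values; the hosts tested at the bottom are constructed, and isInNet is assumed to receive IPv4 literals only.

```javascript
// Added example (not from the guide): stand-ins for the PAC helper functions a
// browser supplies, so the FindProxyForURL logic above can be exercised offline.
// ".dominio.local", 192.168.1.0/255.255.255.0 and 192.168.1.10:3128 are the
// guide's sample values; the hosts tested at the bottom are constructed.

// True for a bare name without dots (e.g. "srv-sbs"), which the guide treats as internal.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// True when host ends with domain (domain carries its leading dot, so
// "evil-dominio.local" does not match ".dominio.local").
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.slice(host.length - domain.length).toLowerCase() === domain.toLowerCase();
}

// Dotted quad -> unsigned 32-bit integer, or null if the string is not an IPv4 literal.
function ipToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when host is an IPv4 literal inside network/mask. A browser would first
// resolve a hostname to an address; this stand-in only handles literals (assumption).
function isInNet(host, network, mask) {
  const h = ipToInt(host), n = ipToInt(network), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

// The guide's FindProxyForURL with its syntax corrected (no dangling "||").
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".dominio.local") ||
      isInNet(host, "192.168.1.0", "255.255.255.0")) {
    return "DIRECT";
  }
  return "PROXY 192.168.1.10:3128";
}

// Constructed hosts: two internal names, the LAN address, an external site, another private net.
const SAMPLE_HOSTS = ["srv-sbs", "wpad.dominio.local", "192.168.1.10",
                      "www.squid-cache.org", "10.0.0.5"];
for (const host of SAMPLE_HOSTS) {
  console.log(host, "->", FindProxyForURL("http://" + host + "/", host));
}
```

Note that a host in 10.0.0.0/8 goes through the proxy even though it is private: only the conditions written in the file count, so each internal range has to be listed explicitly.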

If you try one of the addresses above and get an error like:

it is likely that you are using IIS and the .dat extension is not configured in the list of MIME types. To fix this, open the IIS management console and, in the server properties, click the MIME Types button and add the .dat extension configured as follows:

and restart IIS. You should now be able to view the WPAD.dat file in Internet Explorer. Now that we have created the file we need to configure the system so that Internet Explorer reads it automatically. To do this we can use DNS and/or DHCP. Let's now see how to configure DNS; for the DHCP service, please refer to this article on TechNet:
http://technet.microsoft.com/en-us/library/cc713344.aspx

Open the DNS management console and, in the forward lookup zone for your domain, create a CNAME record called wpad that points to the server where you saved the WPAD.dat file. Then make sure that everything works by opening an Internet Explorer window and typing:
http://wpad.dominio.local/wpad.dat

If everything is configured correctly you should see the contents of the WPAD.dat file. If you cannot resolve the name wpad.dominio.local, make sure that the name wpad is not included in the Global Query Block List:
http://www.indented.co.uk/index.php/2009/05/21/windows-2003-dns-global-query-block-list/

Now we just have to open Internet Explorer and verify that the proxy server is actually used. Using automatic configuration with the WPAD.dat file turns out to be very handy for laptops that often need to access the internet through the proxy and are also used outside your network.

Log configuration
The default format of the proxy access log, like the others, is useful when the log is to be interpreted by external software. If you want a format that is more understandable to us humans and easily importable into Excel, you can create a new type with this specification:

logformat my "%>a","%ul","%rm %ru HTTP/%rv","%Hs","%<st","%Ss:%Sh","%tl"

and then configure Squid to use it with the line:

access_log c:/squid/var/logs/access.log my
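The "my" format is also easy to process without Excel. The following added example (not from the guide) parses lines written in that exact format and totals requests, bytes, cache hits and TCP_DENIED entries per user, which is the quickest way to spot a client that keeps hitting the authentication or blocked-site rules. The log lines are constructed samples, and the user names dominio\utente1 and dominio\utente3 are assumed.

```javascript
// Added example (not from the guide): parse access.log lines written with the
// custom "my" logformat above and summarise them per user, so that a user or
// address accumulating TCP_DENIED entries stands out without opening Excel.
// The lines in SAMPLE_LOG are constructed, not taken from a real server.

const SAMPLE_LOG = `
"192.168.1.20","dominio\\utente1","GET http://www.squid-cache.org/ HTTP/1.1","200","15230","TCP_MISS:DIRECT","24/Apr/2010:11:35:02 +0200"
"192.168.1.20","dominio\\utente1","GET http://www.squid-cache.org/Doc/ HTTP/1.1","200","8210","TCP_HIT:NONE","24/Apr/2010:11:35:04 +0200"
"192.168.1.21","-","GET http://www.facebook.com/ HTTP/1.1","407","1780","TCP_DENIED:NONE","24/Apr/2010:11:36:10 +0200"
"192.168.1.21","-","GET http://www.facebook.com/ HTTP/1.1","407","1780","TCP_DENIED:NONE","24/Apr/2010:11:36:11 +0200"
"192.168.1.22","dominio\\utente3","GET http://www.facebook.com/ HTTP/1.1","403","3420","TCP_DENIED:NONE","24/Apr/2010:11:40:00 +0200"
this line is broken and must be skipped
`;

// Field order of: logformat my "%>a","%ul","%rm %ru HTTP/%rv","%Hs","%<st","%Ss:%Sh","%tl"
const FIELDS = ["clientIp", "user", "request", "status", "bytes", "squidStatus", "time"];

// Split one line of double-quoted, comma-separated fields into a record.
// Returns null when the field count is wrong (truncated or foreign line).
function parseLine(line) {
  const values = [];
  const re = /"([^"]*)"/g;
  let m;
  while ((m = re.exec(line)) !== null) values.push(m[1]);
  if (values.length !== FIELDS.length) return null;
  const rec = {};
  FIELDS.forEach((f, i) => { rec[f] = values[i]; });
  rec.status = Number(rec.status);
  rec.bytes = Number(rec.bytes);
  [rec.result, rec.hierarchy] = rec.squidStatus.split(":"); // "%Ss:%Sh"
  [rec.method, rec.url] = rec.request.split(" ");          // "%rm %ru HTTP/%rv"
  return rec;
}

function parseLog(text) {
  return text.split("\n").map(l => l.trim()).filter(Boolean)
             .map(parseLine).filter(Boolean);
}

// Per-user totals: requests, bytes sent to the client, TCP_DENIED requests
// and cache hits. Unauthenticated requests are logged with user "-".
function summarise(records) {
  const out = {};
  for (const r of records) {
    const s = out[r.user] || (out[r.user] = { requests: 0, bytes: 0, denied: 0, hits: 0 });
    s.requests += 1;
    s.bytes += r.bytes;
    if (r.result === "TCP_DENIED") s.denied += 1;
    if (r.result.startsWith("TCP_HIT") || r.result === "TCP_MEM_HIT") s.hits += 1;
  }
  return out;
}

const SUMMARY = summarise(parseLog(SAMPLE_LOG));
for (const [user, s] of Object.entries(SUMMARY)) console.log(user, JSON.stringify(s));
```

A burst of 407 entries under user "-" from one address usually means a client whose NTLM negotiation fails (see the LAN Manager authentication level note in Part-1), while 403 entries under a real user are hits on the blocked-site lists.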

Over time you will notice that the log files, especially access.log, tend to grow significantly; we can then use Squid's built-in log rotation to create several files at set times. The easiest way is to schedule the command:

squid -n squid -k rotate

perhaps once a month, so that the log files are archived. Whenever we execute the command the files are renamed according to the following scheme:

access.log.x > access.log.x+1
cache.log.x  > cache.log.x+1
store.log.x  > store.log.x+1
access.log.0 > access.log.1
cache.log.0  > cache.log.1
store.log.0  > store.log.1
access.log   > access.log.0
cache.log    > cache.log.0
store.log    > store.log.0

The number of file versions kept by Squid depends on the value set for the parameter:

logfile_rotate 60

In this case 60 copies of the logs are preserved which, if rotated each month, correspond to 5 years.

Various configurations
By default Squid sends to the real site visited the address of our machine, so the site will see our private address in the header:

X-Forwarded-For: 192.1.2.3

If you want to hide your private IP you have to edit this parameter in the following way:

forwarded_for off

Configuring permissions
If you've come this far you will have a fully functioning system where all users in Active Directory can access any site, and all those who are not authenticated have no access to the outside. Often the need arises to allow access to some web sites without authentication, and to block access to other sites more or less selectively; for example, we may want to allow all PCs to download Windows updates or virus definitions. To do this we must first create a text file with the list of free sites:

windowsupdate.com
windowsupdate.microsoft.com
update.microsoft.com

and save it as C:\squid\etc\URL_consentiti.txt, then edit the Squid configuration file to use this newly created list. At the end of the acl directives we add this line:

acl URL_consentiti url_regex "c:/squid/etc/URL_consentiti.txt"

in order to create an Access Control List called URL_consentiti that contains all the URLs in the file; then add the line:

http_access allow URL_consentiti

just before the one that denies access to unauthenticated users (http_access deny !Authenticated). Once Squid is restarted, verify that the links present in the file are also reachable without authentication. In the same way we can define a list of users who have unlimited access to the web. Create a file containing the users with their domain:

dominio\utente1
dominio\utente2
dominio\utenteN

and save it as C:\squid\etc\Utenti_illimitati.txt, then edit the Squid configuration file to load this ACL using the line:

acl Utenti_illimitati proxy_auth "c:/squid/etc/Utenti_illimitati.txt"

Finally, we allow access to this ACL:

http_access allow Utenti_illimitati

immediately after the previously inserted http_access directive. Now we can create a list of sites that will be blocked for all users except those listed in Utenti_illimitati. Let's create a new text file called C:\squid\etc\URL_bloccati.txt that will contain the list of sites, like:

facebook.com
youtube.com

We create the usual ACL with the line:

acl URL_bloccati url_regex "c:/squid/etc/URL_bloccati.txt"

and finally we deny access to this ACL with the line:

http_access deny URL_bloccati

to be inserted immediately after the previously inserted http_access directive. After each change to squid.conf, the Squid service must be restarted. If you want to create lists of addresses allowed per user, you must create a file containing one or more users and a file containing the links allowed for those users. Then create two ACLs, one for the users and one for the links:

acl Utente1 proxy_auth "c:/squid/etc/Utente1.txt"
acl Utente1_Link url_regex "c:/squid/etc/Utente1_Link.txt"

and place them in the same http_access directive, so that both must be satisfied:

http_access allow Utente1 Utente1_Link

Notes
If you install Squid on a machine where DNS is also installed, most likely after a reboot you will find that Squid fails to start because some of its ports are already in use by the DNS service. The default ports of Squid (not all of them are enabled) are:

* 3128 TCP
* 3130 TCP
* 3135 TCP
* 4827 TCP

We must therefore set a parameter in the Windows Registry to reserve them, so that DNS does not use them. The procedure is very simple and is described in the article: How to reserve a range of ephemeral ports on a computer that is running Windows Server 2003 or Windows 2000 Server
http://support.microsoft.com/kb/812873/en-us

1. Start Registry Editor (Regedit.exe).
2. Locate and select the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
3. On the Edit menu, choose New, and then Multi-String Value.
4. Right-click the new value, click Rename, type ReservedPorts and then press ENTER.
5. Double-click the ReservedPorts value, type the range of ports that you want to reserve, and then click OK. Note: you must type the range of ports in the following format:

xxxx-yyyy

To specify a single port, use the same value for x and y. For example, to specify port 4000, type 4000-4000. Warning: if you specify consecutive ports separately and a reserved port is not used correctly, the next port is not reserved and is used.
6. Click OK.

Managing internet access with Squid proxy

Most organizations and small and medium businesses need to restrict internet access to only certain users and to save internet bandwidth. One of the open, free and very effective solutions available today is to use Squid on Linux as a proxy server. Users configure their web browser to connect to the internet through the Squid server instead of connecting directly. When a web request arrives from a user, Squid checks its cache for that page. If it finds it, it returns the page to the user's browser without connecting to the internet. If not, it connects to the page's address, downloads it, and forwards it to the browser. This considerably reduces the amount of data downloaded from the internet. Another benefit is that we can configure the firewall to allow web connections only through Squid, so that no other machine on the internal network is allowed to connect directly to the internet. Thus we can control users' internet access through a username/password authentication mechanism.

Downloading and installing the Squid package

Today most software for Linux is distributed in 2 pre-compiled forms: RPM (for Red Hat Linux distributions) and DEB (for Debian Linux). Downloading and installing these packages is not difficult. All these distributions support an automatic installation mechanism (the installer connects to the vendor's server, downloads the requested package and installs it). In the latest versions Squid is an option during the installation of the operating system. In this demo I use Fedora Core 8, a very stable release of Red Hat Linux with modest hardware requirements that is easy to configure and administer. Administrators with Linux experience can use Ubuntu Server 7.10 (command line interface only). This is also suitable for medium-sized businesses, serving about 1000-2000 users.

Starting Squid
Use the chkconfig command to configure Squid to run at every boot:

[root@proxy tmp]# chkconfig squid on

Use the service command to start, stop and restart Squid after boot:

[root@proxy tmp]# service squid start
[root@proxy tmp]# service squid stop
[root@proxy tmp]# service squid restart

Use the pgrep command to check whether Squid is running:

[root@proxy tmp]# pgrep squid

The result of this command is Squid's process ID. Alternatively you can use:

[root@proxy tmp]# ps aux

The Squid configuration file: /etc/squid/squid.conf

The main Squid configuration file is squid.conf. To configure Squid, edit the necessary parameters in this file and restart Squid.

The visible_hostname parameter

Squid will not start unless it is given a host name. To supply it, set the visible_hostname parameter; here, the hostname is the name of the proxy server:

visible_hostname proxy

Access Control Lists

To restrict users' web browsing we use access control lists (ACLs). Each ACL line defines one specific kind of restriction, for example the access time or the source network (usually the LAN). The ACL lines are then referenced by corresponding http_access statements, which tell Squid to allow or deny a request when it falls within the ACL. Squid compares each web request it receives against the http_access list from top to bottom. When it finds a matching statement it applies that allow or deny and stops, without reading the statements further down. We therefore have to be careful about the order of the statements: do not put a deny statement above an allow statement for ACLs that the allow is meant to permit. Finally, the last statement must be:

http_access deny all

which rejects every request not covered by the preceding statements.

SOME EXAMPLES
Restricting web access by time
We can create ACLs whose parameter is a time. For example, if we want to allow web access only during working hours, while denying access for host 192.168.1.123, we do the following:

#
# Add these ACL lines to the top of the ACL section in squid.conf
#
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl RestrictedHost src 192.168.1.23
#
# Add the following statements to the bottom of the http_access section in squid.conf
#
http_access deny RestrictedHost
http_access allow home_network business_hours
# note that the deny statement must come first

Or if we only want to allow access in the morning:

#
# Add this ACL line to the top of the ACL section in squid.conf
#
acl mornings time 08:00-12:00
#
# Add the following statement to the bottom of the http_access section in squid.conf
#
http_access allow mornings

Restricting access to specific websites

To stop users from reaching websites that are not permitted, we can store the list of websites in a file. Squid can read files containing lists of websites or domains for use in ACLs. For example, we have 2 lists stored in 2 files, /usr/local/etc/allowed-sites.squid and /usr/local/etc/restricted-sites.squid, with the following contents:

# File: /usr/local/etc/allowed-sites.squid
www.openfree.org
www.ncsteam.com

# File: /usr/local/etc/restricted-sites.squid
www.porn.com
illegal.com

We can use them to block the restricted sites and to allow the non-restricted sites during working hours, as in the example below:

#
# Add to the bottom of the ACL section in squid.conf
#
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl GoodSites dstdomain "/usr/local/etc/allowed-sites.squid"
acl BadSites dstdomain "/usr/local/etc/restricted-sites.squid"
#
# Add to the top of the http_access section in squid.conf
#
http_access deny BadSites
http_access allow home_network business_hours GoodSites

Restricting web access by IP

We can create ACLs that restrict the web access of specific users through the IP addresses they use. In the example below we define the LAN address range as 192.168.1.0:

#
# Add to the bottom of the ACL section in squid.conf
#
acl home_network src 192.168.1.0/255.255.255.0

Add the corresponding http_access statement to allow the IP addresses matching the ACL:

#
# Add to the top of the http_access section in squid.conf
#
http_access allow home_network

In addition, we can configure user authentication with a username and password. Consult the Squid documentation for details.
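The first-match, top-to-bottom evaluation described in the Access Control Lists section above is exactly what makes the insertion order in the "Configuring permissions" section of Part-2 matter. The following added example (not from either guide, and not Squid's own code) is a small simulator of that evaluation, run over the Part-2 rule set with the default allow localnet / deny all lines that follow it in squid.conf. It models only the ACL types Part-2 uses (src, proxy_auth, url_regex); time and dstdomain ACLs are not modelled, and the user names and URLs are constructed.

```javascript
// Added example (not from the guide): a small simulator of Squid's first-match
// http_access evaluation, run over the rule set built up in Part-2's "Configuring
// permissions" section in the insertion order that guide prescribes. Only src,
// proxy_auth and url_regex ACLs are modelled; users and URLs are constructed.

// True when ip falls inside the CIDR block, e.g. "192.168.0.0/16".
function cidrMatch(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const toInt = s => s.split(".").reduce((n, o) => n * 256 + Number(o), 0);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((toInt(ip) & mask) >>> 0) === ((toInt(net) & mask) >>> 0);
}

// One ACL is {type, values}; returns true when the request matches it.
function aclMatches(acl, req) {
  switch (acl.type) {
    case "src":
      return acl.values.some(c => cidrMatch(req.src, c));
    case "proxy_auth": // REQUIRED = any authenticated user, otherwise a user list
      if (req.user === null) return false;
      return acl.values[0] === "REQUIRED" ||
        acl.values.some(u => u.toLowerCase() === req.user.toLowerCase());
    case "url_regex":
      return acl.values.some(p => new RegExp(p).test(req.url));
    default: throw new Error("unsupported acl type " + acl.type);
  }
}

// Walk the http_access lines top to bottom; the first line whose terms all match
// decides. A "!" prefix negates a term. When nothing matches, Squid applies the
// opposite of the last line's action, hence the explicit "deny all" at the end.
function httpAccess(acls, rules, req) {
  for (const rule of rules) {
    const hit = rule.terms.every(term => {
      const negate = term.startsWith("!");
      const name = negate ? term.slice(1) : term;
      if (!(name in acls)) throw new Error("unknown acl " + name);
      return aclMatches(acls[name], req) !== negate;
    });
    if (hit) return rule.action;
  }
  return rules[rules.length - 1].action === "allow" ? "deny" : "allow";
}

// ACLs from the guide; list-file contents are inlined instead of read from c:/squid/etc/*.txt.
const ACLS = {
  all:               { type: "src", values: ["0.0.0.0/0"] },
  localnet:          { type: "src", values: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"] },
  Authenticated:     { type: "proxy_auth", values: ["REQUIRED"] },
  URL_consentiti:    { type: "url_regex", values: ["windowsupdate.com", "update.microsoft.com"] },
  Utenti_illimitati: { type: "proxy_auth", values: ["dominio\\utente2"] },
  URL_bloccati:      { type: "url_regex", values: ["facebook.com", "youtube.com"] },
  Utente1:           { type: "proxy_auth", values: ["dominio\\utente1"] },
  Utente1_Link:      { type: "url_regex", values: ["squid-cache.org"] },
};

// The http_access lines in the order the guide builds them, followed by the
// default "allow localnet" and "deny all" of squid.conf.
const RULES = [
  { action: "allow", terms: ["URL_consentiti"] },
  { action: "deny",  terms: ["!Authenticated"] },
  { action: "allow", terms: ["Utenti_illimitati"] },
  { action: "deny",  terms: ["URL_bloccati"] },
  { action: "allow", terms: ["Utente1", "Utente1_Link"] },
  { action: "allow", terms: ["localnet"] },
  { action: "deny",  terms: ["all"] },
];

// user is null for a request that carried no proxy credentials.
function decide(src, user, url) {
  return httpAccess(ACLS, RULES, { src, user, url });
}
```

Running decide over a few requests shows the effect of the order: an unauthenticated client reaches windowsupdate.com but nothing else, utente2 reaches facebook.com, any other user is stopped at the URL_bloccati line, and with "allow localnet" still in place the per-user Utente1/Utente1_Link pair only adds permissions, so a user-specific whitelist also needs a deny placed before that allow localnet line.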

Forcing all users to use Squid

To force all web users through Squid, we must set up the firewall (iptables) so that only the Squid server is able to reach the internet. Users who want internet access must then go through Squid.

Configuring the Squid server transparently for users

To restrict web access to the Squid server without having to change any proxy settings in the users' browsers, we must configure Squid to accept users' web requests automatically (transparent mode).

Versions before 2.6: we configure the following parameters:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Versions 2.6 and later: add the keyword transparent after the port declaration:

http_port 8080 transparent

Configuring iptables to support Squid as a transparent proxy

To force all web requests through the Squid proxy, we configure iptables as follows:

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \
    -j REDIRECT --to-port 3128
iptables -A INPUT -j ACCEPT -m state \
    --state NEW,ESTABLISHED,RELATED -i eth1 -p tcp \
    --dport 3128
iptables -A OUTPUT -j ACCEPT -m state \
    --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp \
    --dport 80
iptables -A INPUT -j ACCEPT -m state \
    --state ESTABLISHED,RELATED -i eth0 -p tcp \
    --sport 80
iptables -A OUTPUT -j ACCEPT -m state \
    --state ESTABLISHED,RELATED -o eth1 -p tcp \
    --sport 80

Here eth0 is connected to the internet, eth1 to the internal network, and Squid and iptables run on the same server. For details on other situations, such as multiple LANs, iptables and Squid on different servers, Squid optimization tricks and so on, please consult the detailed Squid documentation (at www.squid-cache.org) and the Linux administration documentation.
