Howto Setup Squid 2.6 Proxy with LDAP Authentication and SARG on Ubuntu 7.04
Last Updated on Friday, 29 January o 06:44 Written by admin Monday, 7 July o 09:11
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator. It runs on Unix and Windows and is licensed under the GNU GPL.
Sarg (Squid Analysis Report Generator) is a tool that allows you to see where your users are going on the Internet.
Sarg provides a lot of information about Squid users' activities: times, bytes, sites, etc.
This Howto is going to be done in two sections.
1.) Install Squid
1.1) Configure squid.conf
1.1.a) Visible Host Name
1.1.b) HTTP Access Control Lists
1.1.c) HTTP Port
1.1.d) Log the users by name (Identd)
1.1.e) Have the user authenticate against Windows Active Directory with LDAP
2.) Install SARG (get the source, compile it and install it.) The reason for this is that the Ubuntu package version does not work nicely and hangs most of the time.
I am assuming that your box has two network cards and that it is routing correctly.
Now that you know what this is all about, let's get started:
Section one
1.) Install Squid
sudo apt-get install squid
1.1) Now that Squid is installed we need to configure it to allow access for our users.
We will be editing the /etc/squid/squid.conf file for the changes that need to be made.
I use Midnight Commander to edit my files, but you can use any other editor that you like.
sudo mcedit /etc/squid/squid.conf
1.1.a) Visible Host Name
Squid will fail to start if you don't give your server a hostname. You can set this with the visible_hostname parameter. If you would like your browser to show which proxy an error page came from, you will need to do this. Please note that each proxy will need a different hostname. I will name my proxy crashinit6. You can also use the FQDN if you want.
visible_hostname crashinit6
1.1.b) HTTP Access Control Lists
This part of the howto will focus on creating an ACL which allows specific parts of your network access to the HTTP port on your proxy and denies others. I will be using two different VLANs in this example.
Vlanone = 172.16.10.1-254
Vlantwo = 172.16.11.1-254
I want to give Vlanone access to the internet and deny Vlantwo.
The part of the squid.conf file you need to edit looks like this:
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
#
# And finally deny all other access to this proxy
http_access deny all
The part we will add our Rules to are under:
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
But above:
# And finally deny all other access to this proxy
http_access deny all
NOTE on default values:
If there are no “access” lines present, the default is to deny the request.
In other words, if you don't have your network range specified in an ACL, all requests will be denied and no one can use your proxy.
Our ACL is going to look like this. The src ACLs are written in network/mask form, which Squid accepts unambiguously: 172.16.10.0/24 covers Vlanone (172.16.10.1-254) and 172.16.11.0/24 covers Vlantwo (172.16.11.1-254). http_access lines are matched top to bottom and the first match wins, so the order of these lines matters:
acl Vlanone src 172.16.10.0/24
http_access allow Vlanone
#
acl Vlantwo src 172.16.11.0/24
http_access deny Vlantwo
You can add as many ACLs as you want, and there are many other ACL types, but that is outside the scope of this howto. You can find more information about ACLs on Squid's site.
1.1.c) HTTP Port
The default port that squid uses to serve the HTTP protocol over is 3128.
In my experience it is wise to change it to a port other than the default.
The part of the configuration file to change looks like this:
# Squid normally listens to port 3128
http_port 3128
1.1.d) Log the users by name (Identd)
I had the problem where I had Squid installed on Linux and there was no easy way for me to have my Windows users' logon names recorded by Squid. The easiest way for me was to use Ident to query the user's logon name and send it back to Squid. You can also create an ACL which can deny or allow users on the proxy according to user names and/or client addresses. Keep in mind that the Ident reply comes from the client machine itself, so it is fine for logging but should not be trusted as an access control on its own.
The downside to this method is that you will need to install an Identd service on your Windows clients.
You can download one from sourceforge: http://sourceforge.net/projects/retinascan/
Look for the settings below in the squid.conf file.
acl ident_aware_host
ident_lookup_access
This is how my ACL looks (allow lookups for Vlanone, written as the 172.16.10.0/24 network):
acl ident_Vlanone src 172.16.10.0/24
ident_lookup_access allow ident_Vlanone
#ident_lookup_access deny all
Please note that I have commented out ident_lookup_access deny all as I don't want to deny access according to my Ident ACL. All I want to do is resolve the username.
1.1.e) Have the user authenticate against Windows Active Directory with LDAP.
This part needs a working Active Directory (mine is a Windows 2000 AD environment); otherwise there is no point in reading further.
My example FQDN is going to look like this:
LDAP authentication is possible with Squid's own authentication helper, which is located at /usr/lib/squid/ldap_auth. There are a few command-line switches that are very useful and that we will use.
Descriptions of the command switches used below: -v 3 selects LDAP protocol version 3; -R tells the helper not to chase referrals; -b gives the search base DN; -D and -w give the DN and password of the account the helper binds with in order to look up users; -f is the search filter, with %s replaced by the login name; -h names the LDAP server (your domain controller). Because -w puts the bind password into squid.conf in clear text, restrict read permissions on squid.conf, or use -W to read the password from a separately protected file instead.
We are now going to check whether we can get a successful connection to our AD server by running the ldap_auth helper from the console with the same switches that will later go into squid.conf.
You will see nothing but the blinking cursor on the console.
You will have to type your username and password on the same line with a space between them. Please note that the username you use must already exist in AD.
If the bind succeeds the helper answers OK; if the credentials are wrong it answers ERR.
Once this is done, we will now edit the squid.conf file.
We have to add (uncomment) the auth_param basic entries and create both acl and http_access rules.
We will now edit the /etc/squid/squid.conf file
sudo mcedit /etc/squid/squid.conf
Find the Section: # TAG: auth_param
We will now put the following in. Remember the console command you got working above; you will need that information for this part.
N.B: This must be in one line
# TAG: auth_param
auth_param basic program /usr/lib/squid/ldap_auth -v3 -R -b "dc=your,dc=domain,dc=here" -D "cn=FullUserNameHere,cn=Users,dc=your,dc=Domain,dc=Here" -w "UsersPassword" -f "(sAMAccountName=%s)" -h YourDomainControllerHere
Directly below this add these lines.
auth_param basic children 5
auth_param basic realm LOCALDOMAIN
auth_param basic credentialsttl 1 minutes
auth_param basic casesensitive off
The realm is what appears in the browser's authentication box. You can change this to whatever you want.
You can read about these settings and more here from squid’s site.
Find the Section: # ACCESS CONTROLS
This will tell squid that LDAP authentication is needed.
acl ldap proxy_auth REQUIRED
Find the Section: # TAG: http_access
This will allow an authenticated user to use the proxy for browsing. Put it above the final http_access deny all line; since http_access lines are matched in order, clients matched by an earlier allow line (such as Vlanone above) will never be asked to log in.
http_access allow ldap
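As an added example (not part of the original howto), here is a small Python model of how Squid evaluates the http_access lines from sections 1.1.b and 1.1.e: the first matching line wins, every ACL on a line must match, and a proxy_auth ACL reached without credentials triggers the login challenge. It contrasts the order given above, where Vlanone clients are never asked to log in, with a variant that requires the LDAP login for Vlanone; the config excerpts, the `all` ACL definition and the 10.0.0.5 client are constructed assumptions.

```python
import ipaddress

# Constructed squid.conf excerpts in the style of this howto (not the page's file).
# AS_WRITTEN: the src allow for Vlanone sits above the proxy_auth allow.
AS_WRITTEN = """
acl all src 0.0.0.0/0
acl Vlanone src 172.16.10.0/24
acl Vlantwo src 172.16.11.0/24
acl ldap proxy_auth REQUIRED
http_access allow Vlanone
http_access deny Vlantwo
http_access allow ldap
http_access deny all
"""
# WITH_LOGIN: Vlanone clients are allowed only once they have authenticated.
WITH_LOGIN = AS_WRITTEN.replace("allow Vlanone", "allow Vlanone ldap").replace("http_access allow ldap\n", "")

def parse(conf):
    """Collect acl definitions and http_access lines in file order."""
    acls, rules = {}, []
    for line in conf.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def decide(conf, client_ip, user=None):
    """Return 'allow', 'deny' or 'auth_required' for one request (simplified:
    a proxy_auth ACL reached without credentials yields the 407 challenge)."""
    acls, rules = parse(conf)
    ip = ipaddress.ip_address(client_ip)
    for action, names in rules:
        for name in names:
            negate = name.startswith("!")
            kind, args = acls[name.lstrip("!")]
            if kind == "src":
                hit = any(ip in ipaddress.ip_network(a, strict=False) for a in args)
            else:  # proxy_auth REQUIRED: any authenticated user matches
                if user is None:
                    return "auth_required"
                hit = True
            if hit == negate:  # this ACL failed, so the line does not match
                break
        else:
            return action
    return "deny"  # no line matched: Squid's default is to deny
```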
Thanks to PaperCut© and kreienbrock for their materials. The combined information has made it possible for me to do the AD authentication in squid only.
Section Two
2.) Install SARG (get the source, compile it and install it.) The reason why I compiled SARG myself was that I had an issue where SARG crashed on me every time I wanted to generate web reports. You might be lucky and have it working for you, but if not…
Download SARG from http://sarg.sourceforge.net/sarg.php
Once downloaded, extract the package and then cd into the folder
tar -xvf file.tar.gz
Configure
./configure
Compile the Package
make
Installing the Package
sudo make install
You can now access SARG either through Webmin or have a Cron job execute commands to generate your reports. Please look at the section Sarg users implementations on SARG’s site.
You can find out more about compiling on Ubuntu by following these two links: https://help.ubuntu.com/community/CompilingSoftware and https://help.ubuntu.com/community/CompilingEasyHowTo.
I hope that you have had success with this howto.
Enjoy.

Wow! You really covered this topic well. Are there other resources that I should check out?
Hi Cristopher,
I would go to Squid’s site and read up on any updates and there have been a few howto’s on the web. You just need to read and test and re-test till it works for you. Squid is a great proxy once it is configured to your specs but it will take time and patience. Good luck and let me know if you have a few questions and I’ll do my best to help.
hi guys…
hi guys, I would like to thank you for the efforts you have made in writing this article. I am hoping the same best work from you in the future as well, and I have started my own blog now, thanks for your effort…
thanks man