Install a proxy server (Squid 3) on Debian 4.0 Etch and 5.0 Lenny
by Pierre-Yves Landuré - last modified 2009-01-26 18:38

There are several situations in which providing a proxy server is very useful. Installing the Squid proxy can address several needs: saving bandwidth, filtering the web sites visited (anti-virus, parental control, etc.), working around an access restriction based on the client's IP address, and so on. This guide walks through several possible Squid configurations in order to protect your browsing.

Installation

First, install Squid 3:

/usr/bin/apt-get install squid3

Note: by default, the port on which Squid listens for connections is port 3128.

Once Squid is installed, it must be configured correctly. First, set the hostname of the proxy server. This is the name that appears in error messages:

/bin/sed -i -e "/TAG: visible_hostname/,/^#[ ]*visible_hostname/{/#[ ]*visible_hostname/a \\
visible_hostname $HOSTNAME
;}" /etc/squid3/squid.conf

Authorize the use of the Squid server by a LAN

Once this is done, configure the networks allowed to use your Squid proxy. By default, only the computer hosting the Squid server is allowed to use it.

First, fill in the address range used by your local network:

LAN_RANGE=192.168.1.0/24

Then fill in an alias for your network (the alias must be a single "word", with no spaces or unusual characters, because it becomes part of an acl name and is spliced into the sed script below):

LAN_ALIAS=my-local-network

Allow connections from this network (the rules are appended after the "INSERT YOUR OWN RULE(S) HERE" marker of the default squid.conf, which sits above the final "http_access deny all"):

/bin/sed -i -e "0,/INSERT YOUR OWN RULE(S) HERE/{//a \\
\\
# Allowing local network ${LAN_ALIAS}.\\
acl lan-allowed-${LAN_ALIAS} src ${LAN_RANGE}\\
http_access allow lan-allowed-${LAN_ALIAS}
;}" /etc/squid3/squid.conf

Squid is now configured to accept connections from your LAN; all that remains is to reload the configuration so that it is taken into account:

/etc/init.d/squid3 reload

Specific configurations

Below you will find some examples of Squid configurations.
Disable caching of all sites visited

If you want Squid not to cache the content of any site visited, this is done very simply with this command:

/bin/sed -i -e '/TAG: cache$/,/^[ \t]*$/{/^[ \t]*$/i \
# Disabling cache for all sites\
cache deny all
;}' /etc/squid3/squid.conf

Once the Squid configuration has been updated, do not forget to reload it:

/etc/init.d/squid3 reload

Disable caching of specific sites

If you want caching disabled only for certain sites, proceed as follows. First, fill in the domain that you do not want cached:

NOCACHE_DOMAIN=www.my-cms.org

Compute the ID of the rule (the number of nocache rules already present, so that each new rule gets a unique acl name):

NOCACHE_ID=$(grep -e ".*acl nocache-" /etc/squid3/squid.conf | wc --lines)

And configure Squid not to cache that domain:

/bin/sed -i -e "/TAG: cache\$/,/^[ \\t]*\$/{/^[ \\t]*\$/i \\
\\
# Disable caching for domain ${NOCACHE_DOMAIN}\\
acl nocache-${NOCACHE_ID} dstdomain ${NOCACHE_DOMAIN}\\
cache deny nocache-${NOCACHE_ID}
;}" /etc/squid3/squid.conf

Once the Squid configuration has been updated, do not forget to reload it:

/etc/init.d/squid3 reload

Setting up parental controls with DansGuardian

If you want to block access to pornographic sites for the users of your proxy server, you can do so simply with DansGuardian. This software has the advantage of filtering the content of the pages visited: it does not just check the URL against a blacklist of pornographic sites.

Note: many sites present SquidGuard as a parental control. SquidGuard is better integrated with Squid than DansGuardian is, and is also much lighter in day-to-day operation. DansGuardian, however, has the advantage of integrating a virus check of downloaded files, and of filtering the content of downloaded pages. It is for these last two features that I chose it.

First, install DansGuardian:

/usr/bin/apt-get install dansguardian lha unrar

Configuring DansGuardian

If you wish, you can have DansGuardian's warning messages displayed in French.
To do this, use this command line:

/bin/sed -i -e "s/^\(language[ \t]*=\).*$/\1 'french'/" \
/etc/dansguardian/dansguardian.conf

To preserve a minimum of browsing privacy for our users, and to reduce the size of the log files generated, we lower the logging level:

/bin/sed -i -e 's/^\(loglevel[ \t]*=\).*$/\1 1/' \
/etc/dansguardian/dansguardian.conf

If you want downloads to be scanned for viruses, enable DansGuardian's ClamAV plugin (caution: this option consumes a lot of system resources):

/bin/sed -i -e 's/^[ \t#]*\(contentscanner[ \t]*=.*clamav.*$\)/\1/' \
/etc/dansguardian/dansguardian.conf

Once the configuration is tailored to your needs, it only remains to comment out the "UNCONFIGURED" line to activate DansGuardian:

/bin/sed -i -e 's/^.*UNCONFIGURED.*$/#\0/' \
/etc/dansguardian/dansguardian.conf

It is also possible to use the SquidGuard blacklists with DansGuardian. To do this, create the folder that will hold these blacklists, if SquidGuard is not installed:

/bin/mkdir --parent /var/lib/squidguard/db
/bin/chown -R proxy:proxy /var/lib/squidguard/db

Now set up the cron script that updates the list daily:

/bin/echo '#!/bin/bash
# Downloading the adult site blacklist update
/usr/bin/wget -q ftp://ftp.univ-tlse1.fr/pub/reseau/cache/squidguard_contrib/adult.tar.gz \
--output-document=/tmp/adult.tar.gz
/bin/tar --directory /var/lib/squidguard/db -xzf /tmp/adult.tar.gz
# SquidGuard must be able to update db files.
/bin/chown -R proxy:proxy /var/lib/squidguard/db
# Update the SquidGuard database with the downloaded data:
if [ -x /usr/bin/squidGuard ]; then
/bin/su proxy -c "/usr/bin/squidGuard -C all > /dev/null 2>&1"
fi' \
| /usr/bin/tee /etc/cron.daily/update-squidguard-blacklist
/bin/chmod +x /etc/cron.daily/update-squidguard-blacklist

Run the first update to initialise the list:

/etc/cron.daily/update-squidguard-blacklist

Caveat: this script fetches the archive over plain FTP without any integrity check, writes it to a fixed file name under /tmp, and unpacks it as root (cron.daily runs as root) straight into the database directory. Treat the downloaded list as untrusted input.

Create a symbolic link to the blacklist in the location DansGuardian expects:

/bin/ln -s /var/lib/squidguard/db/adult/ /etc/dansguardian/lists/blacklists/

Finally, configure DansGuardian to use this blacklist:

/bin/sed -i -e 's/[ \t#]*\(.*Include.*adult.*\)$/\1/' /etc/dansguardian/lists/bannedsitelist

You can now restart DansGuardian:

/etc/init.d/dansguardian restart

To use DansGuardian, configure your browser to connect to port 8080 of the proxy server.

Configuring Squid

Normally, there is nothing to change in Squid's default configuration. However, if you have authorised one or more local networks to use Squid directly (see the method above), you must edit /etc/squid3/squid.conf to remove the configuration lines that allow that connection. Your users must not be allowed to connect directly to Squid on port 3128; otherwise they can bypass DansGuardian and reach undesirable sites. DansGuardian runs on the same host and reaches Squid through the default "http_access allow localhost" rule, so nothing needs to be added in its place.

If you followed this guide, the operation is simple. Just run this command line:

/bin/sed -i -e '/lan-allowed-/d' /etc/squid3/squid.conf

And reload Squid's configuration:

/etc/init.d/squid3 reload

Setting up parental controls with SquidGuard

Although less elaborate than DansGuardian, SquidGuard is also much lighter to run. SquidGuard merely checks that the sites visited are not part of the blacklist.
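The cron script above (and the identical one in the SquidGuard section below) unpacks an archive fetched over plain FTP as root, straight into the database directory, from a fixed name in /tmp. Plain FTP gives no integrity guarantee, and tar creates whatever paths the archive names. The following bash functions are an added example, not part of the original guide, of the checks such a cron job should make before extracting: list the members first and refuse absolute names, ".." components or anything outside the expected top directory, extract into a staging directory created with mktemp, and only then swap the new list into place. The archive path, the db directory and the top directory name ("adult" for the Toulouse list) are parameters; the archives used in the demonstration are constructed locally, nothing is downloaded.

```shell
#!/bin/bash
# Added example (not from the original guide): validate a SquidGuard/DansGuardian
# blacklist archive before unpacking it, then install it atomically.
# Assumes GNU tar, awk and mktemp. The caller fetches the archive first
# (wget, as in the guide) and passes its local path.

# Print every archive member that must not be extracted: absolute names,
# names containing a ".." component, or names outside the expected top
# directory ($2, e.g. "adult"). Prints nothing for a clean archive.
blacklist_bad_members() {              # $1 = archive, $2 = expected top dir
    tar -tzf "$1" | awk -v top="$2" '
        /^\//                          { print; next }   # absolute path
        /(^|\/)\.\.(\/|$)/             { print; next }   # parent-directory escape
        $0 != top && $0 != top "/" && index($0, top "/") != 1 { print }
    '
}

# 0 when the archive lists cleanly and no member is suspect, 1 otherwise.
blacklist_archive_is_safe() {          # $1 = archive, $2 = expected top dir
    tar -tzf "$1" > /dev/null 2>&1 || return 1
    [ -z "$(blacklist_bad_members "$1" "$2")" ]
}

# Extract into a staging directory inside the db dir (same filesystem, so the
# final rename is atomic), then swap "$2/$3" for the fresh copy. Returns 1 and
# leaves the current list untouched if the archive fails the checks.
blacklist_install() {                  # $1 = archive, $2 = db dir, $3 = top dir
    blacklist_archive_is_safe "$1" "$3" || { echo "refusing unsafe archive: $1" >&2; return 1; }
    staging=$(mktemp -d "$2/.stage.XXXXXX") || return 1
    if tar --directory "$staging" -xzf "$1" && [ -d "$staging/$3" ]; then
        rm -rf "$2/$3.old"
        if [ -e "$2/$3" ]; then mv "$2/$3" "$2/$3.old"; fi
        mv "$staging/$3" "$2/$3"
        rm -rf "$2/$3.old" "$staging"
        return 0
    fi
    rm -rf "$staging"
    return 1
}

# Stand-alone demonstration with constructed archives (no network access).
blacklist_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src/adult" "$work/abs" "$work/db"
    printf 'example.org\n' > "$work/src/adult/domains"     # constructed sample list
    printf 'x\n' > "$work/abs/evil"
    tar -C "$work/src" -czf "$work/good.tar.gz" adult
    tar -P -czf "$work/abs.tar.gz" "$work/abs/evil"        # -P keeps the absolute name
    blacklist_install "$work/good.tar.gz" "$work/db" adult && echo "good list installed"
    blacklist_install "$work/abs.tar.gz" "$work/db" adult || echo "absolute-path archive refused"
    rm -rf "$work"
}
blacklist_demo
```

In the real cron job, download to a file created with mktemp instead of the fixed /tmp/adult.tar.gz, replace the tar line with `blacklist_install "$archive" /var/lib/squidguard/db adult`, and keep the chown and `squidGuard -C all` steps from the guide after it.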
First, install SquidGuard:

/usr/bin/apt-get install squidguard

Note: on Debian 4.0 Etch, SquidGuard depends on Squid 2, so Squid 2 has to be disabled after installing SquidGuard:

/etc/init.d/squid stop
/usr/sbin/update-rc.d -f squid remove

Once done, configure Squid so that SquidGuard is used to filter URLs:

/bin/sed -i -e '/TAG: url_rewrite_program/,/^#[ ]*none/{/#[ ]*none/a \
url_rewrite_program /usr/bin/squidGuard
;}' /etc/squid3/squid.conf

We update the location of SquidGuard's log files to match the Squid 3 configuration:

/bin/sed -i -e 's|^logdir.*$|logdir /var/log/squid3|' \
/etc/squid/squidGuard.conf

It is also necessary to enable content filtering in the SquidGuard configuration. To do this, start by filling in the destination URL of the redirect. Personally, I send them off to "lost on the Internet" XD:

SQUIDGUARD_DESTINATION=http://www.perdu.com/

Now configure SquidGuard to redirect adult sites to your replacement site:

/bin/sed -i -e 's/^[#]*\(dest adult.*\)$/\1/' \
-e '/^dest adult/,/}/{s/^#//;}' \
-e "/^dest adult/,/}/{s|^\(.*redirect[ \t]*\).*\$|\1${SQUIDGUARD_DESTINATION}|;}" \
/etc/squid/squidGuard.conf

And enable this configuration for all users:

/bin/sed -i -e '/^[ \t]*default/,/}/{s/^\(.*pass[ \t]*\).*$/\1!adult/;}' \
/etc/squid/squidGuard.conf

Now that SquidGuard is configured, set up the cron script that updates the blacklist of banned adult sites daily (the same script as in the DansGuardian section, with the same caveat: an unauthenticated FTP download unpacked as root):

/bin/echo '#!/bin/bash
# Downloading the adult site blacklist update
/usr/bin/wget -q ftp://ftp.univ-tlse1.fr/pub/reseau/cache/squidguard_contrib/adult.tar.gz \
--output-document=/tmp/adult.tar.gz
/bin/tar --directory /var/lib/squidguard/db -xzf /tmp/adult.tar.gz
# SquidGuard must be able to update db files.
/bin/chown -R proxy:proxy /var/lib/squidguard/db
# Update the SquidGuard database with the downloaded data:
if [ -x /usr/bin/squidGuard ]; then
/bin/su proxy -c "/usr/bin/squidGuard -C all > /dev/null 2>&1"
fi' \
| /usr/bin/tee /etc/cron.daily/update-squidguard-blacklist
/bin/chmod +x /etc/cron.daily/update-squidguard-blacklist

Run the first update to initialise the list:

/etc/cron.daily/update-squidguard-blacklist

Now you can restart Squid:

/etc/init.d/squid3 restart

Allow SSL access on a non-standard port for a given web server

If you want to reach, through Squid, servers that use HTTPS on a port other than 443, you must configure Squid to explicitly authorise it: by default Squid denies CONNECT to anything but the ports in its SSL_ports acl. First, fill in the name of the server that uses a non-standard HTTPS port:

WEIRD_HTTPS_SERVER=www.some-server.org

Then fill in the port number used:

WEIRD_HTTPS_PORT=8080

Compute the ID of the rule (the number of such rules already present, so that the acl names stay unique):

WEIRD_HTTPS_ID=$(grep -e "acl weird-ssl-.*-domain dstdomain" /etc/squid3/squid.conf | wc --lines)

And allow the CONNECT method for this site. The rules are inserted just above the "Deny CONNECT to other than SSL ports" comment, i.e. before the "http_access deny CONNECT !SSL_ports" line, since Squid applies the first http_access line that matches:

/bin/sed -i -e "0,/Deny CONNECT to other than SSL ports/{//i \\
\\
# Allowing non-standard SSL port declaration: ${WEIRD_HTTPS_SERVER}:${WEIRD_HTTPS_PORT}.\\
acl weird-ssl-${WEIRD_HTTPS_ID}-domain dstdomain ${WEIRD_HTTPS_SERVER}\\
acl weird-ssl-${WEIRD_HTTPS_ID}-port port ${WEIRD_HTTPS_PORT}\\
http_access allow CONNECT weird-ssl-${WEIRD_HTTPS_ID}-domain weird-ssl-${WEIRD_HTTPS_ID}-port
;}" /etc/squid3/squid.conf

Squid is now configured to allow connections to that server; all that remains is to reload the configuration so that it is taken into account:

/etc/init.d/squid3 reload

Thanks to the author; source: http://howto.landure.fr/gnu-linux/debian-4-0-etch/installer-un-serveur-mandataire-proxy-squid-3-sur-debian-4-0-etch-et-5-0-lenny
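The three edits in this guide that splice http_access rules into squid.conf (the LAN acl, its deletion once DansGuardian fronts Squid, and the CONNECT exception for a non-standard SSL port) all depend on rule order: Squid takes the first http_access line that matches, so an allow that lands below "http_access deny all" or "http_access deny CONNECT !SSL_ports" is silently dead, and an acl name that is not a single word breaks both the sed script and the acl line. The bash helpers below are an added example, not code from the original guide. They reuse the guide's acl naming (lan-allowed-*, weird-ssl-*) and the marker comments of Debian's squid.conf, validate the alias, range and port before splicing, and check that each rule is actually reachable. They operate on a constructed skeleton of squid.conf written by squid_demo_conf, never on /etc/squid3/squid.conf; the sed text lines are kept flush left on purpose, because everything after "a \" or "i \" is inserted verbatim.

```shell
#!/bin/bash
# Added example (not from the original guide). Assumes GNU sed and grep and
# the marker comments shipped in Debian's squid.conf.

# Names are spliced into sed scripts and acl lines: allow only safe characters.
squid_valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Append "acl lan-allowed-<alias> src <range>" and its allow after the
# INSERT marker, which sits above "http_access deny all" (the guide's method).
squid_allow_lan() {                     # $1 = conf, $2 = alias, $3 = CIDR range
    squid_valid_name "$2" || { echo "bad alias: $2" >&2; return 1; }
    case "$3" in ''|*[!0-9./]*) echo "bad range: $3" >&2; return 1 ;; esac
    sed -i -e "0,/INSERT YOUR OWN RULE(S) HERE/{//a \\
# Allowing local network $2.\\
acl lan-allowed-$2 src $3\\
http_access allow lan-allowed-$2
}" "$1"
}

# Drop every lan-allowed-* line so clients must go through DansGuardian;
# Squid's default "http_access allow localhost" still admits DansGuardian.
squid_drop_lan_rules() { sed -i -e '/lan-allowed-/d' "$1"; }
squid_lan_rule_count() { grep -c -e 'lan-allowed-' "$1" || true; }

# Next free ID for the weird-ssl-* family (the guide's grep | wc --lines trick).
squid_next_ssl_id() { grep -e '^acl weird-ssl-[0-9]*-domain ' "$1" | wc -l | tr -d ' '; }

# Allow CONNECT to one server on a non-standard port, inserted before the
# "Deny CONNECT to other than SSL ports" comment that precedes the deny rule.
squid_allow_connect_port() {            # $1 = conf, $2 = server, $3 = port
    squid_valid_name "$2" || { echo "bad server: $2" >&2; return 1; }
    case "$3" in ''|*[!0-9]*) echo "bad port: $3" >&2; return 1 ;; esac
    [ "$3" -ge 1 ] && [ "$3" -le 65535 ] || { echo "bad port: $3" >&2; return 1; }
    id=$(squid_next_ssl_id "$1")
    sed -i -e "0,/Deny CONNECT to other than SSL ports/{//i \\
# Allowing non-standard SSL port: $2:$3.\\
acl weird-ssl-$id-domain dstdomain $2\\
acl weird-ssl-$id-port port $3\\
http_access allow CONNECT weird-ssl-$id-domain weird-ssl-$id-port
}" "$1"
}

# First line number matching a regex (empty if none).
squid_line_of() { grep -n -m1 -e "$2" "$1" | cut -d: -f1; }

# 0 when <acl> is defined before the allow that uses it and that allow sits
# above the deny matched by <deny regex>; 1 when the rule is absent or shadowed.
squid_rule_effective() {                # $1 = conf, $2 = acl name, $3 = deny regex
    acl_ln=$(squid_line_of "$1" "^acl $2 ")
    allow_ln=$(grep -n -m1 -w -e "^http_access allow .*$2" "$1" | cut -d: -f1)
    deny_ln=$(squid_line_of "$1" "$3")
    [ -n "$acl_ln" ] && [ -n "$allow_ln" ] && [ -n "$deny_ln" ] &&
        [ "$acl_ln" -lt "$allow_ln" ] && [ "$allow_ln" -lt "$deny_ln" ]
}

# Constructed skeleton with the Debian marker lines, for offline use only.
squid_demo_conf() {                     # $1 = path to write
    cat > "$1" <<'EOF'
acl localhost src 127.0.0.1/32
acl SSL_ports port 443
acl CONNECT method CONNECT
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
EOF
}

# Stand-alone demonstration against a temporary copy.
demo=$(mktemp)
squid_demo_conf "$demo"
squid_allow_lan "$demo" my-local-network 192.168.1.0/24
squid_allow_connect_port "$demo" www.some-server.org 8080
squid_rule_effective "$demo" lan-allowed-my-local-network '^http_access deny all' && echo "LAN rule is live"
squid_drop_lan_rules "$demo"
squid_rule_effective "$demo" lan-allowed-my-local-network '^http_access deny all' || echo "LAN rule gone: clients must use DansGuardian"
rm -f "$demo"
```

After editing the real file, `squid_rule_effective /etc/squid3/squid.conf lan-allowed-my-local-network '^http_access deny all'` tells you whether the rule will ever be consulted before reloading Squid; the same call with `weird-ssl-0-domain` and `'^http_access deny CONNECT'` checks the CONNECT exception.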