
Configuring Squid 3 + QuintoLabs Content Security 1.4 and Integration with Active Directory


I will not describe Squid itself, but I will go over the features of QCS.

What QuintoLabs Content Security can do:
* Removes annoying ads
* Ban on file uploads
* Group control
* Exclusion of any domain, subnet, ip from the filter
* High performance
* Easy setup and maintenance
* Support for RedHat, CentOS, Fedora, Debian, Ubuntu distributions


To configure the bundle, we have pre-configured:
1) dc.example.lan [192.168.28.20] - Windows Server 2008 with DNS and Active Directory
2) 192.168.28.2 - Gateway
3) DNS [192.168.28.20]
4) example.lan - Domain
5) proxy.example.lan - Our CentOS 6 server
6) client.example.lan - Win7 client

Next, we will configure the proxy server (CentOS), assuming that the Windows Server 2008 host already has the services we need configured.

Configure a static IP in /etc/sysconfig/network-scripts/ifcfg-eth0:
BOOTPROTO=static
NETMASK=255.255.255.0
IPADDR=192.168.28.21
ONBOOT=yes

Set the gateway in /etc/sysconfig/network:
GATEWAY=192.168.28.2
Specify the DNS server in /etc/resolv.conf:
nameserver 192.168.28.20
Restart the network interfaces:
/etc/init.d/network restart
Ping the gateway:
ping -c 3 192.168.28.2

If all is well, then you can move on.
Update the system:
yum update
and then install additional packages:
yum install bind-utils
Install ntp:
yum install ntp
Add it to startup:
chkconfig ntpd on
Open /etc/ntp.conf and add the domain controller as a time source in the config (Kerberos requires the proxy's clock to be in step with the DC).


Stop the service:
service ntpd stop
Synchronize with our DC:
ntpdate -b dc.example.lan
and start the ntp service again:
service ntpd start
Install Kerberos:
yum install krb5-workstation krb5-libs
Bring the configuration in /etc/krb5.conf to a form similar to this:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = EXAMPLE.LAN
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac

[realms]
EXAMPLE.LAN = {
kdc = dc.example.lan
admin_server = dc.example.lan
default_domain = example.lan
}

[domain_realm]
.example.lan = EXAMPLE.LAN
example.lan = EXAMPLE.LAN


Try to get a ticket:
kinit Administrator@EXAMPLE.LAN
If everything passed without problems, check the ticket issued to us:
klist
and we see:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@EXAMPLE.LAN
Valid starting Expires Service principal
12/07/11 11:07:58 12/07/11 21:08:00 krbtgt/EXAMPLE.LAN@EXAMPLE.LAN
renew until 12/14/11 11:07:58

Reboot:
shutdown -r now
Install samba and join our server to the domain:
yum install samba
Add it to startup:
chkconfig smb on
Open the samba config /etc/samba/smb.conf and bring it to this form:
[global]
workgroup = EXAMPLE
realm = EXAMPLE.LAN
server string = Samba Server Version %v
security = ADS
log file = /var/log/samba/log.%m
max log size = 50
cups options = raw

[homes]
comment = Home Directories
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No


Restart samba:
service smb restart
Initialize Kerberos:
kinit Administrator@EXAMPLE.LAN
klist

net ads join -S dc.example.lan -U Administrator%P@ssw0rd



Open the AD snap-in and check whether our proxy server has appeared in the Computers OU.


We see a positive result and reboot again:
shutdown -r now
Install Squid:
yum install squid
Open /etc/squid/squid.conf, find the lines we need and replace them:
visible_hostname proxy.example.lan
acl localnet src 192.168.28.0/24
http_access allow localnet

Add it to startup:
chkconfig squid on
Start the service:
service squid start
Add an entry for the HTTP service principal to the /etc/krb5.keytab file:
net ads keytab add HTTP -U administrator
Processing principals to add...
Enter administrator's password:



Change the owner of the file so that the Squid helper can read it:
chown squid:squid /etc/krb5.keytab
and restrict its permissions:
chmod 400 /etc/krb5.keytab
Change the contents of the config in /etc/squid/squid.conf:
auth_param negotiate program /usr/lib/squid/negotiate_kerb_auth -s HTTP/proxy
auth_param negotiate children 10
auth_param negotiate keep_alive on

acl auth proxy_auth REQUIRED

http_access deny !auth
http_access allow auth

http_access deny all

After that, reboot the server, then open IE on the client machine and check the authentication. If everything went well, we will see our user in the logs in /var/log/squid/*.log.
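To check the authentication step from the logs rather than by eye, here is an added example (not from the article) that summarises Squid's native access.log: which principals authenticated, how many 407 challenges each client received, and which clients only ever got challenged and never authenticated (the usual sign of clock skew, a wrong SPN or an unjoined workstation). The log lines are constructed samples in Squid's default "squid" log format; the field layout (time elapsed client code/status bytes method URL user hierarchy type) is assumed.

```shell
#!/bin/sh
# Constructed sample of /var/log/squid/access.log in the default "squid" format.
# $3 = client IP, $4 = result code/HTTP status, $8 = authenticated user or "-".
SAMPLE_LOG='1323251270.001      0 192.168.28.30 TCP_DENIED/407 3456 GET http://example.com/ - NONE/- text/html
1323251270.120    234 192.168.28.30 TCP_MISS/200 12034 GET http://example.com/ alice@EXAMPLE.LAN DIRECT/93.184.216.34 text/html
1323251271.500     90 192.168.28.30 TCP_MISS/200 2210 GET http://example.com/img.png alice@EXAMPLE.LAN DIRECT/93.184.216.34 image/png
1323251300.010      0 192.168.28.31 TCP_DENIED/407 3456 CONNECT mail.example.org:443 - NONE/- -
1323251300.030    512 192.168.28.31 TCP_MISS/200 4096 CONNECT mail.example.org:443 bob@EXAMPLE.LAN DIRECT/203.0.113.5 -
1323251310.000      0 192.168.28.42 TCP_DENIED/407 3456 GET http://example.com/ - NONE/- text/html
1323251312.000      0 192.168.28.42 TCP_DENIED/407 3456 GET http://example.com/ - NONE/- text/html
1323251400.000      0 192.168.28.40 TCP_DENIED/403 3000 GET http://10.1.2.3/evil.exe - NONE/- text/html'

# Print "principal count" for every authenticated user seen on stdin.
users_seen() {
  awk '$8 != "-" { n[$8]++ } END { for (u in n) print u, n[u] }' | sort
}

# Print "client count" of 407 responses: one per request is the normal
# Negotiate round trip, a long run with no 200s afterwards is a failure.
challenges_by_client() {
  awk '$4 ~ /\/407$/ { n[$3]++ } END { for (c in n) print c, n[c] }' | sort
}

# Clients that were challenged but never produced an authenticated request.
never_authenticated() {
  awk '$4 ~ /\/407$/ { ch[$3] = 1 } $8 != "-" { ok[$3] = 1 }
       END { for (c in ch) if (!(c in ok)) print c }' | sort
}

# Stand-alone run over the constructed sample; on a real proxy pipe the log in:
#   cat /var/log/squid/access.log | never_authenticated
echo "== authenticated users";   printf '%s\n' "$SAMPLE_LOG" | users_seen
echo "== 407s per client";       printf '%s\n' "$SAMPLE_LOG" | challenges_by_client
echo "== never authenticated";   printf '%s\n' "$SAMPLE_LOG" | never_authenticated
```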

Next, install Apache:
yum install httpd php mod_wsgi
Add it to startup:
chkconfig httpd on
Start Apache:
service httpd start
Now the final part: installing QuintoLabs Content Security 1.4.2.

Download:
curl quintolabs.com/qlproxy/binaries/1.4.2/qlproxy-1.4.2-32d12.i386.rpm > qlproxy-1.4.2-32d12.i386.rpm
Install:
rpm --install qlproxy-1.4.2-32d12.i386.rpm
To block ads, simply uncomment the subscription we need in the /opt/quintolabs/qlproxy/etc/adblock.conf file.
Optionally, you can raise the filter heuristics for online games in the /opt/quintolabs/qlproxy/etc/adultblock.conf file.
Look for the line:
heuristics_level = normal
and change normal to high:
heuristics_level = high
In the /opt/quintolabs/qlproxy/etc/exceptions.conf config, you can configure parental controls that support filtering HTML pages for prohibited words and phrases.
And in the /opt/quintolabs/qlproxy/etc/httpblock.conf config, you can configure protection against Trojans and viruses, which often send requests directly to an IP address rather than a hostname:
http://\d+\.\d+\.\d+\.\d+/.*
After all changes, restart the daemon:
/etc/init.d/qlproxy restart
Open the squid config /etc/squid/squid.conf and make changes to interact with our filter:
icap_enable on
icap_preview_enable on
icap_preview_size 4096
icap_persistent_connections on
icap_send_client_ip on
icap_send_client_username on
icap_service qlproxy1 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod
icap_service qlproxy2 respmod_precache bypass=0 icap://127.0.0.1:1344/respmod
adaptation_access qlproxy1 allow all
adaptation_access qlproxy2 allow all

Restart the squid service:
service squid restart
Next, edit the Apache config /etc/httpd/httpd.conf and add (the original listing was missing the closing </Directory> tags, which Apache requires):
WSGIScriptAlias /qlproxy.cgi /var/opt/quintolabs/qlproxy/www/data/qlproxy.wsgi
<Directory /var/opt/quintolabs/qlproxy/www/data>
WSGIApplicationGroup %{GLOBAL}
Order deny,allow
Allow from all
</Directory>
Alias /qlproxy /var/opt/quintolabs/qlproxy/www
<Directory /var/opt/quintolabs/qlproxy/www>
Options FollowSymLinks
AllowOverride None
</Directory>

Restart Apache:
service httpd restart

Finally, check that the whole server works, including the filtering.


PS If you find a typo, send me a private message and I will fix it :)

Source: https://habr.com/ru/post/136205/

