
Install squid + sams + ntlm on centos 6.4 in steps


Good day, gentlemen. I do not think I will discover America by talking about the SAMS project (Squid Account Management System); articles about it are quite common, including on Habrahabr. So although I will not tell you much that is new, I hope I will tell you something useful.

The first reason for writing this article is to help fellow "any-key" admins (admins of small organizations) like me get another convenient and, most importantly, free administration tool. The second reason is that when I tried to install this tool at my workplace following various HowTos, I found that they are either incomplete or outdated, and a person only superficially familiar with Linux (like me) cannot get anything workable out of them. So, having got a result, I decided to share it with other newbies.

Tasks

So, this step-by-step HowTo aims to lead you to your own transparent proxy server on CentOS 6.4 i386 that authenticates users via Active Directory. At the same time, this server will have a convenient web interface and, most importantly, it is free (though that hardly surprises anyone in a *nix topic).

A bit about SAMS

Best of all, of course, read the official resource sams.perm.ru. For me, SAMS is a convenient traffic accounting tool and user browsing log with a nice web interface. Like anything, it has its pros and cons, and you will have to judge for yourself whether to use it.
Installation difficulties

The main problem with installing SAMS is that the stable first version (enthusiasts are now continuing development as SAMS2, and I hope they succeed) has not been updated for a long time, and therefore requires old libraries that are not in the standard repositories. "What nonsense!", you will say, and you would be not quite right, because, as I said, the article is aimed first of all at beginners who are not familiar with Linux. Another problem was simply that I could not find a HowTo for installing on CentOS (the choice of OS is not the topic of this article; it just happened that way).

Preparing to install

Of course, first of all you need to download the CentOS 6.4 image (the latest at the moment) from isoredirect.centos.org/centos/6/isos/i386 . Then burn the disc as usual and install a minimal configuration on our future gateway. During installation you must:
  1. Enter the name of our server.
  2. Configure the network (it is more convenient to do it here in the graphical interface than to edit the configuration files later, although this is a matter of habit).
  3. Set the time parameters.
  4. Set the root password.

OS Setup

After the reboot, log in to the system as the superuser. All further steps are performed as root.
  1. If you skipped or misconfigured the network, edit the configuration of the network interfaces ifcfg-eth0, ifcfg-eth1 (this is a gateway, so there are at least two interfaces):
    vi /etc/sysconfig/network-scripts/ifcfg-eth0 

    Sample configuration file:
    DEVICE="eth0"
    BOOTPROTO=none
    NM_CONTROLLED="yes"
    ONBOOT="yes"
    TYPE="Ethernet"
    UUID="57fb7ee8-e3da-4719-b5ec-d27e16fe0677"
    HWADDR=6C:62:6D:B7:F0:A3
    IPADDR=192.168.0.86
    PREFIX=24
    GATEWAY=192.168.0.3
    DNS1=192.168.0.2
    DNS2=192.168.0.3
    DEFROUTE=yes
    IPV4_FAILURE_FATAL=yes
    IPV6INIT=no
    NAME="System eth0"

  2. Installing essential programs:
     yum install mc nano wget ntp -y 

  3. Configure time synchronization. We specify the domain controllers as time servers:
     ntpdate ntpserver 
     vi /etc/ntp.conf 

    Sample configuration file:
    server 192.168.0.1

  4. Stop iptables:
     service iptables stop 
     chkconfig iptables off 

  5. We update the system:
     yum makecache && yum -y update 

  6. Disable SELinux. Put the following in /etc/sysconfig/selinux:
     vi /etc/sysconfig/selinux 

    SELINUX=disabled

  7. Reboot the server with the command:
     shutdown -r now 


Install the required libraries

  1. Now add the CentOS 5 repository:
     rpm -Uvh http://repo.webtatic.com/yum/centos/5/latest.rpm 

  2. And install libmysqlclient15 from there:
     yum install libmysqlclient15 --enablerepo=webtatic 

  3. In some cases old scripts require downgrading PHP 5.3.3 to version 5.2.17. The most convenient way to install it is the Atomic repository. The steps below were performed on a freshly installed server.
  4. Connect the Atomic repository:
     wget http://www.atomicorp.com/installers/atomic 
     sh atomic 

  5. Accept the license of the installation script (press Enter).
  6. Next, prevent the standard system repositories from installing packages containing PHP files. Edit /etc/yum.repos.d/CentOS-Base.repo and add exclude=php* to the sections shown:
     vi /etc/yum.repos.d/CentOS-Base.repo 

    [base]
    exclude=php*
    [updates]
    exclude=php*

  7. Then save the file (:wq) and remove the installed PHP 5.3.3 packages by running in the shell
     yum remove php* 

  8. After PHP is removed (phpmyadmin and squirrelmail will also be removed for dependencies) you will need to install the correct version and related extensions with the commands
     yum install php-5.2.17 php-mcrypt-5.2.17 php-gd-5.2.17 php-mbstring-5.2.17 php-pdo-5.2.17 php-mysql-5.2.17 

  9. Make sure all necessary extensions are installed and there are no errors.
     php -m 

  10. Then install phpMyAdmin and squirrelmail back:
     yum install phpmyadmin 
     yum install squirrelmail 

  11. Put the configuration files back in place:
     mv /etc/phpMyAdmin/config.inc.php.rpmsave /etc/phpMyAdmin/config.inc.php 
     mv /etc/squirrelmail/config.php.rpmsave /etc/squirrelmail/config.php 
     mv /etc/httpd/conf.d/squirrelmail.conf.rpmsave /etc/httpd/conf.d/squirrelmail.conf 

  12. After that, disable automatic installation of PHP extensions from the atomic repository, to avoid an unplanned PHP version change when installing other software: edit /etc/yum.repos.d/atomic.repo in the same way as the other repository files
     vi /etc/yum.repos.d/atomic.repo 

    [atomic]
    exclude=php*

  13. Finally, restart the Apache web server using the command
     /etc/init.d/httpd restart 

    If you need any additional PHP extensions, the easiest way is to install them from rpm packages downloaded from http://www2.atomicorp.com/channels/atomic/centos/6/i386/RPMS/

Install and configure SAMS

  1. Software installation:
     yum install pcre-devel squid mysql-server mysql-devel gd-devel gcc make samba-server samba-client samba bind-utils -y 

  2. Add the needed services to startup:
     chkconfig mysqld on && chkconfig httpd on && chkconfig squid on 

  3. Create a temporary directory for building SAMS:
     mkdir -p /usr/src/sams 
     cd /usr/src/sams 

  4. Downloading the STABLE version of SAMS (SAMS Documentation):
     wget http://nixdev.net/release/sams/sams-1.0.5.tar.bz2 

    If the link does not work, you can try
     wget http://sams.perm.ru/index.php\?option=com_doqment\&task=files.download\&cid=12 

    Unpack the archive and install:
     tar xf sams-1.0.5.tar.bz2 
     cd sams-1.0.5 
     ./configure && make && make install 
     chkconfig sams on 
     cd / && rm -fr /usr/src/sams 

    Alternative installation method:
    Download the STABLE version of SAMS (SAMS Documentation) as the compiled package for CentOS (it adds the web directory for Apache itself):
     wget http://www.nixdev.net/release/sams/packages/CentOS_5/i386/sams-1.0.5-91.1.i386.rpm 
     yum localinstall --nogpgcheck sams-1.0.5-91.1.i386.rpm 
     chkconfig sams on 
     cd / && rm -fr /usr/src/sams 

  5. Next, configure Apache: add /etc/httpd/conf.d/sams.conf
     vi /etc/httpd/conf.d/sams.conf 

    Alias /sams /usr/local/share/sams
    <Directory /usr/local/share/sams/>
        Order Allow,Deny
        Allow from all
    </Directory>

     vi /etc/httpd/conf/httpd.conf 

    uncomment ServerName and set it to the name of our gateway:
    ServerName Proxy - ????

    If the vi editor is inconvenient, you can use the nano editor or the Midnight Commander file manager (the mc command; F4 edits a file). To exit vi type :wq or simply :x! To exit without saving, type :q!
     (nano /etc/httpd/conf.d/sams.conf) 


  6. After sams.conf has been added, you need to restart Apache:
     service httpd restart 

  7. Next we edit /etc/sams.conf, changing only two entries:
     vi /etc/sams.conf 

    # password of the SAMS MySQL user
    MYSQLPASSWORD=PASSWORD
    # we use MySQL server version 5; with 4.0 problems are possible
    MYSQLVERSION=5.0

    Also comment out everything related to squidguard, ldap and rejik (if you do not plan to use them).
  8. Next comes MySQL: we start the server and do everything the first-run script suggests, that is, set the root password and secure the installation:
     service mysqld start 
     /usr/bin/mysql_secure_installation 

  9. Create the MySQL user sams and grant it rights to the necessary databases (the password must match MYSQLPASSWORD in /etc/sams.conf):
     mysql -u root -p 

    Enter "PASSWORD" for root in mysql, then:
     GRANT ALL ON squidctrl.* TO sams@localhost IDENTIFIED BY 'PASSWORD' WITH GRANT OPTION; 
     GRANT ALL ON squidlog.* TO sams@localhost IDENTIFIED BY 'PASSWORD' WITH GRANT OPTION; 
     FLUSH PRIVILEGES; 
     quit 

  10. For the database creation scripts to run on MySQL 5, you need to edit them:
    # replace TYPE=MyISAM with ENGINE=MyISAM everywhere in
    /usr/local/share/sams/data/sams_db.sql
    /usr/local/share/sams/data/squid_db.sql

  11. Load the SAMS dumps into the database:
     mysql -u root -p < /usr/local/share/sams/data/sams_db.sql 
     mysql -u root -p < /usr/local/share/sams/data/squid_db.sql 

  12. Now it is Squid's turn: we create the squid cache directories (swap) and then start the proxy server.
     vi /etc/squid/squid.conf 

    find and edit the following line
    visible_hostname Proxy - ????

    if absent, add the lines
    redirect_program /usr/local/bin/samsredir
    redirect_children 5
    # NTLM authenticator
    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
    # the number of users simultaneously on the internet
    auth_param ntlm children 150
    auth_param ntlm keep_alive on
    auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
    auth_param basic children 20
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 8 hours

    Create the cache directories, restart, and start squid
     squid -z 
     reboot 
     service squid start 

  13. Since version 1.0, SAMS works with PHP safe_mode. Configure PHP to work in safe mode:
     vi /etc/php.ini 

    file content
    safe_mode = On
    safe_mode_exec_dir = "/usr/local/share/sams/bin"
    ; if disable_functions is not empty, remove phpinfo, system, shell_exec and exec from it
    disable_functions =

  14. Well, at the very end we launch SAMS:
     service sams start 
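An added helper script (not part of the original post) for the exclude=php* repo edits in the PHP section and for steps 10 and 12 above: each function makes its edit exactly once, so re-running it never duplicates directives. It assumes GNU sed and awk as shipped with CentOS 6 and a POSIX sh; file paths are passed as arguments so it can be tried on copies first.

```shell
#!/bin/sh
# Added helper for the SAMS steps (not from the original post): idempotent text
# edits on config files.  Assumes GNU sed/awk as shipped with CentOS 6 and a
# POSIX sh; paths are arguments so it can be tried on copies first.

# Step 10: MySQL 5 rejects the old "TYPE=MyISAM" table option in the SAMS
# dumps; rewrite every occurrence (with or without spaces) to ENGINE=MyISAM.
fix_sams_dump() {
    sed -i 's/TYPE[[:space:]]*=[[:space:]]*MyISAM/ENGINE=MyISAM/g' "$1"
}

# PHP downgrade, repo edits: put "exclude=php*" into a repo section exactly
# once, so a later "yum update" cannot silently replace the pinned PHP 5.2.17.
# $1 = repo file, $2 = section name without brackets; returns 1 if not found.
add_php_exclude() {
    grep -q "^\[$2\]" "$1" || return 1
    awk -v sec="[$2]" '
        $0 == sec { print; print "exclude=php*"; insec = 1; next }
        /^\[/     { insec = 0 }
        insec && /^exclude=php\*$/ { next }   # drop a copy already present
                  { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Step 12: set a squid.conf directive exactly once.  auth_param lines are
# keyed on "auth_param <scheme> <option>", everything else on the first word,
# so re-running never leaves two competing "auth_param ntlm program" lines.
# $1 = squid.conf, $2 = full directive line.
ensure_squid_directive() {
    conf=$1; line=$2
    case $line in
        auth_param*) key=$(printf '%s\n' "$line" | cut -d' ' -f1-3) ;;
        *)           key=${line%% *} ;;
    esac
    if grep -q "^$key\( \|\$\)" "$conf"; then
        esc=$(printf '%s' "$line" | sed 's/[\/&]/\\&/g')   # escape for sed
        sed -i "s/^$key\( .*\)\?\$/$esc/" "$conf"
    else
        printf '%s\n' "$line" >> "$conf"
    fi
}

# Usage on the real box after "make install" (paths from the steps above):
#   fix_sams_dump /usr/local/share/sams/data/sams_db.sql
#   add_php_exclude /etc/yum.repos.d/CentOS-Base.repo base
#   ensure_squid_directive /etc/squid/squid.conf \
#     'auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp'
```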


Enter the gateway to the domain

  1. Edit the file (add the list of your domain controllers):
     vi /etc/samba/lmhosts 

    # IP address and network name of each DC (for example: 192.168.100.8 serverDC01)
    "IP_Address_DC1" "Network_name_DC1"
    "IP_address_DC2" "Network_name_DC2"

  2. Edit the samba configuration file:
     vi /etc/samba/smb.conf 

    [global]
    # NetBIOS domain name (for example: serverDC01)
    workgroup = "Domain Name"
    # FQDN of the domain (for example: serverDC01.firma.ru)
    realm = "FQDN_domain"
    server string = Samba Server Version %v

    # gateway name
    netbios name = Proxy - ????

    # interface IP address + mask (for example: 192.168.10.1/24)
    interfaces = lo eth0 "Interface_IP_Address + Mask"
    hosts allow = 127. 192.168.

    winbind separator = \\
    winbind use default domain = yes
    winbind uid = 10000-20000
    winbind gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/winnt/%D/%U
    template shell = /bin/bash
    max log size = 50
    security = domain
    # domain controller addresses separated by a space (for example: 192.168.100.8 192.168.100.10)
    password server = "IP_address_DC1" "IP_address_DC2"
    encrypt passwords = yes

  3. Restart the service and join the domain:
     service smb restart 
     net join -w «_» -S «__DC» -I «IP__DC» -U «___ ___» 

  4. Restart the services and check the response from the domain:
     service smb restart 
     service winbind start 
     wbinfo -t 
     wbinfo -p 
     wbinfo -u 

  5. If everything is in order, add them to startup:
     chkconfig smb on && chkconfig winbind on 

  6. Add allow rules for the iptables firewall somewhere in the middle of the rules in /etc/sysconfig/iptables and restart it:
     vi /etc/sysconfig/iptables 

    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 3128 -j ACCEPT

    Alternative:
    # rule for port 80 (http)
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
    # rule for proxy port 3128
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 3128 -j ACCEPT

     service iptables restart 

    If, for some reason, you need to disable the firewall, type:
     chkconfig iptables off 
     chkconfig ip6tables off 


SAMS setup

  1. In the browser, go to Proxy - ????/sams (or use the IP address).
  2. Login: admin
    Password: qwerty
    The password must be changed.
  3. I decided not to tire my dear readers with numerous pictures and obvious details of the final configuration through the web interface, especially since this work has already been done for me (including here: habrahabr.ru/post/130335 ).

Conclusion

Realizing that this text is already long and that one cannot cover everything, I end this article here. I hope this guide will be useful to you.
My thanks
Many thanks to Likhomanov Anton, Korostylev Alexander, Poroshin Konstantin and Klyushenkov Ivan whose guides I used.

Source: https://habr.com/ru/post/199302/

