Squid + Authentication + Dansguardian + SARG HOWTO

Author: Alan Hicks

The purpose of this document is to assist newcomers to the world of
proxy authentication and filtering with installing a powerful proxy
server that requires browser authentication and URL filtering on a
Slackware Linux machine. However, very little here is Slackware
specific so the ideas and techniques should carry over very well to
other UNIX-like operating systems.

Background
==========

Squid is the premier open source caching proxy server in the world.
Powerful, flexible, and robust, it can operate in transparent and
non-transparent modes to proxy various internet traffic for its clients.
The most common usage of squid is as an http filter, and that is what
we’ll look at.

Dansguardian is a web filter that technically sits in front of a web
proxy server like squid. Dansguardian passes all URLs it receives
through configurable filters, and if one matches, redirects that web
traffic to a dynamic web page that explains to the user that their
traffic has been blocked for violating those rules. If the traffic does
not match any rules, it’s passed along to the proxy server unhindered.

SARG is the Squid Analysis Report Generator. SARG gets some bad press
from time to time because people feel like its reports are too good and
raise privacy issues. However, if you want usage reports more than
likely you’re a business or government entity just keeping track of what
your employees are doing online while on the clock. Nothing wrong with
that.

Squid Installation
==================

The first step in setting up this system is to install and configure
squid. Squid can be compiled with quite a lot of different options, but
the following ./configure options work well for me.

# ./configure --prefix=/usr \
--exec-prefix=/usr \
--libexecdir=/usr/sbin \
--sysconfdir=/etc/squid \
--datadir=$SQLOC \
--localstatedir=$SQLOC \
--enable-delay-pools \
--enable-arp-acl \
--enable-basic-auth-helpers="getpwnam" \
--enable-truncate \
--enable-icmp \
--enable-snmp \
--enable-removal-policies \
--enable-poll

After this point, simply run make to build the source:

# make all

Also, in order to use the NCSA authentication we’ll have to build it
separately, even though it is included with squid:

# cd helpers/basic_auth/NCSA ; make

At this point we can install the software using make again:

# make install

Or if you wish to make a Slackware package, use the DESTDIR variable to
put everything in a nice directory for easy packaging:

# mkdir /tmp/squid-package
# make install DESTDIR=/tmp/squid-package/
# cd /tmp/squid-package
# makepkg squid.tgz

Naturally you may want to do additional configuration for your package
such as copying over documentation, stripping binaries, and naming your
package according to the proper Slackware naming convention, but I leave
that as an exercise to the reader.

At this point you will have to create the swap directories for squid.
This is rather easy.

# squid -z

This will create the cache directory in /var/lib/squid/cache and
populate it.

Squid Configuration
===================

Squid’s configuration file is in /etc/squid/squid.conf, if you followed
my instructions and specified the right --sysconfdir option to
./configure. Otherwise, look in /usr/local/squid/etc/squid/squid.conf.

Open squid.conf in your text editor of choice (or vi for you people who
use emacs and need a real editor :^P ). This file is well commented,
almost _too_ well commented in fact.

The first option we will look at is the visible_hostname tag. If your
machine’s hostname is resolvable through DNS and rDNS you can safely
skip this step. Otherwise, add the following line:

visible_hostname hostname.domain_name.top_level_domain

This tells squid what hostname to use for error pages and the like.

Squid uses Access Control Lists (or ACLs) to allow or deny access to
clients. ACLs allow you to divide up a network and only allow certain
users, only allow authenticated users, deny specific users, and even
allow or deny users based on a combination of factors like username and
time of day! We’ll only touch on using ACLs to allow authenticated
users and deny all others.

Starting at around line 1,278 (that’s right!) you’ll see a list of
auth_param lines, most of them commented out. You can read the comments
above to get an idea of what these options mean, or check the squid wiki
for further details. My auth_param lines look like this:

auth_param basic program /usr/bin/ncsa_auth /var/lib/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

The line that reads:

auth_param basic program /usr/bin/ncsa_auth /var/lib/squid/passwd

...is the one we’re most interested in. This tells squid we want to use
the ncsa_auth program (remember to specify a full path) to authenticate
users, and it should use the /var/lib/squid/passwd file to check
username and password combinations. We’ll touch on ncsa a little bit
later.

Finally we need to create an ACL for our authenticated users and allow
them access. You create new ACLs with an acl line:

acl auth_users proxy_auth REQUIRED

Let’s break this down. The first part tells squid this line refers to
an ACL and names it “auth_users”. Next, we learn that proxy
authenticated users are included in the acl and that they are required
to authenticate. So now all we have to do is allow those users, and
disallow all others:

http_access allow auth_users
http_access deny all

The http_access lines contain either an allow or deny argument followed
by the name of an ACL, in our case “auth_users”. Since squid checks
http_access lines from top to bottom and stops on the first match, all
authenticated proxy users will be allowed access and everyone else will
be denied access. Now just save and close squid.conf; we’re done with
it!
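
A quick way to check the finished file is a small audit script. The following is an added example, not part of the original HOWTO or of squid: it checks only the directives discussed above, and the sample text and function names are constructed for illustration.

```python
# Constructed sample: the directives this HOWTO adds to squid.conf.
SAMPLE_CONF = """\
auth_param basic program /usr/bin/ncsa_auth /var/lib/squid/passwd
auth_param basic children 5
acl auth_users proxy_auth REQUIRED
http_access allow auth_users
http_access deny all
"""

def directives(text):
    """Return each non-comment squid.conf line as a list of tokens."""
    lines = (line.strip() for line in text.splitlines())
    return [line.split() for line in lines if line and not line.startswith("#")]

def audit(text):
    """Return a list of problems with the proxy-auth setup (empty list = OK)."""
    problems = []
    rules = directives(text)
    helper = [r for r in rules if r[:3] == ["auth_param", "basic", "program"]]
    if not helper:
        problems.append("no 'auth_param basic program' line")
    elif len(helper[0]) < 5 or not all(p.startswith("/") for p in helper[0][3:5]):
        problems.append("helper and password file must be given as full paths")
    auth_acls = {r[1] for r in rules
                 if r[0] == "acl" and len(r) >= 3 and r[2] == "proxy_auth"}
    if not auth_acls:
        problems.append("no proxy_auth ACL defined")
    access = [r[1:] for r in rules if r[0] == "http_access" and len(r) >= 3]
    for number, rule in enumerate(access, start=1):
        # Rules are checked top to bottom and the first match wins, so an
        # 'allow all' lets every client through without being asked to log in.
        if rule == ["allow", "all"]:
            problems.append("http_access rule %d is 'allow all'" % number)
    if not any(r[0] == "allow" and auth_acls & set(r[1:]) for r in access):
        problems.append("no http_access rule allows a proxy_auth ACL")
    if not access or access[-1] != ["deny", "all"]:
        problems.append("last http_access rule is not 'deny all'")
    return problems

if __name__ == "__main__":
    print(audit(SAMPLE_CONF) or "configuration matches the HOWTO")
```

To run it against a real file, pass the contents of /etc/squid/squid.conf to audit() instead of SAMPLE_CONF.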

NCSA Configuration
==================

The very first thing to check for here are permissions. Since squid
runs as user nobody and group nobody, that user or group must be able to
execute ncsa_auth. The permissions on my file are set thusly:

-rwxr-x--- 1 root nobody 10456 2005-09-08 13:59 ncsa_auth*

By default, its permissions were:

-rwxr-x--- 1 root root 10456 2005-09-08 13:59 ncsa_auth*

Now we have to create the password file. NCSA uses regular plain-text
password files with clear-text usernames and encrypted passwords. In
order to create such a password file, we’ll need the htpasswd command.
This command is typically included with Apache. If you have Apache
installed, you should have this file. Otherwise, acquire this command
from your distribution or by building it from source code. That is,
however, beyond the scope of this document.

# htpasswd -c /var/lib/squid/passwd alan

The -c option to htpasswd tells it to create the file. It is only used
when the password file does not yet exist. htpasswd takes two
additional arguments: the password file itself, and the user whom you
are adding or changing the password for. After this, it will ask you to
enter the password twice (the text is not echoed) and will enter it in
an encrypted form to the password file.

Now we can start up squid and test it using a web browser or the included
squidclient binary.

# squid

If you are having difficulties with squid, you may wish to start it in
debugging mode:

# squid -d 0

For more debugging, simply increment the argument to -d. If you are
using a package built by your distribution, you may have a startup
script for squid already, and if so, I recommend you use that instead.

A Note on Password Security
===========================

In this configuration the user passwords are base64 encoded when sent to
the squid proxy server; however, base64 encoding is _not_ encryption.
Intercepting the username and password, then decoding them to
plaintext, is trivial. If you need higher levels of security, you should
look into other authentication options.
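
To make the point concrete, here is an added example (not part of the original HOWTO) that builds the Proxy-Authorization value a browser sends for Basic authentication and then recovers the credentials from it without any key. The function names and the sample username and password are constructed for illustration.

```python
import base64

def basic_header(username, password):
    """Build the Proxy-Authorization value a browser sends for Basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def recover_credentials(header_value):
    """Recover (username, password) from a Basic header; no secret is needed.

    Returns None if the value is not a well-formed Basic credential.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    # Only the first colon separates the fields; the password may contain more.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password

if __name__ == "__main__":
    # Constructed sample credentials, not taken from any real system.
    header = basic_header("alan", "example:password")
    print("Proxy-Authorization:", header)
    print("Recovered:", recover_credentials(header))
```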

Dansguardian Installation
=========================

Here we simply untar the source code, configure, make, and install it.

# ./configure && make && make install

Dansguardian is a particularly easy compile, but difficult to package.
Since it fails to honor the DESTDIR install variable, creating a DG
package is tedious, but not impossible. The defaults install
dansguardian into /usr/bin with its configuration information in /etc.
If you would rather install it into /usr/local, then you will need to
pass commandline options to ./configure.

Dansguardian Configuration
==========================

The config file you want is /etc/dansguardian/dansguardian.conf. We have
very little to do here. Around line 72 you will see an
accessdeniedaddress line. Simply edit this to reflect your machine’s
DNS name or IP address. You should also check the filterport, proxyip,
and proxyport lines just above it to ensure that the right information
is present. By default, dansguardian is set up to talk to a squid server
running on the localhost.

Now we can start up dansguardian:

# dansguardian

At this point, simply change your proxy server information on your
web browsers to point at dansguardian and you should be all set. By
default, DG includes a lot of blacklisted URLs and regular expressions
that should match most offensive internet websites and redirect the user
to a web page that tells them not to go there again. You may wish to
tighten or loosen what it considers offensive. That is currently beyond
the scope of this document.

SARG Installation
=================

Like DG, SARG just doesn’t honor DESTDIR, so I decided against making a
package. Its install is as easy as DG’s:

# ./configure && make && make install

This puts SARG in /usr/local/sarg. You’ll need to edit the sarg.conf
file stored there.

First we’ll check the access_log line. This tells SARG where to find
squid’s access log:

access_log /var/lib/squid/logs/access.log

If you installed squid elsewhere, you’ll have to put the proper value
there of course.

Now, where to put sarg’s reports?

output_dir /var/www/html/squid-reports

Naturally, change this line to suit your tastes.

Finally, we have to tell SARG where DG keeps its config file:

dansguardian_conf /etc/dansguardian/dansguardian.conf

Alright, that’s it! Save it up! Now when you run sarg it will parse
log files from dansguardian and squid, put them in a nice, easily
readable HTML format, and give you an idea of who keeps trying to go to
sex.com. :^)

Read more at nixforums.org

One response to “Squid + Authentication + Dansguardian + SARG HOWTO”

  1. Allow me to introduce a better blacklist, we are Squidblacklist.org, the world's leading publisher of native acl blacklists tailored specifically for use with Squid proxy, as well as we also publish multiple alternative formats for all major third party plugins as well as many other filtering platforms, such as UFDBGuard and Barracuda Networks devices.

    There is room for better blacklists, we intend to fill that gap.

    It would be our pleasure to serve you.

    Signed,

    Benjamin E. Nichols
    http://www.squidblacklist.org
