Configuring Squid 3 + QuintoLabs Content Security 1.4 and Active Directory Integration

Original author: sichent

I won’t talk about Squid itself, but I’ll tell you about the QCS features.

What QuintoLabs Content Security can do
* Removes annoying ads
* Blocks file downloads
* Group-based control
* Excludes any domain, subnet or IP from the filter
* High performance
* Easy setup and maintenance
* Supports the RedHat, CentOS, Fedora, Debian and Ubuntu distributions



For this example we have the following hosts already set up:
1) dc.example.lan [192.168.28.20] - Win2K2008 with DNS and Active Directory
2) 192.168.28.2 - Gateway
3) DNS [192.168.28.20]
4) example.lan - Domain
5) proxy.example.lan - Our CentOS 6 server
6) client.example.lan - Win7 Client

Next we configure the proxy server (CentOS), assuming that the Win2K2008 server with the services we need is already set up.

Configure a static IP in /etc/sysconfig/network-scripts/ifcfg-eth0:

BOOTPROTO=static
NETMASK=255.255.255.0
IPADDR=192.168.28.21
ONBOOT=yes

Set the gateway in /etc/sysconfig/network:

GATEWAY=192.168.28.2

Specify the DNS server in /etc/resolv.conf:

nameserver 192.168.28.20

Restart the network interfaces:

/etc/init.d/network restart

Ping the gateway:

$ ping -c 3 192.168.28.2

If everything is successful, we can move on. Update the system:

yum update

and after that install additional packages:

yum install bind-utils

Install ntp and add it to autostart:

yum install ntp

chkconfig ntpd on

Open /etc/ntp.conf and add our domain controller to the config. Stop the service:

service ntpd stop

Synchronize with our DC:

ntpdate -b dc.example.lan

and start the ntp service again:

service ntpd start
Install kerberos:
yum install krb5-workstation krb5-libs
Bring /etc/krb5.conf into the following form:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = EXAMPLE.LAN
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac

[realms]
EXAMPLE.LAN = {
kdc = dc.example.lan
admin_server = dc.example.lan
default_domain = example.lan
}

[domain_realm]
.example.lan = EXAMPLE.LAN
example.lan = EXAMPLE.LAN

Try to obtain a ticket:

kinit Administrator@EXAMPLE.LAN

If everything went smoothly, check the ticket issued to us:

klist

and we see:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@EXAMPLE.LAN
Valid starting Expires Service principal
12/07/11 11:07:58 12/07/11 21:08:00 krbtgt/EXAMPLE.LAN@EXAMPLE.LAN
renew until 12/14/11 11:07:58

Reboot:

shutdown -r now

Install Samba, which will join our server to the domain, and add it to autostart:

yum install samba

chkconfig smb on

Open the Samba config /etc/samba/smb.conf and make it look like this:

[global]
workgroup = EXAMPLE
realm = EXAMPLE.LAN
server string = Samba Server Version %v
security = ADS
log file = /var/log/samba/log.%m
max log size = 50
cups options = raw

[homes]
comment = Home Directories
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

Restart Samba:

service smb restart

Initialize Kerberos:

kinit Administrator@EXAMPLE.LAN
klist

Join the domain:

net ads join -S dc.example.lan -U Administrator%P@ssw0rd

Open the AD snap-in and check that our proxy server has appeared in the "Computers" OU. Having seen a positive result, we reboot again:

shutdown -r now

Install Squid:

yum install squid

Open /etc/squid/squid.conf, find the lines we need and replace them:

visible_hostname proxy.example.lan
acl localnet src 192.168.28.0/24
http_access allow localnet

Add it to startup:

chkconfig squid on

Start the service:

service squid start
Add the HTTP service principal to /etc/krb5.keytab:

net ads keytab add HTTP -U administrator
Processing principals to add...
Enter administrator's password:

Change the owner of the file:

chown squid:squid /etc/krb5.keytab

and set its permissions:

chmod 400 /etc/krb5.keytab

Change the contents of the config in /etc/squid/squid.conf:

auth_param negotiate program /usr/lib/squid/negotiate_kerb_auth -s HTTP/proxy
auth_param negotiate children 10
auth_param negotiate keep_alive on

acl auth proxy_auth REQUIRED

http_access deny !auth
http_access allow auth

http_access deny all

After that, reboot the server, then open IE on the client machine and check authentication. If everything went well, we will see our user name in the /var/log/squid/*.log logs.

Next, install Apache:

yum install httpd php mod_wsgi

Add it to startup:

chkconfig httpd on

Start Apache:

service httpd start

Now for the final part: install QuintoLabs Content Security 1.4.2. Download it:

curl quintolabs.com/qlproxy/binaries/1.4.2/qlproxy-1.4.2-32d12.i386.rpm > qlproxy-1.4.2-32d12.i386.rpm

Install it:

rpm --install qlproxy-1.4.2-32d12.i386.rpm

To block ads, it is enough to uncomment the subscription we need in the file /opt/quintolabs/qlproxy/etc/adblock.conf.

Optionally, you can raise the filter heuristics level for online games in the file /opt/quintolabs/qlproxy/etc/adultblock.conf. Find the line:

heuristics_level = normal

and change normal to high:

heuristics_level = high

In the config /opt/quintolabs/qlproxy/etc/exceptions.conf you can configure parental control, which supports HTML filtering of pages for forbidden words and phrases.

And in the /opt/quintolabs/qlproxy/etc/httpblock.conf config you can configure protection against trojans and viruses, which often send their requests to a bare IP address rather than a hostname:

http://\d+\.\d+\.\d+\.\d+/.*

After all the changes, restart the daemon:

/etc/init.d/qlproxy restart
Open the Squid config /etc/squid/squid.conf and add the settings for interacting with our filter:

icap_enable on
icap_preview_enable on
icap_preview_size 4096
icap_persistent_connections on
icap_send_client_ip on
icap_send_client_username on
icap_service qlproxy1 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod
icap_service qlproxy2 respmod_precache bypass=0 icap://127.0.0.1:1344/respmod
adaptation_access qlproxy1 allow all
adaptation_access qlproxy2 allow all

Restart the Squid service:

service squid restart

Next, edit the Apache config /etc/httpd/httpd.conf and add:

WSGIScriptAlias /qlproxy.cgi /var/opt/quintolabs/qlproxy/www/data/qlproxy.wsgi

<Directory /var/opt/quintolabs/qlproxy/www/data>
WSGIApplicationGroup %{GLOBAL}
Order deny,allow
Allow from all
</Directory>

Alias /qlproxy /var/opt/quintolabs/qlproxy/www

<Directory /var/opt/quintolabs/qlproxy/www>
Options FollowSymLinks
AllowOverride None
</Directory>

Restart Apache:

service httpd restart

Finally, check that the server works as a whole and that filtering is applied.
PS If you find a mistake, send me a private message and I will correct it :)
