Install Squidguard On Windows
Squid is complicated. No sugarcoating here. It took us weeks to research and test it. It is very customizable. And once it's installed and running, it's truly a thing of beauty.
In this how-to, I assume you have a fresh install of Debian with apache2 present and a default user called 'proxy'. This how-to comes as is, and if it saves someone a few grey hairs, then mission accomplished!
27 Steps total
Step 1: Installing dependencies for squid
sudo apt-get install samba krb5-user libpam-krb5 ntpdate winbind
Step 2: Synchronise the date between Debian and AD
sudo ntpdate name_of_your_AD
Step 3: Configure Kerberos by editing /etc/krb5.conf
[libdefaults]
default_realm = YOUR.DOMAIN
ticket_lifetime = 24h
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
YOUR.DOMAIN= {
kdc = AD.your.domain:88
admin_server = AD.your.domain:749
default_domain = YOUR.DOMAIN
}
[domain_realm]
.your.domain = YOUR.DOMAIN
your.domain = YOUR.DOMAIN
Step 4: Test Kerberos by generating a ticket
SQUID:~# sudo kinit administrateur
Password for administrateur@YOUR.DOMAIN:
If all went well you should get a response like this:
SQUID:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrateur@YOUR.DOMAIN
Valid starting Expires Service principal
01/18/11 17:49:33 01/19/11 03:49:36 krbtgt/YOUR.DOMAIN@YOUR.DOMAIN
renew until 01/19/11 17:49:33
Step 5: Configure samba by editing /etc/samba/smb.conf
[global]
netbios name = SQUID
security = ADS
realm = YOUR.DOMAIN
password server = AD.YOUR.DOMAIN
workgroup = yourdomainname
encrypt passwords = yes
idmap uid = 10000-40000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = yes
# stop the client from becoming domain master
domain master = no
local master = no
preferred master = no
os level = 17
domain logons = no
client ntlmv2 auth = yes
Step 6: Restart samba and winbind
/etc/init.d/samba restart
/etc/init.d/winbind restart
Step 7: Join your domain
sudo net ads join -S YOURAD.YOUR.DOMAIN -U administrator
At this point, I ran into an error saying that the DNS can't be updated. Don't break your head searching: it's a problem of rights on /var/run/samba/winbindd_privileged.
Open /etc/init.d/winbind in vi and change line 33 to
chgrp proxy $PIDDIR/winbindd_privileged/ || return 1
and add a line afterwards
chown root $PIDDIR/winbindd_privileged/ || return 1
Next, restart winbind and all should be set.
Step 8: Install Squid3
apt-get install squid3
Step 9: Delete and recreate /etc/squid3/squid.conf with the following lines:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm keep_alive on
#auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
#auth_param basic children 5
#auth_param basic realm YOURAD.YOUR.DOMAIN
#auth_param basic credentialsttl 2 hours
####Access Control list definitions###################
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl DHCP src 192.168.2.0/24 # your IP addresses
acl password proxy_auth REQUIRED
#acl YOUR_DOMAIN_NAME srcdomain your.domain
##############Authorization list#################
#http_access allow YOUR_DOMAIN_NAME
#http_access deny !YOUR_DOMAIN_NAME
http_access allow password
# lan-proxy and lan-test are not defined by any acl line above; Squid refuses to start
# ("FATAL: Bungled squid.conf") on an undefined acl, so define them before enabling these
#http_access allow lan-proxy
#http_access allow lan-test
http_access allow DHCP
#http_access allow password YOUR_DOMAIN_NAME
#http_access allow !YOUR_DOMAIN_NAME
#http_access allow DHCP
#http_access deny !password
# rules are evaluated top-down: the deny rules here only apply to requests not already allowed above
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
icp_access deny all
############# Proxy Port ################
http_port 8080
####### DON'T cache the following URLs ###
hierarchy_stoplist cgi-bin ?
############ Where to find the log files #########
access_log /var/log/squid3/access.log
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin ?) 0 0% 0
refresh_pattern . 0 20% 4320
icp_port 3130
log_mime_hdrs on
append_domain .your.domain
########### Cache directory ####################
coredump_dir /var/spool/squid3
#cache_dir ufs /var/spool/squid 200 16 256
cache_effective_user proxy
cache_effective_group proxy
cache_mgr you@your_email
store_avg_object_size 5 GB
cachemgr_passwd cachemgr all
cache_mem 2048 MB
maximum_object_size_in_memory 128 KB
maximum_object_size 16384 KB
###### Don't cache these pages ############
acl DYNAMIC_CONTENT urlpath_regex cgi-bin .cgi .pl .php3 .asp .php
no_cache deny DYNAMIC_CONTENT
########## Use SquidGuard as a redirection programme ###
url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
url_rewrite_children 5
# redirect_program is the legacy name of url_rewrite_program (same directive); not needed with the line above
#redirect_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
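Two mistakes bite this file more than any other: an http_access line that names an ACL no acl line defines (Squid refuses to start with "FATAL: Bungled squid.conf line N"), and an allow rule written where the stock configuration has a deny (allow !Safe_ports, allow CONNECT !SSL_ports). The checker below is an added example, not part of the how-to or of Squid; the sample config it ships with is constructed from the access-list section above.

```python
BUILTIN_ACLS = {"all"}                      # Squid 3.x defines 'all' itself
SAFETY_ACLS = {"Safe_ports", "SSL_ports"}   # the stock config denies on these


def parse_squid_conf(text):
    """Return (defined ACL names, [(line_no, action, [(negated, name), ...])])."""
    defined, rules = set(BUILTIN_ACLS), []
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()      # '#' starts a comment
        if len(parts) >= 3 and parts[0] == "acl":
            defined.add(parts[1])
        elif len(parts) >= 2 and parts[0] == "http_access":
            rules.append((no, parts[1],
                          [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]))
    return defined, rules


def lint_http_access(text):
    """Return [(line_no, message), ...]; empty when the access list looks sane."""
    defined, rules = parse_squid_conf(text)
    findings = []
    for no, action, terms in rules:
        for _, name in terms:
            if name not in defined:   # Squid aborts: "FATAL: Bungled squid.conf line N"
                findings.append((no, "undefined acl %r" % name))
        negated = [name for neg, name in terms if neg]
        # 'allow !Safe_ports' or 'allow CONNECT !SSL_ports' grants exactly what the
        # stock rules deny; an allow made only of negations is the same mistake.
        if action == "allow" and negated and (
                len(negated) == len(terms) or SAFETY_ACLS & set(negated)):
            findings.append((no, "allow negates %s; stock rule is deny" % ",".join(negated)))
    if rules and (rules[-1][1], rules[-1][2]) != ("deny", [(False, "all")]):
        findings.append((rules[-1][0], "last http_access should be 'deny all'"))
    return findings


# Constructed sample modelled on the access-list section above (not the real file).
SAMPLE_CONF = """\
acl localhost src 127.0.0.1/32
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl CONNECT method CONNECT
acl DHCP src 192.168.2.0/24 #your ip addresses
acl password proxy_auth REQUIRED
http_access allow password
http_access allow lan-proxy
http_access allow DHCP
http_access allow !Safe_ports
http_access allow CONNECT !SSL_ports
http_access allow localhost
http_access deny all
"""
```

Run lint_http_access(open('/etc/squid3/squid.conf').read()) before restarting squid3; squid3 -k parse performs the undefined-acl check itself but says nothing about the inverted allow rules.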
Step 10: Change ownership of the log and winbind directories
chown -R proxy:root /var/log/squid3
chown -R proxy:root /var/run/samba/winbindd_privileged
/etc/init.d/squid3 restart
Step 11: Test if Squid authenticates using NTLM
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
Next, type a domain user's name followed by their password on one line:
username password
You will get the reply "ok" if all is well, otherwise "err".
Step 12: Modify /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Step 13: Modify the following files :
/etc/pam.d/common-account:
account sufficient pam_winbind.so
account sufficient pam_unix.so
/etc/pam.d/common-auth:
auth sufficient pam_winbind.so
auth sufficient pam_unix.so nullok_secure use_first_pass
auth required pam_deny.so
/etc/pam.d/common-session:
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
/etc/pam.d/common-password:
password required pam_unix.so nullok obscure md5
Step 14: Modify line 33 of /etc/init.d/winbind
chgrp proxy $PIDDIR/winbindd_privileged/ || return 1
Step 15: Create /home/squid/kerb.sh and add the following:
#! /bin/sh
# Renew the proxy's Kerberos ticket; the domain password is piped to kinit on stdin.
# The password sits in this file in clear text, so keep it readable by root only.
echo 'domainpassword' | kinit administrator
Step 16: Give execute rights on this file:
chmod +x kerb.sh
Step 17: Add the following lines to the crontab with the 'crontab -e' command:
1 0 * * * /usr/sbin/ntpdate YOUR_AD
@reboot /usr/sbin/ntpdate YOUR_AD
0 7 * * * /home/squid/kerb.sh
@reboot /home/squid/kerb.sh
Step 18: Now we come to squidGuard and Berkeley DB. First, let's install some dependencies
apt-get install bison flex gcc make ldap-utils libldap2-dev
Step 19: Download and install Berkeley DB and squidGuard
wget http://download.oracle.com/berkeley-db/db-4.6.21.tar.gz
wget http://www.squidguard.org/Downloads/squidGuard-1.4.tar.gz
tar zxvf db-4.6.21.tar.gz
cd db-4.6.21
cd build_unix
../dist/configure
make
make install
tar -xvf squidGuard-1.4.tar.gz
cd squidGuard-1.4
./configure --with-squiduser=proxy --with-ldap=yes --with-db=/usr/local/BerkeleyDB.4.6/
make
make install
Step 20: Create a script to keep the blacklists up to date (vim /home/squid/script/blacklist.sh)
#! /bin/sh
# Fetch the current blacklists; the installed copy is replaced only if the download succeeded.
cd /usr/local/squidGuard/db || exit 1
if wget ftp://ftp.univ-tlse1.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz
then
    rm -rf blacklists
    tar -xvf blacklists.tar.gz
    rm -f blacklists.tar.gz
else
    echo 'URL not accessible'
    exit 1
fi
The FTP server specified here is the University of Toulouse, France. They keep these lists up to date. If there is an institution closer to you, feel free to change it.
Step 21: Add this script in your crontab
0 0 1,15 * * /home/squid/script/blacklist.sh
Step 22: Now we need a script that redirects users to a page that explains why they have been blocked.
#sudo -s
#cd /usr/src/
#wget http://pixxlisation.net/public/images/informatique/SQUID_SQUIDGUARD/squidguard-simple.zip
#unzip squidguard-simple.zip
#mv squidGuard-simple.cgi /usr/lib/cgi-bin/
#cd /usr/lib/cgi-bin/
#chown www-data:www-data squidGuard-simple.cgi
#chmod +x squidGuard-simple.cgi
Step 23: Edit the script to suit your needs (add your company's logo, for example)
Copy your logo to /var/www/logo.jpg
Change line 84 of squidGuard-simple.cgi to:
print '
Step 24: move and modify your squidGuard.conf to /usr/local/squidGuard/squidGuard.conf
This file is to each his own. Just make sure the LDAP settings are configured correctly:
# LDAP authentication configuration
ldapbinddn cn=administrator, ou=Tec, ou=Informatique, ou=MER - Merignac, ou=Utilisateurs, dc=your, dc=domain
ldapbindpass password
Also, when adding a group, use this LDAP syntax to get your group info from AD:
ldapusersearch ldap://ip_of_AD:3268/dc=exemple,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Groupname%2cOU=Location1%2cOU=Location%2cOU=Users%2cDC=exemple%2cDC=com))
DO NOT USE SPACES!! Use %20 to represent a space.
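The how-to writes commas as %2c and spaces as %20 inside the memberOf DN so that squidGuard sees the whole ldapusersearch URL as one token. The helper below is an added example, not part of squidGuard or the how-to: it builds that line from plain DN strings and decodes an existing one for auditing; the AD address, base DN and group DN in the sample are constructed placeholders.

```python
from urllib.parse import quote, unquote


def ldapusersearch(host, base_dn, group_dn, port=3268, attr="sAMAccountName"):
    """Return a squidGuard 'ldapusersearch' line restricting a source to one AD group.

    quote() percent-encodes every reserved character in the group DN (',' -> %2C,
    ' ' -> %20) while keeping '=' readable. '%s' is left for squidGuard to substitute
    the user name; port 3268 is the AD global catalog, as in the how-to.
    """
    if any(c.isspace() for c in host + base_dn):
        raise ValueError("host and base DN must not contain whitespace")
    member_of = quote(group_dn, safe="=")
    filt = "(&(%s=%%s)(memberOf=%s))" % (attr, member_of)
    return "ldapusersearch ldap://%s:%d/%s?%s?sub?%s" % (host, port, base_dn, attr, filt)


def group_dn_from_line(line):
    """Inverse helper for auditing an existing squidGuard.conf: decode the group DN."""
    start = line.index("(memberOf=") + len("(memberOf=")
    return unquote(line[start:line.index(")", start)])


# Constructed placeholders: 192.0.2.10 stands for ip_of_AD, the DNs for your own.
EXAMPLE_GROUP = "CN=Internet Users,OU=MER - Merignac,OU=Users,DC=example,DC=com"
EXAMPLE_LINE = ldapusersearch("192.0.2.10", "dc=example,dc=com", EXAMPLE_GROUP)
```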
Step 25: Now we want to install Webmin and Sarg to create reports based on the log files. First, add the following lines to /etc/apt/sources.list:
deb http://download.webmin.com/download/repository sarge contrib
deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib
Step 26: Now do the following
cd /root
wget http://www.webmin.com/jcameron-key.asc
apt-key add jcameron-key.asc
apt-get update
apt-get install webmin
apt-get install sarg
Step 27: Now you can connect on https://ip_of_squid:10000
Under "Servers" click on Squid Report Generator. Next go to 'Report options'. You can view internet usage by user, for example, depending on laws and company policy. Configure those as is useful to you. Next, go to 'Log Source and Report Destination', and make sure the path to your access.log is /var/log/squid3/access.log
It's possible that I muddled some steps up. So if 'it doesn't work', it's more than likely because of that. Another way to see whether Kerberos is connecting with AD is to type 'wbinfo -g'. This will show all your groups in AD. Good luck to all of you ;-)
A few troubleshooting tips:
If ever you see 'could not obtain winbind separator!' after you ran '/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic', it's probably due to a privilege problem on the /var/log/squid3/cache.log file. So run 'chmod 777 -R /var/run/samba/winbindd_privileged' to rectify this issue.
15 Comments
- AnaheimMattCollins Feb 17, 2011 at 09:30am
Thanks, that's a brilliant how-to!
- CayenneTihomir Vlahovski Feb 17, 2011 at 02:18pm
I can say only one big WOW!!!!!
Tomorrow I will give it a try. Thanks
- MaceBryan Doe Feb 17, 2011 at 03:34pm
Nice work! I'll have to try this with my Squid machine sometime.
- JalapenoChunky Monkey Feb 25, 2011 at 03:05am
Thank you gents. If you have tried it and got stuck, don't worry. Re-read this tuto as I have made some modifications. I reinstalled my squid and came across some issues that weren't mentioned and modified this how-to accordingly.
- PimientoKenny432 Apr 6, 2011 at 04:53am
Hey, thanks for your tutorial, I've made a translation and some modifications in French, you can find it here:
https://kennyvoice.no-ip.org/mediawiki/index.php/Tuto:SquidActiveDirectory
- Anaheimjdeslaur Apr 6, 2011 at 03:57pm
FYI if you are getting BH NT_STATUS_ACCESS_DENIED or
Login for user xxx]@[ITSA-XP] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly], change line 35 of /etc/init.d/winbind to chown root:proxy $PIDDIR/winbindd_privileged/ || return 1
- JalapenoChunky Monkey Apr 11, 2011 at 02:35am
@ Kenny432
Thanks! I saw your tuto and honestly, very well played sir!! However, I think you forgot the Berkeley DB part, because if we go to configure our Squidguard and the DB isn't there.
Otherwise, perfect!!
- JalapenoFRUX Aug 10, 2012 at 02:21am
For use with Windows 2008 R2 put in /etc/krb5.conf :
default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
- AnaheimSteve Wray Oct 13, 2012 at 10:40am
I haven't been able to make this work with a transparent proxy. Apparently browsers won't allow this. See: http://wiki.squid-cache.org/SquidFaq/InterceptionProxy see 'Why can't I use authentication together with interception proxying?'
I have to ask; what is the point in doing this without a transparent proxy? All a user has to do is not use the proxy. I guess you could push the proxy through GPO but there are surely ways around this (I'm guessing that people can use stand-alone browsers which don't respect the proxy set by GPO in Internet Settings).
All I can think of is this: egress filter outgoing web traffic on the firewall. Allow only outgoing web traffic from the proxy.
- Cayennejustinjacob Nov 13, 2013 at 12:03pm
I think you must initialize the squidguard database using the command
squidGuard -C all -P -b
- Pimientochetan-simplewall Jan 20, 2014 at 11:10am
Thanks for nice written post step by step awesome job !!!
- PimientoJamesloker Jan 29, 2014 at 03:38pm
Hi,
Having an issue with :
FATAL: Bungled squid.conf line 38: http_access allow lan-proxy
Squid Cache (Version 3.1.20): Terminated abnormally.
CPU Usage: 0.016 seconds = 0.012 user + 0.004 sys
Maximum Resident Size: 15024 KB
Page faults with physical i/o: 0
failed!
- PoblanoNick3869 Feb 24, 2014 at 03:39pm
Hi, I've just set this up and the install seemed to go OK, however, when I put the proxy details into a web browser, it comes back with 'could not connect to proxy server'. I tried to telnet to the proxy server (by IP and NetBIOS name) on port 3128 and it can't open a connection. It seems like the port isn't opening; I've tried changing the port and that doesn't work either. Any ideas??
- Pimientobrunobarbosa3 Jul 9, 2014 at 03:50pm
Hi,
I had the same error as Jamesloker
Someone managed to solve it?
THX
- Pimientomiesteralwin Jun 25, 2015 at 07:35am
Hello,
Thanks for this tutorial. Saved me some time configuring my squid + squidguard server.
The day I completed the project, the proxy server was logging everything and blocking restricted sites. The next day, it suddenly stopped. I tried to check if something had changed and there was nothing.
Here is the error:
2015/06/25 15:29:02 kid1 Starting new helpers
2015/06/25 15:29:02 kid1 helperOpenServers: Starting 1/50 'squidGuard.conf' processes
2015/06/25 15:29:02 kid1 ERROR: URL rewrite helper returned invalid result code. Wrong helper? {result=Unknown}
2015/06/25 15:29:02 kid1 ipcCreate: /usr/lib/squidguard/squidGuard.conf: (13) Permission denied
2015/06/25 15:29:02 kid1 WARNING: redirector #Hlpr0 exited
2015/06/25 15:29:02 kid1 Too few redirector processes are running (need 1/50)
Permission denied? Tried chown proxy:root -r for /usr/lib/squidguard -- no go.
Another interesting error is: ERROR: URL rewrite helper returned invalid result code. Wrong helper? {result=Unknown}
I have no idea where that error comes from and what has caused it. Can someone shed some light on me? Thanks.