Xmodulo
Linux FAQs, tips and tutorials
The HTTPS protocol is used more and more on today's web. While this may be good for privacy, it
leaves a modern network administrator without any means to prevent questionable or adult
content from entering his/her network. Previously it was assumed that this problem had no
decent solution. Our how-to guide will try to prove otherwise.
This guide will tell you how to set up Squid on CentOS / RedHat Linux for transparent filtering
of HTTP and HTTPS traffic with the help of the Diladele Web Safety ICAP server, which is a
commercial solution for Linux, BSD and MacOS. The Linux installer of Diladele Web Safety
used in this tutorial contains fully featured keys which remain valid for a 3-month period, so you
can test its full feature set during this trial period.
Assumptions and Requirements
In this tutorial, I will assume the following. You have a network with IP addresses from the
192.168.1.0 subnet, the network mask is 255.255.255.0, and all workstations are set to use
192.168.1.1 as their default gateway. On this default gateway you have two NICs: one facing the LAN
with IP address 192.168.1.1, the other plugged into the ISP network and getting its public
Internet address through DHCP. It is also assumed that your gateway has CentOS or RedHat
Linux up and running.
#!/bin/bash

# install all build tools; this must be run as root
if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root" 1>&2
    exit 1
fi

# install development packages required (the package list is cut off in the source listing)
yum install -y gcc-c++ pam-devel db4-devel expat-devel libxml2-d  # [truncated in source]

# squid needs perl and needs additional perl modules not present [truncated in source]
# (the EPEL release package file name is cut off in the source listing)
curl http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-  # [truncated in source]
rpm -Uvh epel-release-6*.rpm
yum install -y perl-Crypt-OpenSSL-X509
#!/bin/bash

# stop on any error
set -e

# rpm build MUST be run as a normal user
if [[ $EUID -eq 0 ]]; then
    echo "This script must NOT be run as root" 1>&2
    exit 1
fi

# get squid sources (both download URLs are cut off in the source listing)
pushd rpmbuild/SOURCES
curl http://www.squid-cache.org/Versions/v3/3.4/squid-3.4.4.tar  # [truncated in source]
curl http://www.squid-cache.org/Versions/v3/3.4/squid-3.4.4.tar  # [truncated in source]
popd

# build the binary RPMs out of the sources
pushd rpmbuild/SPECS
rpmbuild -v -bb squid.spec
popd
#!/bin/bash

# stop on every error
set -e

# install RPMs as root
if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root" 1>&2
    exit 1
fi

# detect current architecture (default assumes x86_64)
ARCH_1=$(uname -m)
ARCH_2="amd64"
ARCH_3="lib64"

if [[ $ARCH_1 == 'i686' ]]; then
    ARCH_2="i386"
    ARCH_3="lib"
fi

pushd rpmbuild/RPMS/$ARCH_1
yum localinstall -y squid-3.4.4-0.el6.$ARCH_1.rpm
popd

# set up the ssl_crtd daemon (remove a stale symlink first, then create the
# certificate database and hand it to the squid user, which ssl_crtd runs as)
if [ -f /bin/ssl_crtd ]; then
    rm -f /bin/ssl_crtd
fi

ln -s /usr/$ARCH_3/squid/ssl_crtd /bin/ssl_crtd
/bin/ssl_crtd -c -s /var/spool/squid_ssldb
chown -R squid:squid /var/spool/squid_ssldb

# uncomment to regenerate certificates for SSL bumping if you do [truncated in source]
# openssl req -new -newkey rsa:1024 -days 1365 -nodes -x509 -key [truncated in source]
# openssl x509 -in myca.pem -outform DER -out myca.der
# then copy certificates
# cp myca.pem /etc/opt/quintolabs/qlproxy/
# cp myca.der /etc/opt/quintolabs/qlproxy/

# make squid autostart after reboot
chkconfig squid on
#!/bin/bash

# stop on any error
set -e

# integration should be done as root
if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root" 1>&2
    exit 1
fi

# allow the web UI read-only access to the squid configuration file
chmod o+r /etc/squid/squid.conf

# perform integration by replacing the squid.conf file
# (the command after "&&", which puts the replacement squid.conf in place, is cut off in the source listing)
mv /etc/squid/squid.conf /etc/squid/squid.conf.original &&  # [truncated in source]

# parse the resulting config just to be sure
/usr/sbin/squid -k parse

# restart squid to load the new config
/sbin/service squid restart
#!/bin/bash

# firewall setup should be done as root
if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root" 1>&2
    exit 1
fi

# check kernel forwarding is enabled
enabled=$(cat /proc/sys/net/ipv4/ip_forward)
if [[ $enabled -ne 1 ]]; then
    echo "Kernel forwarding seems to be disabled, enable it"  # message [truncated in source]
    exit 1
fi

# set the default policy to accept first (not to lock ourselves out)
iptables -P INPUT ACCEPT

# flush all current rules from iptables
# (without -t this flushes only the filter table; the nat table is left as it is)
iptables -F

# allow pings from eth0 and eth1 for debugging purposes
iptables -A INPUT -p icmp -j ACCEPT

# allow access for localhost
iptables -A INPUT -i lo -j ACCEPT

# accept packets belonging to established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow ssh connections to tcp port 22 from eth0 and eth1
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# allow connections from the LAN (eth0 only) to ports 3126, 3127 and 3128 squid is listening on
iptables -A INPUT -i eth0 -p tcp --dport 3126 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 3127 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 3128 -j ACCEPT

# redirect all HTTP (tcp:80) traffic coming in through eth0 to 31 [truncated in source]
# (the REDIRECT target of the two rules below is cut off in the source listing)
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -  # [truncated in source]

# redirect all HTTPS (tcp:443) traffic coming in through eth0 to [truncated in source]
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443  # [truncated in source]

# configure forwarding rules
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p tcp --sport 22 -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p tcp --sport 80 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited

# enable NAT for clients within the LAN
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# set default policies for INPUT, FORWARD (drop) and OUTPUT (accept)
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# list created rules
iptables -L -v

# save the rules so that after reboot they are automatically restored
/sbin/service iptables save

# enable the firewall
chkconfig iptables on

# and reboot the machine
reboot
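As an added check (example code written for this edit, not part of the article or its script archive): the audit below reads an iptables-save dump and verifies the properties the firewall script above is meant to establish on the gateway, i.e. HTTP and HTTPS arriving on eth0 redirected to Squid, NAT on eth1, DROP policies on INPUT and FORWARD, and the Squid ports 3126-3128 reachable from the LAN interface only. The two embedded rulesets are constructed samples; the redirect target ports in them (3127 for HTTP, 3126 for HTTPS) are an assumption, because the REDIRECT part of the two PREROUTING rules is cut off in the listing above.

```shell
#!/bin/bash
# Added example, not from the article: audit an iptables-save dump for the
# transparent-proxy gateway built by the firewall script above.

# Constructed sample of what "iptables-save" prints after the script ran.
# The REDIRECT ports (80 -> 3127, 443 -> 3126) are an assumption: that part
# of the two PREROUTING rules is cut off in the article's listing.
GOOD_RULESET='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3127
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3126
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3126 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3127 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3128 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed broken sample: no HTTPS redirect (HTTPS bypasses the filter),
# FORWARD policy left at ACCEPT, and port 3128 open on every interface.
BAD_RULESET='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3127
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3126 -j ACCEPT
COMMIT'

# dump_has DUMP REGEX: true when some line of DUMP matches REGEX
dump_has() {
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# audit_ruleset: read an iptables-save dump on stdin, print one line per
# finding and return the number of findings (0 = the gateway is configured
# the way the firewall script intends).
audit_ruleset() {
    local dump findings=0 exposed
    dump=$(cat)

    # 1. LAN (eth0) HTTP and HTTPS must be redirected to Squid, otherwise
    #    that traffic leaves the network unfiltered.
    dump_has "$dump" '^-A PREROUTING -i eth0 .*--dport 80 -j REDIRECT' \
        || { echo "MISSING: tcp/80 from eth0 is not redirected to Squid"; findings=$((findings + 1)); }
    dump_has "$dump" '^-A PREROUTING -i eth0 .*--dport 443 -j REDIRECT' \
        || { echo "MISSING: tcp/443 from eth0 is not redirected to Squid (HTTPS unfiltered)"; findings=$((findings + 1)); }

    # 2. Clients need NAT on the ISP-facing interface.
    dump_has "$dump" '^-A POSTROUTING -o eth1 -j MASQUERADE' \
        || { echo "MISSING: no MASQUERADE on eth1"; findings=$((findings + 1)); }

    # 3. Default policies: anything not explicitly allowed must be dropped.
    dump_has "$dump" '^:INPUT DROP' \
        || { echo "POLICY: INPUT chain policy is not DROP"; findings=$((findings + 1)); }
    dump_has "$dump" '^:FORWARD DROP' \
        || { echo "POLICY: FORWARD chain policy is not DROP"; findings=$((findings + 1)); }

    # 4. The Squid ports must be reachable from the LAN only: an ACCEPT for
    #    3126-3128 without "-i eth0" also admits the ISP side (open proxy).
    exposed=$(printf '%s\n' "$dump" \
        | grep -E '^-A INPUT .*--dport 312[678] -j ACCEPT' \
        | grep -vc -- '-i eth0' || true)
    if [ "$exposed" -gt 0 ]; then
        echo "EXPOSED: $exposed Squid port rule(s) accept traffic from any interface"
        findings=$((findings + exposed))
    fi

    return "$findings"
}

# Run against the constructed samples when executed directly.
printf '%s\n' "$GOOD_RULESET" | audit_ruleset && echo "good ruleset: no findings"
printf '%s\n' "$BAD_RULESET" | audit_ruleset || echo "bad ruleset: $? finding(s)"
```

On the gateway itself, source the file and run `iptables-save | audit_ruleset`; the return value is the number of findings, so the same function works as a post-reboot check or a cron job that alerts when the ruleset drifts from what the script installed.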
certificate from /etc/opt/quintolabs/qlproxy/myca.der into Trusted Root Certification on all
workstations in our network. The following screenshots show that HTTPS requests were
decrypted and filtered transparently.
Browsing to Google and searching for an adult term (e.g. NSFW), we get the HTTPS request
filtered and blocked transparently.
Resume
We now have a default gateway in our network capable of transparently filtering HTTP and
HTTPS traffic. All workstations in our network trust the root certificate of the proxy, and thus
get their HTTPS requests decrypted and filtered. The browsing environment in our network
has become much safer.
Links
Archive with all scripts mentioned in this HOWTO
Online documentation of Diladele Web Safety
Squid proxy wiki
Rafael Akchurin
Diladele Web Safety for Squid Proxy Server is an ICAP server that
integrates with an existing Squid proxy server and provides rich content and
web filtering functionality to sanitize Internet traffic passing into an internal
home/enterprise network. It may be used to block illegal or potentially
malicious file downloads, remove annoying advertisements, prevent
access to various categories of web sites and block resources with
explicit content.
Don't forget to create your own SSL certificate and install it on all your
LAN hosts.
If you have a problem with your generated certificates, try this tip: Rebuild ssldb
sudo service squid3 stop
sudo rm -R /var/spool/squid3_ssldb
sudo mkdir /var/spool/squid3_ssldb
sudo /bin/ssl_crtd -c -s /var/spool/squid3_ssldb
sudo chown -R proxy:proxy /var/spool/squid3_ssldb
sudo /usr/sbin/squid3 -k parse
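The tip above rebuilds the certificate database unconditionally; a useful first step is to check whether the database Squid's ssl_crtd helper uses is intact and owned by the right user before wiping it. The function below is an added example (not from the article or from the commenter), written for the paths used in this HOWTO. It assumes the layout that ssl_crtd -c creates in Squid 3.4 (an index.txt file, a size file and a certs/ sub-directory), and the expected owner is passed in: squid on the CentOS build from this article, proxy on the Debian/Ubuntu squid3 package the comment refers to.

```shell
#!/bin/bash
# Added example, not from the article or its comments: sanity-check the
# ssl_crtd certificate database before stopping Squid and rebuilding it.

# check_ssldb DIR OWNER
# DIR   - database directory created with "ssl_crtd -c -s DIR"
# OWNER - user Squid runs as (squid on CentOS, proxy on Debian/Ubuntu)
# Assumed layout (Squid 3.4): index.txt, size and a certs/ sub-directory.
# Prints one line per problem and returns the number of problems found,
# so "check_ssldb /var/spool/squid_ssldb squid || rebuild" works as a guard.
check_ssldb() {
    local dir="$1" owner="$2" problems=0 entry actual

    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir does not exist (create it with: ssl_crtd -c -s $dir)"
        return 1
    fi

    # every file ssl_crtd initialises must be present; a half-written or
    # manually emptied database makes the helper fail on the first bump
    for entry in index.txt size certs; do
        if [ ! -e "$dir/$entry" ]; then
            echo "MISSING: $dir/$entry (database not initialised or damaged)"
            problems=$((problems + 1))
        fi
    done

    # ssl_crtd runs as the Squid user and must be able to write here; this is
    # why the install script above chowns the directory right after creating it
    actual=$(ls -ld "$dir" | awk '{print $3}')
    if [ "$actual" != "$owner" ]; then
        echo "OWNER: $dir is owned by '$actual', expected '$owner' (fix with: chown -R $owner:$owner $dir)"
        problems=$((problems + 1))
    fi

    return "$problems"
}

# Demonstration on a constructed temporary directory (no real Squid needed).
demo_dir=$(mktemp -d)
check_ssldb "$demo_dir" "$(id -un)" || echo "-> $? problem(s) in a fresh empty directory"
touch "$demo_dir/index.txt" "$demo_dir/size" && mkdir "$demo_dir/certs"
check_ssldb "$demo_dir" "$(id -un)" && echo "-> database looks healthy"
rm -rf "$demo_dir"
```

Run it as `check_ssldb /var/spool/squid_ssldb squid` on the CentOS gateway (or with the squid3 path and the proxy user from the comment) before following the rebuild steps; if it reports only an ownership problem, the chown line alone fixes it and the issued certificates survive.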
The SSL bump is only appropriate in cases when you are the sole
owner of a network (like home, for example). In any case, doing SSL bump may
be fully illegal in some countries, so consult your lawyer first when planning to implement it.
This article describes only technical means of performing HTTPS filtering, which may be
required for some deployments (think schools, libraries etc.). More info can be found on
Squid's web site (search for Squid SSL Bump Wiki).
This line:
echo "This script must be run as root" 1>&2
Won't work very well if just blindly copied and pasted (as you seem to be suggesting users
do)
They were just due to the HTML encoding problem of our site. Not to
blame the author.
They are all fixed now.
Hi everybody,
The post is great. But I've got something that's not OK.
Transparent HTTP is OK, but when it is HTTPS, squid crashed.
I've got these logs:
Am I right in saying that implementing this method, whilst much better for an academic
network (i.e. a school), will prevent Diladele from being able to log which Active Directory
accounts visit which websites?
If this is true, how could one get workstations to authenticate somehow and populate the logs with
their account names again?