A sysadmin's notes on interesting things from the world of IT, how-tos and reviews. We set up computers, servers, 1C and SIP telephony in Moscow

Installing and configuring SquidNT proxy

2007-03-08 · Posted in Windows Server 2003

Installing And Configuring Squid NT Proxy

Installing SquidNT

Download the latest version of SquidNT from here.

This guide has been written for 2.5.STABLE10-NT (download), but should work with later versions.

Unzip the squid-2.5.STABLE10-NT-bin.zip file to a temporary directory. This will create a folder called squid-2.5.STABLE10-NT-bin\squid. Move the squid subdirectory to the location where you want Squid to be installed, e.g. C:\squid. (NOTE: You cannot install Squid in a directory containing spaces, like C:\Program Files.)

Open a command line window (cmd.exe), and change to the directory you installed Squid to, e.g. cd \squid

Install the Squid service by running the following:

C:\squid>sbin\squid.exe -i

Set up the default config files by copying the template configuration files in C:\squid\etc. Copy the following three files to C:\squid\etc:

squid.conf.default      to C:\squid\etc\squid.conf
mime.conf.default       to C:\squid\etc\mime.conf
cachemgr.conf.default   to C:\squid\etc\cachemgr.conf

Then create the Squid cache directories by running the following:

C:\squid>sbin\squid -z

Squid is now ready to start. Start the Squid NT service from the Services Control Panel applet (Control Panel -> Administrative Tools -> Services). If Squid starts correctly you will not receive an error, and the cache log file (C:\squid\var\logs\cache.log) will not contain any errors.

Configuring user authentication

As installed, Squid is locked down to not allow any access, so the config file needs to be modified to allow connections from users on the network. Shut down the Squid service.

Open the Squid config file (C:\squid\etc\squid.conf).

To enable authentication against your Windows domain or Active Directory, add the following to your config file around line 1290. This tells Squid to use NTLM authentication (i.e. to log users in automatically without prompting for a password).

auth_param ntlm program c:/squid/libexec/win32_ntlm_auth.exe
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate on

Then define ACL (access control list) entries that allow users on your network to use the proxy once they are authenticated. Go to approximately line 1830 of the file, and add the lines:

acl localnet src 192.168.1.0/24
acl authenticated proxy_auth REQUIRED
http_access allow localnet authenticated

(Change the IP address mask as appropriate for your network. You can specify multiple network masks by separating them with spaces. Each acl line holds a single ACL type, and listing several ACL names on one http_access line means the request must match all of them.)

Now restart Squid and ensure that it starts correctly. Configure a browser to use the Squid proxy (port 3128 by default), and try to access an external web site. You should be able to visit the site successfully. To check that the authentication is working correctly open the C:\squid\var\logs\access.log file; you should see log entries for the web site you visited, and importantly your username in the log file. Below are sample logs from visiting google.com. Note the username vm-domain\administrator, where vm-domain is the name of the domain, and administrator is the name of the user.

1118015367.061    703 127.0.0.1 TCP_MISS/302 405 GET http://google.com/ vm-domain\administrator DIRECT/216.239.57.99 text/html
1118015367.749    688 127.0.0.1 TCP_MISS/302 411 GET http://www.google.com/ vm-domain\administrator DIRECT/66.102.7.104 text/html

Allowing access only to members of a Windows group

The next step is to only allow users access if they belong to a Windows security group. This can be used to enforce Internet access policy on your domain, and allow PaperCut to restrict access to users who have used their entire available quota. First we need to add the external ACL types to check for Windows group membership. Go to about line 1396 and add the following:

external_acl_type win_domain_group ttl=300 %LOGIN c:/squid/libexec/win32_check_group.exe -G
external_acl_type win_local_group ttl=300 %LOGIN c:/squid/libexec/win32_check_group.exe

(The first entry is used to check domain group membership, the second is for local groups. You only have to add the lines you are going to use. Users of PaperCut typically use domain groups, so only the first line would be necessary).

Now we need to define the ACL that allows access only to members of a particular group (e.g. a domain group called InternetUsers). Go to the place in the config file where the acl localnet entry was defined (approximately line 1850), and replace the previous ACL definitions with:

acl localnet src 192.168.1.0/24
acl authenticated proxy_auth REQUIRED
acl InetAllow external win_domain_group InternetUsers
http_access allow localnet authenticated InetAllow

Ensure that you use the IP mask appropriate for your network. In the above example InternetUsers is a domain group; change the group name as appropriate for your network. If your group is a local group, use the win_local_group external ACL type instead.

(Make sure you remove the earlier http_access allow line that granted access to any authenticated user on the network, otherwise all users on the network will have access, even if they do not belong to the group.)

Restart Squid, and now only members of the InternetUsers group will have access to the Internet via the proxy.

NOTE: If you need to deny Internet access to members of another Windows security group, you can set up an InternetDenyGroup the same way as above and then define an InetDeny ACL. You can then specify an http_access deny rule as follows; place it before the http_access allow line, because Squid evaluates http_access rules in order and stops at the first match:

http_access deny InetDeny

Verifying the configuration

Restart Squid (if you have not done so already).

As a user that belongs to the InternetUsers group:

  • Make sure the browser is set up to use the proxy (port 3128 by default)
  • Browse the Internet for a few minutes (you should be allowed to view all pages).
  • Check the C:\squid\var\logs\access.log, and make sure your username is being logged.

As a user that does not belong to the InternetUsers group:

  • Make sure the browser is set up to use the proxy (port 3128 by default)
  • Try to browse the Internet (you should be denied access by the Squid proxy).
  • Check the C:\squid\var\logs\access.log, and make sure you see TCP_DENIED entries that contain the correct username.
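The two log checks above can be scripted. The following is an added example (not part of the original guide or PaperCut's software) that parses access.log lines in Squid's native format and tallies allowed and denied requests per user, so that a member and a non-member of InternetUsers can be compared in one pass over C:\squid\var\logs\access.log. The four log lines are constructed; the first two copy the guide's google.com sample, and the 407 (no credentials offered, no username logged) and 403 (authenticated but not in the group) entries show what Squid records for the two failure cases.

```python
import re
from collections import defaultdict
# Constructed sample lines in Squid's native access.log layout (time elapsed client
# code/status bytes method URL user peer/host mime). The first two mirror the guide's
# google.com entries; "-" in the user field means Squid had no authenticated user.
SAMPLE_LOG = r"""
1118015367.061    703 127.0.0.1 TCP_MISS/302 405 GET http://google.com/ vm-domain\administrator DIRECT/216.239.57.99 text/html
1118015367.749    688 127.0.0.1 TCP_MISS/302 411 GET http://www.google.com/ vm-domain\administrator DIRECT/66.102.7.104 text/html
1118015400.120      2 192.168.1.25 TCP_DENIED/403 1428 GET http://example.com/ vm-domain\guest NONE/- text/html
1118015401.500      1 192.168.1.40 TCP_DENIED/407 1700 GET http://example.com/ - NONE/- text/html
"""
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

def parse_line(line):
    """Fields of one access.log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["user"] = None if rec["user"] == "-" else rec["user"]
    return rec

def summarise(log_text):
    """Tally allowed/denied requests per user, plus requests with no username
    (NTLM not negotiated, Squid answers 407). TCP_DENIED with a username
    means the user authenticated but is not in the allowed group (403)."""
    per_user = defaultdict(lambda: {"allowed": 0, "denied": 0})
    summary = {"unauthenticated": 0, "unparsed": 0, "per_user": per_user}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            summary["unparsed"] += 1
        elif rec["user"] is None:
            summary["unauthenticated"] += 1
        else:
            key = "denied" if rec["code"] == "TCP_DENIED" else "allowed"
            per_user[rec["user"]][key] += 1
    return summary

def group_check_ok(summary, member, non_member):
    """True when the member saw no denials and the non-member nothing but denials."""
    m, n = summary["per_user"].get(member), summary["per_user"].get(non_member)
    return bool(m and n and m["denied"] == 0 and n["allowed"] == 0)
```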

If this all works, then you're ready to use PaperCut with SquidNT…

  • In Options->Net Charging Options, point PaperCut to the C:\squid\var\logs log directory.
  • Set the log file mask to access.log
  • And then press the "Test and Apply Settings" button. You should see some summarized net access usage.

Log Rotation

Squid NT does not rotate its log files, so on large sites these files will grow very large. We recommend implementing a simple rotation policy which improves the performance of your system and allows easy archiving of old logs.

We have written a simple batch file that performs a log rotation by stopping Squid, renaming access.log to access-YYYY-MM-DD.log, and then restarting Squid. Use the Windows Task Scheduler to schedule the following batch file to run regularly (e.g. daily or weekly). NOTE: Make sure you set up the scheduled task to run as a user with permissions to stop/start the Squid service.

squid-log-rotate.bat:

@echo off

REM
REM Squid Log Rotation Script by PaperCut Software Pty Ltd
REM

REM The location of the squid log files (keep the trailing backslash)
SET SQUID_LOG_PATH=C:\squid\var\logs\

REM Stop the squid service
net stop squidnt

REM Build a YYYY-MM-DD stamp from "date /t". Its output is locale-dependent:
REM this token order assumes a dd/mm/yyyy short date format (e.g. "Thu 08/03/2007").
REM On mm/dd/yyyy systems use %%l-%%j-%%k instead.
FOR /F "tokens=1-4 delims=/, " %%i in ('date /t') do set YYYYMMDD=%%l-%%k-%%j

REM Rename the log file
ren "%SQUID_LOG_PATH%access.log" "access-%YYYYMMDD%.log"

REM Restart the squid service
net start squidnt

Troubleshooting

If Squid fails to start then it is best to check the following two log files. They will usually give you a hint about the cause of the problem (e.g. a syntax problem in the squid.conf file).

C:\squid\sbin\squid.exe.log
C:\squid\var\logs\cache.log
