Squid1-ntlm + DansGuardian + Squid2-cache
This howto shows you how to set up two instances of squid: one running the NTLM authentication process and one running the cache process. The way it works is that when a website request first comes into the proxy server, it gets the required authentication from the first instance of squid (the one running the NTLM authentication process); it is then passed on to DansGuardian for content filtering, and if it passes the DansGuardian check it is passed on to the second instance of squid for caching.
Name: Squid
HomePage: http://www.squid-cache.org/
Function: proxy caching server for web clients
Name: Samba
HomePage: http://www.samba.org/
Function: Samba is a suite of programs that enables interoperability between Linux/Unix servers and Windows clients
Name: DansGuardian
HomePage: http://dansguardian.org/
Function: web content filter
Name: Webmin
HomePage: http://www.webmin.com/
Function: A web-based interface for system administration for Unix
1. Download webmin from
http://www.webmin.com/download/
2. Log in to webmin at http://webmin-server-ip-address:10000
3. Go to 'webmin' section, then to 'Webmin Configuration' & then choose 'Webmin Modules', after that click on the 'Clone Module' button
4. Clone the 'squid proxy server' module and call it 'Squid Proxy Server ntlm'
5. Prepare the second instance of squid
cp /etc/squid/squid.conf /etc/squid-ntlm/squid.conf
cp /usr/sbin/squid /usr/sbin/squid-ntlm
mkdir /var/spool/squid-ntlm
mkdir /var/log/squid-ntlm
chown squid:squid /var/spool/squid-ntlm
chown squid:squid /var/log/squid-ntlm
6. Now set up the second instance of squid: go to webmin again, click on the 'servers' section, and once there go to the 'Squid Proxy Server ntlm' module, press the 'Module Config' link and fill in the details.
Full path to squid config file: /etc/squid-ntlm/squid.conf
Command to start squid: /etc/init.d/squid-ntlm start
Command to stop squid: /etc/init.d/squid-ntlm stop
Command to apply changes:
Squid executable: /usr/sbin/squid-ntlm
Full path to PID file: /var/run/squid-ntlm.pid
Full path to the cache directory: /var/spool/squid-ntlm
Full path to the log directory: /var/log/squid-ntlm
7. Download DansGuardian from http://www.dansguardian.com/download/
8. Install DansGuardian
rpm -ivh DansGuardian.rpm
9. Download the DansGuardian webmin module
sourceforge.net/projects/dgwebminmodule/
10. Install DansGuardian webmin module, go to webmin, select the 'webmin' icon, then go to 'Webmin Configuration' & then choose 'Webmin Modules' and choose 'install Module'
11. Let's set the two instances of squid to run on different ports
nano /etc/squid/squid.conf
squid.conf:http_port 3128
nano /etc/squid-ntlm/squid.conf
squid.conf:http_port 3030
12. Set the following information in your dansguardian.conf file
nano /etc/dansguardian/dansguardian.conf
dansguardian.conf:usernameidmethodproxyauth = on
filterip = 127.0.0.1
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3030
13. Now it's time to set up NTLM authentication in the first squid. Edit the squid.conf file and add the following lines
nano /etc/squid-ntlm/squid.conf
squid.conf:auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate off
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
14. Once the NTLM authentication programs have been set, it's time to set the http_access and the acl rules
nano /etc/squid-ntlm/squid.conf
squid.conf:# (in the acl's area)
acl ntlm proxy_auth REQUIRED
# (in the http_access area)
http_access allow localhost
http_access allow ntlm
Make sure that these http_access rules are the first in the list.
15. Now that the first squid server is set to use NTLM authentication, it's time to set up winbind to authenticate against Active Directory. Stop both the winbind and samba services
/etc/init.d/smb stop
/etc/init.d/winbind stop
17. Edit Kerberos files to have the right configuration
nano /etc/krb5.conf
krb5.conf:[libdefaults]
default_realm = WINDOWS.SERVER.INT
[realms]
WINDOWS.SERVER.INT = {
kdc = mc1.windows.server.int
default_domain = WINDOWS.SERVER.INT
kpasswd_server = mc1.windows.server.int
admin_server = mc1.windows.server.int
}
[domain_realm]
.windows.server.int = WINDOWS.SERVER.INT
18. Edit Samba files to have the right configuration
/etc/samba/smb.conf
smb.conf:workgroup = server
security = ads
realm = WINDOWS.SERVER.INT
encrypt passwords = yes
username map = /etc/samba/smbusers
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
19. Now it's time to join the domain
net ads join -U administrator -S mc1
20. Now it's time to start both winbind and samba services
/etc/init.d/smb start
/etc/init.d/winbind start
21. Now, hopefully all that went well. To test it out, let's try this command
/usr/bin/wbinfo -g
this should display all the groups in your active directory structure.
22. Now to set squid to be able to access the winbind information
chown root:squid /var/cache/samba/winbindd_privileged
chmod 750 /var/cache/samba/winbindd_privileged
23. Next step is to disable the caching in squid, edit the '/etc/squid/squid.conf'
24. Now set DansGuardian to be a second cache and get squid to pass on the username to DansGuardian; edit the
/etc/squid/squid.conf
squid.conf:cache_peer 127.0.0.1 parent 8080 0 no-query login=*:nopassword
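The three files edited in steps 11, 12 and 24 have to agree on their ports or the chain silently breaks. The following script is an added example, not part of the original howto: it reads the port values out of the squid, DansGuardian and squid-ntlm config files and checks that they chain (cache_peer port = filterport, proxyport = squid-ntlm http_port, and the two squids on different ports). The sample files it writes are constructed from the howto's values; the file paths are whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the original howto): sanity-check that the ports in the
# three config files chain the way the howto intends:
#   client -> squid (http_port) -> DansGuardian (filterport, reached via cache_peer)
#          -> squid-ntlm (DansGuardian proxyport must equal its http_port)

squid_http_port() { awk '$1=="http_port"  {print $2; exit}' "$1"; }   # listening port
squid_peer_port() { awk '$1=="cache_peer" {print $4; exit}' "$1"; }   # parent's port
dg_value() {  # $1=dansguardian.conf $2=key ; first uncommented "key = value"
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([0-9.]*\).*/\1/p" "$1" | head -n 1
}

# check_chain FRONT_SQUID_CONF DANSGUARDIAN_CONF NTLM_SQUID_CONF -> returns 0 if consistent
check_chain() {
    front=$(squid_http_port "$1"); peer=$(squid_peer_port "$1")
    fport=$(dg_value "$2" filterport); pport=$(dg_value "$2" proxyport)
    nport=$(squid_http_port "$3")
    if [ -z "$peer" ] || [ "$peer" != "$fport" ]; then
        echo "cache_peer port '$peer' does not match DansGuardian filterport '$fport'"; return 1
    fi
    if [ -z "$pport" ] || [ "$pport" != "$nport" ]; then
        echo "DansGuardian proxyport '$pport' does not match squid-ntlm http_port '$nport'"; return 1
    fi
    if [ "$front" = "$nport" ]; then
        echo "both squid instances listen on port $front"; return 1
    fi
    echo "ok: client -> squid:$front -> dansguardian:$fport -> squid-ntlm:$nport"
}

# Writes constructed sample files into directory $1 using the howto's values; an optional
# $2 overrides the squid-ntlm http_port so a broken chain can be demonstrated.
make_sample_confs() {
    printf 'http_port 3128\ncache_peer 127.0.0.1 parent 8080 0 no-query login=*:nopassword\n' > "$1/squid.conf"
    printf '# filterport = 9999\nfilterport = 8080\nproxyip = 127.0.0.1\nproxyport = 3030\n' > "$1/dansguardian.conf"
    printf 'http_port %s\n' "${2:-3030}" > "$1/squid-ntlm.conf"
}

# Run with --demo to check the constructed samples; pass real paths to check_chain on a live box.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); make_sample_confs "$d"
    check_chain "$d/squid.conf" "$d/dansguardian.conf" "$d/squid-ntlm.conf"
    rm -rf "$d"
fi
```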
25. Now to set the second instance of squid to run as a different process, edit the squid-ntlm.conf
/etc/squid/squid-ntlm.conf
squid-ntlm.conf:pid_filename /var/run/squid-ntlm.pid
26. Set the logs to log in a different location.
/etc/squid/squid-ntlm.conf
squid-ntlm.conf:cache_access_log /var/log/squid-ntlm/access.log
cache_log /var/log/squid-ntlm/cache.log
cache_store_log /var/log/squid-ntlm/store.log
27. Now we're going to set squid1 to operate without a cache
/etc/squid/squid-ntlm.conf
squid-ntlm.conf:cache_dir null /dev/null
28. Now let's start all the servers
/etc/init.d/dansGuardian start
/usr/sbin/squid -f /etc/squid/squid.conf -z
/usr/sbin/squid-cache -f /etc/squid/squid-cache.conf -z
29. You can download an init.d script I have written for the ntlm version of squid
http://www.opensourcehowto.org/uploads/ntlm.txt
30. Once both the servers are initialized, you can use the init.d scripts to start them
/etc/init.d/squid-ntlm start/stop/status
/etc/init.d/squid start/stop/restart/status
Acknowledgement: Paul Matthews
Nice one.....
Awesome, imagine that, he did it step by step... hehehehehe someone who's about to get married really is different...
This is fierce