Why a proxy server
Key files
Our network
Editing the repositories /etc/apt/sources.list
$ sudo cp -p /etc/apt/sources.list /etc/apt/sources.list.origin
$ gksu gedit /etc/apt/sources.list
Updating the repositories
$ sudo apt-get update
Sources
Installing the Squid proxy server packages
$ sudo apt-get install apache2 squid squidguard
Editing the configuration file /etc/squid/squid.conf
$ sudo cat /etc/squid/squid.conf | sed '/ *#/d; /^ *$/d'
$ sudo cat /etc/squid/squid.conf | sed '/ *#/d; /^ *$/d' > squid.conf.nocomment
$ sudo cp -p /etc/squid/squid.conf /etc/squid/squid.conf.origin
$ gksu gedit /etc/squid/squid.conf
-------------------------------------------------------------------------------
find (line 1393) "hosts_file" and add the lines
hosts_file /etc/hosts
# -c tells squidGuard which configuration file to read
redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
redirect_children 5
find (line 2538) "acl our_networks src" and change it to
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
acl our_networks src 192.168.1.0/24 192.168.0.0/24
http_access allow our_networks
find (line 2839) "visible_hostname" and change it to
visible_hostname localhost
find (line 3357) "always_direct" and change it to
always_direct allow all
find (line 73) "http_port" and change it to
http_port 3128 transparent
-------------------------------------------------------------------------------
Restart Squid and check that it is running
$ sudo /etc/init.d/squid restart
$ ps aux | grep squid
Configure Firefox (for every user) to use the proxy
Create the file /etc/squid/myblacklist with the unwanted strings in URLs
$ gksu gedit /etc/squid/myblacklist
-------------------------------------------------------------------------------
microsoft
pokec
chat
-------------------------------------------------------------------------------
If we later dislike other strings in URLs as well, we simply append them to /etc/squid/myblacklist and restart Squid
Create the HTML page /var/www/myblacklist.html
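Before reloading Squid it helps to know what the url_regex list will actually match. The following shell script is an added example (not part of the original page): it mimics Squid's "acl myblacklist url_regex -i FILE" with grep -E -i -f over a constructed copy of the list, shows that a bare word such as "chat" also hits unrelated hosts, and gives a host-anchored pattern as the tighter alternative. Dropping "#" comment lines is an assumption about how Squid reads the list; blank lines are dropped because grep -f would otherwise match every URL.

```shell
#!/bin/sh
# Added example, not the page's code: dry-run a Squid url_regex list.
# Squid compiles "acl NAME url_regex -i FILE" as case-insensitive extended
# regexes, one per line, matched anywhere in the full URL; grep -iEf does the
# same. Sample list contents are constructed here.

# Write a constructed copy of /etc/squid/myblacklist and print its path.
make_sample_blacklist() {
    dir=$(mktemp -d)
    printf '%s\n' microsoft pokec chat > "$dir/myblacklist"
    echo "$dir/myblacklist"
}

# Same idea with a host-anchored pattern: only pokec.sk and its subdomains.
make_tight_blacklist() {
    dir=$(mktemp -d)
    printf '%s\n' '^http://([^/]+\.)?pokec\.sk(/|$)' > "$dir/myblacklist"
    echo "$dir/myblacklist"
}

# Return 0 if URL matches any pattern in LIST (Squid would deny), else 1.
# Blank lines are dropped (grep -f would otherwise match everything);
# dropping "#" comment lines is an assumption about Squid's list parser.
url_is_blacklisted() {
    list=$1; url=$2
    pat=$(mktemp)
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$list" > "$pat"
    if printf '%s\n' "$url" | grep -qiEf "$pat"; then rc=0; else rc=1; fi
    rm -f "$pat"
    return $rc
}

# Print ALLOW/DENY for each URL; return the number that would be denied.
dry_run() {
    list=$1; shift
    denied=0
    for u in "$@"; do
        if url_is_blacklisted "$list" "$u"; then
            echo "DENY  $u"; denied=$((denied + 1))
        else
            echo "ALLOW $u"
        fi
    done
    return $denied
}
```

Run dry_run /etc/squid/myblacklist with a handful of URLs the pupils legitimately need before each reload; a plain substring like "chat" blocks www.chatham.edu as readily as the chat portal it was meant for, which is why the anchored form is worth the extra typing.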
$ gksu gedit /var/www/myblacklist.html
-------------------------------------------------------------------------------
<h1>Retazec v URL je na mojom myblackliste!</h1>
-------------------------------------------------------------------------------
Editing the configuration file /etc/squid/squid.conf
$ gksu gedit /etc/squid/squid.conf
---------------------------------------------------------------------
find (line 2408) acl CONNECT method CONNECT and add the line
acl CONNECT method CONNECT
acl myblacklist url_regex -i "/etc/squid/myblacklist"
find (line 2517) http_access allow manager localhost and insert the line before it
http_access deny myblacklist
http_access allow manager localhost
find (line 3050) TAG: deny_info and add the line
deny_info http://127.0.0.1/myblacklist.html myblacklist
# alternatively we can redirect straight to some page on the internet,
# it doesn't have to be only http://127.0.0.1/myblacklist.html
---------------------------------------------------------------------
Reload Squid and verify the filter in Firefox
$ sudo /etc/init.d/squid reload
Create the HTML page /var/www/squidguard.html
$ gksu gedit /var/www/squidguard.html
-------------------------------------------------------------------------------
<h1>SquidGuardu sa tato stranka nepaci!</h1>
-------------------------------------------------------------------------------
If we use the bigblacklist.tar.gz package (it can be found with Google)
$ sudo cp /media/usbdisk/bigblacklist.tar.gz /var/lib/squidguard/db/
$ sudo -s
# cd /var/lib/squidguard/db
# tar -xzf bigblacklist.tar.gz
# rm -f bigblacklist.tar.gz
# mv
# chown -R proxy:proxy /var/lib/squidguard/db/
# exit
$ sudo find /var/lib/squidguard/db/blacklists -type d -exec chmod 755 \{\} \;
If we don't use the bigblacklist.tar.gz package but want our own filters
$ sudo mkdir /var/lib/squidguard/db/mssr/
$ gksu gedit /var/lib/squidguard/db/mssr/domains
-------------------------------------------------------------------------------
www.minedu.sk
-------------------------------------------------------------------------------
$ sudo chown -R proxy:proxy /var/lib/squidguard/db/
$ sudo find /var/lib/squidguard/db -type d -exec chmod 755 \{\} \; -print
In that case the file /etc/squid/squidGuard.conf would look like this
-------------------------------------------------------------------------------
dbhome /var/lib/squidguard/db
logdir /var/log/squid
dest mssr {
    domainlist mssr/domains
    redirect http://127.0.0.1/squidguard.html
}
acl {
    default {
        pass !mssr
        redirect http://127.0.0.1/squidguard.html
    }
}
-------------------------------------------------------------------------------
Editing the configuration file /etc/squid/squidGuard.conf
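A squidGuard.conf that points at a list file which does not exist (a typo in a domainlist path, a directory the proxy user cannot read) does not make squidGuard refuse to start; it goes into emergency mode and passes every request unfiltered, so the filter is silently off. The following shell script is an added example (not part of the original page, nor a squidGuard tool) that resolves every domainlist/urllist/expressionlist entry against dbhome and reports the ones that are missing or unreadable. The sample configuration it builds is constructed from the one above.

```shell
#!/bin/sh
# Added example, not the page's code: check a squidGuard.conf before running
# "squidGuard -C all". A referenced list file that is missing or unreadable
# sends squidGuard into emergency mode, in which every request is passed
# unfiltered, so a typo in a domainlist path silently switches the filter off.

# Print each domainlist/urllist/expressionlist path in CONF, resolved
# against its dbhome (relative paths in squidGuard.conf are relative to dbhome).
sg_list_paths() {
    conf=$1
    dbhome=$(awk '$1 == "dbhome" { print $2; exit }' "$conf")
    awk '$1 == "domainlist" || $1 == "urllist" || $1 == "expressionlist" { print $2 }' "$conf" |
    while read -r p; do
        case $p in
            /*) echo "$p" ;;
            *)  echo "$dbhome/$p" ;;
        esac
    done
}

# Return 0 when every referenced list exists and is readable by the caller,
# 1 otherwise, naming the bad paths on stderr.
sg_check_conf() {
    conf=$1; rc=0
    for f in $(sg_list_paths "$conf"); do
        if [ ! -r "$f" ]; then
            echo "squidGuard.conf references a missing or unreadable list: $f" >&2
            rc=1
        fi
    done
    return $rc
}

# Build a constructed dbhome with one list, plus a good and a broken config.
# Prints the directory; the configs are $dir/good.conf and $dir/bad.conf.
make_sample_sg_setup() {
    dir=$(mktemp -d)
    mkdir -p "$dir/db/mssr"
    echo www.minedu.sk > "$dir/db/mssr/domains"
    cat > "$dir/good.conf" <<EOF
dbhome $dir/db
logdir /var/log/squid
dest mssr {
    domainlist mssr/domains
    redirect http://127.0.0.1/squidguard.html
}
acl {
    default {
        pass !mssr
        redirect http://127.0.0.1/squidguard.html
    }
}
EOF
    # Same config, but pointing at a list that was never created.
    sed 's#mssr/domains#blacklists/porn/domains#' "$dir/good.conf" > "$dir/bad.conf"
    echo "$dir"
}
```

Run the check as the proxy user (for example through sudo -u proxy) so that the readability test reflects what squidGuard itself will see once Squid starts it; running it as root would report every existing file as readable.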
$ sudo grep -v "^#" /etc/squid/squidGuard.conf | sed -e '/^$/d'
$ sudo cp -p /etc/squid/squidGuard.conf /etc/squid/squidGuard.conf.origin
$ gksu gedit /etc/squid/squidGuard.conf
-------------------------------------------------------------------------------
dbhome /var/lib/squidguard/db
logdir /var/log/squid
dest ads {
    domainlist blacklists/ads/domains
    urllist blacklists/ads/urls
    redirect http://127.0.0.1/squidguard.html
}
dest porn {
    domainlist blacklists/porn/domains
    urllist blacklists/porn/urls
    expressionlist blacklists/porn/expressions
    redirect http://127.0.0.1/squidguard.html
}
# and of course further dest sections {}
acl {
    default {
        pass !ads !porn
        # and of course further !sections
        redirect http://127.0.0.1/squidguard.html
        # alternatively we can redirect straight to some page on the internet,
        # it doesn't have to be only http://127.0.0.1/squidguard.html
    }
}
-------------------------------------------------------------------------------
To be safe, we also set the permissions and owner on the relevant files
$ sudo chown proxy:proxy /etc/squid/squid.conf
$ sudo chown proxy:proxy /etc/squid/squidGuard.conf
$ sudo chown -R proxy:proxy /var/lib/squidguard/db/
$ sudo chown -R proxy:proxy /var/log/squid/
$ sudo chown -R proxy:proxy /var/spool/squid/
$ sudo chmod 644 /etc/squid/squidGuard.conf
$ sudo find /var/lib/squidguard/db -type f -exec chmod 640 \{\} \;
(640 is applied to files only; the directories keep the 755 set earlier, otherwise the proxy user could not traverse them)
$ sudo chmod -R 644 /var/log/squid/
$ sudo chmod 755 /var/log/squid
Compile the database (it takes quite a long time) and restart Squid
$ sudo squidGuard -C all
$ sudo squid -k reconfigure
If there are problems, watch the logs
$ sudo tail -f /var/log/squid/squidGuard.log &
$ sudo tail -f /var/log/squid/cache.log &
$ sudo tail -f /var/log/squid/access.log &
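Watching the logs with tail is fine while testing; afterwards it is more useful to know which clients keep hitting the filter and which hosts they were after. The following shell script is an added example (not part of the original page) that summarises TCP_DENIED entries from Squid's native access.log format per client and per host and flags clients above a threshold. The log lines it builds are constructed samples, not real traffic, and the status codes in them are illustrative.

```shell
#!/bin/sh
# Added example, not the page's code: summarise denied requests from Squid's
# native access.log. Field layout of the native format, as used by awk below:
#   1 time  2 elapsed  3 client  4 action/status  5 bytes  6 method  7 URL ...
# The log lines are constructed samples, not real traffic.

# Write a constructed access.log and print its path.
make_sample_access_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
1234567890.123    152 192.168.1.10 TCP_MISS/200 4521 GET http://www.minedu.sk/ - DIRECT/192.0.2.10 text/html
1234567891.456      0 192.168.1.10 TCP_DENIED/403 3240 GET http://www.pokec.sk/ - NONE/- text/html
1234567892.789      0 192.168.1.11 TCP_DENIED/403 3240 GET http://chat.azet.sk/ - NONE/- text/html
1234567893.012     88 192.168.1.11 TCP_MISS/200 980 GET http://www.google.sk/ - DIRECT/192.0.2.20 text/html
1234567894.345      0 192.168.1.10 TCP_DENIED/403 3240 CONNECT www.pokec.sk:443 - NONE/- -
EOF
    echo "$f"
}

# "count client" per client, most denials first.
denied_per_client() {
    awk '$4 ~ /^TCP_DENIED/ { n[$3]++ } END { for (c in n) print n[c], c }' "$1" | sort -rn
}

# "count host" for denied requests; strips the scheme, path and port so that
# "GET http://host/" and "CONNECT host:443" count for the same host.
denied_hosts() {
    awk '$4 ~ /^TCP_DENIED/ {
            u = $7
            sub(/^[a-z]+:\/\//, "", u)
            sub(/[\/:].*/, "", u)
            print u
         }' "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Return 0 when no client has more than THRESHOLD denials, 1 otherwise
# (the offending "count client" lines are printed).
flag_noisy_clients() {
    denied_per_client "$1" | awk -v t="$2" '$1 > t { print; bad = 1 } END { exit bad ? 1 : 0 }'
}
```

On the real machine call denied_per_client /var/log/squid/access.log (or the rotated access.log.1) from a daily cron job; a client that suddenly produces hundreds of denials is usually either a pupil probing the filter or a machine with adware, and both are worth a look.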
So that I don't have to set the proxy manually (a user could just create a new profile anyway :-))
#!/bin/sh
iptables -t nat -F
# normal transparent proxy
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j REDIRECT \
    --to-port 3128
# handle connections on the same box: Squid's own outgoing requests (gid proxy)
# are accepted untouched, otherwise they would be redirected back into Squid
gid=`id -g proxy`
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --gid-owner $gid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination \
    127.0.0.1:3128
How to save the iptables settings
$ sudo sh -c 'iptables-save > /etc/squid/iptables.rules'
(the redirection has to run inside the root shell, otherwise the unprivileged shell cannot write into /etc/squid)
$ sudo iptables-restore < /etc/squid/iptables.rules
http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
redirect_rewrites_host_header off
acl lan src 192.168.0.0/24 192.168.1.0/24 (below acl to_localhost dst 127.0.0.0/8)
http_access allow localhost
http_access allow lan (below http_access allow localhost)
visible_hostname localhost
always_direct allow all
# http_access deny all
acl zakaz url_regex -i "/etc/squid/zakaz" (below acl CONNECT method CONNECT)
http_access deny zakaz (above http_access allow manager localhost)
deny_info http://zschlebnice.sk zakaz
Script iptables_transparent_proxy.sh
-------------------------------------------------------------------------------
#!/bin/sh
/sbin/iptables -t nat -F
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j REDIRECT \
    --to-port 3128
gid=`id -g squid`
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --gid-owner \
    $gid -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination \
    127.0.0.1:3128
-------------------------------------------------------------------------------
# chmod +x iptables_transparent_proxy.sh
# /etc/init.d/transparent-proxying start
# ./iptables_transparent_proxy.sh
# /etc/init.d/iptables save
squid.conf
-------------------------------------------------------------------------------
http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
redirect_rewrites_host_header off
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl lan src 192.168.0.0/24 192.168.1.0/24
acl SSL_ports port 443 563
# Safe_ports is referenced below but was missing from the listing; this is
# Squid's default definition, without it Squid refuses to start
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl CONNECT method CONNECT
acl zakaz url_regex -i "/etc/squid/zakaz"
http_access deny zakaz
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow lan
http_reply_access allow all
icp_access allow all
visible_hostname localhost
httpd_accel_port 80
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
deny_info http://zschlebnice.sk zakaz
always_direct allow all
coredump_dir /var/spool/squid
-------------------------------------------------------------------------------