mashti

Installing Squid proxy server running on Windows


Part-1


There are various software packages that implement a proxy server, some commercial and some free. In this guide we will see how to implement a proxy server in a Windows environment that is fully integrated into Active Directory, at no cost.

 

The product concerned is Squid, originally developed for Linux; a port is also available for the Windows platform.

 

Integration with Active Directory is possible whether we install on a Linux or on a Windows machine; on Linux the configuration of authentication against AD is slightly more complex than in the Windows environment.

 

Squid can be installed on any machine of our network, not necessarily one with two network adapters; in that case it must also act as the gateway.

 

First we must download Squid from the site, following the links Squid 2.7 for Windows -> Squid Download Page -> mirror 1 / mirror 2, and there get the latest stable version, which at the moment is 2.7.STABLE8.

 

Once downloaded, unpack the .zip file into the path c:\squid. Copy these three files into the path c:\squid\etc:

Open squid.conf and make some changes required for the first run:

 

* OPTIONS FOR AUTHENTICATION Section

o Remove the comment from these three rows and complete the first one so that you have:

 


 

These parameters tell Squid to use NTLM authentication, to use the program mswin_ntlm_auth.exe to authenticate, and to use 5 concurrent authentication processes.

* ACCESS CONTROLS Section

o By default Squid grants access from local networks that have private IP addresses of the 3 standard classes; if our network does not fall into these we must add it to these 3 lines:

 


 

o In the basic configuration Squid grants access only to the following ports:

 


 

Here too, if we have other needs, we must add the ports we want to be reachable.

o Immediately after the last one we must insert an ACL that verifies authentication in Active Directory:

 


 

and set an access rule that denies all unauthenticated sessions:

 


 

to be inserted immediately after the line:

 


 

* DISK CACHE OPTIONS Section

o In this section we have to set the configuration parameters of the disk cache; to do this, uncomment the line:

 


 

and edit the parameters according to our needs.

Taking into account that the three parameters have this meaning:

100 = maximum size in MB of the disk cache

16 = number of subdirectories (1st level)

256 = number of subdirectories (2nd level)

Initially we can leave these 3 parameters at their defaults.

 

* LOGFILE OPTIONS Section

 

o In this section we define the location and the type of access log file that is generated by Squid.

The path is defined by the following directive:

 


 

While the type is defined by the line:

 


 

in this case we define a log format called squid and use it in the access_log command.

 

* ADMINISTRATIVE PARAMETERS Section

 

o In case of failure, or of access to an unauthorized site, Squid displays a page with details, including the e-mail address of the system administrator. We can change this address using the following directive:

 


 

* ERROR PAGE OPTIONS Section

 

o The last parameter to change is the language in which you want the error pages displayed; to achieve this, we use this directive:

 


 

where instead of English we insert the name of the directory for the language we use, found inside the folder c:/squid/share/errors; in the case of English we have:

 


 

At this point the basic Squid configuration is finished and we can run it for the first time. Open a DOS prompt, change to c:\squid\sbin and launch the command:

 


 

in order to create the cache directory. If we have not made mistakes in the configuration file we should see something like:

 


 

which tells us that the creation of the directory was successful; otherwise we will see something like:

 


 

in which case we have made some syntax error. (In this case it was deliberate!!)

 

 

NOTE: If we install Squid in the default directory c:\squid we never need to specify the location of the configuration file; if instead we use a different path, it is necessary to change all the references in the squid.conf file and to use the parameter -f configfile every time we launch the command squid.exe.

 

Now we can install Squid as a service and start testing it. To do this, launch the command:

 


 

If all goes well the Squid service will be created. If we want to call it differently, we need to add the parameter -n servicename. Once the service has been created we need to start it with the command:

 


 

and we will get output like:


 

We verify that Squid is actually listening via the command:

 


 

As you can clearly see, Squid is listening on the default port 3128.

 

Open Internet Explorer on a client and configure the proxy settings using the menu Tools -> Internet Options -> Connections -> LAN Settings, and set the proxy server as shown in the figure:

 


 

For simplicity we can change the Default Domain Policy so as to configure all the machines in the domain. The setting is located in the key:

 


 

Once changed, wait for the policy to be applied or force it with the command GPUPDATE /force, then try again; if everything went well, this time the request for username and password should appear.

 

With the procedures described so far the Squid configuration is finished: access is granted to everyone for any site, and a log is generated for each login.

 

In the next part we will see some parameters for optimizing Squid and how to configure the proxy settings in the browser automatically.

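As an added example (not part of the guide above, nor Squid's own code), a small Node.js script that parses lines in the native squid log format defined in the LOGFILE OPTIONS section and reviews them the way an administrator checking the authentication gate would: it counts requests per user, treats 407s as the normal NTLM challenge, lists authenticated users who hit a 403, and flags any successful request with no username, which should not occur once http_access deny !Authenticated is in place. The log lines, usernames and addresses are constructed.

```javascript
// Parser for Squid's native "squid" access.log format (the logformat named in
// Part-1) plus a review pass over the parsed entries. Field order in that format:
// timestamp elapsed client result/status bytes method url user hierarchy/peer type

// Constructed sample lines (invented users, hosts and addresses), not real log data.
const SAMPLE_LOG = [
  "1262304000.123    145 192.168.1.20 TCP_MISS/200 1456 GET http://www.example.com/ DOMINIO\\mrossi DIRECT/93.184.216.34 text/html",
  "1262304001.456      0 192.168.1.20 TCP_DENIED/407 1789 GET http://www.example.com/ - NONE/- text/html",
  "1262304002.789     12 192.168.1.21 TCP_DENIED/403 1200 GET http://www.bloccato.example/ DOMINIO\\bianchi NONE/- text/html",
  "1262304003.001    300 192.168.1.22 TCP_MISS/200 8000 CONNECT mail.example.com:443 - DIRECT/203.0.113.5 -",
].join("\n");

function parseSquidLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 10) return null;                // malformed or truncated line: skip it
  const [resultCode, status] = f[3].split("/");
  const [hierarchy, peer] = f[8].split("/");
  return {
    time: new Date(Math.round(parseFloat(f[0]) * 1000)).toISOString(),
    elapsedMs: parseInt(f[1], 10),
    client: f[2],
    resultCode,
    status: parseInt(status, 10),
    bytes: parseInt(f[4], 10),
    method: f[5],
    url: f[6],
    user: f[7] === "-" ? null : f[7],            // "-" means no authenticated user
    hierarchy,
    peer,
    contentType: f[9],
  };
}

function parseSquidLog(text) {
  return text.split("\n").map(parseSquidLine).filter(Boolean);
}

// Review: per-user counts, NTLM challenges (407), blocked hits by known users
// (403) and the case that should never appear once "http_access deny
// !Authenticated" is active: a successful request with no username.
function reviewLog(entries) {
  const byUser = {};
  const blockedHits = [];
  const anonymousAllowed = [];
  let authChallenges = 0;
  for (const e of entries) {
    const key = e.user || "(unauthenticated)";
    byUser[key] = (byUser[key] || 0) + 1;
    if (e.status === 407) authChallenges++;
    else if (e.status === 403 && e.user) blockedHits.push(e);
    else if (!e.user && e.status < 400) anonymousAllowed.push(e);
  }
  return { byUser, authChallenges, blockedHits, anonymousAllowed };
}
```

Run it against a real c:\squid\var\logs\access.log by reading the file instead of SAMPLE_LOG; any entry in anonymousAllowed points at an http_access line that lets traffic through before the authentication gate.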

Part-2

 

 

In the first part of the guide we saw how to configure the Squid service; we will now see how to configure clients automatically to use it, and some optimizations to the service itself.

 

Client configuration

 

The easiest, but most laborious, way to configure clients is to modify the Internet Explorer settings by hand to use the proxy server we configured. The same operation can be automated using a GPO (Group Policy Object).

 

Edit the Default Domain Policy or any other policy to configure the proxy settings in this way:

Then, after a gpupdate /force, in the LAN settings of the Connections tab of Internet Options you should see the "Automatically detect settings" flag checked.

 

So far we have configured Internet Explorer to use the automatic settings; now we must create the file with the settings and ensure that it can be found. Create a text file with:

 


 

where in place of the .local domain and 192.168.1.0/255.255.255.0 you put your own data, which can span multiple lines joined with the || (or) operator. Save the file with the name WPAD.dat in any location accessible via the web; for example, we can put it in the root of a server with IIS so that it can be reached at http://192.168.1.10/wpad.dat or

 

If you try one of the addresses above and get an error like:

 


 

Now that we have created the file we need to configure the system so that it is read automatically by Internet Explorer. To do this we can use DNS and/or DHCP.

 

Let's now see how to configure DNS; for the DHCP service, please refer to this article on TechNet:


 

Open the DNS management console and, in the forward lookup zone for your domain, create a CNAME record called wpad that points to the server where you saved the WPAD.dat file. Then make sure that everything works by opening an Internet Explorer window and typing:


 

If everything is configured correctly you should see the contents of the WPAD.dat file.

 

If you cannot resolve the name wpad.dominio.local, make sure that the name wpad is not included in the Global Query Block List:

 

Now we just have to open Internet Explorer and verify the actual use of the proxy server.

 

Using automatic configuration with the WPAD.dat file turns out to be very handy if you often need to access the internet through the proxy from portables that also go outside your network.

 

Log configuration

 

The default format of the proxy access log, like the others, is useful when it is to be interpreted by external software. If you want a format that is more understandable for us humans and easily importable into Excel, you can create a new type with these specs:

 


 

and then set up Squid to use it with the line:

 


 

With time you will notice that the log files, especially access.log, tend to grow significantly; we can then use Squid's logrotate function to create several files at certain times.

 

The easiest way is to schedule the command:

 


 

perhaps once a month, so that the log file can be archived.

 

Whenever we execute the command, the files will be renamed according to the following scheme:

 


 

The number of file versions that are maintained by squid depends on the value set for the parameter:

 


 

In this case 60 copies of the logs will be preserved, which, if rotated each month, correspond to 5 years.

 

Various Configurations

 

By default Squid sends the address of your machine to the real site visited, so our private address will be seen:

 


 

If you want to hide your private IP you have to edit this parameter in the following way:

 


 

Configuring permissions

 

If you've come this far you will have a fully functioning system where all users in Active Directory can access any site, and all those who are not authenticated do not have access to the outside.

 

Often the need arises to allow access to some web sites without having to authenticate, and to block access to sites more or less selectively; for example, we may want to allow downloading Windows updates or virus definitions on all PCs.

 

To do this we must first create a text file with the list of free sites:

 


 

and save it as C:\squid\etc\URL_consentiti.txt, then edit the Squid configuration file to use this newly created list.

 

At the end of the ACL directives we add this line:

 

in order to create an Access Control List called URL_consentiti that contains all the URLs in the file, then add the line:

 


 

just before the one that denies access to unauthenticated users (http_access deny !Authenticated).

 

Once Squid is restarted, verify that the links present in the file are also available without authentication.

 

In the same way we can define a list of users who have unlimited access to the web. Create a file containing the users with their domain:

 


 

and save it as C:\squid\etc\Utenti_illimitati.txt, then edit the Squid configuration file to load this ACL using the line:

 


 

Finally, we allow access to this ACL:

 


 

immediately after the previously inserted http_access directive.

 

Now we can create a list of sites that will be blocked for all users except those listed in Utenti_illimitati. Let's create a new text file called C:\squid\etc\URL_bloccati.txt that will contain a list of sites like:

 


 

We create the usual ACL with the line:

 


 

and finally we deny access to this ACL with the line:

 


 

to be inserted immediately after the previously inserted http_access directive.

 

After each change to the squid.conf file, the Squid service must be restarted.

 

If you want to create lists of addresses allowed per user, you must create a file containing one or more users and a file containing the links allowed for that user (or users).

Then create two ACLs, one for the users and one for the links:

 


 

and place them within the same directive so that both must be satisfied:

 


 

Notes

 

If you install Squid on a machine where the DNS is also installed, most likely after a reboot you will find yourself in the situation where Squid fails to start because some of its ports are already in use by the DNS service.

 

The default ports of Squid (not all are enabled):

 


 

We must therefore set a parameter in the Windows Registry to configure them as reserved, so that DNS does not use them.

 

The procedure is very simple and is described in the article:

 

How to reserve a range of ephemeral ports on a computer that is running Windows Server 2003 or Windows 2000 Server


 

1. Start Registry Editor (Regedit.exe).

2. Locate and select the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

3. On the Edit menu, choose New, and then Multi-String Value.

4. Right-click the new value, click Rename, type ReservedPorts and then press ENTER.

5. Double-click the ReservedPorts value, type the range of ports that you want to reserve, and then click OK.

Note: You must type the range of ports in the following format:

xxxx-yyyy

To specify a single port, use the same value for x and y. For example, to specify port 4000, type 4000-4000.

Warning: If you specify consecutive ports separately, and a port is reserved but is not used properly, the next port is not reserved and is used.

6. Click OK.


Do you have a video on YouTube on how to do this tutorial? I am a visual learner. I tried to complete all the configurations, but for some reason the Squid service stopped suddenly. I backed up the squid.conf file before I started, so I just replaced the file and restarted the server, and now the service is back up and working fine. Do you have any similar tutorials on the same subject? Please help, I need this for my new private proxy service.


Hi,

 

I have done all the configurations and all are working fine, but I am facing a problem in Eclipse. I am not able to commit and update a project through the proxy server. Can anybody help? Please do the needful as soon as possible.
