Secure Internet access with Squid, Openldap, Dansguardian and Clamav

Posted on November 24, 2010


Step 1. General information

Objectives

  • Authenticate LAN users for Internet access
  • Content filtering for Internet traffic:
    • URL filtering
    • Virus scanning
    • Advert blocking
    • Customized block-reason messages for users
  • Content caching

Not detailed

  • Installation of the programs
  • QoS with the Squid proxy server
  • Limiting the maximum number of IP addresses per user with the Squid proxy server
  • Encrypted authentication with LDAP
  • Customized block-reason messages for users with DansGuardian
  • Graphical interfaces for the programs
  • Log analysis (log analysis tools)
  • General management tasks (examples: clearing the Squid cache, backups, log archiving, virus database updates with freshclam)
  • Firewall setup on the Squid server and on the firewall itself.

Used components

The following table lists the applications used and their versions:

Application                 Version
Ubuntu Hardy Heron          kernel 2.6.24-19-server
Squid                       2.6.STABLE18
DansGuardian                2.8.0.6
ClamAV                      0.92.1
OpenLDAP                    slapd 2.4.9

Process flow

The following picture shows the process of operation:

Order of operations for Internet access

  1. The client cannot reach the Internet directly; clients must communicate through the proxy.
  2. The client sends its request to the Squid proxy server (TCP port 3128), which on the first request asks the client for authentication (username and password).
  3. When the client supplies credentials, Squid tries to authenticate them against LDAP.
  4. The LDAP server checks the credentials and tells Squid whether the user is identified or not.
  5. If authentication succeeds, Squid forwards the request to the DansGuardian content filter.
  6. The DansGuardian content filter processes the request.
  7. If the content is not blocked by DansGuardian (it is blocked, for example, when the URL is denied or ClamAV identifies a virus), it is forwarded back to Squid.
  8. Squid returns the content to the client and caches it as well.*

* After a ClamAV virus database update it is better to clear the Squid cache, since objects cached earlier were scanned with the older signatures.

Step 2. Configuring Squid for LDAP Authentication and for Dansguardian Content Filter

Squid supports the following authentication schemes (in our example we use 'basic'):
negotiate: the client negotiates with Squid which mechanism to use for authentication.
basic: the credentials are sent as a Base64-encoded string, which is encoded but not encrypted. More info about Basic authentication: http://www.ietf.org/rfc/rfc2617.txt
digest: secured with a 'nonce' generated by the Squid proxy server. More info about Digest authentication: http://www.ietf.org/rfc/rfc2617.txt
ntlm: Windows-style authentication scheme; the original protocol was reverse-engineered. More info about NTLM: http://en.wikipedia.org/wiki/NTLM
There are many authenticator helper programs we can use, for example RADIUS, LDAP, eDirectory, POP3, SMB, etc.

Here we configure LDAP authentication with the 'ldap_auth' authenticator helper program.
More information about it: http://www.digipedia.pl/man/squid_ldap_auth.8.html

We use the following parameters of the 'ldap_auth' program:
-b the base DN, as specified in slapd.conf with the 'suffix' directive.
-f the LDAP search filter used to locate the user's DN. *
-v the LDAP protocol version; here we use version 3.

* Required if the users are in a hierarchy below the base DN, or if the login name is not what builds the user-specific part of the user's DN.
The search filter can contain up to 15 occurrences of %s, which will be replaced by the username, as in "uid=%s" for RFC2037 directories. For a detailed description of LDAP search filter syntax see RFC2254.

These four lines are the minimal authentication configuration:

auth_param basic program /usr/lib/squid/ldap_auth -v 3 -b "dc=mydomain,dc=dyndns,dc=org" -f "uid=%s"
auth_param basic children 5
auth_param basic realm Web-Proxy
auth_param basic credentialsttl 1 minute
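To make the -b and -f parameters concrete, here is an added Python model of what the ldap_auth helper does for Squid; it is neither the real helper nor code from this page. It substitutes the username into the 'uid=%s' filter, looks the entry up below the base DN, checks the password (where the real helper binds to slapd as the found DN) and answers OK or ERR in the Squid 2.6 basic helper protocol. The directory is a constructed in-memory stand-in, and escaping of the substituted username is included as good practice.

```python
import re
import sys

BASE_DN = "dc=mydomain,dc=dyndns,dc=org"
# constructed stand-in for the directory (the real helper queries slapd);
# each entry keeps only the attributes the lookup needs
DIRECTORY = {
    "cn=Firstname1 Familyname1," + BASE_DN: {"uid": "Firstname1", "userPassword": "1234"},
    "cn=Firstname2 Familyname2," + BASE_DN: {"uid": "Firstname2", "userPassword": "abcd"},
}

def escape_filter_value(value):
    # escape the characters RFC 4515 reserves in filter values, so the
    # username substituted for %s stays a literal value inside "uid=%s"
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)

def search_user_dn(search_filter, username):
    # the -f step: substitute %s, then find the single entry it selects;
    # only simple "attr=value" equality filters are understood (assumption)
    attr, _, value = search_filter.replace(
        "%s", escape_filter_value(username)).partition("=")
    wanted = unescape_filter_value(value)
    hits = [dn for dn, entry in DIRECTORY.items() if entry.get(attr) == wanted]
    return hits[0] if len(hits) == 1 else None

def authenticate(line, search_filter="uid=%s"):
    # one round of the Squid 2.6 basic helper protocol: Squid writes
    # "username password" on the helper's stdin and expects OK or ERR back
    parts = line.split(None, 1)
    if len(parts) != 2:
        return "ERR"
    username, password = parts
    dn = search_user_dn(search_filter, username)
    if dn is None:
        return "ERR"          # no unique entry below the base DN
    # the real helper now binds to slapd as that DN with the given password
    if DIRECTORY[dn]["userPassword"] != password:
        return "ERR"
    return "OK"

if __name__ == "__main__":
    for line in sys.stdin:
        sys.stdout.write(authenticate(line.rstrip("\n")) + "\n")
        sys.stdout.flush()
```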

We need a new acl definition for authentication; in this example it is 'ldap-auth':

(More info: http://www.visolve.com/squid/squid26/accesscontrols.php#proxy_auth)

acl ldap-auth proxy_auth REQUIRED

The default acl commands are the following:

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443          # https
acl SSL_ports port 563          # snews
acl SSL_ports port 873          # rsync
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 631         # cups
acl Safe_ports port 873         # rsync
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

Here we refer to the 'ldap-auth' acl to permit access for successfully authenticated users. Squid evaluates http_access lines in order and the first match wins, so this line must come before 'http_access deny all'; placing it after the 'deny manager', 'deny !Safe_ports' and 'deny CONNECT !SSL_ports' lines below keeps those restrictions in effect for authenticated users as well:

http_access allow ldap-auth

The default http_access commands are the following:

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
icp_access allow all
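Because http_access order decides the outcome, here is an added Python evaluator (not Squid's own code) for a constructed subset of the acl and http_access lines above. It applies Squid's first-match rule and contrasts placing 'http_access allow ldap-auth' ahead of the defaults with placing it just before 'deny all'; the 407 challenge for a missing proxy_auth credential is simplified to ending the evaluation.

```python
import ipaddress

def parse_config(text):
    # acl values accumulate per name (as in Squid); http_access keeps its order
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if words[:1] == ["acl"]:
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif words[:1] == ["http_access"]:
            rules.append((words[1], words[2:]))
    return acls, rules

def acl_matches(kind, values, req):
    # True/False, or "challenge" for proxy_auth without credentials (Squid: 407)
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":   # a single port or a "low-high" range
        return any(int(v.partition("-")[0]) <= req["port"]
                   <= int(v.partition("-")[2] or v) for v in values)
    if kind == "proxy_auth":
        return True if req.get("user") else "challenge"
    raise ValueError("acl type not modelled here: " + kind)

def decide(acls, rules, req):
    # first http_access line whose terms all match wins; "!" negates a term;
    # when no line matches, Squid applies the opposite of the last action
    for action, terms in rules:
        for term in terms:
            m = acl_matches(*acls[term.lstrip("!")], req)
            if m == "challenge":
                return "challenge"
            if m == term.startswith("!"):    # this term did not match
                break
        else:
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# constructed subset of the page's acl lines and default http_access lines
ACLS = """acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl Safe_ports port 80
acl Safe_ports port 1025-65535
acl ldap-auth proxy_auth REQUIRED
"""
DEFAULTS = ["http_access deny !Safe_ports", "http_access allow localhost",
            "http_access deny all"]

def decide_with_auth_line(auth_line_first, req):
    # "http_access allow ldap-auth" ahead of the defaults, or just before "deny all"
    pos = 0 if auth_line_first else len(DEFAULTS) - 1
    lines = DEFAULTS[:pos] + ["http_access allow ldap-auth"] + DEFAULTS[pos:]
    return decide(*parse_config(ACLS + "\n".join(lines)), req)
```

With the allow line first, an authenticated user may reach a port outside Safe_ports; placed just before 'deny all', the Safe_ports restriction still applies.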

Here we specify which port the Squid proxy listens on:

http_port 3128

Here we send requests on to a cache peer, which is DansGuardian in our example (login=*:nopassword passes the authenticated username along with the forwarded requests):

cache_peer 127.0.0.1 parent 8080 0 no-query login=*:nopassword

Here we specify with a regex which objects should not be requested from neighbour caches:

hierarchy_stoplist cgi-bin ?

The timestamp in the default log format is not very human-readable, so here we specify a readable date and time format for log entries:

logformat squid  %tl %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt

Here we specify where to write log entries:

access_log /var/log/squid/access.log squid

Other default configurations (For more information see original squid.conf):

acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts
coredump_dir /var/spool/squid

Step 3. Configuring Openldap server

Before we configure LDAP, we need to decide on the base DN for our LDAP server. In this example we use dc=mydomain,dc=dyndns,dc=org
Here I describe only the required and/or important directives. Detailed information about all directives can be found here: http://www.openldap.org/doc/admin24/slapdconfig.html
We allow LDAP version 2 connections (only needed for old clients; ldap_auth uses version 3 as configured above):

allow bind_v2

With the 'include' directive we specify the schema definitions; in our example we use 'inetorgperson.schema' and '?'.

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema

Other default directives:

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel        none
modulepath      /usr/lib/ldap
moduleload      back_bdb
sizelimit 500
tool-threads 1

We use bdb (Berkeley DB transactional backend) as the database and backend db:

backend         bdb
database        bdb

Here we specify what is our DN suffix belonging to this database:

suffix          "dc=mydomain,dc=dyndns,dc=org"

Here we specify the DN that is not subject to access control or administrative limit restrictions for operations on this database:

rootdn          "cn=admin,dc=mydomain,dc=dyndns,dc=org"

Here we specify the password for the rootdn. A cleartext value as shown works, but a hashed value generated with slappasswd (for example an {SSHA} hash) avoids keeping the password in clear in slapd.conf:

rootpw secret

Other default directives:

directory       /var/lib/ldap
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index           objectClass eq
lastmod         on
checkpoint      512 30

Here we specify access rights:

access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=mydomain,dc=dyndns,dc=org" write
        by anonymous auth
        by self write
        by * auth
access to dn.base="" by * read
access to *
        by dn="cn=admin,dc=mydomain,dc=dyndns,dc=org" write
        by * read

Step 4. Creating users in Openldap server

We create an ldif file with the following content (in this example it is myldap_data4.ldif):

# Firstname1 Entry
dn: cn=Firstname1 Familyname1,dc=mydomain,dc=dyndns,dc=org
cn: Firstname1 Familyname1
objectClass: person
objectClass: inetOrgPerson
sn: Firstname1
uid: Firstname1
userPassword: 1234

Then we add it with the following command:

ldapadd -x -D "cn=admin,dc=mydomain,dc=dyndns,dc=org" -W -f myldap_data4.ldif

Step 5. Configuring Dansguardian Content Filter for Multiple groups

A good example for multiple groups is VIP access for management or their relatives: they should be allowed to reach more kinds of content than general users.

Here we discuss the parameters used in the dansguardian.conf file, the filtergroupslist file, and the dansguardianf1.conf and dansguardianf2.conf files.

Step 5.1. Configuring dansguardian.conf file

For detailed information see original dansguardian.conf or the website http://contentfilter.futuragts.com/wiki/doku.php

reportinglevel = 3
languagedir = '/etc/dansguardian/languages'
language = 'ukenglish'
loglevel = 3
logexceptionhits = on
logfileformat = 1
filterip =

Here we specify the port DansGuardian listens on (this is the port referenced by cache_peer in squid.conf) and the address and port of the Squid proxy it forwards to:

filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128
accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'
nonstandarddelimiter = on
usecustombannedimage = 1
custombannedimagefile = '/etc/dansguardian/transparent1x1.gif'

We can set different rules for different groups. In this example we use two groups:

filtergroups = 2

Here we specify the file that contains which user belongs to which group.

filtergroupslist = '/etc/dansguardian/filtergroupslist'

Here we specify the lists that will be used for filtering and exceptions:

bannediplist = '/etc/dansguardian/bannediplist'
exceptioniplist = '/etc/dansguardian/exceptioniplist'
banneduserlist = '/etc/dansguardian/banneduserlist'
exceptionuserlist = '/etc/dansguardian/exceptionuserlist'

Other default configurations:

showweightedfound = on
weightedphrasemode = 2
urlcachenumber = 3000
urlcacheage = 900
phrasefiltermode = 2
preservecase = 0
hexdecodecontent = 0
forcequicksearch = 0
reverseaddresslookups = off
reverseclientiplookups = off
createlistcachefiles = on
maxuploadsize = -1
maxcontentfiltersize = 256

Here we specify that proxy authentication will be used for obtaining user IDs:

usernameidmethodproxyauth = on
usernameidmethodntlm = off # **NOT IMPLEMENTED**
usernameidmethodident = off
preemptivebanning = on
forwardedfor = off
usexforwardedfor = off
logconnectionhandlingerrors = on
maxchildren = 120
minchildren = 8
minsparechildren = 4
preforkchildren = 6
maxsparechildren = 32
maxagechildren = 500
ipcfilename = '/tmp/.dguardianipc'
urlipcfilename = '/tmp/.dguardianurlipc'
nodaemon = off
nologger = off
softrestart = off

DansGuardian uses ClamAV as the antivirus engine in this example:

virusscan = on
virusengine = 'clamav'
tricklelength = 32768
forkscanlength = 32768
firsttrickledelay = 10
followingtrickledelay = 10
maxcontentscansize = 41904304
virusscanexceptions = on
urlcachecleanonly = on
virusscannertimeout = 60
notify = 0
emaildomain = 'your.domain.com'
postmaster = 'postmaster@your.domain.com'
emailserver = '127.0.0.1:25'
downloaddir = '/tmp/dgvirus'
clmaxfiles = 1500
clmaxreclevel = 3
clmaxfilesize = 10485760
clblockencryptedarchives = off
cldetectbroken = off
clamdsocket = '/tmp/clamd'
avesocket = '/var/run/aveserver'
trophiesocket = '/var/run/trophie'
sophiesocket = '/var/run/sophie'
icapsocket = 'localhost:1344'
icapservice = 'icap://localhost/avscan'

Step 5.2. Configuring filtergroupslist file

Here is our example filtergroupslist file output (all users default to filter group 1):

# Filter Groups List file for DansGuardian
#
# Format is <user>=filter<1-99> where 1-99 are the groups
#
# Eg:
# daniel=filter2
#
# This file is only of use if you have more than 1 filter group
#
Firstname1=filter1
Firstname2=filter2

Step 5.3. Configuring dansguardianf1.conf file

Here is the content of our dansguardianf1.conf file:

bannedphraselist = '/etc/dansguardian/bannedphraselist'
weightedphraselist = '/etc/dansguardian/weightedphraselist'
exceptionphraselist = '/etc/dansguardian/exceptionphraselist'
bannedsitelist = '/etc/dansguardian/bannedsitelist'
greysitelist = '/etc/dansguardian/greysitelist'
exceptionsitelist = '/etc/dansguardian/exceptionsitelist'
bannedurllist = '/etc/dansguardian/bannedurllist'
greyurllist = '/etc/dansguardian/greyurllist'
exceptionurllist = '/etc/dansguardian/exceptionurllist'
bannedregexpurllist = '/etc/dansguardian/bannedregexpurllist'
bannedextensionlist = '/etc/dansguardian/bannedextensionlist'
bannedmimetypelist = '/etc/dansguardian/bannedmimetypelist'
picsfile = '/etc/dansguardian/pics'
contentregexplist = '/etc/dansguardian/contentregexplist'
naughtynesslimit = 50
bypass = 0
bypasskey = ''
virusscan = on
exceptionvirusextensionlist = '/etc/dansguardian/exceptionvirusextensionlist'
exceptionvirusmimetypelist = '/etc/dansguardian/exceptionvirusmimetypelist'
exceptionvirussitelist = '/etc/dansguardian/exceptionvirussitelist'
exceptionvirusurllist = '/etc/dansguardian/exceptionvirusurllist'
dlmgrextensionlist = '/etc/dansguardian/dlmgrextensionlist'

Step 5.4. Configuring dansguardianf2.conf file

Here is the content of our dansguardianf2.conf file. In this example we specified the exceptionsitelist2 file as exceptionsitelist, so group 2 and group 1 each have their own list.

bannedphraselist = '/etc/dansguardian/bannedphraselist'
weightedphraselist = '/etc/dansguardian/weightedphraselist'
exceptionphraselist = '/etc/dansguardian/exceptionphraselist'
bannedsitelist = '/etc/dansguardian/bannedsitelist'
greysitelist = '/etc/dansguardian/greysitelist'
exceptionsitelist = '/etc/dansguardian/exceptionsitelist2'
bannedurllist = '/etc/dansguardian/bannedurllist'
greyurllist = '/etc/dansguardian/greyurllist'
exceptionurllist = '/etc/dansguardian/exceptionurllist'
bannedregexpurllist = '/etc/dansguardian/bannedregexpurllist'
bannedextensionlist = '/etc/dansguardian/bannedextensionlist'
bannedmimetypelist = '/etc/dansguardian/bannedmimetypelist'
picsfile = '/etc/dansguardian/pics'
contentregexplist = '/etc/dansguardian/contentregexplist'
naughtynesslimit = 50
bypass = 0
bypasskey = ''
virusscan = on
exceptionvirusextensionlist = '/etc/dansguardian/exceptionvirusextensionlist'
exceptionvirusmimetypelist = '/etc/dansguardian/exceptionvirusmimetypelist'
exceptionvirussitelist = '/etc/dansguardian/exceptionvirussitelist'
exceptionvirusurllist = '/etc/dansguardian/exceptionvirusurllist'
dlmgrextensionlist = '/etc/dansguardian/dlmgrextensionlist'

Step 5.5. Configuring exceptionsitelist2 file

This file is referenced in the dansguardianf2.conf file by the exceptionsitelist parameter.

In this example we configure that group 2, which uses the exceptionsitelist2 file, can reach playboy.com, while group 1 cannot (we do not list 'playboy.com' in the exceptionsitelist file that dansguardianf1.conf references with the exceptionsitelist parameter).

#Sites in exception list
#Don't bother with the www. or
#the http://
#
#These are specifically domains and are not URLs.
#For example 'foo.bar/porn/' is no good, you need
#to just have 'foo.bar'.
#
#You can also match IPs here too.
#
#As of DansGuardian 2.7.3 you can now include
#.tld so for example you can match .gov for example

dansguardian.org
windowsupdate.microsoft.com
playboy.com
windowsupdate.com
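As an added example for Steps 5.2 and 5.5 (not DansGuardian's own code), the following Python reproduces the per-user decision: map the user to a filter group via filtergroupslist (unlisted users default to group 1), then consult that group's exceptionsitelist, so playboy.com is excepted for Firstname2 but not for Firstname1. The list files are constructed copies embedded inline, and the domain matching follows the comments in the list file (an entry matches the host and anything below it, '.tld' entries match a whole TLD).

```python
# constructed copies of the page's list files, embedded so this runs offline
FILTERGROUPSLIST = """# Format is <user>=filter<1-99> where 1-99 are the groups
Firstname1=filter1
Firstname2=filter2
"""
# exceptionsitelist (group 1) and exceptionsitelist2 (group 2): only the
# second one lists playboy.com, as in Step 5.5
EXCEPTIONSITELISTS = {
    1: "dansguardian.org\nwindowsupdate.microsoft.com\nwindowsupdate.com\n",
    2: "dansguardian.org\nwindowsupdate.microsoft.com\nplayboy.com\nwindowsupdate.com\n",
}
FILTERGROUPS = 2   # filtergroups = 2 in dansguardian.conf

def parse_list(text):
    # DansGuardian list files: one entry per line, '#' starts a comment
    return [e for e in (raw.split("#", 1)[0].strip() for raw in text.splitlines()) if e]

def filter_group(username, groupslist_text):
    # user=filterN entries; users not listed get group 1 (the default), and a
    # group number outside 1..filtergroups is treated as group 1 (assumption)
    for entry in parse_list(groupslist_text):
        user, _, group = entry.partition("=")
        if user == username and group.startswith("filter") and group[6:].isdigit():
            n = int(group[6:])
            return n if 1 <= n <= FILTERGROUPS else 1
    return 1

def site_excepted(host, entries):
    # entries are domains, not URLs: an entry matches the host itself and any
    # host below it (so "www." need not be listed); ".tld" entries match a TLD
    entries = {e.lower() for e in entries}
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):            # host, then each parent domain
        if ".".join(labels[i:]) in entries:
            return True
    return "." + labels[-1] in entries

def allowed_by_exception(username, host):
    # the decision made per request: pick the user's group (f1/f2 config),
    # then consult that group's exceptionsitelist
    group = filter_group(username, FILTERGROUPSLIST)
    return site_excepted(host, parse_list(EXCEPTIONSITELISTS[group]))
```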

That's it! A short test and it is ready.

Posted in: Linux, proxy, Security