Squid with Kerberos Active Directory and SquidGuard (with Active Directory too, and Groups)
## Debian 12 US - 01/01/2024
##
## assuming your default user is "debian"
## assuming your Windows Server 2016 minimum is the CA for the domain
## you have to issue a certificate from your CA to proxy.yourdomain.local (for CN and DNS alt name. You can add IP alt name)
## (build a CSR with an online tool and KEEP the private key
## !! you also need to enable the option which says this certificate will be used to issue other certificate) !!
##
## COMPUTER NAME of the proxy differs from the value used for proxy settings :
## computer name : LINUX01(.yourdomain.local)
## proxy settings : proxy.yourdomain.local:3128
##
## you have to create DNS records with PTR for those 2 above values
## you have to create a domain user "squid" with complex password (keep it)
## you have to create some dedicated groups in AD and populate them with some users :
## GL_WEB_UNRESTRICTED
## GL_WEB_FILTERED
## GL_WEB_DENIED
## GL_WEB_LEVEL1
##
## setup Debian with only "SSH Server" and "Minimal Tools" (last option which should already be ticked)
##
## after install, connect with ssh and USER username with the password you entered during Debian installation
## Command to be able to multiline paste
## Command to be able to multiline paste
bind 'set enable-bracketed-paste off'
## creating folder and paste ssh public key
## NOTE(review): with the default umask these end up 755/644, which sshd accepts; the conventional
## permissions are 700 for ~/.ssh and 600 for authorized_keys (chmod them after this step)
mkdir .ssh
echo "ssh-rsa YOUR-PUBLIC-KEY" > .ssh/authorized_keys
## customize USER prompt
## note: ${debian_chroot:+...} sits inside double quotes, so it is expanded by the shell running this
## echo (where debian_chroot is normally unset) rather than at login; the written PS1 therefore
## starts at "[ ". Escape the "$" (or use a quoted here-doc) if the chroot marker is wanted.
echo "export PS1='${debian_chroot:+($debian_chroot)}[ \[\e[1;32m\]\u\[\e[m\] @ \[\e[1;32m\]\h\[\e[m\] : \[\e[1;36m\]\w\[\e[m\] ] \[\e[1;34m\]\A\[\e[m\] \\$ '" >> .bashrc
## more customizations
echo 'set completion-ignore-case on' >> .inputrc
echo 'set enable-bracketed-paste off' >> .inputrc
## getting root access
## everything from here until the "close and restart current ssh session" step runs in root's shell
su - ## enter root password as configured during install
bind 'set enable-bracketed-paste off'
mkdir .ssh
echo "ssh-rsa YOUR-PUBLIC-KEY" > .ssh/authorized_keys
## customize ROOT prompt (same ${debian_chroot} expansion caveat as the user prompt above)
echo "export PS1='${debian_chroot:+($debian_chroot)}[ \[\e[1;31m\]\u\[\e[m\] @ \[\e[1;32m\]\h\[\e[m\] : \[\e[1;36m\]\w\[\e[m\] ] \[\e[1;34m\]\A\[\e[m\] \\$ '" >> .bashrc
echo 'set completion-ignore-case on' >> .inputrc
echo 'set enable-bracketed-paste off' >> .inputrc
## editing sudoers file for no password asked for user
## NOTE(review): NOPASSWD:ALL makes the "debian" account equivalent to root for whoever holds its
## SSH private key; keep it only if that key is protected, otherwise drop the "NOPASSWD:" tag
visudo ## choose nano
## add this at the end of the file
debian ALL=(ALL) NOPASSWD:ALL
## save and exit
## if your debian is not sending its real mac address :
echo "send dhcp-client-identifier = hardware;" >> /etc/dhcp/dhclient.conf
systemctl restart networking
## if you're using an old bad rsa key like I am : (copy paste the 4 lines)
## NOTE(review): this re-enables the SHA-1 based "ssh-rsa" signature scheme that OpenSSH disables
## by default; generating a fresh key (ed25519) removes the need for this file
cat > /etc/ssh/sshd_config.d/enable_rsa_keys.conf << EOF
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
EOF
systemctl restart ssh
## close and restart current ssh session to apply new settings
## connect as root with the private key associated to public key (rsa or not)
## install the Windows CA certificate :
cd /usr/local/share/ca-certificates/
nano my_CA.crt
## paste the content of your CA file in base64 format (cer, crt)
## (certificate only: this directory feeds the system trust store, the CA private key must never be put here)
## save and exit
nano /etc/ssl/certs/proxy.yourdomain.local.pem
## paste the content of your proxy server certificate file in base64 format (cer, crt)
## save and exit
nano /etc/ssl/private/proxy.yourdomain.local.key
## paste the content of your proxy server private key in base64 format (key, txt)
## save and exit (nano creates the file with the current umask; on Debian the directory itself is
## normally not world-accessible, a chmod 600 on the key file is still the conventional setting)
## this command create a symbolic link in /etc/ssl/certs
## (the link is /etc/ssl/certs/my_CA.pem -> the my_CA.crt created above; anything written through
## that path lands in the trust-store source file)
update-ca-certificates
apt update
## install required packages
apt install -y wget krb5-user dnsutils ntp adcli msktutil squid-openssl ldap-utils squidguard
## generate SSL DataBase for squid
## (store for the certificates squid mints for bumped sites, capped at 4MB)
/usr/lib/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 4MB
## give proxy user authorization to access the DB folder
chown -R proxy:proxy /var/spool/squid
## MANDATORY !!
## NTP Configuration for time to be synced with Domain Controller
## (Kerberos rejects tickets when client and KDC clocks differ by more than the skew limit, typically 5 minutes on AD)
nano /etc/ntpsec/ntp.conf
## comment the 4 lines starting with "pool ..." and add this one at the end of the file :
server myDC.yourdomain.local
## restart NTP service
service ntp restart
## wait 5 seconds
## check NTP sync :
ntpq -p
## kerberos config file modification
## backup original file
mv /etc/krb5.conf /etc/krb5.conf.bak
nano /etc/krb5.conf
## copy paste all text below those comments
## keep default_keytab_name commented at this step
##
[logging]
default = FILE:/var/log/krb5.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
[libdefaults]
default_realm = YOURDOMAIN.LOCAL
dns_lookup_kdc = no
dns_lookup_realm = no
default_tgs_enctypes = aes256-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96
# default_keytab_name = /etc/squid/squid.keytab
[realms]
YOURDOMAIN.LOCAL = {
kdc = myDC.yourdomain.local
admin_server = myDC.yourdomain.local
default_domain = yourdomain.local
}
[domain_realm]
.yourdomain.local = YOURDOMAIN.LOCAL
yourdomain.local = YOURDOMAIN.LOCAL
##
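## check if domain is accessible :
adcli info YOURDOMAIN.LOCAL --verbose
## if YES, then join the domain :
## enter administrator password when asked
## NOTE(review): "[email protected]" below (and elsewhere on this page) is how the gist viewer renders
## an address; the real value is the user@REALM account used for the join.
adcli join --domain-realm=YOURDOMAIN.LOCAL --domain-ou="CN=Computers,DC=yourdomain,DC=local" --computer-name LINUX01 --service-name=HTTP [email protected] --show-details --os-name="Debian" --os-version="12" --verbose
## 1. When successfully done, you HAVE TO ADD a new SPN value to your new computer object in AD :
##
## HTTP/proxy.yourdomain.local
##
## 2. !!! YOU NEED TO ACTIVATE KERBEROS DELEGATION ON THE COMPUTER OBJECT
##    NOTE(review): if delegation is really required, use constrained delegation (to the specific
##    services, e.g. the DC's LDAP) rather than "trust this computer for delegation to any service":
##    with unconstrained delegation, a compromise of this proxy can impersonate every user who
##    authenticated through it, to any service in the domain.
##
## THESE 2 STEPS ARE MANDATORY
## to check current SPN in the generated keytab :
klist -ket /etc/squid/squid.keytab
## to check if domain join is successful
adcli testjoin --verbose
## then, after you added the new SPN value, we need to update the keytab
## initiate a kerberos connection, type your windows administrator password when asked :
kinit [email protected]
## to check if you have a valid kerberos ticket
klist
## update the keytab with current kerberos ticket
## (--enctypes 0x10 = AES256 only, matching the permitted_enctypes set in krb5.conf above)
msktutil -c -b "CN=Computers,DC=yourdomain,DC=local" -s HTTP/LINUX01.YOURDOMAIN.LOCAL -k /etc/squid/squid.keytab --computer-name LINUX01 --upn HTTP/[email protected] --server myDC.yourdomain.local --user-creds-only --verbose --enctypes 0x10
## DESTROY current kerberos ticket
kdestroy
## to check current SPN in the generated keytab :
klist -ket /etc/squid/squid.keytab
## check values. you need to see the new SPN you've added
## (prove the keytab can obtain a ticket for the proxy SPN, then drop that test ticket from root's cache)
kinit -k -t /etc/squid/squid.keytab HTTP/proxy.yourdomain.local
kdestroy
## give proxy user authorization to access the keytab file
chown proxy:proxy /etc/squid/squid.keytab
## the keytab is the service's long-term key: only the proxy user (squid's helpers) needs to read it;
## the msktutil --auto-update cron job further down runs as root and is not affected
chmod 600 /etc/squid/squid.keytab
## remove the hashtag for the squid keytab in this file :
nano /etc/krb5.conf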
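## CA bundle (certificate + private key) squid uses to mint certificates for bumped sites - paste YOUR real CA :
## NOTE(review): /etc/ssl/certs/my_CA.pem is the symlink update-ca-certificates created above, pointing
## into /usr/local/share/ca-certificates/; writing the bundle below through that path would put the CA
## PRIVATE KEY into the trust-store source file (world-readable, and concatenated into the CA bundle on
## the next update-ca-certificates run). Squid does need the key (generate-host-certificates=on), so the
## bundle goes to its own file, owned by the proxy user and readable by nobody else.
## (/etc/squid/my_CA_bundle.pem is a constructed name; any path outside the trust store works, keep it
## in sync with "cert=" in the http_port line below.)
## The pasted material is a self-signed CA (subject = issuer) plus its key: if that is the domain's root
## CA, its key now lives on the proxy - the dedicated sub-CA issued to proxy.yourdomain.local at the top
## of this page (the "can issue other certificates" option) is the safer thing to use here.
cat <<'EOF' > /etc/squid/my_CA_bundle.pem
Bag Attributes
Microsoft Local Key set: <No Values>
localKeyID: 01 00 00 00
friendlyName: my_CA
Microsoft CSP Name: Microsoft Software Key Storage Provider
Key Attributes
X509v3 Key Usage: 80
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCbyBiSMxP5AffZ
6dUDW5+roGJ273DynmztPQUrP78q0CI6CJFBhLzciWRJhqivAVu398uuKFx7IT3R
[...]
6wKluMjQArdlmX9pZDCzAnoVeXEjt6+RqLAieNSSSflb+0bpYfYMoccp0QX9FZWa
N6keY3CsQrQM8z/gcGHpk2z250rKfUq580wJWA2omnS9wn/H22iutUAhWPb+B3N6
uyJmGeqcBVsH9nvJlMcWCBsu
-----END PRIVATE KEY-----
Bag Attributes
localKeyID: 01 00 00 00
subject=/DC=local/DC=yourdomain/CN=my_CA
issuer=/DC=local/DC=yourdomain/CN=my_CA
-----BEGIN CERTIFICATE-----
MIIDYTCCAkmgAwIBAgIQXNX8B3stv5NMNeFLiRP0fjANBgkqhkiG9w0BAQsFADBD
MRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxFjAUBgoJkiaJk/IsZAEZFgZjb3JlbWUx
EjAQBgNVBAMTCWNvcmVtZS1DQTAeFw0yMzEwMjcyMDU2MzRaFw0zMDEwMjcyMTA2
[...]
0Ti0wkIzRG7prFft7j4QVgdZBUJ2l0pd5moXTqJ8DNnh3FVm7zAXD+RicMYWG2KQ
OAQzsEBlhxKjiBuoa/vleqXq33pKaM3fIL1qHEUYoGv4Bzw6/ddkSLeqESVvqYXG
zc6++l8=
-----END CERTIFICATE-----
EOF
## private key inside: owner-only access for the proxy user
chown proxy:proxy /etc/squid/my_CA_bundle.pem
chmod 600 /etc/squid/my_CA_bundle.pem
## backup squid default config file
mv /etc/squid/squid.conf /etc/squid/squid.conf.bak
## remove comments line into new file
grep -vE "^#|^$" /etc/squid/squid.conf.bak > /etc/squid/squid.conf
## edit Squid conf file to add some options :
nano /etc/squid/squid.conf
##
## ...
acl Safe_ports port 777 ## existing, add those 2 lines below :
acl CONNECT method CONNECT
acl step1 at_step SslBump1
## ...
http_access deny manager ## existing, add those 3 lines below :
#ssl_bump peek step1
ssl_bump bump all
#ssl_bump splice all
## ...
http_access deny all ## existing, edit and add below :
http_port 3128 ssl-bump generate-host-certificates=on tls-default-ca=on connection-auth=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/my_CA_bundle.pem options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,SINGLE_DH_USE,SINGLE_ECDH_USE
cache_mgr [email protected]
visible_hostname proxy.yourdomain.local
cache_mem 2048 MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
## NOTE(review): "allow all" makes squid accept any failing upstream certificate (expired, wrong name,
## untrusted issuer) and re-sign it with your CA, so browsers show a valid padlock for sites that did
## not validate. Prefer an acl naming only the internal hosts that need the exception.
sslproxy_cert_error allow all
## [...] existing lines
## END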
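nano /etc/squid/conf.d/yourdomain.conf
## copy paste all below :
##
error_directory /usr/share/squid/errors/fr
auth_param basic realm YOURDOMAIN - Squid Proxy-Caching Web Server
auth_param basic credentialsttl 1 hours
## -d for debug / -i for info
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -r -s HTTP/[email protected] -s GSS_C_NO_NAME -k /etc/squid/squid.keytab
auth_param negotiate children 16
auth_param negotiate keep_alive on
## queries to AD groups
## -d for debug / -i for info
## NOTE(review): -u/-p put the squid account's password on the helper command line, where every local
## account can read it in the process list while squid runs. The helper is presumably meant to bind with
## the -P principal from the keytab, -u/-p being a fallback - confirm in its man page and drop them if
## the Kerberos bind works. Rotate the password if a copy of this file was ever published with it.
external_acl_type kerberos_ldap_group1 ttl=3600 negative_ttl=3600 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -l ldap://myDC.yourdomain.local:389 -S [email protected] -D YOURDOMAIN.LOCAL -P HTTP/[email protected] -u [email protected] -p 71f4e3af1cb217c554D3a7e!!bc947e181650bb6aca5c802a3d514ac2775cf -g [email protected]
external_acl_type kerberos_ldap_group2 ttl=3600 negative_ttl=3600 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -l ldap://myDC.yourdomain.local:389 -S [email protected] -D YOURDOMAIN.LOCAL -P HTTP/[email protected] -u [email protected] -p 71f4e3af1cb217c554D3a7e!!bc947e181650bb6aca5c802a3d514ac2775cf -g [email protected]
external_acl_type kerberos_ldap_group3 ttl=3600 negative_ttl=3600 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -l ldap://myDC.yourdomain.local:389 -S [email protected] -D YOURDOMAIN.LOCAL -P HTTP/[email protected] -u [email protected] -p 71f4e3af1cb217c554D3a7e!!bc947e181650bb6aca5c802a3d514ac2775cf -g [email protected]
external_acl_type kerberos_ldap_group4 ttl=3600 negative_ttl=3600 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -l ldap://myDC.yourdomain.local:389 -S [email protected] -D YOURDOMAIN.LOCAL -P HTTP/[email protected] -u [email protected] -p 71f4e3af1cb217c554D3a7e!!bc947e181650bb6aca5c802a3d514ac2775cf -g [email protected]
acl GL_WEB_UNRESTRICTED external kerberos_ldap_group1
acl GL_WEB_FILTERED external kerberos_ldap_group2
acl GL_WEB_DENIED external kerberos_ldap_group3
acl GL_WEB_LEVEL1 external kerberos_ldap_group4
deny_info ERR_ACCESS_DENIED GL_WEB_DENIED
deny_info ERR_ACCESS_DENIED !authenticated_users
acl MY_LAN src 192.168.10.0/24 ## ADAPT THIS TO YOUR LAN
acl authenticated_users proxy_auth REQUIRED
http_access deny !authenticated_users
http_access deny GL_WEB_DENIED
http_access allow MY_LAN authenticated_users GL_WEB_UNRESTRICTED
http_access allow MY_LAN authenticated_users GL_WEB_FILTERED
http_access allow MY_LAN authenticated_users GL_WEB_LEVEL1
#http_access allow MY_LAN authenticated_users ## TO BY PASS GROUP SELECTION, REMOVE 3 LINES ABOVE AND KEEP THIS ONE
## END
## save and exit; the file carries that password in clear, so leave it readable by root and the proxy user only
chown root:proxy /etc/squid/conf.d/yourdomain.conf
chmod 640 /etc/squid/conf.d/yourdomain.conf
## check if this command is ok before adding it to crontab
msktutil --auto-update -k /etc/squid/squid.keytab --server myDC.yourdomain.local --no-reverse-lookups --enctypes 0x10 --verbose
## every 15 days :
crontab -e
## paste next line at the end :
0 5 15 * * msktutil --auto-update -k /etc/squid/squid.keytab --server myDC.yourdomain.local --no-reverse-lookups --enctypes 0x10 --verbose | logger -t msktutil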
## SETUP SQUIDGUARD
##
## getting blacklist files
mkdir /opt/3rdparty
cd /opt/3rdparty
## fetched over https; keep this same URL for the periodic refresh script further down
wget --timestamping https://dsi.ut-capitole.fr/blacklists/download/blacklists.tar.gz
## extraction runs as root: this relies on tar's default handling of absolute and ".." member names
## (GNU tar strips or refuses them unless told otherwise) - presumably fine on Debian's tar
tar xzf blacklists.tar.gz
cp -R blacklists/* /var/lib/squidguard/db/
## backup original squidguard config file
mv /etc/squidguard/squidGuard.conf /etc/squidguard/squidGuard.conf.bak
## give proxy user authorization to access logs and DB folders
chown -R proxy:proxy /var/log/squid /var/lib/squidguard
## edit squidguard conf file to paste your config :
## NOTE(review): the pasted config binds to ldap://myDC...:389 with ldapbindpass, i.e. a simple bind;
## unless the DC enforces signing/TLS that password crosses the LAN in clear on every lookup -
## presumably ldaps:// (636) is available on a CA-backed domain, confirm and prefer it.
## Once saved, keep the file readable by root and the proxy user only (it holds the password).
nano /etc/squidguard/squidGuard.conf
dbhome /var/lib/squidguard/db
logdir /var/log/squid
ldapbinddn [email protected]
ldapbindpass "71f4e3af1cb217c554D3a7e!!bc947e181650bb6aca5c802a3d514ac2775cf"
ldapprotover 3
ldapcachetime 300
src GL_WEB_UNRESTRICTED {
ldapusersearch ldap://myDC.yourdomain.local:389/CN=Users,DC=yourdomain,DC=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=GL_WEB_UNRESTRICTED,CN=Users,DC=yourdomain,DC=local))
}
src GL_WEB_FILTERED {
ldapusersearch ldap://myDC.yourdomain.local:389/CN=Users,DC=yourdomain,DC=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=GL_WEB_FILTERED,CN=Users,DC=yourdomain,DC=local))
}
src GL_WEB_DENIED {
ldapusersearch ldap://myDC.yourdomain.local:389/CN=Users,DC=yourdomain,DC=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=GL_WEB_DENIED,CN=Users,DC=yourdomain,DC=local))
}
src GL_WEB_LEVEL1 {
ldapusersearch ldap://myDC.yourdomain.local:389/CN=Users,DC=yourdomain,DC=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=GL_WEB_LEVEL1,CN=Users,DC=yourdomain,DC=local))
}
##
## DESTINATIONS
##
dest gmail {
domainlist custom/gmail
}
dest adult {
domainlist adult/domains
expressionlist adult/expressions
urllist adult/urls
}
dest agressif {
domainlist agressif/domains
expressionlist agressif/expressions
urllist agressif/urls
}
dest arjel {
domainlist arjel/domains
}
dest associations_religieuses {
domainlist associations_religieuses/domains
}
dest astrology {
domainlist astrology/domains
urllist astrology/urls
}
dest audio-video {
domainlist audio-video/domains
urllist audio-video/urls
}
dest bank {
domainlist bank/domains
}
dest bitcoin {
domainlist bitcoin/domains
urllist bitcoin/urls
}
dest blog {
domainlist blog/domains
urllist blog/urls
}
dest celebrity {
domainlist celebrity/domains
urllist celebrity/urls
}
dest chat {
domainlist chat/domains
urllist chat/urls
}
dest child {
domainlist child/domains
urllist child/urls
}
dest cleaning {
domainlist cleaning/domains
urllist cleaning/urls
}
dest cooking {
domainlist cooking/domains
}
dest cryptojacking {
domainlist cryptojacking/domains
urllist cryptojacking/urls
}
dest dangerous_material {
domainlist dangerous_material/domains
urllist dangerous_material/urls
}
dest dating {
domainlist dating/domains
urllist dating/urls
}
dest ddos {
domainlist ddos/domains
}
dest dialer {
domainlist dialer/domains
}
dest doh {
domainlist doh/domains
urllist doh/urls
}
dest download {
domainlist download/domains
urllist download/urls
}
dest drogue {
domainlist drogue/domains
urllist drogue/urls
}
dest educational_games {
domainlist educational_games/domains
urllist educational_games/urls
}
dest filehosting {
domainlist filehosting/domains
urllist filehosting/urls
}
dest financial {
domainlist financial/domains
urllist financial/urls
}
dest forums {
domainlist forums/domains
expressionlist forums/expressions
urllist forums/urls
}
dest gambling {
domainlist gambling/domains
urllist gambling/urls
}
dest games {
domainlist games/domains
urllist games/urls
}
dest hacking {
domainlist hacking/domains
urllist hacking/urls
}
dest jobsearch {
domainlist jobsearch/domains
urllist jobsearch/urls
}
dest lingerie {
domainlist lingerie/domains
urllist lingerie/urls
}
dest malware {
domainlist malware/domains
expressionlist malware/expressions
urllist malware/urls
}
dest manga {
domainlist manga/domains
urllist manga/urls
}
dest marketingware {
domainlist marketingware/domains
urllist marketingware/urls
}
dest mixed_adult {
domainlist mixed_adult/domains
urllist mixed_adult/urls
}
dest mobile-phone {
domainlist mobile-phone/domains
urllist mobile-phone/urls
}
dest phishing {
domainlist phishing/domains
urllist phishing/urls
}
dest press {
domainlist press/domains
urllist press/urls
}
dest publicite {
domainlist publicite/domains
expressionlist publicite/expressions
urllist publicite/urls
}
dest radio {
domainlist radio/domains
urllist radio/urls
}
dest reaffected {
domainlist reaffected/domains
urllist reaffected/urls
}
dest redirector {
domainlist redirector/domains
expressionlist redirector/expressions
urllist redirector/urls
}
dest remote-control {
domainlist remote-control/domains
urllist remote-control/urls
}
dest sect {
domainlist sect/domains
urllist sect/urls
}
dest sexual_education {
domainlist sexual_education/domains
urllist sexual_education/urls
}
dest shopping {
domainlist shopping/domains
urllist shopping/urls
}
dest shortener {
domainlist shortener/domains
urllist shortener/urls
}
dest social_networks {
domainlist social_networks/domains
urllist social_networks/urls
}
dest sports {
domainlist sports/domains
urllist sports/urls
}
dest stalkerware {
domainlist stalkerware/domains
}
dest strict_redirector {
domainlist strict_redirector/domains
expressionlist strict_redirector/expressions
urllist strict_redirector/urls
}
dest strong_redirector {
domainlist strong_redirector/domains
expressionlist strong_redirector/expressions
urllist strong_redirector/urls
}
dest translation {
domainlist translation/domains
urllist translation/urls
}
dest tricheur {
domainlist tricheur/domains
urllist tricheur/urls
}
dest update {
domainlist update/domains
urllist update/urls
}
dest vpn {
domainlist vpn/domains
}
dest warez {
domainlist warez/domains
expressionlist warez/expressions
urllist warez/urls
}
dest webmail {
domainlist webmail/domains
urllist webmail/urls
}
## DESTINATIONS END
##
## ACL
##
acl {
GL_WEB_UNRESTRICTED {
pass !publicite !in-addr all
}
GL_WEB_LEVEL1 {
pass gmail social_networks
pass !adult !agressif !arjel !associations_religieuses !astrology !audio-video !bank !bitcoin !blog !celebrity !chat !child !cleaning !cooking
pass !cryptojacking !dangerous_material !dating !ddos !dialer !doh !download !drogue !educational_games !filehosting !financial !forums !gambling
pass !games !hacking !jobsearch !lingerie !malware !manga !marketingware !mixed_adult !mobile-phone !phishing !press !publicite !radio !reaffected
pass !redirector !remote-control !sect !sexual_education !shopping !shortener !sports !stalkerware !strict_redirector !strong_redirector
pass !translation !tricheur !vpn !warez !webmail
pass !in-addr all
redirect https://proxy.yourdomain.local/squidGuard-simple.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u&targetgroup=%t
}
GL_WEB_FILTERED {
pass !adult !agressif !arjel !associations_religieuses !astrology !audio-video !bank !bitcoin !blog !celebrity !chat !child !cleaning !cooking
pass !cryptojacking !dangerous_material !dating !ddos !dialer !doh !download !drogue !educational_games !filehosting !financial !forums !gambling
pass !games !hacking !jobsearch !lingerie !malware !manga !marketingware !mixed_adult !mobile-phone !phishing !press !publicite !radio !reaffected
pass !redirector !remote-control !sect !sexual_education !shopping !shortener !social_networks !sports !stalkerware !strict_redirector !strong_redirector
pass !translation !tricheur !vpn !warez !webmail
pass !in-addr all
redirect https://proxy.yourdomain.local/squidGuard-simple.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u&targetgroup=%t
#redirect https://proxy.yourdomain.local/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u&targetgroup=%t
}
GL_WEB_DENIED {
pass !in-addr none
redirect https://proxy.yourdomain.local/squidGuard-denied.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u&targetgroup=%t
}
default {
pass update !in-addr none
redirect https://proxy.yourdomain.local/loggedoff.html
}
}
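##
## END
## DEFAULT section is for non authenticated users - create the HTML page accordingly
## folder to be created next : /var/www/proxy.yourdomain.local_https/loggedoff.html
## the config pasted above holds ldapbindpass in clear: root and the proxy user (which runs
## squidGuard as squid's url_rewrite helper) are the only readers needed
chown root:proxy /etc/squidguard/squidGuard.conf
chmod 640 /etc/squidguard/squidGuard.conf
## THIS COMMAND will update squidguard db and restart squid
update-squidguard -v
## edit squid.conf file
nano /etc/squid/squid.conf
## add those 2 lines at the end of the file
url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
url_rewrite_children 10
## save and exit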
## Apache CGI for SquidGuard error pages :
apt install -y apache2
## creating folders for HTTP and HTTPS internal websites
cp -R /var/www/html /var/www/proxy.yourdomain.local_http
cp -R /var/www/html /var/www/proxy.yourdomain.local_https
mkdir /var/www/proxy.yourdomain.local_https/images
## copy/download a gif and a jpeg into the newly created "images" directory
## one with the logo of your company
## one with a blocked symbol to be shown to blocked users
## enable apache CGI module
a2enmod cgi ssl
## add conf files for your internal sites
## NOTE(review): ExecCGI + AddHandler on the DocumentRoot means any .cgi/.pl file placed there gets
## executed by Apache; keep the directory root-owned and writable by nobody else. Every blocked
## request is redirected to this https vhost, so it is reachable by all proxy users.
cat <<'EOF' > /etc/apache2/sites-available/proxy.yourdomain.local_https.conf
<VirtualHost proxy.yourdomain.local:443>
ServerName proxy.yourdomain.local
ServerAdmin [email protected]
DocumentRoot /var/www/proxy.yourdomain.local_https
<Directory "/var/www/proxy.yourdomain.local_https">
Options +ExecCGI
AddHandler cgi-script .cgi .pl
</Directory>
ErrorLog ${APACHE_LOG_DIR}/proxy.yourdomain.local_https_error.log
CustomLog ${APACHE_LOG_DIR}/proxy.yourdomain.local_https_access.log combined
SSLCertificateFile /etc/ssl/certs/proxy.yourdomain.local.pem
SSLCertificateKeyFile /etc/ssl/private/proxy.yourdomain.local.key
SSLEngine on
<FilesMatch "\.(?:cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
EOF
## plain-http site (no ExecCGI here); "[email protected]" is how the gist viewer rendered the admin address
cat <<'EOF' > /etc/apache2/sites-available/proxy.yourdomain.local_http.conf
<VirtualHost proxy.yourdomain.local:80>
ServerName proxy.yourdomain.local
ServerAdmin [email protected]
DocumentRoot /var/www/proxy.yourdomain.local_http
ErrorLog ${APACHE_LOG_DIR}/proxy.yourdomain.local_http_error.log
CustomLog ${APACHE_LOG_DIR}/proxy.yourdomain.local_http_access.log combined
</VirtualHost>
EOF
## copy squidguard CGI file into apache https folder
## I use the HTTP site for SARG logs and the HTTPS site for squidguard error pages
## NOTE(review): the redirect URLs in squidGuard.conf pass clientaddr/clientuser/url/... as query
## parameters and the example CGI presumably prints them back into the page; check that the installed
## copy HTML-escapes them before exposing it to every user, since a blocked URL is attacker-chosen input
cp /usr/share/doc/squidguard/examples/squidGuard-simple.cgi /var/www/proxy.yourdomain.local_https/squidGuard-simple.cgi
## make the CGI executable so Apache can run it (the +x bit is what matters here, not proxy-user ownership)
chmod +x /var/www/proxy.yourdomain.local_https/squidGuard-simple.cgi
## enable your 2 new internal websites
a2ensite proxy.yourdomain.local_https
a2ensite proxy.yourdomain.local_http
## restart Apache and Squid
systemctl restart apache2
systemctl restart squid
## or reboot proxy server, to be sure
## At this point, all should be ok
## on windows computer, internet options, connexions tab, network settings
## third tickbox : "use a proxy server..."
## Address : proxy.yourdomain.local YOU HAVE TO USE A FQDN NAME FOR KERBEROS - NO IP ADDRESS ALLOWED
## Port : 3128
##
## the "!in-addr" setting in squidguard config file prevents users from connecting directly to websites by IP address, even internal ones
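## create script to Update blacklists
## NOTE(review): compared with the first version, the script downloads over https from the same source
## used when squidguard was set up (instead of an unauthenticated ftp mirror), aborts before touching
## the live db if the download or extraction fails (the old one wiped /var/lib/squidguard/db first),
## and restores the local lists at custom/ (the old cp pair nested them under custom/custom/, so
## custom/gmail went missing after the first refresh).
cat <<'EOF' > /etc/squid/update_blacklists.sh
#!/bin/sh
# Refresh the squidGuard blacklists from the upstream archive, keeping the locally
# maintained lists in db/custom. Any failure before the "rm -rf" leaves the live db untouched.
set -eu
workdir=$(mktemp -d) || exit 1
trap 'rm -rf -- "$workdir"' EXIT
cd "$workdir"
wget -q https://dsi.ut-capitole.fr/blacklists/download/blacklists.tar.gz
# extract into the scratch directory first; a corrupt archive stops here
tar -xzf blacklists.tar.gz
# preserve the local lists (e.g. custom/gmail) across the refresh
if [ -d /var/lib/squidguard/db/custom ]; then
  cp -R /var/lib/squidguard/db/custom "$workdir/custom"
fi
# from here on the live db is replaced
rm -rf /var/lib/squidguard/db/*
mv blacklists/* /var/lib/squidguard/db/
if [ -d "$workdir/custom" ]; then
  cp -R "$workdir/custom" /var/lib/squidguard/db/custom
fi
chown -R proxy:proxy /var/lib/squidguard/db
/usr/sbin/update-squidguard
EOF
## make it executable
chmod +x /etc/squid/update_blacklists.sh
## add a crontab job for update :
crontab -e
## paste this line at the end
0 3 * * 1-5 /etc/squid/update_blacklists.sh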
## if needed, to block all webmails but not gmail
## content of /var/lib/squidguard/db/custom/gmail
client-channel.google.com
accounts.google.com
apis.google.com
contacts.google.com
googleusercontent.com
mail.google.com
ssl.gstatic.com
www.google.com
www.gstatic.com
ogs.google.com
play.google.com