SARG

22 01 2010

When you run Squid, you cannot avoid looking at Squid's access.log.
Watching accesses in real time with the tail command is uncomfortable and the raw log is hard to analyse. SARG (Squid Analysis Report Generator) is a good choice to tackle this. Before installing SARG, we need Squid and Apache running on the target system.

I used CentOS 5.2 and Squid 2.6 STABLE21 with this version of SARG.

1. Install sarg

> wget http://dag.wieers.com/rpm/packages/sarg/sarg-2.2.3.1-1.el5.rf.i386.rpm
> rpm -ivh sarg-2.2.3.1-1.el5.rf.i386.rpm

2. Enable Apache at boot with

> /sbin/chkconfig --add httpd

> /sbin/chkconfig --level 2345 httpd on

** Start httpd manually by

> /usr/sbin/apachectl start

3. Edit sarg.conf

> nano /etc/sarg/sarg.conf

4. Uncomment access_log and output_dir. Remember to change their paths to the real locations on our target system.

5. Our sarg will be ready to run, just type

> sarg -l /var/log/squid/access.log

You will see an HTML report inside output_dir, and now our access log is a lot easier to analyse.

6. To run sarg periodically, make sure there is a sarg task in /etc/crontab.

Oh, I got this interesting linux certification link during my experiment.





NTLM Authentication in Squid

21 01 2010

I spent so much time configuring Squid on Debian, but finally I changed to CentOS. It turned out well. OK, I won't waste more lines explaining my feelings.

1. Make sure our CentOS host's clock is synchronised with the DC.

2. These packages must be installed (check with rpm -qa, install with yum):

> rpm -qa [package-name]

> yum install krb5-workstation samba authconfig

3. Install Squid

> yum install squid

4. Configure Samba (/etc/samba/smb.conf) with the authconfig command

# authconfig --enableshadow --enablemd5 --passalgo=md5 --krb5kdc=sun.ambient.local \
--krb5realm=AMBIENT.LOCAL --smbservers=sun.ambient.local --smbworkgroup=AMBIENT \
--enablewinbind --enablewinbindauth --smbsecurity=ads --smbrealm=AMBIENT.LOCAL \
--smbidmapuid="16777216-33554431" --smbidmapgid="16777216-33554431" --winbindseparator="+" \
--winbindtemplateshell="/bin/false" --enablewinbindusedefaultdomain --disablewinbindoffline \
--winbindjoin=Administrator --disablewins --disablecache --enablelocauthorize --updateall

**My Domain: AMBIENT.LOCAL

**DC computername: SUN.AMBIENT.LOCAL

**CentOS Web proxy Server’s name: centos

5. Change security line in /etc/samba/smb.conf at global config

> security = ads

Also make sure the correct domain name is used inside /etc/krb5.conf.

*** You can test the smb.conf configuration with

> testparm

6. Join centos to DC

> /usr/bin/net join -w AMBIENT -S sun.ambient.local -U Administrator

Then enter the password.

7. Restart the winbind service

> /etc/init.d/winbind restart

8. If it was successful, you will be able to list AD users and groups:

> wbinfo -u
> wbinfo -g

9. Set up and configure Squid. Please see the old post.

10. Add NTLM authentication to squid.conf

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=SUN+internetuser
auth_param ntlm children 5
auth_param ntlm keep_alive on

acl myNetwork src 192.168.51.0/24 192.168.52.0/24

acl ntlm proxy_auth REQUIRED
http_access allow myNetwork ntlm

** internetuser is in lowercase.

11. restart squid

> /etc/init.d/squid restart

12. Now all clients that use the proxy need to be logged in to the DC before going online.

Quite long and a little bit complicated, but it is as clear as I can make it.

For more details, please see this





Web Proxy with Squid

17 01 2010

As we already know, web caching servers play a key role inside an organisation. Not only can users surf faster, but the cache also provides a way to trace back browsing logs for future reference. Yeah, it makes administrator tasks easier, too.

My implementation

Squid 2.7 on Debian is my selection.

1. Install squid
> apt-get install squid
2. Edit squid.conf in /etc/squid
> vi /etc/squid/squid.conf
3. Follow this basic configuration
– change port:
http_port 3128
– uncomment icp_port
icp_port 3130
– increase cache memory to half of the RAM capacity (the value needs a unit such as MB)
cache_mem 256 MB
– increase cache directory
cache_dir ufs /var/spool/squid 5000 16 256
– uncomment the squid log settings
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/squid.log
pid_filename /var/run/squid.pid

4. Edit client netmask
client_netmask 255.255.255.0
5. Add an ACL (the acl line needs the type, here src)
acl myNetwork src 192.168.1.0/24
http_access allow myNetwork

6. Create the swap directories
> squid -z
7. Apply the squid configuration
> squid -k reconfigure -f /etc/squid/squid.conf
# OR
> /etc/init.d/squid restart

After setting up the Squid proxy server, point the web browser's proxy connection to the one we have implemented. To watch incoming connections, just view access.log:
> tail -f /var/log/squid/access.log
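The access.log that SARG summarises in the first post above, and that tail -f shows raw, is in Squid's native format. The following Python script is an added example of mine (not part of the original post or of SARG) that parses a few constructed sample lines and reports bytes per user, the cache hit ratio and denied requests grouped by status code. The user field is "-" unless proxy authentication such as the NTLM setup is in use, and a TCP_DENIED/407 entry is the proxy-authentication challenge, not a blocked user.

```python
"""Summarise Squid native-format access.log lines (sample lines are constructed)."""
from collections import Counter, defaultdict

# Native format: time elapsed client action/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1264118400.123    245 192.168.51.10 TCP_MISS/200 4523 GET http://www.example.com/index.html jdoe DIRECT/93.184.216.34 text/html
1264118401.456      0 192.168.51.10 TCP_HIT/200 4523 GET http://www.example.com/index.html jdoe NONE/- text/html
1264118402.001      0 192.168.52.20 TCP_DENIED/407 1782 GET http://www.example.com/ - NONE/- text/html
1264118403.789     12 192.168.52.20 TCP_DENIED/403 1500 GET http://ads.example.net/track.js asmith NONE/- text/html
1264118404.300    980 192.168.52.20 TCP_MISS/200 91234 GET http://files.example.org/big.iso asmith DIRECT/203.0.113.7 application/octet-stream
"""


def parse_line(line):
    """Split one native-format line into a dict; return None for malformed lines."""
    f = line.split()
    if len(f) < 10:
        return None
    action, _, status = f[3].partition("/")
    try:
        return {"ts": float(f[0]), "client": f[2], "action": action, "status": int(status),
                "bytes": int(f[4]), "method": f[5], "url": f[6], "user": f[7]}
    except ValueError:
        return None


def summarise(text):
    """Bytes served per user, cache hit ratio of served requests, denied requests by status."""
    bytes_by_user = Counter()
    denied = defaultdict(list)
    hits = served = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["action"] == "TCP_DENIED":
            denied[rec["status"]].append((rec["client"], rec["url"]))
            continue
        served += 1
        bytes_by_user[rec["user"]] += rec["bytes"]
        if "HIT" in rec["action"]:  # TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT, ...
            hits += 1
    return {"bytes_by_user": dict(bytes_by_user),
            "hit_ratio": hits / served if served else 0.0,
            "denied": dict(denied)}


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(key, value)
```

Run it against the real file with `summarise(open("/var/log/squid/access.log").read())`; a burst of 403 entries from one client is worth a closer look, while 407s simply mean the NTLM handshake.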

Block black list

To block some black list, just add more ACLs. Squid evaluates http_access rules in order, so these deny lines must come before the http_access allow myNetwork line above.

# Block websites by domain name & IP address
> acl blockList dstdomain "/etc/squid/blocklist1.txt"

# Block keywords

> acl blockRegex url_regex -i "/etc/squid/blocklist2.txt"
> http_access deny blockList
> http_access deny blockRegex
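Three mistakes are easy to make in the fragments above and in the NTLM post: an acl line without a type (acl myNetwork 192.168.1.0/24 instead of acl myNetwork src ...), cache_mem without a unit, and deny rules placed after the allow rule that already admitted the clients. The following Python checker is an added example of mine (not Squid's own tooling); ACL_TYPES is a partial, hand-written list and the squid.conf fragment it checks is constructed to contain all three problems.

```python
"""Flag common squid.conf pitfalls: untyped acl, unitless cache_mem, deny after allow."""
import re

# ACL types used on this page plus a few other common Squid 2.x types (partial list)
ACL_TYPES = {"src", "dst", "srcdomain", "dstdomain", "url_regex", "urlpath_regex",
             "proxy_auth", "port", "proto", "method", "time", "maxconn"}

# Constructed fragment reproducing the pitfalls; the checker reports four problems
SAMPLE_CONF = """\
http_port 3128
cache_mem 256
acl myNetwork 192.168.1.0/24
acl blockList dstdomain "/etc/squid/blocklist1.txt"
http_access allow myNetwork
http_access deny blockList
http_access deny all
"""


def check_squid_conf(text):
    """Return a list of warning strings, one per problem found, in file order."""
    warnings, acls, allows = [], {"all": "builtin"}, []
    for n, raw in enumerate(text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if not tok:
            continue
        if tok[0] == "acl":
            name = tok[1] if len(tok) > 1 else "?"
            if len(tok) < 4 or tok[2] not in ACL_TYPES:
                warnings.append(f"line {n}: acl {name} has no valid type (expected e.g. 'acl {name} src ...')")
            else:
                acls[name] = tok[2]
        elif tok[0] == "cache_mem" and not re.fullmatch(r"\d+ [KMG]B", " ".join(tok[1:])):
            warnings.append(f"line {n}: cache_mem needs a unit, e.g. 'cache_mem 256 MB'")
        elif tok[0] == "http_access" and len(tok) >= 3:
            verb, names = tok[1], [x.lstrip("!") for x in tok[2:]]
            missing = [x for x in names if x not in acls]
            if missing:
                warnings.append(f"line {n}: http_access uses undefined acl {missing}")
            if verb == "allow":
                allows.append(n)
            # a deny after an allow never applies to requests the allow already matched
            elif verb == "deny" and allows and names != ["all"]:
                warnings.append(f"line {n}: deny {names} comes after allow on line {allows[0]}; "
                                "move it above so the block list is actually enforced")
    return warnings


if __name__ == "__main__":
    for w in check_squid_conf(SAMPLE_CONF):
        print(w)
```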
