Home
Thursday, November 23, 2017
3:48:45 AM
Users online: 0   You are here >> Home > Open Source OS

Forums | Open Source OS Forums search
Forum FAQ
   
  1  
Building a simple proxy server.
Jarr0d 
29/8/08 1:15:03 PM
Champion

I was writing up a guide on building a simple proxy server. I do a few of these a year for friends. So I finally decided to put it down on paper so I can remember all the config changes.

Now, this might be bland and simple for some of the more skilled lix people out there.
But what I was hoping for was to help those who want a proxy server, but don't know how to go about it.

Any mistakes, please feel free to point them out. Happy Reading.




Building and configuring a proxy

Introduction

This is a guide to help you set up a proxy sever. This server will be built using freeware programs.
This server is designed for small networks or the home user. This should not be incorporated into a large network environment.

This server can be virtually built on any computer or server machine. It is so light weight that a small and cheap computer should do the job efficiently.

The operating system we will be using is Ubuntu Desktop 8.04, which is the current release at the time of writing.
The programs which will be doing all of the dirt for us will be:-

Dansguardian – A free content filter.
Squid – A free caching proxy.
Apache2 – A free web server.
Sarg (Squid Analysis Report Generator) – Produces reports from Squid.
Webmin – A web-based interface for system administration.

A little about what each of these do. Each of these descriptions are very brief, the basics. If you want more in depth descriptions, go to the websites provided.

Dansguardian (www.dansguardian.org)
Danguardian is your content filter. This is the main player in your system. This will scan the web pages for black listed items. It also carries a black list which when used, can outright block a whole webpage.

Squid (www.squid-cache.org)
Squid is basically the firewall of the system. This controls who can use the proxy server, and which ports they can be get at.

Apache2 (www.apache.org)
Apache is a web server. This will host the webpages which will allow you to view the proxy logs.

Sarg (sarg.sourceforge.net)
Sarg produces the reports from squid in a nice and easy readable format. Without this, we would be pouring over reports produced by squid. This could be quite daunting to a home user.

Webmin (www.webmin.com)
Webmin is a web-based interface which allows us to change the settings of our server from Internet Explorer. This can be done from any computer on the network. This saves us from constantly logging onto the server through SSH or from physically being at the server.



Getting Ubuntu

First things first, we need to obtain a copy of Ubuntu Desktop. We can freely download this from their website http://www.ubuntu.com/. Be warned, this is an ISO file, which means it can be quite big in size.

The images can be around 500-700 mb in size so depending on your connection speed, it could take a while.

Once you have this iso, you need to burn it to a CD. If you don’t know how to do this, have a Google around, there are heaps of guides and free apps on how to do this.

Installing Ubuntu

Now install it. Once again this process is very simple. Follow the bouncing ball.
There is a guide here ( http://linuxhelp.blogspot.com/2006/06/six-steps-to-installing-ubuntu-dapper.html). This was written for Dapper but the install screens have not changed much.
Please remember, when you are choosing a username and password, choose wisely. Make sure you will remember these details and use a strong password that you can also easily remember.
Let it do its thing. Once this is installed, let’s get down to the grit of it.

Getting Started

We will be doing a lot of work through Terminal, this can be found in, Applications >> Accessories >> Terminal.
It will be a wise idea to drag and drop a copy of this onto the desktop, as it will be easier to find.

Explanation of Sudo

With Ubuntu, you don’t work as the root account. Instead you use the command sudo. (Sudo stands for Super User DO). So you cannot just start changing system settings left right and centre, you have to sudo them first.
Example, if you wanted to restart the network in Ubuntu, if you typed:
/etc/init.d/networking restart , you will get a permission denied error. So we have to use sudo /etc/init.d/networking restart.


Getting Ubuntu Server Online

Make sure that this server has access to the internet.
To test if the server has internet access, you can do a ping or you can try and browse to a webpage. Open up terminal and type firefox www.google.com. If you see google, we are online.
If you can’t get any internet, try to make sure your router allows DHCP.



Update Ubuntu

Before we go any further, we need to update Ubuntu. This will iron out all the creases and apply security patches.

Navigate to System >> Administration >> Update Manager. You will have to enter your password. Click on install updates.
This process can take a few minutes up to a few hours. So get comfy.
Reboot when asked, and run the update manager again just to make sure your Ubuntu is fully updated.

Installed the programs (packages)

We will be using apt-get to install all of our packages for us. This is a quick and easy tool incorporated into Ubuntu.

To get the tools of the trade, in a terminal window type the following.

sudo apt-get install squid sarg dansguardian apache2

This will ask you to confirm the download by hitting y. Press why and wait for it to download.

Installing Webmin

Next we need to get out paws on webmin.
In terminal type the following

sudo apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl libmd5-perl

Now we have installed the prerequisites, we need to download and install the webmin package.

In the terminal type

wget http://prdownloads.sourceforge.net/webadmin/webmin_1.420_all.deb

You will see a download progress bar. When the download has finished, type in the terminal window:

sudo dpkg -i webmin_1.420_all.deb

This will install webmin for you.

To test if it is working fine, navigate to https://YourIpAddressHere:10000
You should see the login page for webmin. If you don’t know the IP address of your server, in a terminal window type ifconfig. This will show your connector options.


That should do it for the packages.

Right, so now we should have a basic server updated and running the required packages. Now let’s get configuring.

Configuration

(Note: All these configurations are explained as if you are sitting at the server. Webmin and SSH will be introduced later on. For the time being, I would prefer it if you sat infront of the server. The # Symbol means that it is a comment or ignored. Leave these as is, unless the guide instructs you to change it.)

First of all, we need to configure Dansguardian. Open Terminal, and type the following

sudo gedit /etc/dansguardian/dansgurdian.conf

This is the main configuration file for Dansguardian.
We need to change a few things in here.

Change 1

Dansguardian will not run, until we tell it is has been configured. Find the following paragraph

# DansGuardian config file for version 2.8.0 with Anti-Virus plug-in 6.4.3
# **NOTE** as of version 2.7.5 most of the list files are now in dansguardianf1.conf
UNCONFIGURED - Please remove this line after configuration

Comment out the “UNCONFIGURED” like this.

# DansGuardian config file for version 2.8.0 with Anti-Virus plug-in 6.4.3
# **NOTE** as of version 2.7.5 most of the list files are now in dansguardianf1.conf
#UNCONFIGURED - Please remove this line after configuration



Change 2

Find the line that reads

# Log File Format
# 1 = DansGuardian format 2 = CSV-style format
# 3 = Squid Log File Format 4 = Tab delimited
logfileformat = 1

and change it to

# Log File Format
# 1 = DansGuardian format 2 = CSV-style format
# 3 = Squid Log File Format 4 = Tab delimited
logfileformat = 3

As you can see, we have just changed it so the logs will go through squid formatting.

Change 3

Find the line that reads

# Log file location
#
# Defines the log directory and filename.
#loglocation = '/var/log/dansguardian/access.log'

And uncomment it, like this

# Log file location
#
# Defines the log directory and filename.
loglocation = '/var/log/dansguardian/access.log'

This is setting the location of the logs.

Change 4

Now, I won’t be using the virus scan setting in this guide. As most computers have their own.

Find the line

# ANTIVIRUS SETTINGS
# --------------------

# OPTION: virusscan
# If on, we scan all downloaded content using embedded virus engine.
# Supported engines of this version are ClamAV, ClamDScan, KAV, KAV5, Trophie, Sophie.
# If off, we don't scan any downloaded content.
# See http://sourceforge.net/projects/dgav/ for more details.
virusscan = on

and change it to

# ANTIVIRUS SETTINGS
# --------------------

# OPTION: virusscan
# If on, we scan all downloaded content using embedded virus engine.
# Supported engines of this version are ClamAV, ClamDScan, KAV, KAV5, Trophie, Sophie.
# If off, we don't scan any downloaded content.
# See http://sourceforge.net/projects/dgav/ for more details.
virusscan = off

Now save that file and close it. If you get a “Permission Denied” message, you didn’t sudo the file. Go back and to the top of this section and start again. Remember to use Sudo.


Configuring Squid

For the time being, we only want to change two settings in the squid.conf file. This file is huge, so be careful when playing around with it.

Change 1

Find the line that reads

# TAG: visible_hostname
# If you want to present a special hostname in error messages, etc,
# define this. Otherwise, the return value of gethostname()
# will be used. If you have multiple caches in a cluster and
# get errors about IP-forwarding you must set them to have individual
# names with this setting.
#
#Default:
# none

Change it to

# TAG: visible_hostname
# If you want to present a special hostname in error messages, etc,
# define this. Otherwise, the return value of gethostname()
# will be used. If you have multiple caches in a cluster and
# get errors about IP-forwarding you must set them to have individual
# names with this setting.
#
#Default:
visible_hostname localhost



Change 2

Find the line that reads

#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks

You need to change this entry to your ip address range, and uncomment it. I have made the changes so it suits my network.

acl our_networks src 192.168.10.0/24
http_access allow our_networks

You can see here I have taken out the second network and changed the first entry so it allows my network (192.168.10.0/24)

Now save and close this file.

Configuring Sarg

We need to edit 1 entry in the Sarg.conf file.

In a terminal window type in

sudo gedit /etc/squid/sarg.conf

find the line that reads

# TAG: access_log file
# Where is the access.log file
# sarg -l file
#
access_log /var/log/squid/access.log

and change it to

# TAG: access_log file
# Where is the access.log file
# sarg -l file
#
access_log /var/log/dansguardian/access.log

Applying the Changes

Now that we have changed some settings in our programs, we should give them a reboot.

In a terminal window type the following

sudo /etc/init.d/squid restart

then type

sudo /etc/init.d/dansguardian restart

Hopefully they should restart ok, if they didn’t go back through this guide and see where you went wrong. Please don’t skip steps unless you know what you are doing.

Creating the link Between Squid and Dansguardian

Now we have created a basic proxy server we need to link Dansguardian to Squid. This means that all traffic coming in will be passed to Dansguardian before it hits the end user.

In a terminal window, type the following.

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3128 -j REDIRECT --to-port 8080

You have just created an IPTable rule. Think of a iptable as a firewall rule. This rule will pass the information on from Squid to Dansguardian.

Now, if we were to reboot we would lose that iptable we just entered. We want to save it, and have it auto execute everytime the computer starts.

To save it and auto execute it, type the following.

sudo sh -c "iptables-save > /etc/iptables.rules"

We have just saved all running IPtable rules into a file called iptables.rules and it is located in the /etc/ directory.

Now we need to get it to execute on boot. In a terminal window type

sudo gedit /etc/network/interfaces

Seeing as this is a base install so far, we will see the following


auto lo
iface lo inet loopback


We want to add a line to this file which will execute our iptables.

Change the file so it looks like this

auto lo
iface lo inet loopback
pre-up iptables-restore < /etc/iptables.rules

Save that file and close it.

Restart your network with the following command

sudo /etc/init.d/networking restart

Testing Time

Right, so we have slugged away at this, now we want to see how she runs.

We will add a page to the banned site lists to test it.

In a terminal window type

sudo /etc/Dansguardian/bannedsiteslist

This is the black list, we want to add the site www.facebook.com to this list. So right under the first entry (badboys.com) add facebook.com.

Don’t bother with the http:// or the www.

Save and exit the file.

Restart Dansguardian

/etc/init.d/Dansguardian restart


Now open up your browser of choice (Internet Explorer, Firefox etc etc) and pipe it through the proxy.

To do this in Internet Explorer, Click on Tools >> Internet Options >> Connections and than click the ‘Lan Settings’ Button.

In the proxy server text box, add the ip address of your proxy and use the port 3128.

Hit OK than OK again.

Navigate to www.facebook.com. You should be greeted with an Access Is Denied page from DansGuaridian.

Good work, you have a basic proxy server in play.


Webmin
Now, we want to set up webmin so we can control your new server from any computer in your house.

Go to a machine, which is not the server (i.e. your normal work machine) open up a browser of your choice, and navigate to https://YourProxyIP:10000.
You should be now see a login screen for webmin. Enter in the same username and password that you use to log into your sever.

Your browser may complain about Security Cert. bypass this as we know it is safe.

We need to add, Dansguardian to Webmin. This process is simple. From the left hand navigation tree, select Webmin >> Webmin Configuration. From there click on Webmin modules.

Select the 5th radio button down “Third party module from” and select browse.
You should see a list, look down it until you come across “Dansguardian” Click the link. Then press the button “Install Module”.

Now Dansguardian is a part of webmin.

Sarg
Now we are on the home straight, in webmin select from the navigation tree Servers >> Squid Analysis Report Generator.

This will open up the options page, select the option Scheduled Report Generation.

We are now setting up your sarg to pump out daily reports. I normally set mine for midnight. This guide will show you how to do this.

Change these options

Scheduled report enabled? To Yes
Clear report directory each time? To No

Than select Simple Schedule and from the drop down box select Daily (at midnight)


Click Save.

Righto, we have set up the proxy, the reporting and our firewall.

Now all that is left is to put it onto the computers that we want to monitor. Following the same steps I mentioned about IE internet settings.

Logs will generate daily at mid night.

Try enabling the proxy in your browser and start surfing. After a few pages, log back into Webmin Go to Servers >> Squid Report Generator.

Click on the button that say “Generate Report Now”. It will show you that is has generated a report. Click on view generated report.
As you can see from the report, it is showing you where you have visited and sorted by IP.

If you look back at this page after midnight, you can click on the button that says “View Generated Report” It will list all reports by date.

That is about it. Well done on setting up the proxy.

Edit: Added italics to show what is code and what isn't.


Edited by Jarr0d: 29/8/2008 1:24:40 PM

-----
Quote by SexKitten
Drop something pretty, something you think she'll like on the ground and ask her to pick it up. When she goes down, slip her the finger. If she leans into it - love. If not - night in the slammer.

Jarr0d 
29/8/08 2:03:28 PM
Champion

I can add a better explantation and uses of the Dansguardians config files if requested.

-----
Quote by SexKitten
Drop something pretty, something you think she'll like on the ground and ask her to pick it up. When she goes down, slip her the finger. If she leans into it - love. If not - night in the slammer.

eckythump 
29/8/08 2:40:15 PM
Champion

What's the deal with using Ubuntu desktop?

It's supposed to be a server. This is the kind of thing that's meant to run headless.

I'd be using Unbuntu server, debian, net/open/freebsd before using a GUI-oriented distribution.

-----
"Grandfather had an accident, he got burnt." "Oh no, how bad?" "Well, they don't fuck around at the crematorium."

robzy 
29/8/08 2:52:50 PM
Hero
Immortal


What's the actual difference between Ubuntu Desktop and Server? I wouldn't have assumed it would be all that much - especially in a roll like this.

Rob.

-----
&#1506;&#1501; &#1497;&#1513;&#1512;&#1488;&#1500; &#1495;&#1497;

tmccoy 
29/8/08 5:53:05 PM
Champion

I like you're article - nice to get an overview of a total install. Mind you, my version of a simple proxy is

1. install debian-based linux
2. sudo apt-get install tinyproxy

EDIT: I guess my point is that you're guide isn't really a simple proxy, but rather a nicely rounded webmin accessible machine!

Robzy , Ubuntu Server and Desktop differ by the default packages. The Server defaults to only console access, and doesn't install the bloat of X and Gnome.


Edited by tmccoy: 29/8/2008 05:53:55 PM

-----
http://penguinpusher.cjb.net

Jarr0d 
30/8/08 8:28:50 AM
Champion

Much like tmccoy said, there is a GUI on the desktop edition.
I used desktop version for 2 reasons.

Having a GUI provideds the person with something to look at, and shows that they don't need to do everything via terminal.

I have built a one for a mate before using server, he used it as a proxy server and that is it.
I later built him a new one using desktop, and having the GUI has encouraged him to go out and learn about this distro. He is now running it as his main OS and is learning more about it.

With the server edition all he seen was a prompt and he was to scared he would break it if he did anything. GUI gave him confidence to have a poke around.

Edit: And thanks for the support tmccoy. I was hesitant about posting this in the forums, as normally everyone will just point out the faults and why you are wrong and they are right. Without even considering the big picture.


Edited by Jarr0d: 30/8/2008 08:30:56 AM

-----
Quote by SexKitten
Drop something pretty, something you think she'll like on the ground and ask her to pick it up. When she goes down, slip her the finger. If she leans into it - love. If not - night in the slammer.

iamthemaxx 
30/8/08 10:20:06 AM
Mod
SuperHero

Immortal


Nice work dude.
Not really simple as you point out compared to some other options, but for someone that wants to start out it's a ripper.

-----

GlennsPref 
30/8/08 6:47:25 PM
Champion

Hi, the squid proxy server is not a firewall, it just serves pages from cache and updates any changes from the web, for each page.

So,as you suggest, the install of your distro includes iptables fw, without any outside connections (un-solicited).

I know that a default iptables fw is stealthy, because I have been using the Uber Linux Gateway Firewall for years.


Edited by GlennsPref: 30/8/2008 6:50:07 PM

-----
Regards, Glenn

Linux user #406321 (Mandriva)
register @ http://counter.li.org/
GlennsPref@gmail.com

robzy 
30/8/08 8:02:57 PM
Hero
Immortal


Quote by GlennsPref
I know that a default iptables fw is stealthy, because I have been using the Uber Linux Gateway Firewall for years.


I assume you mean Atomic's Uber Linux Gateway Firewall? If so, me too :P
cookiemonster ~ # head /root/atomic.firewall 
#!/bin/sh
#
# Atomic IPTables firewall script v1.2
#
# Simple but effective firewall written for
# the Atomic Uber Linux box guide,
# Issue 21, Oct 2002
#
# Updated May 2003 for bandwidth shaping
#
cookiemonster ~ #

Rob.

-----
&#1506;&#1501; &#1497;&#1513;&#1512;&#1488;&#1500; &#1495;&#1497;

Jarr0d 
30/8/08 8:56:42 PM
Champion

Quote by iamthemaxx
Nice work dude.
Not really simple as you point out compared to some other options, but for someone that wants to start out it's a ripper.



Thanks for the support dude. I appreciate it.

I classed it as simple because I can do it :)
I am quite new to the linux side of life.

-----
Quote by SexKitten
Drop something pretty, something you think she'll like on the ground and ask her to pick it up. When she goes down, slip her the finger. If she leans into it - love. If not - night in the slammer.

  1  
Forums | Open Source OS