1/Install and configure squid
[root@lan ~]#yum -y install squid
[root@lan ~]#vi /etc/squid/squid.conf
http_port 8080
acl CONNECT method CONNECT
acl lan src 192.168.0.0/255.255.255.0
# add: permit only the LAN. The stock squid.conf ends with `http_access deny all`; keep that
# line *after* this one. An `allow` with no final `deny all` leaves squid as an open proxy
# for anyone who can reach port 8080.
http_access allow lan
visible_hostname test.vn
# add: the hostname squid uses to identify itself (e.g. in its error pages)
forwarded_for off
# add: do not put the client's IP address in the X-Forwarded-For header sent to origin servers
# add: strip request headers that would reveal the client or the proxy to origin servers.
# `header_access` is the Squid 2.x directive; Squid 3.x replaced it with
# `request_header_access` / `reply_header_access`, so check `squid -v` before copying this.
# Note that the clients' own Referer and Cache-Control headers are dropped as well, which
# some sites depend on.
header_access Referer deny all
header_access X-Forwarded-For deny all
header_access Via deny all
header_access Cache-Control deny all
[root@lan ~]#/etc/rc.d/init.d/squid start
init_cache_dir /var/spool/squid... Starting squid:[ OK ]
[root@lan ~]#chkconfig squid on
II/PROXY WITH ANTI VIRUS
Configure the proxy to scan downloaded files so that clients are protected from viruses. Install ClamAV first.
1/Install clamd
[root@lan ~]#yum -y install clamd
# Install from a repository whose packages are GPG-signed (EPEL ships clamd). If you instead
# fetch an RPM from a third-party mirror such as http://rpm.pbone.net/, verify its signature
# with `rpm -K` before installing it as root.
[root@lan ~]#vim /etc/clamd.conf
LocalSocket /var/run/clamav/clamd.sock   # change: the UNIX socket squidclamav connects to (clamd_local below); the squid user must be able to connect to it
[2] Install squidclamav
[root@lan ~]# wget http://www.darold.net/projects/squidclamav/squidclamav-4.0.tar.gz
# Plain-HTTP download with no checksum or signature check, then built and installed as root.
# Compare the tarball against a hash published by the project before running ./configure,
# and build as an unprivileged user — only `make install` needs root.
[root@lan ~]#tar zxvf squidclamav-4.0.tar.gz
[root@lan ~]#cd squidclamav-4.0
[root@lan squidclamav-4.0]#./configure
[root@lan squidclamav-4.0]#make
[root@lan squidclamav-4.0]#make install
[root@lan squidclamav-4.0]#cp squidclamav.conf.dist /etc/squidclamav.conf
[root@lan squidclamav-4.0]#cd
[root@lan ~]#vim /etc/squidclamav.conf
proxy http://127.0.0.1:8080/              # change: proxy through which squidclamav fetches the object it scans (presumably squid itself)
logfile /var/log/squid/squidclamav.log    # change: log file (created and chown'ed to squid below)
redirect http://www.yahoo.com/            # change: URL the user is sent to when clamd reports a virus; point this at a page you control that explains the block, not at a third-party site
# squidguard /usr/local/squidGuard/bin/squidGuard
debug 0
force 1
stat 1
clamd_local /var/run/clamav/clamd.sock   # change: must match LocalSocket in /etc/clamd.conf
clamd_ip 127.0.0.1
clamd_port 3310
timeout 60
# abort/aborti: do NOT scan objects whose URL matches the regex (aborti = case-insensitive).
# The match is on the request URL only, so whoever controls the server decides whether its
# payload is scanned. Archives (.gz/.bz2), .pdf, .js and .swf are common malware carriers;
# keep them in this skip list only if clamd load leaves no choice.
abort ^.*\.gz$
abort ^.*\.bz2$
abort ^.*\.pdf$
abort ^.*\.js$
abort ^.*\.html$
abort ^.*\.css$
abort ^.*\.xml$
abort ^.*\.xsl$
abort ^.*\.ico$
aborti ^.*\.gif$
aborti ^.*\.png$
aborti ^.*\.jpg$
aborti ^.*\.swf$
content ^.*application\/.*$
# whitelist: URLs matching this regex are never scanned. The pattern is unanchored, so it also
# matches any URL that merely contains "yahoo.com" in its path or query string; anchor it to
# the host part (e.g. ^https?://([^/]*\.)?yahoo\.com/) or drop it.
whitelist .*yahoo\.com
[root@lan ~]#vim /etc/clamd.conf
LocalSocket /var/run/clamav/clamd.sock   # change: the UNIX socket squidclamav connects to (clamd_local below); the squid user must be able to connect to it
[2] Install squidclamav
[root@lan ~]# wget http://www.darold.net/projects/squidclamav/squidclamav-4.0.tar.gz
# Plain-HTTP download with no checksum or signature check, then built and installed as root.
# Compare the tarball against a hash published by the project before running ./configure,
# and build as an unprivileged user — only `make install` needs root.
[root@lan ~]#tar zxvf squidclamav-4.0.tar.gz
[root@lan ~]#cd squidclamav-4.0
[root@lan squidclamav-4.0]#./configure
[root@lan squidclamav-4.0]#make
[root@lan squidclamav-4.0]#make install
[root@lan squidclamav-4.0]#cp squidclamav.conf.dist /etc/squidclamav.conf
[root@lan squidclamav-4.0]#cd
[root@lan ~]#vim /etc/squidclamav.conf
proxy http://127.0.0.1:8080/              # change: proxy through which squidclamav fetches the object it scans (presumably squid itself)
logfile /var/log/squid/squidclamav.log    # change: log file (created and chown'ed to squid below)
redirect http://www.yahoo.com/            # change: URL the user is sent to when clamd reports a virus; point this at a page you control that explains the block, not at a third-party site
# squidguard /usr/local/squidGuard/bin/squidGuard
debug 0
force 1
stat 1
clamd_local /var/run/clamav/clamd.sock   # change: must match LocalSocket in /etc/clamd.conf
clamd_ip 127.0.0.1
clamd_port 3310
timeout 60
# abort/aborti: do NOT scan objects whose URL matches the regex (aborti = case-insensitive).
# The match is on the request URL only, so whoever controls the server decides whether its
# payload is scanned. Archives (.gz/.bz2), .pdf, .js and .swf are common malware carriers;
# keep them in this skip list only if clamd load leaves no choice.
abort ^.*\.gz$
abort ^.*\.bz2$
abort ^.*\.pdf$
abort ^.*\.js$
abort ^.*\.html$
abort ^.*\.css$
abort ^.*\.xml$
abort ^.*\.xsl$
abort ^.*\.ico$
aborti ^.*\.gif$
aborti ^.*\.png$
aborti ^.*\.jpg$
aborti ^.*\.swf$
content ^.*application\/.*$
# whitelist: URLs matching this regex are never scanned. The pattern is unanchored, so it also
# matches any URL that merely contains "yahoo.com" in its path or query string; anchor it to
# the host part (e.g. ^https?://([^/]*\.)?yahoo\.com/) or drop it.
whitelist .*yahoo\.com
[3] Configurarion of squid
[root@lan ~]#vim /etc/squid/squid.conf
add these 3 lines at the bottom
# localhost is excluded so that squidclamav's own fetch through http://127.0.0.1:8080/ is not
# handed back to the rewriter (a scan loop). It also means requests originating on the proxy
# host itself are never scanned.
url_rewrite_access deny localhost
redirect_program /usr/local/bin/squidclamav
redirect_children 15
redirect_program /usr/local/bin/squidclamav
redirect_children 15
[root@lan ~]#touch /var/log/squid/squidclamav.log
[root@lan ~]#chown squid. /var/log/squid/squidclamav.log
[root@lan ~]#vim /etc/logrotate.d/squid
add at the bottom
/var/log/squid/squidclamav.log {
    weekly
    rotate 5
    copytruncate
    compress
    notifempty
    missingok
}
[root@lan ~]#/etc/rc.d/init.d/squid restart
Stopping squid: .............[ OK ]
Starting squid: .[ OK ]
[1] Install squidguard
[root@lan ~]#yum -y install squidguard
[root@lan ~]#mv /etc/squid/squidguard.conf /etc/squid/squidguard.conf.bk
[root@lan ~]#vi /etc/squid/squidguard.conf
# configure it like the following example
#
# CONFIG FILE FOR SQUIDGUARD
#
dbhome /var/lib/squidguard
logdir /var/log/squidguard
dest dame {
    domainlist dame/domains
    urllist dame/urls
}
acl {
    default {
        pass !dame all
        redirect http://www.yahoo.com/
    }
}
[root@lan ~]#mkdir /var/lib/squidguard/dame
[root@lan ~]#vi /var/lib/squidguard/dame/domains
[root@lan ~]#vi /var/lib/squidguard/dame/urls
[root@lan ~]#squidGuard -C all    # build the Berkeley DB files from domains/urls
[root@lan ~]#chown -R squid. /var/lib/squidguard/dame
# squidGuard runs as the squid user. If it cannot open its DB or config it logs
# "going into emergency mode" and passes every request unfiltered, so check
# /var/log/squidguard/squidGuard.log after each restart.
[root@lan ~]#vim /etc/squidclamav.conf
squidguard /usr/bin/squidguard   # path is case-sensitive: the binary run above is `squidGuard`; confirm with `command -v squidGuard` and use that path
[root@lan ~]#/etc/rc.d/init.d/squid restart
Stopping squid: .............[ OK ]
Starting squid: .[ OK ]
2/ Try to access Yahoo, which the list below marks as a prohibited domain. The redirect setting is only an example to show what squidGuard does: build your own block page, because redirecting to www.yahoo.com as in this example is meaningless — yahoo.com is itself on the blocked list, so the redirect target would presumably be blocked in turn.
acl {
default {
pass !dame all
redirect http://www.yahoo.com/
}
}
[root@lan ~]#mkdir /var/lib/squidguard/dame
[root@lan ~]#vi /var/lib/squidguard/dame/domains
# domains you want to block access to
yahoo.com
conheotiensinh.blogspot.com
conheotiensinh.blogspot.com
[root@lan ~]#vi /var/lib/squidguard/dame/urls
# URLs you want to block access to (host/path, no scheme)
www.yahoo.com/deny/
conheotiensinh.blogspot.com/
[root@lan ~]#squidGuard -C all    # build the Berkeley DB files from domains/urls
[root@lan ~]#chown -R squid. /var/lib/squidguard/dame
# squidGuard runs as the squid user. If it cannot open its DB or config it logs
# "going into emergency mode" and passes every request unfiltered, so check
# /var/log/squidguard/squidGuard.log after each restart.
[root@lan ~]#vim /etc/squidclamav.conf
squidguard /usr/bin/squidguard   # path is case-sensitive: the binary run above is `squidGuard`; confirm with `command -v squidGuard` and use that path
# i.e. uncomment the `# squidguard ...` line in /etc/squidclamav.conf (shown earlier) and point it at the real binary
[root@lan ~]#/etc/rc.d/init.d/squid restart
Stopping squid: .............[ OK ]
Starting squid: .[ OK ]
Nice writeup! I will be checking out the status page accessible from a web browser; getting it through scp every time gets old :)
I have a question, and I'm hoping you would have the answer, since it's nowhere to be found on the web.
Do you happen to know if I have SSL certs on my load balanced webservers, whether I would also need to install that cert on my pen load balancer as well? it has some flags to include a cert, but there is no documentation on how to use it, and I can't seem to get it to work.
Windows workstations accessing the load balancer are not getting a certificate error, but Mac clients are, and are asked to accept the certificate into the keychain. Any ideas?
Hi Babaylon
Thanks for your comment.
For load balancing with Pen (I think you should comment on http://conheotiensinh.blogspot.com/2009/09/load-balance-web-server-use-pen.html instead): Pen is a simple load balancer and does not support Layer 7, so you need a load balancer that does (Pound, LVS, HAProxy, ...). For me HAProxy is the best solution.
Please let me know if you have any question
Thanks and Best Regards