Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
IMPLEMENT HTTP/HTTPS TRANSPARENT PROXY WITH SAFE CONTENT SOLUTION
Document Number: 002-001 Author: Javier Lagos Version: 0.6 Category: Linux Administration
NOTES TO THE READERS
All the experiences performed in this lab, has been done using the following software:
O.S.: Ubuntu Server 16.04 LTS x64. Products: squid 3.5.28 (Proxy Cache), squidguard-1.5 (Safe Content Tool).
This Paper has been created by Javier Lagos under Creative Commons License from https://jl-lib.seti-chile.cl. To contact the author, please send an email to: [email protected].
CONTENTS
1) Introduction 1.1 Concepts. 1.2 Goals. 2) Planing and Design. 2.1) Architecture. 2.2) Implementation Plan. 2.3) Testing Plan. 3) Implementation and Testing. 3.1) Pre-Implementation Tasks. 3.2) Implementation Tasks. 3.3) Post-Implementation Tasks. 3.4) Testing. 4) Conclusion. 5) References. 5.1) Sources.
Document Number: 002-001 1 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
1 INTRODUCTION
One, 1
1.1 LOGICAL VOLUME MANAGER CONCEPTS
LVM
1.2 LOGICAL VOLUME MANAGER CONCEPTS
Document Number: 002-001 2 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
2 PLANING AND DESIGN
2.1 ARCHITECTURE
The Architecture Design for this Lab consist in one Server acting as a Router and Proxy/Content Safe Server that communicate The Internal Lab Network to Servers Farm/Internet.
The Complete Flow for a device inside Lab Network to communicate to a web site in internet works as below:
1. Every Device inside “Lab Network”, send a http/https request from browser or any other application to "Proxy & Safe Content Server" through Router/Nat (Gateway) configured inside it.
2. The firewall rules configured on “Proxy & Safe Content Server” intercept any traffic through on port 80 (http) and 443 (https) and redirect them to Proxy Service on Ports 3128 (http) and 3129 (https).
3. Proxy Service (Squid) check incoming domain information sending nslookup request to “DNS Server”. If domain exist, Proxy Service send a request to Content Safe Service (squidGuard) to validate if domain is in
Document Number: 002-001 3 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution the white (allowed) or black (denied) list. If domain doesn't exist, Proxy Service send an error page to browser.
4. Content Safe Service (squidGuard) validate domain in it internal database. If domain is allowed, will contact the target website, save related content of this in the Squid Cache and then send the content to the browser. If domain is not allowed, will return a denied error to browser.
Document Number: 002-001 4 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
2.2 IMPLEMENTATION PLAN
Below is an Action Plan on what you need and what to do, to accomplish this project:
1. Network Definition
1.1 Two Network Cards. One will be exposed to “Servers Farms” and the second one will be exposed to “Lab Network”. (Check Diagram on Infrastructure Design).
1.2 IP and DNS definition on both Network Cards. On this Lab, I will use below details:
NIC 1 (Exposed to Servers Farm):
IP: 192.168.2.120/24 → leda.lab.seti-chile.org Gateway: 192.168.2.200 DNS1: 192.168.2.223 DNS2: 192.168.2.222
NIC 2 (Exposed to Lab Network):
IP: 192.168.4.203/24 → leda-internal.lab.seti-chile.org DNS1: 192.168.2.223 DNS2: 192.168.2.222
2. Software and Dependencies
2.1 Download Squid Cache and SquidGuard Packages. 2.2 Solve Software Dependencies. 2.3 Create Dedicated Filesystem for SquidCache and SquidGuard. 2.4 Compile and install Squid Cache and SquidGuard.
3. Firewall and Routing Configuration
3.1 Set Forwarding and Redirection Rules.
4. Squid Cache Configuration
4.1 Set Port, Interception and SSL configuration. 4.2 Create Secure Certificate between Squid Cache and Browsers/End- Point Tools. 4.3 Create Swap/Cache Directories.
Document Number: 002-001 5 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
5. SquidGuard Configuration
5.1 Set Logging Configuration and ACL Groups using ShallaList Database. 5.2 Integrate SquidGuard into Squid Cache Configuration. 5.3 Build Safe Content Database.
6. Browser Configuration/Certificates
6.1 Import Certificates to Client Browsers and at OS Wallet on Windows and Linux Based Clients.
2.3 TESTING PLAN
Below is an Action Plan in order to test and certify the implementation:
1. Test Internet Navigation through browser on http, https sites. Some examples:
- https://www.google.com - https://www.yahoo.com - https://www.youtube.com
- http://www.openbsd.org - http://www.mit.edu - http://www.apache.org
Document Number: 002-001 6 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
3 IMPLEMENTATION AND TESTING
3.1 PRE-IMPLEMENTATION TASKS
NETWORK CONFIGURATION
As mentioned in Planing chapter, in this lab we will use 2 Network Cards, one connected to Servers Farm and the other to Lab Network. Perform below changes on Ubuntu’s Network Configuration:
1. Into the server (leda.lab.seti-chile.org), edit file /etc/network/interfaces using to preferable editor. In our case vi:
$ sudo vi /etc/network/interfaces
# LOOPBACK auto lo iface lo inet loopback
# PRIMARY ETHERNET auto eth0 iface eth0 inet static address 192.168.2.120 gateway 192.168.2.200 netmask 255.255.255.0 dns-nameservers 192.168.2.223 192.168.2.222 208.67.222.222 208.67.220.220 dns-search lab.seti-chile.org
# SECONDARY ETHERNET auto eth1 iface eth1 inet static address 192.168.4.203 #gateway 192.168.4.200 netmask 255.255.255.0
pre-up iptables-restore < /etc/iptables/rules.v4
Note: “iptables-restore” belongs to iptables-persistent packages and is needed to store firewall rules. Will be used by Firewall to redirect http/https traffic to SquidCache service.
2. Edit /etc/hosts file as bellow:
$ sudo vi /etc/hosts
127.0.0.1 localhost.localdomain localhost 192.168.2.120 leda.lab.seti-chile.org leda 192.168.2.120 proxy.lab.seti-chile.org proxy
Document Number: 002-001 7 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
SOFTWARE AND DEPENDENCIES
In order to build SquidCache and SquidGuard we need to satisfy some software dependencies (packages). Below is the list of dependencies and their installation:
- build-essential, bison, flex, automake, autoconf, openssl, openssl- devel, iptables-persistent.
1. Into the server (leda.lab.seti-chile.org), run below commands to update the apt sources:
$ sudo apt-get update
2. To update current software (system), run below command:
$ sudo apt-get upgrade -y
3. To install dependencies, run below command:
$ sudo apt-get install -y build-essential bison flex automake autoconf openssl libssl-dev iptables-persistent libdb-dev:i386
Note: If for some reason above installation fails due broken packages or incomplete old installation, fix it as following:
$ sudo apt-get -f install
4. To Download SquidCache and SquidGuard from Ubuntu Sources, run below commands:
$ cd /usr/local/src $ sudo apt-get source squid $ sudo apt-get source squidguard
Note: We strongly recommend to use Ubuntu Source for Squid and SquidGuard due the compatibility with dependencies. Anyway you can use sources from it makers without issues, just downloading them from their homepages. Below an example how to download them directly to the server:
$ cd /usr/local/src $ sudo wget http://www.squid-cache.org/Versions/v3/3.5/squid- 3.5.28.tar.gz $ sudo wget http://www.squidguard.org/Downloads/squidGuard-current.tar.gz
Document Number: 002-001 8 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
5. Create SquidCache/SquidGuard Group and User at OS Level. This will be the owner account for Proxy and Safe Content Services:
$ sudo groupadd -g 13 proxy $ sudo useradd -u 13 -g 13 -c “Proxy Service Owner” -d /u01/squid -m -s / usr/sbin/nologin proxy $
6. Create Dedicated Filesystem and directories for SquidCache and SquidGuard. Will be used LVM + ext4 for this filesystem:
$ fdisk /dev/sdb
Note: Create Primary LVM Partition (Code: 8e)
$ sudo pvcreate /dev/sdb1 $ sudo vgcreate VolGroup01 /dev/sdb1 $ sudo lvcreate -L 6g -n LVu01 VolGroup01 $ sudo mkfs -t ext4 /dev/VolGroup01/LVu01 $ sudo mkdir /u01 $ sudo mount -t ext4 /dev/VolGroup01/LVu01 /u01 $ sudo mkdir -p /u01/squid/log /u01/squid/guard /u01/squid/run /u01/squid/cache /u01/squid/guard/log /u01/squid/guard/db $ sudo chown -R proxy:proxy /u01/squid
Note: Is recommended to register new filesystem in /etc/fstab in order to automatically mount at boot.
FIREWALL AND ROUTING CONFIGURATION
As explained in Architecture/Design Chapter, Our Proxy Server will act as a router and firewall for “Labs Network” in order to redirect traffic to interceptor ports of SquidCache and to communicate with Internet.
1. To enable IP Forwarding, edit /etc/sysctl.conf and add below definitions on it:
$ sudo vi /etc/sysctl.conf net.ipv4.ip_forward=1 net.ipv4.conf.all.forwarding=1
Note: Depending on the OS distribution and version, you can create a file into /etc/sysctl.d/ and add the definitions on it. The Kernel will automatically check inside that directory and include all files on it. Check below example:
$ sudo vi /etc/sysctl.d/99_squid_ipfw.conf net.ipv4.ip_forward=1 net.ipv4.conf.all.forwarding=1
Document Number: 002-001 9 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
2. To enable Firewall Rules to intercept all http and https traffic and redirect to SquidCache Daemon, we need to define below rules:
$ sudo iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT $ sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT $ sudo iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3128 $ sudo iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-ports 3129 $ sudo iptables-save > /etc/iptables/rules.v4
3.2 IMPLEMENTATION TASKS
BUILD SQUIDCACHE SOURCES
As exposed on Pre-Implementation Tasks, Source Code for SquidCache has been downloaded under /usr/local/src directory like below:
$ cd /usr/local/src/ $ ls -ltr total 8 drwxr-xr-x 17 root root 4096 dic 3 18:01 squid-3.5.28 drwxr-xr-x 9 root root 4096 dic 5 19:59 squidguard-1.5 $
Below are the steps to Compile the Sources:
1. Go to SquidCache Source and Configure Compilation:
$ cd /usr/local/src/squid-3.5.28 $ sudo ./configure --with-default-user=proxy --enable-ssl-crtd --with- openssl
Parameters: * --with-default-user=proxy → This is the owner user for SquidCache Service (Previously created). * --enable-ssl-crtd → Enable External SSL Certification Wallet. * –-with-openssl → Compile SquidCache with OpenSSL capabilities.
Note: Ensure no errors appears after the configure process. If so, check the error and try to resolve the missing dependency or configuration.
2. Compile/Build the SquidCache binaries and install them in the OS. Note that SquidCache binaries will be installed by defaults under /usr/local/ squid/ directory:
Document Number: 002-001 10 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
$ sudo make $ sudo make install $ sudo chown -R proxy:proxy /usr/local/squid
Note: If some errors appears in the compile process, please check the configure process executed before in order to find any missing dependency and/or configuration.
BUILD SQUIDGUARD SOURCES
As exposed on Pre-Implementation Tasks, Source Code for SquidGuard has been downloaded under /usr/local/src directory like below:
$ cd /usr/local/src/ $ ls -ltr total 8 drwxr-xr-x 17 root root 4096 dic 3 18:01 squid-3.5.28 drwxr-xr-x 9 root root 4096 dic 5 19:59 squidguard-1.5 $
Below are the steps to Compile the Sources:
1. Go to SquidGuard Source and Configure Compilation:
$ cd /usr/local/src/squidguard-1.5 $ sudo ./configure --with-squiduser=proxy
Parameters: * --with-squiduser=proxy → This is the owner user for SquidCache Service.
Note: Ensure no errors appears after the configure process. If so, check the error and try to resolve the missing dependency or configuration.
2. Compile/Build the SquidGuard binaries and install them in the OS. Note that SquidGuard binaries will be installed by defaults under /usr/local directory:
$ sudo make $ sudo make install $ sudo chown -R proxy:proxy /usr/local/squidGuard
Note: If some errors appears in the compile process, please check the configure process executed before in order to find any missing dependency and/or configuration.
Document Number: 002-001 11 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
SQUID CACHE CONFIGURATION
Below are the steps to configure SquidCache with SSL Integration in order to enable Transparent HTTPS Proxy:
1. Edit /usr/local/squid/etc/squid.conf file and put below configuration:
$ sudo vi /usr/local/squid/etc/squid.conf http_port 3127 http_port 3128 intercept https_port 3129 intercept ssl-bump cert=/usr/local/squid/ssl_cert/proxyCA.pem key=/usr/local/squid/ssl_cert/ proxyCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB ssl_bump server-first all sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB sslcrtd_children 8 startup=1 idle=1 acl lab src 192.168.2.0/255.255.255.0 acl lab_internal src 192.168.4.0/255.255.255.0 acl localhost src 127.0.0.1/255.255.255.0 acl localnet dst 127.0.0.0/255.255.255.0 acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl blockedsites url_regex -i "/usr/local/squid/etc/blocked.txt" acl CONNECT method CONNECT acl SSL method CONNECT http_access deny blockedsites http_access allow localhost http_access allow localnet http_access allow lab http_access allow lab_internal http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access deny all cache_mem 512 MB cache_dir ufs /u01/squid/cache 6144 16 256 access_log /u01/squid/log/access.log squid pid_filename /u01/squid/run/squid.pid cache_log /u01/squid/log/cache.log
Document Number: 002-001 12 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution coredump_dir /u01/squid/log ftp_user proxy@ refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880 refresh_pattern (\.deb|\.udeb)$ 259200 100% 259200 refresh_pattern (\.rpm|\.srpm)$ 259200 100% 259200 refresh_pattern (\.xml|xml\.gz)$ 0 20% 2880 refresh_pattern . 0 20% 4320 cache_mgr proxy visible_hostname leda $
Options:
* http_port 3127 → Reserve Port 3127 for HTTP/HTTPS Connections.
* http_port 3128 intercept → Reserve Port 3128 for HTTP Connections to be intercepted by SquidCache.
* https_port 3129 intercept ssl-bump cert=/usr/local/squid/ssl_cert/proxyCA.pem key=/usr/local/squid/ssl_cert/proxyCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB → Reserve Port 3129 for HTTPS Connections to be intercepted by SquidCache using local certificate at server, not Global Trust Entity.
* ssl_bump server-first all → Bump the connection. Establish a secure connection with the server first, then establish a secure connection with the client, using a mimicked server certificate. (Ref,http://www.squid- cache.org/Versions/v3/3.5/cfgman/ssl_bump.html).
* sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB → Specify the Path and Options for SSL Certificate Generator.
* sslcrtd_children 8 startup=1 idle=1 → Specify maximum of 8 certificate generation processes that squid can create.
* acl → Access List Definition: - acl lab src 192.168.2.0/255.255.255.0 → Define ACL for Lab Network. - acl lab_internal src 192.168.4.0/255.255.255.0 → Define ACL for Lab Internal Network (Area Between Proxy Server and Lab Network Access Point). - acl localhost src 127.0.0.1/255.255.255.0 → Define ACL for Localhost (Loopback). - acl localnet dst 127.0.0.0/255.255.255.0 → Define ACL for
Document Number: 002-001 13 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
Localhost subnet (For Internal Loopback Services). - acl SSL_ports port 443 → Define ACL for SSL Ports (443) - acl Safe_ports port [XX] → Define ACL for Safe Ports (Allowed). - acl blockedsites url_regex -i "/usr/local/squid/etc/blocked.txt" → Define ACL for Custom URL to be denied. - acl CONNECT method CONNECT → Define ACL for CONNECT method in order to tunnel any kind of connection through HTTP Proxy. - acl SSL method CONNECT → Define ACL for CONNECT method in order to tunnel any secure connection through HTTPS Proxy.
* http_access → Allowing or Denying access based on defined access lists: - http_access deny blockedsites → Deny Access to every URL or word defined under blockedsites ACL. - http_access allow localhost → Allow Access to localhost ACL. - http_access allow localnet → Allow Access to localnet ACL. - http_access allow lab → Allow Access to lab ACL. - http_access allow lab_internal → Allow Access to lab_internal ACL. - http_access deny !Safe_ports → Deny Access to every port different than Safe_ports, excluding previous ACLs. - http_access deny CONNECT !SSL_ports → Deny Access to every port different than SSL_ports, excluding previous ACLs. - http_access deny all → Deny Access to all connections, excluding previous ACLs.
* cache_mem 512 MB → Specifies the ideal amount of memory to be used for: In-Transit objects, Hot Objects, Negative-Cached objects. (Ref,http://www.squid-cache.org/Versions/v3/3.5/cfgman/cache_mem.html).
* cache_dir ufs /u01/squid/cache 6144 16 256 → Store Cache Objects in disk as well. 6GB assigned to Disk Cache of 8Gb. You need to reserve 20% aprox. of your entire Disk. (Ref,http://www.squid-cache.org/Versions/v3/3.5/cfgman/ cache_dir.html).
* access_log /u01/squid/log/access.log squid → Logging HTTP and ICP transactions.
* pid_filename /u01/squid/run/squid.pid → Path for OS Squid PID File.
* cache_log /u01/squid/log/cache.log → Logging Squid Services.
* coredump_dir /u01/squid/log → Path to store Squid CoreDumps.
* ftp_user proxy@ → Define Virtual User to connect to anonymous FTP.
* refresh_pattern → Define Custom Rules for object expiration in cache. Please refer to http://www.squid-cache.org/Versions/v3/3.5/cfgman/refresh_pattern.html for more details: - refresh_pattern ^ftp: 1440 20% 10080 - refresh_pattern ^gopher: 1440 0% 1440 - refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
Document Number: 002-001 14 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
- refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880 - refresh_pattern (\.deb|\.udeb)$ 259200 100% 259200 - refresh_pattern (\.rpm|\.srpm)$ 259200 100% 259200 - refresh_pattern (\.xml|xml\.gz)$ 0 20% 2880 - refresh_pattern . 0 20% 4320
* cache_mgr proxy → Email-address of local cache manager who will receive mail if the cache dies. We are using “proxy” as a value. (Ref,http://www.squid-cache.org/Versions/v3/3.5/cfgman/cache_mgr.html).
* visible_hostname leda → This Hostname will show when an error or information arrived from SquidCache on Browser.
2. Prepare Store Area where the certificates will be dynamically created.
$ sudo mkdir -p /usr/local/squid/var/lib $ sudo /usr/local/squid/libexec/ssl_crtd -c -s /usr/local/squid/var/lib/ssl_db $ sudo chown -R proxy:proxy /usr/local/squid
3. Create Internal Trusted Certificate to be used by Proxy and End Point Machines:
$ sudo mkdir /usr/local/squid/ssl_cert $ cd /usr/local/squid/ssl_cert $ sudo openssl req -new -newkey rsa:1024 -days 5365 -nodes -x509 -keyout proxyCA.pem -out proxyCA.pem
Note: Enter parameters accordingly. Country Name (2 letter code) [AU]:CL State or Province Name (full name) [Some-State]:Valparaiso Locality Name (eg, city) []:Villa Alemana Organization Name (eg, company) [Internet Widgits Pty Ltd]:SETI-CHILE Organizational Unit Name (eg, section) []:IT Common Name (e.g. server FQDN or YOUR name) []:Proxy Email Address []:[email protected]
$ sudo openssl x509 -in proxyCA.pem -outform DER -out proxyCA.der $ sudo openssl x509 -in proxyCA.pem -inform PEM -out proxyCA.crt $ sudo chown -R proxy:proxy /usr/local/squid/ssl_cert
Note: proxyCA.crt Certificate will be installed at Linux and Windows OS Level including Browsers. proxyCA.der was created for compatibility for older Windows Versions and some Internet Browsers.
4. Create Squid Swap/Cache Directories:
$ sudo /usr/local/squid/sbin/squid -f /usr/local/squid/etc/squid.conf -z
Document Number: 002-001 15 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
5. Create Runlevel Service for SquidCache in order to autostart it at boot time. Create file /etc/init.d/squid and put below code on it:
$ sudo vi /etc/init.d/squid #! /bin/sh # # squid Startup script for the SQUID HTTP proxy-cache. # # Version: @(#)squid.rc 1.0 07-Jul-2006 luigi@debian.org # ### BEGIN INIT INFO # Provides: squid # Required-Start: $network $remote_fs $syslog # Required-Stop: $network $remote_fs $syslog # Should-Start: $named # Should-Stop: $named # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Squid HTTP Proxy version 3.x ### END INIT INFO
NAME=squid DESC="Squid HTTP Proxy" DAEMON=/usr/local/squid/sbin/squid #PIDFILE=/usr/local/squid/var/run/$NAME.pid PIDFILE=/u01/squid/run/$NAME.pid CONFIG=/usr/local/squid/etc/squid.conf SQUID_ARGS="-YC -f $CONFIG"
[ ! -f /etc/default/squid ] || . /etc/default/squid
. /lib/lsb/init-functions
PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/ local/squid/bin:/usr/local/squid/sbin:
[ -x $DAEMON ] || exit 0 ulimit -n 65535 find_cache_dir () { w=" " # space tab res=`$DAEMON -k parse -f $CONFIG 2>&1 | grep "Processing:" | sed s/.*Processing:\ // | sed -ne ' s/^['"$w"']*'$1'['"$w"']\+[^'"$w"']\+['"$w"']\+\ ([^'"$w"']\+\).*$/\1/p; t end; d; :end q'` [ -n "$res" ] || res=$2
Document Number: 002-001 16 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
echo "$res" } grepconf () { w=" " # space tab res=`$DAEMON -k parse -f $CONFIG 2>&1 | grep "Processing:" | sed s/.*Processing:\ // | sed -ne ' s/^['"$w"']*'$1'['"$w"']\+\([^'"$w"']\+\).*$/\1/p;
t end; d; :end q'` [ -n "$res" ] || res=$2 echo "$res" } create_run_dir () { run_dir=/usr/local/squid/var/run/squid usr=`grepconf cache_effective_user proxy` grp=`grepconf cache_effective_group proxy`
if [ "$(dpkg-statoverride --list $run_dir)" = "" ] && [ ! -e $run_dir ] ; then mkdir -p $run_dir chown $usr:$grp $run_dir [ -x /sbin/restorecon ] && restorecon $run_dir fi } start () { cache_dir=`find_cache_dir cache_dir` cache_type=`grepconf cache_dir` run_dir=/usr/local/squid/var/run/squid
# # Create run dir (needed for several workers on SMP) # create_run_dir
# # Create spool dirs if they don't exist. # if test -d "$cache_dir" -a ! -d "$cache_dir/00" then log_warning_msg "Creating $DESC cache structure" $DAEMON -z -f $CONFIG [ -x /sbin/restorecon ] && restorecon -R $cache_dir fi
umask 027
Document Number: 002-001 17 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
ulimit -n 65535 cd $run_dir start-stop-daemon --quiet --start \ --pidfile $PIDFILE \ --exec $DAEMON -- $SQUID_ARGS < /dev/null return $? } stop () { PID=`cat $PIDFILE 2>/dev/null` start-stop-daemon --stop --quiet --pidfile $PIDFILE --exec $DAEMON
# # Now we have to wait until squid has _really_ stopped. # sleep 2 if test -n "$PID" && kill -0 $PID 2>/dev/null then log_action_begin_msg " Waiting" cnt=0 while kill -0 $PID 2>/dev/null do cnt=`expr $cnt + 1` if [ $cnt -gt 24 ] then log_action_end_msg 1 return 1 fi sleep 5 log_action_cont_msg "" done log_action_end_msg 0 return 0 else return 0 fi } cfg_pidfile=`grepconf pid_filename` if test "${cfg_pidfile:-none}" != "none" -a "$cfg_pidfile" != "$PIDFILE" then log_warning_msg "squid.conf pid_filename overrides init script" PIDFILE="$cfg_pidfile" fi case "$1" in start) res=`$DAEMON -k parse -f $CONFIG 2>&1 | grep -o "FATAL: .*"` if test -n "$res"; then log_failure_msg "$res" exit 3
Document Number: 002-001 18 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
else log_daemon_msg "Starting $DESC" "$NAME" if start ; then log_end_msg $? else log_end_msg $? fi fi ;; stop) log_daemon_msg "Stopping $DESC" "$NAME" if stop ; then log_end_msg $? else log_end_msg $? fi ;; reload|force-reload) res=`$DAEMON -k parse -f $CONFIG 2>&1 | grep -o "FATAL: .*"` if test -n "$res"; then log_failure_msg "$res" exit 3 else log_action_msg "Reloading $DESC configuration files" start-stop-daemon --stop --signal 1 \ --pidfile $PIDFILE --quiet --exec $DAEMON log_action_end_msg 0 fi ;; restart) res=`$DAEMON -k parse -f $CONFIG 2>&1 | grep -o "FATAL: .*"` if test -n "$res"; then log_failure_msg "$res" exit 3 else log_daemon_msg "Restarting $DESC" "$NAME" stop if start ; then log_end_msg $? else log_end_msg $? fi fi ;; status) status_of_proc -p $PIDFILE $DAEMON $NAME && exit 0 || exit 3 ;; *) echo "Usage: /etc/init.d/$NAME {start|stop|reload|force-reload| restart|status}"
Document Number: 002-001 19 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
exit 3 ;; esac exit 0 $
6. Enable Squid Service using systemctl as following:
$ sudo systemctl enable squid.service $ sudo systemctl daemon-reload
Note: To Start/Stop or to know the Squid Service Status, run systemctl as following:
$ sudo systemctl start squid.service → Start Squid Services $ sudo systemctl stop squid.service → Stop Squid Services $ sudo systemctl status squid.service → Squid Services Status
7. Start Squid Service and Check Log for any errors:
$ sudo systemctl start squid.service $ sudo systemctl status squid.service $ sudo less /u01/squid/log/cache.log → (cache.log example) 2018/12/17 22:43:33 kid1| Set Current Directory to /u01/squid/log 2018/12/17 22:43:33 kid1| Starting Squid Cache version 3.5.28 for i686- pc-linux-gnu... 2018/12/17 22:43:33 kid1| Service Name: squid 2018/12/17 22:43:33 kid1| Process ID 737 2018/12/17 22:43:33 kid1| Process Roles: worker 2018/12/17 22:43:33 kid1| With 65535 file descriptors available 2018/12/17 22:43:33 kid1| Initializing IP Cache... 2018/12/17 22:43:34 kid1| DNS Socket created at [::], FD 6 2018/12/17 22:43:34 kid1| DNS Socket created at 0.0.0.0, FD 7 2018/12/17 22:43:34 kid1| Adding nameserver 192.168.2.223 from /etc/resolv.conf 2018/12/17 22:43:34 kid1| Adding nameserver 192.168.2.222 from /etc/resolv.conf 2018/12/17 22:43:34 kid1| Adding nameserver 208.67.222.222 from /etc/resolv.conf 2018/12/17 22:43:34 kid1| Adding domain lab.seti-chile.org from /etc/resolv.conf 2018/12/17 22:43:34 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes 2018/12/17 22:43:36 kid1| Logfile: opening log /u01/squid/log/access.log 2018/12/17 22:43:36 kid1| WARNING: log name now starts with a module name. Use 'stdio:/u01/squid/log/access.log' 2018/12/17 22:43:36 kid1| Unlinkd pipe opened on FD 16 2018/12/17 22:43:36 kid1| Store logging disabled 2018/12/17 22:43:36 kid1| Swap maxSize 524288 + 32768 KB, estimated 42850
Document Number: 002-001 20 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution objects 2018/12/17 22:43:36 kid1| Target number of buckets: 2142 2018/12/17 22:43:36 kid1| Using 8192 Store buckets 2018/12/17 22:43:36 kid1| Max Mem size: 32768 KB 2018/12/17 22:43:36 kid1| Max Swap size: 524288 KB 2018/12/17 22:43:36 kid1| Rebuilding storage in /u01/squid/cache (dirty log) 2018/12/17 22:43:36 kid1| Using Least Load store dir selection 2018/12/17 22:43:36 kid1| Set Current Directory to /u01/squid/log 2018/12/17 22:43:38 kid1| Finished loading MIME types and icons. 2018/12/17 22:43:38 kid1| HTCP Disabled. 2018/12/17 22:43:38 kid1| Squid plugin modules loaded: 0 2018/12/17 22:43:38 kid1| Adaptation support is off. 2018/12/17 22:43:38 kid1| Accepting HTTP Socket connections at local=[::]:3127 remote=[::] FD 19 flags=9 2018/12/17 22:43:38 kid1| Accepting NAT intercepted HTTP Socket connections at local=[::]:3128 remote=[::] FD 20 flags=41 2018/12/17 22:43:38 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:3129 remote=[::] FD 21 flags=41 2018/12/17 22:43:38 kid1| Done reading /u01/squid/cache swaplog (1419 entries) 2018/12/17 22:43:38 kid1| Finished rebuilding storage from disk. 2018/12/17 22:43:38 kid1| 1419 Entries scanned 2018/12/17 22:43:38 kid1| 0 Invalid entries. 2018/12/17 22:43:38 kid1| 0 With invalid flags. 2018/12/17 22:43:38 kid1| 1419 Objects loaded. 2018/12/17 22:43:38 kid1| 0 Objects expired. 2018/12/17 22:43:38 kid1| 0 Objects cancelled. 2018/12/17 22:43:38 kid1| 0 Duplicate URLs purged. 2018/12/17 22:43:38 kid1| 0 Swapfile clashes avoided. 2018/12/17 22:43:38 kid1| Took 1.76 seconds (804.93 objects/sec). 2018/12/17 22:43:38 kid1| Beginning Validation Procedure 2018/12/17 22:43:38 kid1| Completed Validation Procedure 2018/12/17 22:43:38 kid1| Validated 1419 Entries 2018/12/17 22:43:38 kid1| store_swap_size = 72292.00 KB 2018/12/17 22:43:38 kid1| storeLateRelease: released 0 objects $
SQUID GUARD CONFIGURATION
Below are the steps to configure SquidGuard and it integration with SquidCache in order to enable a robust Safe Content Filter.
1. Download Database Content Filter to be used by SquidGuard. As mentioned in the introduction we will use Shallalist database created by Shalla Secure Services:
$ cd /u01/squid/guard/db $ sudo wget http://www.shallalist.de/Downloads/shallalist.tar.gz $ sudo tar -xvzf shallalist.tar.gz $ sudo mv BL/* .
Document Number: 002-001 21 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
$ sudo rmdir BL $ sudo chown -R proxy:proxy *
2. Edit /usr/local/squidGuard/squidGuard.conf and place below Logging and ACL configuration:
$ vi /usr/local/squidGuard/squidGuard.conf dbhome /u01/squid/guard/db logdir /u01/squid/guard/log dest porn { domainlist porn/domains urllist porn/urls } dest socialnet { domainlist socialnet/domains urllist socialnet/urls } dest anonvpn { domainlist anonvpn/domains urllist anonvpn/urls } dest drugs { domainlist drugs/domains urllist drugs/urls } dest sex { domainlist sex/lingerie/domains urllist sex/lingerie/urls } dest dating { domainlist dating/domains urllist dating/urls } dest spyware { domainlist spyware/domains urllist spyware/urls } dest alcohol { domainlist alcohol/domains urllist alcohol/urls } dest aggressive {
Document Number: 002-001 22 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
domainlist aggressive/domains urllist aggressive/urls } dest violence { domainlist violence/domains urllist violence/urls } dest chat { domainlist chat/domains urllist chat/urls } acl { default { pass !porn !socialnet !anonvpn !drugs !sex !dating !spyware !alcohol !aggressive !violence !chat all redirect http://leda.lab.seti-chile.org:8080/block.html } } $
3. Integrate SquidGuard into Squid Cache Configuration. Edit /usr/local/squid/etc/squid.conf and add below instructions:
$ sudo vi /usr/local/squid/etc/squid.conf url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf url_rewrite_children 20 $
Options:
* url_rewrite_program → Including SquidGuard process through Squid rewrite program: - url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/ squidGuard/squidGuard.conf - url_rewrite_children 20
4. Build Safe Content Database. Run below commands to build Domains and Urls Databases:
$ cd /u01/squid/guard/db $ sudo squidGuard -c /usr/local/squidGuard/squidGuard.conf -b -C urls $ sudo squidGuard -c /usr/local/squidGuard/squidGuard.conf -b -C domains $ sudo chown -R proxy:proxy *
Document Number: 002-001 23 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
5. Restart SquidCache Service in order to activate SquidGuard and check SquidCache log for errors:
$ sudo systemctl stop squid.service $ sudo systemctl start squid.service $ sudo systemctl status squid.service $ sudo less /u01/squid/log/cache.log → (cache.log example) 2019/01/25 21:24:23 kid1| Set Current Directory to /u01/squid/log 2019/01/25 21:24:23 kid1| Starting Squid Cache version 3.5.28 for i686- pc-linux-gnu... 2019/01/25 21:24:23 kid1| Service Name: squid 2019/01/25 21:24:23 kid1| Process ID 24753 2019/01/25 21:24:23 kid1| Process Roles: worker 2019/01/25 21:24:23 kid1| With 65535 file descriptors available 2019/01/25 21:24:23 kid1| Initializing IP Cache... 2019/01/25 21:24:23 kid1| DNS Socket created at [::], FD 6 2019/01/25 21:24:23 kid1| DNS Socket created at 0.0.0.0, FD 7 2019/01/25 21:24:23 kid1| Adding nameserver 192.168.2.223 from /etc/resolv.conf 2019/01/25 21:24:23 kid1| Adding nameserver 192.168.2.222 from /etc/resolv.conf 2019/01/25 21:24:23 kid1| Adding nameserver 208.67.222.222 from /etc/resolv.conf 2019/01/25 21:24:23 kid1| Adding domain lab.seti-chile.org from /etc/resolv.conf 2019/01/25 21:24:23 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes 2019/01/25 21:24:23 kid1| helperOpenServers: Starting 0/20 'squidGuard' processes 2019/01/25 21:24:23 kid1| helperOpenServers: No 'squidGuard' processes needed. 2019/01/25 21:24:24 kid1| Logfile: opening log /u01/squid/log/access.log 2019/01/25 21:24:24 kid1| WARNING: log name now starts with a module name. Use 'stdio:/u01/squid/log/access.log' 2019/01/25 21:24:24 kid1| Unlinkd pipe opened on FD 16 2019/01/25 21:24:24 kid1| Store logging disabled 2019/01/25 21:24:24 kid1| Swap maxSize 524288 + 32768 KB, estimated 42850 objects 2019/01/25 21:24:24 kid1| Target number of buckets: 2142 2019/01/25 21:24:24 kid1| Using 8192 Store buckets 2019/01/25 21:24:24 kid1| Max Mem size: 32768 KB 2019/01/25 21:24:24 kid1| Max Swap size: 524288 KB 2019/01/25 21:24:24 kid1| Rebuilding storage in /u01/squid/cache (clean log) 2019/01/25 21:24:24 kid1| Using Least Load store dir selection 2019/01/25 21:24:24 kid1| Set Current Directory to /u01/squid/log 2019/01/25 21:24:24 kid1| Finished loading MIME types and icons. 2019/01/25 21:24:24 kid1| HTCP Disabled. 2019/01/25 21:24:24 kid1| Squid plugin modules loaded: 0 2019/01/25 21:24:24 kid1| Adaptation support is off. 2019/01/25 21:24:24 kid1| Accepting HTTP Socket connections at
Document Number: 002-001 24 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution local=[::]:3127 remote=[::] FD 19 flags=9 2019/01/25 21:24:24 kid1| Accepting NAT intercepted HTTP Socket connections at local=[::]:3128 remote=[::] FD 20 flags=41 2019/01/25 21:24:24 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:3129 remote=[::] FD 21 flags=41 2019/01/25 21:24:24 kid1| Done reading /u01/squid/cache swaplog (1500 entries) 2019/01/25 21:24:24 kid1| Finished rebuilding storage from disk. 2019/01/25 21:24:24 kid1| 1500 Entries scanned 2019/01/25 21:24:24 kid1| 0 Invalid entries. 2019/01/25 21:24:24 kid1| 0 With invalid flags. 2019/01/25 21:24:24 kid1| 1500 Objects loaded. 2019/01/25 21:24:24 kid1| 0 Objects expired. 2019/01/25 21:24:24 kid1| 0 Objects cancelled. 2019/01/25 21:24:24 kid1| 0 Duplicate URLs purged. 2019/01/25 21:24:24 kid1| 0 Swapfile clashes avoided. 2019/01/25 21:24:24 kid1| Took 0.16 seconds (9484.37 objects/sec). 2019/01/25 21:24:24 kid1| Beginning Validation Procedure 2019/01/25 21:24:24 kid1| Completed Validation Procedure 2019/01/25 21:24:24 kid1| Validated 1500 Entries 2019/01/25 21:24:24 kid1| store_swap_size = 86348.00 KB 2019/01/25 21:24:25 kid1| storeLateRelease: released 0 objects 2019/01/25 21:25:18 kid1| Starting new redirector helpers... 2019/01/25 21:25:18 kid1| helperOpenServers: Starting 1/20 'squidGuard' processes 2019-01-25 21:25:18 [24768] INFO: New setting: dbhome: /u01/squid/guard/db 2019-01-25 21:25:18 [24768] INFO: New setting: logdir: /u01/squid/guard/log 2019-01-25 21:25:18 [24768] init domainlist /u01/squid/guard/db/porn/domains 2019-01-25 21:25:18 [24768] INFO: loading dbfile /u01/squid/guard/db/porn/domains.db 2019-01-25 21:25:18 [24768] init urllist /u01/squid/guard/db/porn/urls 2019-01-25 21:25:18 [24768] INFO: loading dbfile /u01/squid/guard/db/porn/urls.db 2019-01-25 21:25:18 [24768] init domainlist /u01/squid/guard/db/socialnet/domains 2019-01-25 21:25:18 [24768] INFO: loading dbfile /u01/squid/guard/db/socialnet/domains.db 2019-01-25 21:25:18 [24768] init urllist /u01/squid/guard/db/socialnet/urls 2019-01-25 21:25:18 [24768] INFO: loading dbfile /u01/squid/guard/db/socialnet/urls.db 2019-01-25 21:25:18 [24768] init domainlist /u01/squid/guard/db/anonvpn/domains 2019-01-25 21:25:18 [24768] INFO: loading dbfile /u01/squid/guard/db/anonvpn/domains.db 2019-01-25 21:25:18 [24768] init urllist /u01/squid/guard/db/anonvpn/urls
2019-01-25 21:25:18 [24768] INFO: loading dbfile /u01/squid/guard/db/anonvpn/urls.db
Document Number: 002-001 25 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
2019-01-25 21:25:18 [24768] init domainlist /u01/squid/guard/db/drugs/domains 2019-01-25 21:25:18 [24768] INFO: loading dbfile /u01/squid/guard/db/drugs/domains.db 2019-01-25 21:25:18 [24768] init urllist /u01/squid/guard/db/drugs/urls 2019-01-25 21:25:18 [24768] INFO: loading dbfile /u01/squid/guard/db/drugs/urls.db 2019-01-25 21:25:18 [24768] init domainlist /u01/squid/guard/db/sex/lingerie/domains 2019-01-25 21:25:18 [24768] INFO: loading dbfile /u01/squid/guard/db/sex/ lingerie/domains.db 2019-01-25 21:25:18 [24768] init urllist /u01/squid/guard/db/sex/lingerie/urls 2019-01-25 21:25:18 [24768] INFO: loading dbfile /u01/squid/guard/db/sex/ lingerie/urls.db 2019-01-25 21:25:18 [24768] init domainlist /u01/squid/guard/db/dating/domains 2019-01-25 21:25:18 [24768] INFO: loading dbfile /u01/squid/guard/db/dating/domains.db 2019-01-25 21:25:18 [24768] init urllist /u01/squid/guard/db/dating/urls 2019-01-25 21:25:18 [24768] INFO: loading dbfile /u01/squid/guard/db/dating/urls.db 2019-01-25 21:25:18 [24768] init domainlist /u01/squid/guard/db/spyware/domains 2019-01-25 21:25:18 [24768] INFO: loading dbfile /u01/squid/guard/db/spyware/domains.db 2019-01-25 21:25:18 [24768] init urllist /u01/squid/guard/db/spyware/urls
2019-01-25 21:25:18 [24768] INFO: loading dbfile /u01/squid/guard/db/spyware/urls.db 2019-01-25 21:25:18 [24768] init domainlist /u01/squid/guard/db/alcohol/domains 2019-01-25 21:25:18 [24768] INFO: loading dbfile /u01/squid/guard/db/alcohol/domains.db 2019-01-25 21:25:18 [24768] init urllist /u01/squid/guard/db/alcohol/urls
2019-01-25 21:25:18 [24768] INFO: loading dbfile /u01/squid/guard/db/alcohol/urls.db 2019-01-25 21:25:18 [24768] init domainlist /u01/squid/guard/db/aggressive/domains 2019-01-25 21:25:18 [24768] INFO: loading dbfile /u01/squid/guard/db/aggressive/domains.db 2019-01-25 21:25:18 [24768] init urllist /u01/squid/guard/db/aggressive/urls 2019-01-25 21:25:18 [24768] INFO: loading dbfile /u01/squid/guard/db/aggressive/urls.db 2019-01-25 21:25:18 [24768] init domainlist /u01/squid/guard/db/violence/ domains 2019-01-25 21:25:18 [24768] INFO: loading dbfile /u01/squid/guard/db/violence/domains.db 2019-01-25 21:25:18 [24768] init urllist /u01/squid/guard/db/violence/urls
Document Number: 002-001 26 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
2019-01-25 21:25:18 [24768] INFO: loading dbfile /u01/squid/guard/db/violence/urls.db 2019-01-25 21:25:18 [24768] init domainlist /u01/squid/guard/db/chat/domains 2019-01-25 21:25:18 [24768] INFO: loading dbfile /u01/squid/guard/db/chat/domains.db 2019-01-25 21:25:18 [24768] init urllist /u01/squid/guard/db/chat/urls 2019-01-25 21:25:18 [24768] INFO: loading dbfile /u01/squid/guard/db/chat/urls.db $
Note: Database List for domains (domains.db) and urls (urls) will appears in log when you try to access any webpage through SquidCache. When we perform testing in next chapter, this log will be populated with above information.
3.3 POST-IMPLEMENTATION TASKS
BROWSER CONFIGURATION AND CERTIFICATES
As mentioned in Planing phase, next instructions cover the Certificate Import Process to Windows and Linux Clients and to Internet Browser that uses independent Certificate Wallet, like Mozilla Firefox.
IMPORT CERTIFICATES AT OS WALLET ON WINDOWS CLIENTS
1. Start Microsoft Management Console Tool:
Click Start → Run → Enter “mmc” without quotes with Administration Privileges and click “OK”
Notes: If Run Option Not appear in the Start Menu, Just Press “Windows Key” + “r”.
Document Number: 002-001 27 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
2. Click on “File” and then on “Add/Remove Snap-in...”:
3. Select Certificates then Click on “Add” Button:
Document Number: 002-001 28 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
4. Mark “Computer Account” and then Click on “Next” Button:
Document Number: 002-001 29 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
5. Mark “Local Computer” Option and the Click on “Finish”:
Document Number: 002-001 30 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
6. Click on “OK” Button to Return to Console:
Document Number: 002-001 31 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
7. Expand Certificates (Local Computer) then Click with 2nd Mouse Button on “Trusted Root Certification Authorities”. Go to “All Tasks” Option and Click on “Import”. A “Certificate Import Wizard” Window will be opened with “Local Machine” Option Marked as Default. Then Click on “Next” Button.
Document Number: 002-001 32 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
8. Click on “Browse...” Button and find proxyCA.crt certificate previously created in the SquidCache Implementation. Then Click on “Next” Button:
Document Number: 002-001 33 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
9. Mark “Place All Certificates in the Following Store” Option and Ensure “Certificate Store” is “Trusted Root Certification Authorities”. Then Click on “Next” Button.
Document Number: 002-001 34 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
10. Certificate is now imported. Click on “Finish” Button to close “Certificate Import Wizard”:
Document Number: 002-001 35 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
2. IMPORT CERTIFICATES AT OS WALLET ON LINUX BASED CLIENTS.
UBUNTU/DEBIAN BASED SERVERS
1. Create a directory for CA Certificates under /usr/share/ca- certificates as following:
$ sudo mkdir /usr/share/ca-certificates/proxy
2. Copy the Certificate File “proxyCA.crt” to previous created directory:
$ sudo cp proxyCA.crt /usr/share/ca-certificates/proxy/
3. Configure Ubuntu Certificates Wallet in order to add new Certificate:
$ sudo dpkg-reconfigure ca-certificates
REDHAT/CENTOS/OEL BASED SERVERS
1. Copy the Certificate File “proxyCA.crt” to /usr/pki/ca-trust/source/anchors/ directory:
$ sudo cp proxyCA.crt /usr/pki/ca-trust/source/anchors/
2. Configure Redhat CA Certificates Wallet in order to add new Certificate:
$ sudo update-ca-trust
Notes: If you are not using sudo, perform above steps as root.
Document Number: 002-001 36 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
3. IMPORT CERTIFICATES TO CLIENT BROWSERS
There are some Internet Browsers like Mozilla Firefox and others Mozilla based clones that uses an independent Wallet to store Certificates. In below steps, we will explain how to add CA Certificate to Mozilla Firefox browser.
1. Open Mozilla Firefox and Go to Options under Main Menu. Follow below Picture:
Document Number: 002-001 37 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
2. Go to “Privacy & Security” Option and then go to “Certificate” Area. Click on “View Certificates...” Button:
Document Number: 002-001 38 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
3. Inside “Certificate Manager”, Go to “Authorities” and then Click on “Import” Button:
Document Number: 002-001 39 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
4. Find and Select “proxyCA.crt” Certificate and then Click on “Open” Button:
Document Number: 002-001 40 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
5. Mark Options “Trust this CA to identify websites.” and “Trust this CA to identify email users.” and then Click “OK” Button:
Document Number: 002-001 41 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
3.4 TESTING
Document Number: 002-001 42 Technical Paper: Linux Administration – Implement HTTP/HTTPS Transparent Proxy with Safe Content Solution
Document Number: 002-001 43