20 March 2017

Configure Squid Proxy with LDAP Auth | Active Directory

Recently a client of mine asked if we could implement a proxy server which forced each user to authenticate with their AD credentials.  They currently had a rather cut-down Squid server running in their environment and it was logging traffic, but there was no way to work out which users were browsing the most.  There was IP tracking, but when using a hot-desk situation, no user had a specific machine.

The following steps are what I've done to get this up and running where it forces each user to authenticate against AD, and denies all access if they don't authenticate correctly.

Assumptions: you've already got a working copy of Linux up and running in your virtual environment.  In this case, I was using Ubuntu 16.04.
The other assumption is that you have installed the LDAP role within Server Manager within your AD environment.

1. Download/Install Squid
sudo apt-get install squid
This will install Squid onto the Linux machine.  

2. Open ldap.conf which can be found at /etc/ldap/ldap.conf
3. Set BASE to your domain (in my case it's test.internal as I've blogged this within a test environment).  I've updated the URI section too, however it's hashed out and not needed.
4. Edit squid.conf which can be found here: /etc/squid/squid.conf
5. Search for the following section: auth_param basic program, then enter the following details:
Note: most of this will already be there, you will just need to un-hash it.  The IP address used is the DC.  The blurred out section is the password I have used for the Administrator account which is mentioned within this section.
Also note that the credentialsttl will be how long a user can be logged in for before they're prompted again.  For testing purposes I set it to 15 minutes, you could set this to 2 hours.
6. Within the same document, search for acl safe_ports and then add the highlighted section below:
7. In the same document, search for http_access allow localhost, then add the highlighted section underneath it
8. Search for cache_dir ufs and then un-hash that section
9. Update the proxy settings within your environment to point to the Squid server on port 3128.  When you try to access a website, you should be greeted with the following message:
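
The squid.conf changes from steps 5 to 7, written out as text; this is an added example, not the author's configuration (the original screenshots are not reproduced here), showing the bind described in step 5 next to a variant that binds with a dedicated low-privilege account and reads its password from a file. The DC address 192.0.2.10, the svc-squid account, the secret file path and the ACL name ldap-auth are assumptions.

```conf
# /etc/squid/squid.conf (Squid 3.5 on Ubuntu 16.04). Assumed values, not from
# the post: DC 192.0.2.10, account svc-squid, secret file path, ACL name.

# Step 5 as described: bind as Administrator with the password inline (-w).
# Anyone who can read squid.conf or list processes on the proxy can see it.
#auth_param basic program /usr/lib/squid/basic_ldap_auth -R -b "dc=test,dc=internal" -D "cn=Administrator,cn=Users,dc=test,dc=internal" -w "PLACEHOLDER_PASSWORD" -f "sAMAccountName=%s" -h 192.0.2.10

# Variant: an ordinary domain user that only needs to search the directory,
# with the password read from a file (-W). The file should be mode 0400 and
# owned by the user Squid runs as (proxy on Ubuntu).
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -b "dc=test,dc=internal" -D "cn=svc-squid,cn=Users,dc=test,dc=internal" -W /etc/squid/ldap_bind.secret -f "sAMAccountName=%s" -h 192.0.2.10

# -h on the default port 389 is a cleartext simple bind. Once the DC has a
# certificate the proxy trusts, add "-v 3 -Z" (StartTLS) or replace -h with
# "-H ldaps://<dc hostname>".

auth_param basic children 5
auth_param basic realm Squid proxy (test.internal)

# How long Squid accepts an already validated username/password pair before
# asking the helper (and so the DC) again. A disabled account or a changed
# password keeps working at the proxy until this expires.
auth_param basic credentialsttl 15 minutes

# Step 6: next to the existing "acl Safe_ports ..." lines.
acl ldap-auth proxy_auth REQUIRED

# Step 7: order matters. Squid stops at the first matching http_access line,
# so the allow for authenticated users must sit above the final deny.
http_access allow localhost
http_access allow ldap-auth
http_access deny all

# Checks before reloading:
#   squid -k parse
#       reports syntax errors in squid.conf
#   echo "someuser somepassword" | /usr/lib/squid/basic_ldap_auth <same options as above>
#       prints OK for valid credentials and ERR otherwise
```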



Install reporting tool for tracking user's browsing
In order to track the user's browsing, you will need to get Webmin, and also SARG.  These work together to allow you to make nice little reports which will show where users have been going and how much data they're using etc.

The following tasks will be completed within the Terminal
1. sudo nano /etc/apt/sources.list
2. Add the following two lines to the document you've just opened up
deb http://download.webmin.com/download/repository sarge contrib
deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib
3. Save the document and close out of it
4. sudo wget http://www.webmin.com/jcameron-key.asc
5. sudo apt-key add jcameron-key.asc
6. sudo apt-get update
7. sudo apt-get install webmin -y
8. sudo ufw allow 10000

This will then allow you to access the Webmin web portal on https://localhost:10000
Log in with your administrator (local admin) credentials

Click on un-used modules then find Squid Proxy
You will most likely see a message saying it wasn't able to find squid.  This will be because it's looking for /squid3/ rather than just /squid/.  You will need to edit the config and change squid3 to just squid everywhere you see it.



In order to use the Squid Report Generator, you will need to install SARG.  To do this, open Terminal and type the following:

sudo apt-get install sarg

Then you can click on Squid Report Generator within Webmin and be able to run reports on usage etc.
