Scribd Logo
Upload

Welcome to Scribd!

  • SQUID On CentOS 6.7

    Uploaded by

    jpgonzalezj
    89 views6 pages

    Original Title

    SQUID on CentOS 6.7

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    89 views6 pages

    SQUID On CentOS 6.7

    Uploaded by

    jpgonzalezj

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 6

    Instalacin y configuracin del Squid Proxy-Cache en CentOS

    Paso 1: Limpiar las IPTables


    iptables -F
    iptables -t nat -F
    iptables --delete-chain
    iptables -t nat --delete-chain
    Paso 2: Modificar IPTables, Squid se har cargo del FORWARD
    # iptables -A INPUT -i eth1 -j ACCEPT
    # iptables -A INPUT -i eth2 -j ACCEPT
    # iptables -A OUTPUT o eth1 -j ACCEPT
    # iptables -A OUTPUT o eth2 -j ACCEPT
    # iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
    # service iptables save
    Paso 3: Instalar repositorios adicionales
    # yum -y install epel-release
    # yum -y install http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.31.el6.rf.x86_64.rpm
    Paso 4: Instalar el Squid Proxy-Cache
    # yum -y install squid
    Configuracin del Squid
    # nano -c /etc/squid/squid.conf
    lnea 29: agregar
    acl LAN src 192.168.10.0/24
    acl DMZ src 192.168.32.0/24
    lnea 58: agregar
    http_access allow LAN
    http_access allow DMZ
    lnea 64: Debe de quedar as
    http_port 192.168.10.1:3128
    http_port 192.168.32.1:3128
    http_port 127.0.0.1:3128
    final del archivo: agregar
    request_header_access Referer deny all
    request_header_access X-Forwarded-For deny all
    request_header_access Via deny all
    request_header_access Cache-Control deny all
    visible_hostname proxy.nombre.local
    forwarded_for off
    # service squid start
    # chkconfig squid on

    Paso 5: Pruebas
    Asigne el proxy a el servidor y al cliente de Ubuntu
    LAN
    IP: 192.168.10.1
    Puerto: 3128
    DMZ
    IP: 192.168.32.1
    Puerto: 3128
    Navegue por internet
    Paso 6: Integrar el Clamd AntiVirus al Squid Proxy-Cache
    # yum -y install clamav wget curl
    # freshclam
    # yum -y groupinstall Development Tools
    # curl -L -O http://ufpr.dl.sourceforge.net/project/c-icap/c-icap/0.4.x/c_icap-0.4.3.tar.gz
    # tar zxvf c_icap-0.4.3.tar.gz
    # cd c_icap-0.4.3
    # ./configure && make && make install && cd
    # cp /usr/local/etc/c-icap.conf /etc
    Configuracin del AntiVirus
    # nano -c /etc/c-icap.conf
    Lnea 161: defina el correo del administrador
    ServerAdmin root@nombre.local
    Lnea 170: ponga el nombre que se asign el Squid
    ServerName proxy.nombre.local
    Lnea 568: agregar
    Service squidclamav squidclamav.so
    Cree el siguiente Script de arranque del servicio:
    #nano /etc/rc.d/init.d/c-icap
    #!/bin/bash
    # c-icap: Start/Stop c-icap
    # chkconfig: - 70 30
    # description: c-icap is an implementation of an ICAP server.
    # processname: c-icap
    # pidfile: /var/run/c-icap/c-icap.pid
    . /etc/rc.d/init.d/functions
    . /etc/sysconfig/network
    CONFIG_FILE=/etc/c-icap.conf
    PID_DIR=/var/run/c-icap

    RETVAL=0
    start() {
    echo -n $"Starting c-icap: "
    daemon /usr/local/bin/c-icap -f $CONFIG_FILE
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/c-icap
    return $RETVAL
    }
    stop() {
    echo -n $"Stopping c-icap: "
    killproc c-icap
    rm -f /var/run/c-icap/c-icap.ctl
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f $PID_DIR/c-icap.pid /var/lock/subsys/c-icap
    return $RETVAL
    }
    case "$1" in
    start)
    start
    ;;
    stop)
    stop
    ;;
    status)
    status c-icap
    ;;
    restart)
    stop
    start
    ;;
    *)
    echo $"Usage: $0 {start|stop|status|restart}"
    exit 1
    esac
    exit $?

    Asigne los permisos necesarios al Script


    # chmod 755 /etc/rc.d/init.d/c-icap
    Instale el SquidClamAV
    # curl -L -O http://heanet.dl.sourceforge.net/project/squidclamav/squidclamav/6.15/squidclamav-6.15.tar.gz

    # tar zxvf squidclamav-6.15.tar.gz


    # cd squidclamav-6.15
    # ./configure --with-c-icap && make && make install && cd
    # ln -s /usr/local/etc/squidclamav.conf /etc/squidclamav.conf
    Configuracin del SquidClamAV
    # nano -c /etc/squidclamav.conf
    Lnea 18: Defina la URL donde se reenviaran las pginas infectadas
    redirect http://www.ina.ac.cr/

    Lnea 27: Defina el socket de escucha (mismo que el clamd)


    clamd_local /var/run/clamav/clamd.sock
    # service c-icap start
    # chkconfig --add c-icap
    # chkconfig c-icap on
    Integrar el AntiVirus con el Squid
    # nano /etc/squid/squid.conf
    Final del fichero: agregar
    icap_enable on
    icap_send_client_ip on
    icap_send_client_username on
    icap_client_username_header X-Authenticated-User
    icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav

    adaptation_access service_req allow all


    icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav

    adaptation_access service_resp allow all


    # squid -k reconfigure
    # service squid restart
    Paso 7: Instalar el Web Filter DansGuardian
    # yum -y install dansguardian
    Configuracin del DansGuardian
    # nano -c /etc/dansguardian/dansguardian.conf
    Lnea 26: Cambiar idioma
    languaje = spanish
    Lnea 88: Definir el puerto de escucha del DandsGuardian
    filterport = 8080
    Lnea 94: Definir el puerto de escucha del Squid
    proxyport = 3128
    Iniciar el servicio
    # service dansguardian start
    # chkconfig dansguardian on
    Paso 8: Crear listas negras para el Web Filter
    # nano /etc/dansguardian/lists/bannedsitelist
    Agregar al fichero:
    yahoo.com

    google.com
    opendns.com
    cisco.com
    babosas.com
    Reiniciar el servicio
    # service dansguardian restart
    Pruebas: Cambie en los clientes el puerto proxy por el 8080 y navegue por los sitios agregados al
    fichero.
    Paso 9: Instalar el reporteador LightSquid
    # yum -y groupinstall Web Server
    # yum -y install lightsquid lightsquid-apache perl perl-CGI
    Habilitar soporte para CGI Scripting en el servidor web
    # nano /etc/httpd/conf/httpd.conf
    Lnea 576: Defina la ubicacin del CGI Scripting
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
    Lnea 331: La lnea debe quedar as
    Options FollowSymLinks ExecCGI
    Lnea 769: descomente la lnea y agregue el soporte de perl
    AddHandler cgi-script .cgi .pl
    Iniciar el servicio
    # service httpd start
    # chkconfig httpd on
    Configuracin del LightSquid
    # nano /etc/httpd/conf.d/lightsquid.conf
    Modifique el fichero para que se vea as: SOLO desde DMZ se tendr Acceso.
    <Directory /usr/share/lightsquid/cgi>
    DirectoryIndex index.cgi
    Options ExecCGI
    AddHandler cgi-script .cgi
    AllowOverride None
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1 192.168.32.0/24
    </Directory>
    Reinicie el Servicio Web

    # service httpd restart


    Generar el reporte (se ejecuta cada que quiera un nuevo reporte)
    # /usr/sbin/lightparser.pl
    Pruebas: Desde el servidor ingrese a
    http://192.168.32.1/lightsquid/

    You might also like