Instructions on how to get DansGuardian and Squid to do auth against an Windows Server 2008 R2 Active Directory, to allow multi-group filtering options. To help with managing the server webmin is set up along side. This assumes you’re going to run this with one ethernet port to the local network, and that you have DNS servers that are stable on the network.
Install Debian
Install Debian from CD1, normal istall mode is fine. Mostly just answer the questions as normal except when you get to “tasksel”, unmark “Grahical Desktop environment” and mark “SSH server”. If it’s just a proxy, you don’t need anything else!
Once you’ve rebooted after installing Debian, log in and use “ifconfig” to find you IP address (unless you entered a static one during install), then you can complete the rest of these instructions via SSH (and copy/paste the commands in!). I also personally prefer to edit the config files via SCP so I get to use a pretty GUI text editor.
Configure network and DNS
Navigate to /etc/network/interfaces and edit the primary network interface settings to match below. Use your own IP address. The DNS nameserver should be your internal AD DNS server, probably your domain controller. It must be as an IP address.
allow-hotplug eth0
auto eth0
iface eth0 inet static
address 192.168.0.7
netmask 255.255.255.0
gateway 192.168.0.254
dns-nameservers 192.168.0.2
dns-search exampledomain.local
Then issue /etc/init.d/networking restart
to change to the new IP settings. Remeber if you do this via SSH you will have to connection dropped and you’ll need to log in again.
Add Webmin repository
Webmin isn’t included in the standard Debian repository, but never fear, it’s got it own so we’ll get regular updates.
Add the following to the end of /etc/apt/sources.list
:
# webmin repository
deb http://download.webmin.com/download/repository sarge contrib
deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib
Now run the follwing three commands to download and install the GPG signing key used:
cd /root
wget http://www.webmin.com/jcameron-key.asc
apt-key add jcameron-key.asc
Update repositories and upgrade packages
Next we’ll update the repository list and then apply any updates so we’re kept secure.
apt-get update
apt-get upgrade
Install our packages!
Now onto the install itself! The following command will install everything we need: Samba, Squid, DansGuardian, Webmin and a few dependencies on the side. It asks for the debian install CD to be inserted part way in, and depending on the speed of your internet connection could take several minutes.
apt-get install dnsmasq webmin squid dansguardian samba winbind krb5-user libcompress-zlib-perl resolvconf ntp ntpdate
It will ask to specify your workgroup/domain you want the server to be in, enter your domain in caps like this: EXAMPLE
and not like this EXAMPLE.LOCAL
Configure Kerberos
Next a small bit of configration to take care of:
dpkg-reconfigure krb5-config
It will ask for:
- Default Kerberos version 5 realm: EXAMPLEDOMAIN.LOCAL
- Add locations of default Kerberos servers to /etc/krb5.conf? No
Configure NTP with your domain
Networks run better when all the machines have the same time, so we’ll change us from getting Network Time Protcotol updates from Debians servers to just using our domain controller.
Add server domaincontroller.exampledomain.local iburst
to /etc/ntp.conf
below
# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
# pick a different set every time it starts up. Please consider joining the
# pool:
server 0.debian.pool.ntp.org iburst
server 1.debian.pool.ntp.org iburst
server 2.debian.pool.ntp.org iburst
server 3.debian.pool.ntp.org iburst
and comment out the four Debian time server entries.
Configure Samba
Make a backup copy of /etc/samba/smb.conf
before we start to edit it.
Under the section labeled “Authentication” add security = ads
below the line which reads # security = user
Under the section labeled “Domains” add domain logons = no
immediatly below the line ; domain logons = yes
Under the “Misc” section, find the following two lines:
; idmap uid = 10000-20000
; idmap gid = 10000-20000
and uncomment them (remove the ‘;’ from the begining of each line.)
At this point add the following three lines, just above the next section marked “Share Definitions”
winbind trusted domains only = yes
realm = EXAMPLEDOMAIN.LOCAL
winbind cache time = 3600
All done for smb.conf, so save and exit.
Prepare to join the domain
Restart samba, winbind and synchronize the time with the domain controller.
net time set -S domaincontroller
/etc/init.d/winbind stop
/etc/init.d/samba restart
/etc/init.d/winbind start
Join the domain
First reboot: this may not be needed but it seems to help. Join the machine to the domain:
kinit Administrator
net ads join -U Administrator
You’ll be asked for the password of the domain user you specify at the end of the command, once for each command. You should get:
root@proxy:~# kinit Administrator
Password for Administrator@EXAMPLEDOMAIN.LOCAL:
root@sbproxy:~# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- EXAMPLEDOMAIN
Joined 'PROXY' to realm 'exampledomain.local'
As this sometimes gives a positive result without actually doing what’s required, the following is an essential check:
wbinfo -t
This should give: checking the trust secret for domain EXAMPLEDOMAIN via RPC calls succeeded
. If this step fails, you can’t procede. Rebooting a few times and starting from the begining of ‘Join the domain’ should fix it.
Final checks on having the domain auth working, try these to commands, the first of which should all the users in the domain (which does mean it can take some time!) and the second of which should list all the groups on the domain.
wbinfo -u
wbinfo -g
Configure Squid
Make a backup copy of /etc/squid/squid.conf
before we start to edit it.
Add the following three lines below the block of #auth_param
that are there, leave them incase you want to change something in the future.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic realm exampledomain
Add:
acl ntlm_auth proxy_auth REQUIRED
http_access allow ntlm_auth
above:
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
Comment out this line (shortly after the above code):
http_access allow localhost
Squid needs access to /var/run/samba/winbindd_privileged
We can easily fix this but the permissions will reset when we reboot. So Jesse Waters on ubuntuforums.org posted a script that will set the permissions on every system boot. Create /etc/init.d/winbind-ch.sh
and paste the following into it. You need to set it’s permissions to 755 to allow excution. You can download a copy of this in a file from www.petespcs.co.uk/dangerous/windbind-cd.sh
#!/bin/sh
#set -x
WINBINDD_PRIVILEGED=/var/run/samba/winbindd_privileged
chmodgrp() {
chgrp proxy $WINBINDD_PRIVILEGED || return 1
chmod g+w $WINBINDD_PRIVILEGED || return 1
}
case "$1" in
start)
chmodgrp
;;
restart|reload|force-reload)
echo "Error: argument '$1' not supported" >&2
exit 3
;;
stop)
;;
*)
echo "Usage: $0 start|stop" >&2
exit 3
;;
esac
#EOF
Following this run update-rc.d winbind-ch.sh start 21 2 3 4 5 .
to finish that off.
Configure Dans Guardian
Make a backup copy of /etc/dansguardian/dansguardian.conf
before we start to edit it.
First, a simple edit: comment out the line UNCONFIGURED - Please remove this line after configuration
Find the line filtergroups = 1
and change it to however many filter groups you feel you need, but be warned that the webmin interface can only handle so many.
Uncomment the following two lines:
authplugin = '/etc/dansguardian/authplugins/proxy-basic.conf'
authplugin = '/etc/dansguardian/authplugins/proxy-ntlm.conf'
That’s all in that file, so close and save.
/etc/dansguardian/dansguardianf1.conf as a backup, and then make copies for each of your filter groups, so if you have 3 filter groups, you’ll need 3 files called:
/etc/dansguardian/dansguardianf1.conf
/etc/dansguardian/dansguardianf2.conf
/etc/dansguardian/dansguardianf3.conf
No edits needed on them, it can all be easily done from Webmin later
Setup Webmin
Open a web browser to https://yourproxyip:10000/ and log in with root. Go to Webmin > Webmin Configuration > Webmin Modules
Select “From ftp or http URL” and paste the link below into the dialog box and click Install Module.
http://downloads.sourceforge.net/project/dgwebminmodule/dgwebmin-stable/0.7/dgwebmin-0.7.1.wbm
You might want to check the SourceForge site for a newer version, see http://sourceforge.net/projects/dgwebminmodule/. You can get the address for the link above by going to download the lastest version, but when offered the download, cancel it and right click on the direct download link and select “Copy link location”.
Due to Debian choosing to install programs to slightly different location to others, you need to change a few of the settings in the Dans Guardian webmin module configration. Go to Servers > DansGuardian Web Content Filter > Module config
and change Full path to DG binary
to /usr/sbin/dansguardian
We also need to remove rc.d/
from “Command to restart DG”, “Command to start DG” and “Command to stop DG”.
Setup regular blocklist updates
Shallalist provides freee for non-commerical use (including education) url and domain blocklists. They update these upto every 24 hours. A simple cron job can be setup to download these, all thats needed is a simple shell script. You can download a copy from www.petespcs.co.uk/dangerous/updatebl.sh
To create a cron job in Webmin, go to System > Scheduled Cron Jobs
then click on “Create a new scheduled cron job.”. The answers I recommend you enter are:
- Execute cron job as root
- Command /path/to/updatebl.sh
- When to execute Times and dates selected below ..
- Mintues Selected .. 1
- Hours Selected .. 0
- Days All
- Months All
- Weekdays Selected .. Monday, Tuesday, Wednesday, Thursday, Friday
Click create and then you’ll be back at the list of cron jobs. Click on the one at the bottom of the list which will be the one you’ve just created, click on it to open it and click on “Run now” to make sure it works correctly and doesn’t give any errors, and also to put the blacklists in place to start with.
I recommend these settings as the blacklists are updated a maximium of once over 24 hours. The script will run while no-one is likely to be around, so won’t be interputed by DansGuardian restarting, but will only run on weekdays, so if it goes wrong for whatever reason – they don’t include one of the catagories for example – you’ll be there before anyone notices…just incase someone comes in on Saturday and finds that it’s not working!
To work with these blacklists, you’ll need to modify your /etc/dansguardian/lists/bannedurllist
and /etc/dansguardian/lists/bannedsitelist
files, otherwise DansGuardain won’t start as it won’t be able to find the files that are referenced. Example files are attahced, which matched the lists provided by Shalla in October 2011. For your ease they contain descriptive comments on each list, and all lists are commented out so they as they stand block nothing. Just uncomment the .Include
lines that fit with what you want to block. You can find the same files at www.petespcs.co.uk/dangerous/bannedurllist and www.petespcs.co.uk/dangerous/bannedsitelist
This guide is based around advice from HowtoForge: How To Install And Configure Dansguardian With Multi-Group Filtering And Squid With NTLM Auth On Debian Etch