Squid Proxy Server on CentOS 7
Project report submitted in partial fulfillment of the requirement for the award of the Degree of
BACHELOR OF COMPUTER APPLICATIONS
Submitted By
Sanjay Meena (Roll no. 677998)
Enrollment no. : 20/108177
Session : 2022-23
&
Piyush Sharma (roll no.677988)
Enrollment no. : 20/108165
Session : 2022-23
PARISHKAR COLLEGE OF GLOBAL EXCELLENCE JAIPUR, RAJASTHAN
CERTIFICATE
Certified that this project report titled Squid Server (Proxy Server) on CentOS 7 is the work of Mr. Sanjay Meena and Mr. Piyush Sharma who carried out the research under my supervision. Certified further, that to the best of my knowledge the work reported herein does not form part of any other project report or dissertation on the basis of which a degree or award was conferred on an earlier occasion on this or any other candidate.
(Name of the project guide- Institutional) Parishkar College of Global Excellence(Rajasthan University)
(Certificate to be countersigned by the HOD.)
-MR. MITESH
ACKNOWLEDGEMENT
I am thankful to Parishkar College of Global Excellence for providing me a platform for the project. This project was quite a learning experience for me at each and every step. At the same time, it has given me the confidence to work in a professional setup. I express my sincere thanks to MR. MITESH for his active support and continuous guidance, without which it would have been difficult for me to complete this project. I would also like to thank the other working staff and interns for taking a keen interest in my project, giving valuable suggestions and helping me directly or indirectly to complete this project.
Sanjay Meena (Roll no. 677998)
Piyush Sharma (Roll no. 677988)
DECLARATION
This is to certify that the work reported in the present project entitled Squid Server (Proxy Server) on CentOS 7 is a record of work done by me and my team, PARISHKAR COLLEGE OF GLOBAL EXCELLENCE. The report is based on the project work done entirely by us and not copied from any other source.
(Signature Sanjay Meena)
Roll no. 677998
(Signature Piyush Sharma)
Roll no. 677988
Step1: Minimal Installation of CentOS 7
This section describes the simple procedure to install CentOS after you have created and booted from an installation USB drive.
Prerequisites: Create an installation USB drive and boot it.
After booting the installation USB drive:
1. Select Install CentOS in the boot menu and press Enter.
2. After Anaconda, the CentOS installer, has started, select your language and region, and click Continue.
3. The Installation Summary is the central screen to set configuration options:
You can display and modify the individual options in any order. If a configuration option was automatically configured correctly, no further action is required. However, if items are marked with an exclamation point icon, you must complete the configuration for these items before you can begin the installation.
Nothing will be written to the disk until you click the Begin Installation button.
4. Select Date & Time:
⦁ Set your region and the nearest city in your time zone
⦁ Click Done to return to the Installation Summary.
5. Select Keyboard Layout:
a. Use the + and - buttons to add and remove keyboard layouts.
b. If you enable multiple keyboard layouts, move your preferred layout to the top of the list using the ↑ button to set it as default.
c. Click Done to return to the Installation Summary.
6. Select Installation Destination:
⦁ Select the target disk. A check mark is displayed next to the selected target.
The selected disk is partitioned automatically.
⦁ Click Done to return to the Installation Summary.
7. Select Network and Hostname:
⦁ Click the Ethernet sliding switch in the top right corner to enable the network configuration.
⦁ Optionally, select the device and click Configure to update the network interface configuration.
⦁ Click Done to return to the Installation Summary.
NOTE: Anaconda applies the network settings immediately. They are used during the setup and after the installation.
8. On the Installation Summary screen, click Begin Installation.
9. The installation starts and the Configuration screen is displayed:
During the installation:
a. Select Root Password:
Enter the password for the root user and confirm it.
Click Done to return to the Configuration screen.
b. Select User Creation:
⦁ Enter the user’s full name.
⦁ Optionally, update the automatically generated user name.
⦁ Set the password and confirm it.
⦁ Optionally, check the Make this user administrator check box. This will add the user to the wheel group and allow this account to use sudo without any further configuration.
⦁ Click Done to return to the Configuration screen.
c. Wait until the installation completes and click Reboot.
10. After the installed system has started, log in as root and finish the basic setup.
Set the hostname. The Linux host needs a name of its own (servera is the name used in the prompts below); adserver.example.com is the domain controller and must not be reused here:
hostnamectl set-hostname servera.example.com
Put SELinux in permissive mode:
setenforce 0
Note that setenforce 0 lasts only until the next reboot; to make it persistent set SELINUX=permissive in /etc/selinux/config. Disabling SELinux and the firewall is a lab shortcut. On a production proxy keep SELinux enforcing (CentOS 7 ships a policy for squid) and open only the proxy port with firewall-cmd --permanent --add-port=3128/tcp followed by firewall-cmd --reload.
Set a static IP address for the host on the same subnet as the domain controller.
Our Windows domain is example.com. It is served by a Windows Server 2022 domain controller with hostname adserver.example.com and IP address 192.168.1.151.
Step 2: Integrate RHEL 7 or CentOS 7 with Windows Active Directory
In most organizations users and groups are created and managed in Windows Active Directory. We can integrate our RHEL 7 and CentOS 7 servers with AD (Active Directory) so that AD accounts can authenticate on them.
Step 1: Install the required packages using the yum command
Use the yum command to install the following packages from the command line:
[root@servera ~]# yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python
Update /etc/hosts and /etc/resolv.conf so that the DNS name or hostname of the AD server resolves correctly. The nameserver has to be the domain controller (or another AD-integrated DNS server), because realm discovery and Kerberos depend on the _ldap._tcp and _kerberos._tcp SRV records that only AD DNS publishes. In our case the AD server is adserver.example.com at 192.168.1.151, so place the line below in /etc/hosts:
192.168.1.151 adserver.example.com adserver
The contents of resolv.conf should look like the following; replace the domain name and the DNS server address according to your setup. If NetworkManager manages the interface, set the DNS server in the connection profile (nmcli con mod <connection> ipv4.dns 192.168.1.151), otherwise NetworkManager overwrites resolv.conf the next time it restarts.
[root@servera ~]# cat /etc/resolv.conf
search example.com
nameserver 192.168.1.151
[root@servera ~]#
Step 2: Join the Windows domain (integrate with AD) using the realm command
Installing the packages above makes the realm command available; realm discover example.com shows whether the domain is found through the DNS server configured above. We use the realm command below to join CentOS 7 or RHEL 7 to AD as the user "administrator". This account must be allowed to join computers to the domain; a dedicated account with only that delegated right is preferable to the built-in Administrator. Its password is used once and is not stored on the Linux host: the join creates a computer account in AD and a keytab in /etc/krb5.keytab.
[root@servera ~]# realm join --user=administrator adserver.example.com
Password for administrator:
[root@servera ~]#
Now verify whether our server has joined the Windows domain by running realm list:
[root@servera ~]# realm list
example.com
type: kerberos
realm-name: EXAMPLE.COM
domain-name: example.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U@example.com
login-policy: allow-realm-logins
[root@servera ~]#
Whenever we run realm join, it automatically writes the /etc/sssd/sssd.conf file.
Step 3: Check and verify AD users on RHEL 7 or CentOS 7 servers
We have created a user named "linuxtechi" on the Windows server.
With the id command on Linux we can verify the user's UID, GID and group membership. At this point our server is part of the Windows domain. Use the command below to look up the AD user:
[root@servera ~]# id linuxtechi@example.com
uid=1997801106(linuxtechi@example.com) gid=1997800513(domain users@example.com) groups=1997800513(domain users@example.com)
[root@servera ~]#
The large UID and GID values are generated by SSSD's ID mapping from the object's SID, so they are the same on every host joined to this domain. Notice that the domain name had to be given together with the user name; this is controlled by /etc/sssd/sssd.conf. If we run id without the domain name we get no details for the user:
[root@servera ~]# id linuxtechi
id: linuxtechi: no such user
[root@servera ~]#
We can change this behaviour by editing /etc/sssd/sssd.conf. In the [domain/example.com] section, change the following parameters from
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
to
use_fully_qualified_names = False
fallback_homedir = /home/%u
Restart the sssd service with systemctl (a daemon-reload is not needed, since only sssd.conf changed, not a unit file). If a previously cached fully qualified entry still shows up, clear the SSSD cache with sss_cache -E.
[root@servera ~]# systemctl restart sssd
Now run the id command again and check that you get the AD user's details without specifying the domain name:
[root@servera ~]# id linuxtechi
uid=1997801106(linuxtechi) gid=1997800513(domain users) groups=1997800513(domain users)
[root@servera ~]#
Let's try an SSH login to the CentOS 7 or RHEL 7 server with AD credentials, from another machine (use the Linux host's name or its IP address):
[root@lnxdesktop ~]# ssh linuxtechi@servera.example.com
linuxtechi@servera.example.com's password:
Last login: Fri Mar 3 10:18:41 2017 from serverb.example.com
[linuxtechi@servera ~]$ id
uid=1997801106(linuxtechi) gid=1997800513(domain users) groups=1997800513(domain users)
[linuxtechi@servera ~]$ pwd
/home/linuxtechi
[linuxtechi@servera ~]$
The home directory was created on first login by oddjob-mkhomedir, which is why that package was installed in Step 1.
Squid Proxy Server
A short introduction to Squid, quoted from the Squid project's own description:
“Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator. It runs on most available operating systems, including Windows, and is licensed under the GNU GPL.”
Install Proxy Server: Squid Proxy
Step 1: Update the server
yum -y update
Step 2: Install squid
yum -y install squid
Step 3: Start and enable squid server
systemctl start squid
systemctl enable squid
Step 4: Check the status of squid server
systemctl status squid
Configure Proxy Server: Squid Proxy
The configuration for your Squid server is stored in the file /etc/squid/squid.conf.
Configure your network to route through your proxy to access the Internet
You have to add the IP address or IP ranges of the clients that will contact your proxy server; the proxy then acts as a gateway for only those IP(s).
Edit /etc/squid/squid.conf and define the client range with a source ACL of the following form. Our client subnet is 192.168.1.0/24; the ACL names the clients, so the domain controller's address does not belong here.
acl localnet src 192.168.1.0/24
The stock squid.conf on CentOS 7 already defines localnet with every RFC 1918 range and allows it with http_access allow localnet. Replace those src lines with your own subnet and keep http_access deny all as the last http_access line; otherwise any host with a private address that can reach port 3128 can use the proxy.
Check the file with squid -k parse and restart the proxy server after making the ACL changes.
systemctl restart squid
Test proxy server connectivity
Test whether the proxy server is working with a simple curl request of the following form. By default, Squid listens on port 3128.
curl -x http://<squid-proxy-server-IP>:3128 -L http://virtono.com
Adding -v shows the response coming from the proxy; a client whose address is outside localnet should receive HTTP 403 from Squid instead of the page.
Now we have to configure Squid for AD users.
⦁ Configuring Squid LDAP authentication
⦁ The first step is to configure Squid to check usernames and passwords against Active Directory. Open your Squid configuration file (squid.conf) and make the following changes.
Find the auth_param section of the config file (TAG: auth_param) and set the basic authentication helper as shown below (indented text continues the same line). On CentOS 7 the Squid 3.5 helpers live in /usr/lib64/squid/ and are named basic_ldap_auth and ext_ldap_group_acl; the older names ldap_auth and squid_ldap_group under /usr/lib/squid/ belong to Squid 2.x and are not present on this system. The -b base DN is the domain, dc=example,dc=com; -D/-w are the account the helper binds with to search for the user's DN, after which it binds again with the user's own password; -R stops the helper from chasing the referrals AD returns.
auth_param basic program /usr/lib64/squid/basic_ldap_auth -R
    -b "dc=example,dc=com"
    -D "cn=Administrator,cn=Users,dc=example,dc=com"
    -w "password" -f sAMAccountName=%s -h 192.168.1.151
auth_param basic children 5
auth_param basic realm example.com
auth_param basic credentialsttl 5 minutes
Two caveats before using this outside a lab. The bind account should be a dedicated read-only user rather than Administrator, and its password is better kept out of squid.conf with -W /path/to/secretfile (a root:squid file with mode 640) than inline with -w. Basic authentication also sends each user's password base64-encoded to the proxy, and the helper forwards it to the domain controller in a simple bind; with -h on port 389 that bind is cleartext LDAP, so use -Z (StartTLS) or -H ldaps://adserver.example.com, which both helpers support.
⦁ Now we have to configure group-based Internet access.
Once the user has authenticated, you can define which users have access to network resources (i.e. the Internet) using Squid access control lists (ACLs). Squid ACLs are a complex topic and allow very sophisticated control. Define an external ACL type that asks AD whether the authenticated login (%LOGIN) is a member of a group; in the filter, %v is replaced by the user name and %a by the group name given on the acl line. The filter builds the group DN as cn=<group>,cn=users,..., so the group must exist in the Users container, and a plain memberof comparison only sees direct members, not nested groups.
external_acl_type InetGroup %LOGIN /usr/lib64/squid/ext_ldap_group_acl -R
    -b "dc=example,dc=com"
    -D "cn=Administrator,cn=Users,dc=example,dc=com"
    -w "password"
    -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,cn=users,dc=example,dc=com))"
    -h 192.168.1.151
⦁ Then enter the values below in the ACL area (TAG: acl) of squid.conf, adjusting the internal subnet as appropriate. An acl line has exactly one type, so the client subnet and the authentication requirement are two separate ACLs (AuthUsers is our name for the second one; any name works):
acl localnet src 192.168.1.0/24
acl AuthUsers proxy_auth REQUIRED
acl InetAccess external InetGroup InternetAccessGroup
⦁ Now that the ACLs are complete you can reference them in the http_access area of squid.conf. The allow line must come before http_access deny all, and it requires all three conditions: the client is in our subnet, has authenticated, and the user is in InternetAccessGroup. Everything else is denied.
http_access allow localnet AuthUsers InetAccess
http_access deny all
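The two helper invocations above hand the domain controller a search filter built from a template. The following Python block is an added illustration, not Squid's code, that renders those templates the way the helpers' placeholders work (%s for the login in basic_ldap_auth, %v for the login and %a for the group in ext_ldap_group_acl) while applying RFC 4515 escaping to the substituted values, so that a login such as a)(cn=* stays a literal string instead of changing the filter. It also shows the AD-specific chain matching rule (OID 1.2.840.113556.1.4.1941) that makes memberof see nested groups, which the plain memberof comparison on this page does not. The base DN follows the example.com domain; naive_render exists only to show what substitution without escaping would produce; the logins used are constructed.

```python
"""Render the LDAP filters behind the two Squid helper lines (added example, not Squid code)."""

# Templates as used in the squid.conf lines above, with the example.com base DN.
AUTH_FILTER = "sAMAccountName=%s"
GROUP_FILTER = ("(&(objectclass=person)(sAMAccountName=%v)"
                "(memberof=cn=%a,cn=users,dc=example,dc=com))")
# Same check using AD's LDAP_MATCHING_RULE_IN_CHAIN, which follows nested group membership.
NESTED_GROUP_FILTER = ("(&(objectclass=person)(sAMAccountName=%v)"
                       "(memberof:1.2.840.113556.1.4.1941:=cn=%a,cn=users,dc=example,dc=com))")

# RFC 4515: these characters must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so the server matches it literally rather than as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render(template: str, **subs: str) -> str:
    """Substitute helper placeholders (%s, %v, %a) with escaped values."""
    for key, val in subs.items():
        template = template.replace("%" + key, escape_filter_value(val))
    return template


def naive_render(template: str, **subs: str) -> str:
    """Substitution without escaping: shown only to illustrate why escaping matters."""
    for key, val in subs.items():
        template = template.replace("%" + key, val)
    return template


def auth_filter(login: str) -> str:
    """Filter basic_ldap_auth sends to find the DN it then binds with the user's password."""
    return render(AUTH_FILTER, s=login)


def group_filter(login: str, group: str, nested: bool = False) -> str:
    """Filter ext_ldap_group_acl sends to decide whether login is a member of group."""
    return render(NESTED_GROUP_FILTER if nested else GROUP_FILTER, v=login, a=group)


if __name__ == "__main__":
    # Constructed logins: the page's user, a wildcard, and a value carrying filter syntax.
    for login in ("linuxtechi", "*", "a)(cn=*"):
        print("escaped :", auth_filter(login))
        print("naive   :", naive_render(AUTH_FILTER, s=login))
    print(group_filter("linuxtechi", "InternetAccessGroup"))
    print(group_filter("linuxtechi", "InternetAccessGroup", nested=True))
```

The escaped wildcard login becomes sAMAccountName=\2a, which can only match an account literally named "*", whereas the unescaped form sAMAccountName=* would match every account in the base DN. Whichever helper builds a filter from client-supplied input must do this escaping; the nested variant is the form to use when InternetAccessGroup is populated through other groups.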
------------------------------------------------------------------------------------------------------------------
Now our Squid server is ready to provide Internet access for AD users. Verify it before rolling it out: squid -k parse reports syntax errors in squid.conf; an unauthenticated request (curl -x http://<squid-proxy-server-IP>:3128 http://virtono.com) must now receive HTTP 407; a request with AD credentials (curl -x http://<squid-proxy-server-IP>:3128 -U linuxtechi http://virtono.com, which prompts for the password) succeeds; and each line of /var/log/squid/access.log records the user name. We can set a Group Policy in Windows Server so that client machines pick up the proxy settings automatically.
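The http_access rules above are evaluated in order, first match wins, the ACL names on one line are ANDed left to right, and when no line matches Squid applies the opposite of the last line's action. The following Python model is an added illustration of that evaluation, not Squid's code, run over three constructed configurations: the stock localnet definition from the CentOS 7 package, the hardened rules from the steps above (AuthUsers is our name for the proxy_auth ACL; InetGroup and InternetAccessGroup are the names used on this page), and the same rules with the allow line placed after deny all. The LDAP group lookup is mocked with a set of group names on the request, and the user bob and all addresses are made up.

```python
"""Model of Squid's http_access evaluation (added illustration, not Squid's code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Request:
    """One client request as Squid sees it when evaluating http_access."""
    src: str                            # client IP address
    user: Optional[str] = None          # login from Proxy-Authorization, None if absent
    groups: frozenset = frozenset()     # AD groups of the user; stands in for the LDAP query


def parse_conf(text):
    """Parse the squid.conf subset used here: acl src/proxy_auth/external and http_access."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":             # acl NAME TYPE ARG...
            acls.setdefault(words[1], []).append((words[2], words[3:]))
        elif words[0] == "http_access":   # http_access allow|deny NAME...
            rules.append((words[1], words[2:]))
    return acls, rules


def acl_matches(acls, name, req):
    """True/False for a match, or "auth" when credentials are needed but missing."""
    if name == "all" and "all" not in acls:   # Squid predefines 'acl all src all'
        return True
    for kind, args in acls[name]:
        if kind == "src":
            ip = ipaddress.ip_address(req.src)
            if any(a == "all" or ip in ipaddress.ip_network(a, strict=False) for a in args):
                return True
        elif kind == "proxy_auth":
            if req.user is None:
                return "auth"
            if args == ["REQUIRED"] or req.user in args:
                return True
        elif kind == "external":          # args: [helper_type, group...]
            if req.user is None:          # %LOGIN format needs an authenticated user
                return "auth"
            if any(g in req.groups for g in args[1:]):
                return True
    return False


def http_access(conf_text, req):
    """Returns 'allow', 'deny' or '407' (Squid has to challenge for credentials)."""
    acls, rules = parse_conf(conf_text)
    for action, names in rules:
        matched = True
        for name in names:                # ANDed left to right, stop at the first miss
            result = acl_matches(acls, name, req)
            if result == "auth":
                return "407"
            if not result:
                matched = False
                break
        if matched:
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"   # opposite of the last line


# Constructed sample configurations; not copied from a live squid.conf.
STOCK = """
acl localnet src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
http_access allow localnet
http_access deny all
"""
HARDENED = """
acl localnet src 192.168.1.0/24
acl AuthUsers proxy_auth REQUIRED
acl InetAccess external InetGroup InternetAccessGroup
http_access allow localnet AuthUsers InetAccess
http_access deny all
"""
MISORDERED = """
acl localnet src 192.168.1.0/24
acl AuthUsers proxy_auth REQUIRED
acl InetAccess external InetGroup InternetAccessGroup
http_access deny all
http_access allow localnet AuthUsers InetAccess
"""


def demo():
    """Evaluate constructed requests; bob and the addresses are made-up sample data."""
    stranger = Request("10.20.30.40")                       # other private subnet, no credentials
    anon = Request("192.168.1.25")                          # our subnet, no credentials
    member = Request("192.168.1.25", "linuxtechi", frozenset({"InternetAccessGroup"}))
    bob = Request("192.168.1.26", "bob", frozenset({"Domain Users"}))
    return {
        "stock/stranger": http_access(STOCK, stranger),        # allow: any RFC 1918 host is a client
        "hardened/stranger": http_access(HARDENED, stranger),  # deny
        "hardened/anon": http_access(HARDENED, anon),          # 407
        "hardened/member": http_access(HARDENED, member),      # allow
        "hardened/bob": http_access(HARDENED, bob),            # deny: authenticated, not in group
        "misordered/member": http_access(MISORDERED, member),  # deny: allow line never reached
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:20} {verdict}")
```

The stock case is the open-proxy risk described above: with localnet left at the package default, a host on any private subnet is served without credentials. The misordered case shows why the allow line has to precede deny all, and the fall-through rule means a configuration that ends in a deny line silently allows whatever it did not name.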