An Advanced Proxy Server

The mission is to configure caching Proxy Server with NCSA authorization and some Internet content restrictions.
I use for this task the next stuff: Ubuntu Server 9.10, squid 2.7, and Squidguard.
Update your system and install software:

# sudo su
# aptitude update
# aptitude upgrade
# aptitude install squid squidguard mc htop

Download blacklist archive and unpack it to /var/lib/squidguard/db:

# wget http://urlblacklist.com/cgi-bin/commercialdownload.pl?type=download&file...
# mc
… =)

Configure Squid:

# cat /etc/squid/squid.conf
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hierarchy_stoplist cgi-bin ?
http_port 3128
#http_port 3128 transparent

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Proxy-Caching Web Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl users proxy_auth REQUIRED

access_log /var/log/squid/access.log squid
cache_store_log none
cache_log /var/log/squid/cache.log
logfile_rotate 5
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 1024 MB
cache_dir ufs /var/spool/squid 51200 64 512
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
visible_hostname proxy
cache_effective_user proxy

url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf

acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443 5190
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 22 # ssh
acl Safe_ports port 443 5190 # https

acl CONNECT method CONNECT
acl purge method PURGE

icp_access allow all
http_access allow manager localhost
http_access allow manager to_localhost

http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !users
http_access allow localnet
http_access deny all

Make cache directories and start Squid:

# squid -z
# squid

Configure Squidguard:

# cat /etc/squid/squidGuard.conf
dbhome /var/lib/squidguard/db
dest ads {
domainlist ads/domains
expressionlist ads/expressions
urllist ads/urls
}

dest audio-video {
domainlist audio-video/domains
urllist audio-video/urls
}
dest chat {
domainlist chat/domains
urllist chat/urls
}

dest drugs {
domainlist drugs/domains
urllist drugs/urls
}

dest porn {
domainlist porn/domains
expressionlist porn/expressions
urllist porn/urls
}

dest proxy {
domainlist proxy/domains
urllist proxy/urls
}
dest radio {
domainlist radio/domains
urllist radio/urls
}

dest virusinfected {
domainlist virusinfected/domains
urllist virusinfected/urls
}

dest jobsearch {
domainlist jobsearch/domains
}

dest stuff {
domainlist stuff/domains
urllist stuff/urls
expressionlist stuff/expressions
}

dest filehosting {
domainlist filehosting/domains
urllist filehosting/urls
}

dest mail {
domainlist mail/domains
urllist mail/urls
}

dest webmail {
domainlist webmail/domains
urllist webmail/urls
}

src inet_full {
userlist /etc/squid/inet_full
}

src inet_users {
userlist /etc/squid/inet_users
}

src inet_no-stuff {
userlist /etc/squid/inet_no-stuff
}

acl {

inet_full {
pass all
}

inet_users {
pass !ads !audio-video !chat !drugs !porn !proxy !radio !virusinfected !jobsearch !stuff !mail !webmail !filehosting all
redirect http://proxy.domain.net/block.html
}

inet_no-stuff {
pass !stuff all
redirect http://proxy.domain.net/block.html
}

default {
pass none
redirect http://proxy.domain.net/block.html
}

}

You need to add manually restricted sites to squidguard database and than execute the next script:

# cat /etc/squid/squidguard.sh

#!/bin/sh
echo “Processing…..”
squidGuard -C all
chmod -R 777 /var/lib/squidguard/db
squid -k reconfigure
echo “Done!”
exit

Make files inet_users, inet_full, inet_no-stuff for our users, make password database and add some users:

# touch /etc/squid/passwd
# htpasswd -b /etc/squid/passwd username userpasswd
…
# squid -k reconfigure

That's all. Have a nice day.