Quickly configure an enterprise-level Web Proxy Server with CentOS 6


A Web proxy server lets enterprise employees browse the web quickly and securely. The proxy can cache content, so that later requests for the same Web page are served from the local cache, which is faster than fetching the page from the website each time. The proxy can also scan inbound traffic for malicious content and protect end users from viruses, and it can control which users may access which content. To take advantage of all these functions, this article walks through installing and configuring a simple Web proxy server with virus filtering.

A complete secure Web proxy server consists of the following components:

• Squid: the main software, which provides the proxy service.

• ClamAV: anti-virus software that checks inbound content.

• C-icap: a server implementing the Internet Content Adaptation Protocol (ICAP), through which Squid talks to other services.

• SquidClamav: a ClamAV-based anti-virus service that Squid reaches through the ICAP server.

Installation and configuration

We will run the proxy server on a basic CentOS 6 system with no package groups preinstalled. For the most basic installation you can use the minimal image from the official images page. Once the operating system is installed, the components of the proxy server can be installed.

Image download: http://www.centos.org/modules/tinycontent/index.php?id=30

Squid

Squid is available in the official CentOS 6 repositories; run yum install squid to install it. Make sure Squid starts and stops automatically with the system by running chkconfig squid on, which adds it to the default runlevels.

By default, Squid's main configuration file /etc/squid.conf allows requests from the local networks through the common ports. Uncomment the line cache_dir ufs /var/spool/squid 100 16 256 so that the proxy caches objects on disk. Its parameters tell Squid to use the default ufs storage format, with /var/spool/squid as the cache directory, holding up to 100 MB of content in 16 first-level subdirectories with 256 second-level subdirectories each. Consider raising the cache size from 100 MB to 1000 MB, because 100 MB is too small for today's browsing needs.

In the same file, add the following directives after the default configuration:

icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 2048
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all

This basic configuration tells Squid to use the SquidClamav ICAP service running on the local host on TCP port 1344, and applies it to requests (reqmod_precache) and responses (respmod_precache) before they reach the cache. Note that bypass=1 marks the service as optional: if the ICAP service is unreachable or fails, Squid serves the content unscanned instead of returning an error, so keep an eye on the service's health. You can find more information about all configuration directives in the official Squid documentation.
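An added health check for the ICAP service referenced above (example code, not part of the original article or of the Squid, C-icap or SquidClamav projects): it sends an ICAP OPTIONS request to 127.0.0.1:1344/squidclamav and reports whether the service is up and advertises the REQMOD and RESPMOD methods the Squid configuration depends on. It assumes the host, port and service name from the configuration above and the standard RFC 3507 message format; the User-Agent string is made up.

```python
import socect if False else None  # placeholder removed below
```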

ClamAV

ClamAV does not exist in the default CentOS 6 software library, so you can either install it from the source code or use a third-party software library. I recommend using the EPEL software library because it makes it easy for users to install and maintain.

To install the EPEL software library on CentOS 6, run the command rpm-ivh http://download.fedoraproject.org/pub/epel/6/ I #/epel-release-6-5.noarch.rpm. To install ClamAV, run yum install clamav-db clamd. Because this is the first installation from the EPEL software library, you will see a reminder about its key; Confirm that the key is correct before proceeding to the next step.

Run chkconfig clamd on to ensure that the ClamAV background daemon is automatically started and terminated.

You can set the most basic ClamAV configuration by editing the file/etc/clamd. conf. You must at least remove the line that shows Example so that the service can start. You may also consider changing the default values of some commands. For example, you can define which file extensions to scan using ScanPE, ScanELF, and ScanPDF. To improve performance, you can change the default maximum MaxFileSize of the file to be scanned from 25 MB to another value, or change the data size of each file to MaxScanSize.) -- MB is the default value. The larger the value, the more resources required, and the slower the proxy server.

The ClamAV virus feature database is updated by an independent program named freshclam. The configuration file is/etc/freshclam. conf. To use it, you must at least remove the line that displays Example at the beginning of the file. You do not need to worry about most settings. Keep the default value.

If you execute freshclam without parameters, the virus features are updated once, and the program exits. You can configure freshclam as a scheduled task cron job), regularly check the latest ClamAV version, or enable it in background daemon mode, simply run freshclam-d-c 2, -d indicates the backend daemon mode, and-c 2 indicates the number of updates per day-two times a day in this example. Add this command to the/etc/rc. local file to ensure that it is enabled during the next server restart.

In/etc/freshclam. conf, a noteworthy setting that may need to be changed is SafeBrowsing, Which is disabled by default. This setting specifies whether you want to use Google's Safe Browsing secure Browsing database. This database contains an updated list containing known malicious websites. You should enable it to only affect the performance, unless your enterprise's end users are using browsers that already use the database, such as Mozilla Firefox and Google Chrome. You only need to specify SafeBrowsing yes to enable it.

C-icap

C-icap does not exist in the default software library or EPEL, so you have to install it from the source code of your website, decompress it, and complete the standard configuration, compilation, and installation process.

Because C-icap is customized from source code, it is not supported by chkconfig. Therefore, to enable the C-icap server to automatically enable it when the system starts, use a new line, add the binary executable code/usr/local/bin/c-icap to the/etc/rc at the bottom. local.

You can find the C-icap configuration file in/usr/local/etc/c-icap.conf by default. Most default options do not care about it. Specify ServerLog/var/log/icapserver. logs the server activity to the file/var/log/icapserver. log; we will use the server logs in the future to ensure that everything is running normally.

When checking the configuration, pay attention to the ModulesDir and ServicesDir commands. By default, both of them point to/usr/local/lib/c_icap. This directory is where you install ICAP services and modules such as SquidClamav.

SquidClamav

You have to install SquidClamav from the source code for the same reason as C-icap. Once you download it from its SourceForge webpage, decompress it, and complete the standard configuration, compilation, and installation process.

To ensure that SquidClamav is correctly installed, check the directory/usr/local/lib/c_icap. You should see two files: squidclamav. lalibtool library files) and squidclamav. so module itself ).

SquidClamav does not run as an independent service, so it does not need to be added to the default running level for Automatic startup. Instead, it is accessed through the C-icap server.

The configuration file of SquidClamav is located in/etc/squidclamav. conf. Most of the default configurations can be used directly. One of the options to change is redirect. When an end user tries to download the virus, they will be redirected to the URL you specified here. Create a page with a detailed description. Otherwise, the Administrator will receive a large number of complaints, reflecting that the downloaded content is inexplicably unavailable.

To create a redirection page, you can use the script cgi-bin/clwarn. cgi. You can find it in the source code archive file of SqidClamav. You only need to upload it to the website and specify redirect example.org/cgi-bin/clwarn.cgi.

Test Proxy Server

At this point, your proxy server should have been installed and properly configured. To ensure that all services are automatically enabled, restart the server and start testing.

When you start the test, make sure that you can use the default proxy port TCP port 3128 to connect to the IP address of the server. You must allow connection to this port in the default CentOS 6 firewall, unless the firewall is disabled as recommended in basic CentOS 6 installation.

Once you make sure that you can connect to this port, make the same detailed configuration for the browser: As for the HTTP Proxy address, use the Server IP address; as for the port, use port 3128. Then, start browsing the network to see what the proxy server returns compared to browsing without a proxy. You may want to simulate the common browsing scenarios of many users. You may find that as more users start to use the proxy server, the server resources must increase accordingly.

On the server side, monitor the following logs:

• Squid log-by default, it is in the file/var/log/squid/access. log. You will see which users' IP addresses are making what kind of requests.

• C-icap server logs -- as configured before via ServerLog in/usr/local/etc/c-icap.conf, it should be in/var/log/icapserver. log.

The most important test for your proxy server is to download the virus and see how it works. There are many resources on the Internet to show you how to create a test file containing known virus characteristics. Once a file is created and uploaded to a specific place, try to use the new proxy server and download it in a browser. If everything runs normally, the following entries should be displayed in the log of the C-icap Server:

Wed Feb 22 01:03:57 2012, general, DEBUG squidclamav_end_of_data_handler: received from Clamd: stream: Eicar-Test-Signature FOUNDWed Feb 22 01:03:57 2012, general, DEBUG squidclamav_end_of_data_handler: Virus redirection: http://example.org/cgi-bin/clwarn.cgi?url=http://the_url_of_your_test_virus_file: Eicar-Test-Signature FOUND.

Further Improvement

If you have completed all the steps described in this article so far, you should have a basic proxy server with the virus protection function. On this basis, you can continue to improve and add more features. The following are some suggestions for adding additional components to enhance user security:

• Use secure DNS. This DNS not only prevents the spread of malware domains from consuming resources, but also blocks adult websites, IF configured accordingly. A popular security DNS service is Norton DNS.

• Use URL Filter Redirector ). The URL filter can be used together with the domain list of the sub-category. You can allow or disable access to the website based on the permission granted by the user. These filters are often used to prevent employees from accessing websites unrelated to work. SquidGuard is a popular filter that can work with Squid. It is free and open-source and can be used with a blacklist that is everywhere.

For some reason, this open-source proxy solution cannot fully meet your needs. You can study several major commercial products, such as SmoothWall, to better meet your enterprise needs.

Original article: http://olex.openlogic.com/wazi/2012/a-fast-and-secure-web-proxy-for-corporate-users/

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.