Web proxy filtering with SquidGuard – Using Active Directory group memberships

This guide walks you through configuring your existing Squid proxy server to provide content filtering for your Active Directory users.

This guide has been produced using Red Hat Enterprise Linux 6.3 and a Microsoft Windows Server 2008 R2 Active Directory domain.

If you do not yet have a Squid installation, you can follow my previous article on how to configure Squid for Active Directory authentication.

If you have read this far, you most likely already have a Squid installation on a server that authenticates against Active Directory. Follow the steps below to add content filtering with squidGuard.

Prerequisite:

We will require an Active Directory account to act as an LDAP bind account for squidGuard to use so that it can validate the user making the request.

Do not use a Domain Admin account as the bind account: its password is stored in clear text in squidGuard.conf (see step 3).

The following details have been used for this document.

Active Directory Domain Controller: dc01.nt.example.com

Bind User: squid_user

Bind User Password: RedHat123

 

Now, let's begin.

1. Install the necessary software. At the time of writing this, I have literally just QA tested the LDAP support for SquidGuard in the Fedora and EPEL software repositories, so it should now be available in all EPEL mirrors.

For this installation to be successful, you will require squidGuard version 1.4-9.el6.

yum install -y squidGuard

2. Move the original squidGuard.conf file aside as a backup, as we will be replacing it with our own.

mv /etc/squid/squidGuard.conf{,.orig}

3. Create a new /etc/squid/squidGuard.conf configuration file, using the below as a template.

Don’t forget to change the ldapbinddn to represent your non-admin bind account and matching password, as well as your Active Directory Domain Controller’s FQDN. See prerequisites.

#
# CONFIG FILE FOR SQUIDGUARD
#

ldapbinddn      cn=squid_user,cn=Users,dc=nt,dc=example,dc=com
ldapbindpass    RedHat123
ldapprotover    3

dbhome  /var/squidGuard/blacklists
logdir  /var/log/squidGuard

dest porn {
    domainlist      porn/domains
    urllist         porn/urls
}
dest warez {
    domainlist      warez/domains
    urllist         warez/urls
}

src internet_users {
    ldapusersearch  ldap://dc01.nt.example.com:3268/dc=nt,dc=example,dc=com?userPrincipalName?sub?(&(userPrincipalName=%s)(memberOf=cn=allow_internet,ou=svc_grps,dc=nt,dc=example,dc=com))
}

acl {
    internet_users {
        pass !porn !warez all
    }

    default {
        pass none
        redirect     302:http://proxy01.nt.example.com/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i&srcclass=%s&targetgroup=%t&url=%u
    }
}

4. Modify your Squid config file to pass all requests to squidGuard for validation.

echo "url_rewrite_program /usr/bin/squidGuard" >> /etc/squid/squid.conf

5. Now that we have everything configured, we need to compile the blacklists. There is a tarball of blacklists provided with the installation package. Extract and compile it as follows:

cd /var/squidGuard/
tar -zxf blacklists.tar.gz
/usr/bin/squidGuard -C all
chown -R squid /var/squidGuard/blacklists

6. Restart Squid to activate the changes that you’ve just made.

service squid restart

7. Time to test. Tail your logs to watch the requests come in from your users.

tail -f /var/log/squid*/*
..
..
==> /var/log/squid/cache.log <==
2012-07-30 18:46:33 [22573] Added LDAP source: wuser1@nt.example.com

==> /var/log/squid/access.log <==
1343670393.363   3382 10.0.2.200 TCP_MISS/200 28757 GET http://www.google.co.uk/ wuser1@NT.EXAMPLE.COM DIRECT/173.194.67.94 text/html

==> /var/log/squid/cache.log <==
2012-07-30 18:46:34 [22573] Added LDAP source: wuser1@nt.example.com

==> /var/log/squid/access.log <==
1343670394.096     38 10.0.2.200 TCP_MISS/204 385 GET http://www.google.co.uk/csi? wuser1@NT.EXAMPLE.COM DIRECT/173.194.67.94 image/gif

Above you see that the user wuser1 has initiated a request to browse the site http://www.google.co.uk which has been allowed.
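
To go beyond watching the tail output, the following added example (not part of the original article) cross-checks access.log against squidGuard's "Added LDAP source" lines in cache.log, comparing user names case-insensitively because the two logs differ in realm case. It assumes Squid's native access.log layout shown above (user in field 8); the function names and the sample lines for wuser2 and the 10.0.2.201/202 clients are constructed.

```shell
#!/bin/sh
# Added example (not from the article): correlate access.log users with
# squidGuard's "Added LDAP source" lines in cache.log.

# Constructed sample logs; the wuser1 lines mirror the article's excerpt,
# wuser2 and the 10.0.2.201/202 clients are invented for illustration.
write_samples() {   # $1 = directory to write into
    cat > "$1/cache.log" <<'EOF'
2012-07-30 18:46:33 [22573] Added LDAP source: wuser1@nt.example.com
EOF
    cat > "$1/access.log" <<'EOF'
1343670393.363   3382 10.0.2.200 TCP_MISS/200 28757 GET http://www.google.co.uk/ wuser1@NT.EXAMPLE.COM DIRECT/173.194.67.94 text/html
1343670394.096     38 10.0.2.200 TCP_MISS/204 385 GET http://www.google.co.uk/csi? wuser1@NT.EXAMPLE.COM DIRECT/173.194.67.94 image/gif
1343670401.512     12 10.0.2.201 TCP_MISS/302 412 GET http://www.example.org/ wuser2@NT.EXAMPLE.COM NONE/- text/html
1343670402.007      9 10.0.2.202 TCP_MISS/302 398 GET http://www.example.org/ - NONE/- text/html
EOF
}

# Print "<user-or-client-ip> <status> <requests>", one line per identity.
#   matched   = user has an "Added LDAP source" line in cache.log
#   unmatched = user authenticated to Squid but has no such line
#   anonymous = no user name logged; keyed by client IP instead
classify_users() {   # $1 = cache.log, $2 = access.log
    awk '
        phase == 1 {                      # cache.log pass
            if (match($0, /Added LDAP source: /)) {
                u = tolower(substr($0, RSTART + RLENGTH))
                sub(/[ \t\r]+$/, "", u)   # drop trailing whitespace or CR
                ldap[u] = 1
            }
            next
        }
        NF >= 8 {                         # access.log pass; field 8 = user
            anon = ($8 == "-")
            who = anon ? $3 : tolower($8) # realm case differs between logs
            status[who] = anon ? "anonymous" : ((who in ldap) ? "matched" : "unmatched")
            count[who]++
        }
        END { for (w in count) print w, status[w], count[w] }
    ' phase=1 "$1" phase=2 "$2" | LC_ALL=C sort
}

tmp=$(mktemp -d)
write_samples "$tmp"
classify_users "$tmp/cache.log" "$tmp/access.log"
rm -rf "$tmp"
```

An unmatched user authenticated to Squid but has no "Added LDAP source" line in the cache.log examined, which suggests the ldapusersearch filter did not return that account. Anonymous requests carry no user name for that filter to test, so with the configuration above they can only be handled by the default ACL.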

 

3 comments on “Web proxy filtering with SquidGuard – Using Active Directory group memberships”

  1. Arno Fellskern October 7, 2015 12:18

    Hi Dale, thank you for this excellent documentary. I am stuck however with this last part.
    First, you use as computer name proxy01 and proxy02, but since there is only one computer involved I am a bit puzzled which machine you are referring to. I changed it to my squid machine name and it works. (used CentOS 6.7 since I didn’t want to mess with Systemd)

    The two issues are :
    The logfile isn’t giving out the username, but the IP address of the surfing computer instead.

    and

    if I activate the URL rewrite, I am not able to surf anymore due to too many redirects…
    Any idea why that might be?

  2. Joimel D May 20, 2016 14:03

    Thank you for your article. I want to use squidGuard with Squid in 2008 AD, but it did not work. Squid works very well, but squidGuard did not authenticate me. In access.log, I see my account, but in cache.log, I do not see "Added LDAP source".
