http://articles.techrepublic.com.com/5100-10878_11-6181327.html
Takeaway: You want to control where your users can go on the Internet, but you don't want to buy an expensive proprietary solution. Nor do you want to fiddle with complex .conf files or Linux commands. What do you do? Check out this article by Jack Wallen.

A proxy server is one of those ubiquitous servers that can offer up a number of possible services. But until the likes of Webmin arrived, setting up a proxy server in Linux was a daunting task, with configuration files filled with parent and sibling nodes that would give many a GUI-centric administrator a heart attack. Those days are gone; now, the Linux administrator has a number of GUI tools to choose from.
For the task of setting up a proxy server, none of those tools are better than Webmin. Its ease of installation and use far surpass its competition. On top of that, it's one of the few server administration tools that covers proxy configuration. In this article, I'll show you how it works.
What's Webmin?

Before we get into the thick of things, it might be best to let you know that, for this task, Webmin is really just a front-end for the configuration of the Squid proxy server. Squid is a very powerful, flexible Web-caching proxy daemon. If you don't already know, Squid is configured in the /etc/squid/squid.conf file. The squid.conf file runs approximately 4,273 lines in length, so having a GUI that can handle nearly 100% of the configuration of this file is most helpful.
Setting up a Web proxy

So let's get working. What we are going to do is set up a simple Web proxy, which can do a number of important tasks: block offensive Web content (with the help of SquidGuard), reformat content for specific purposes, and contain viruses served from hostile sources. Let's take a look at setting up a Web proxy to block offensive content.
The Environment

This installation is based on a full install of OpenSuSE 10.2 (all five CDs). You need to have two network interfaces and your server set up as a router. In order to get routing working, you can use this script (we will call this route_on) and place it in /etc:
#!/bin/bash
# /etc/route_on
# Turns this server into a NAT router: flushes the existing rules,
# enables IPv4 forwarding, and SNATs traffic leaving the external interface.

# Shell "debug" on: echo each command as it runs
set -x

# define variables
XETH=eth0      # external interface (toward the Internet)
INETH=eth1     # internal interface (toward the LAN)
# WHERE XX.XX.XX.XX IS YOUR ACTUAL EXTERNAL IP ADDRESS
IP_X=XX.XX.XX.XX

# flush all firewall and NAT rules in every table
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F
iptables -t raw -F

# delete user-defined chains
iptables -X

# define default policies: accept anything no rule matches
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# allow all traffic on the loopback interface
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

# activate FORWARDING between the two interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward

# activate SNAT: rewrite the source address of packets leaving $XETH to $IP_X
iptables -t nat -A POSTROUTING -o $XETH -j SNAT --to $IP_X
The above script will need to be run, as root, after the server is up.
You'll also need to ensure that Webmin has been installed. Installing Webmin is a simple matter of getting the RPM, installing it, and pointing your browser to http://Webmin_server_address:10000. Log in as root (the same root as on your system). Once there, you will see the Webmin welcome screen shown in Figure A.
Figure A

The left navigation is where you'll find all the listings of services. Select the Servers menu entry to get a full list of services. Initially, you may not see SquidGuard listed. If not, you'll need to install it. So log out of Webmin and install SquidGuard.
SquidGuard

The first thing you need to do is install the squidGuard Webmin module. The installation is handled in the same way Webmin was installed. Open up a terminal window and change to the directory the SquidGuard file was downloaded into (most likely ~/Desktop). As root, issue the command:
rpm -ivh Webmin-squidGuard-0.91.2-2.noarch.rpm
where 0.91.2-2 is the current release number.
You will also have to install two other packages: squidGuard and db. Download those files, place them in a temporary directory and run the command:
rpm -ivh *rpm
Now when you log back into Webmin, and expand the Server listing, you will see an entry for SquidGuard, as shown in Figure B.
Figure B

Webmin can configure just about any service you can imagine. When you select the SquidGuard link, the first thing you'll see is a warning that the configuration file does not exist, as in Figure C. Underneath the warning is a link to create a configuration file. Select that link.
Figure C

Clicking the Create link creates a basic configuration file for SquidGuard. Once you click the link, you will land on a new window (Figure D) asking for specific information about the configuration file. Specifically, you need to enter a location for the database files and for the log files. You can also decide if the basic file will allow All traffic or No traffic (misspellings notwithstanding). I chose to use the same directory where the SquidGuard configuration file is housed, /etc/squidGuard (note the capitalization).
Figure D

You can either enter the locations by hand or click the "..." buttons to browse for locations. Once you have your configurations settled, press Save to move on. When you click on the SquidGuard link (from the left navigation) now, the main configuration screen will open for you, as shown in Figure E.
Figure E

You can further configure SquidGuard by pressing the Module Config button near the top left of the configuration screen.
Getting deep in the configuration

We are now at the heart of the SquidGuard configuration. The first button, Paths, was already configured during installation (the location of the database and log files). The next button, Timespaces, allows you to configure time allocations for SquidGuard. Say, for example, you want to block certain sites during work hours. To do that, select Timespaces to set up what I will call a during_work timespace, as shown in Figure F.
Figure F

You cannot use a space in your Timespace naming scheme. Once you enter the name, press Add Timespace to save the name. After the name has been added, your Timespaces configuration will list all created times, as in Figure G.
Figure G

You can add more Timespaces from this same screen. Now it's time to configure that new Timespace. Select the during_work timespace to open up the configuration window. It will appear as shown in Figure H.
Figure H

You can add a weekly or a dated timespace as well as delete the timespace from this screen. Select the Add Weekly link to open up the Time Details editor. You'll see the screen shown in Figure I.
Figure I

You can control weekly schedules. As you can see, the All option is the default for days of the week. If we are holding true to the name of the timespace, we would only want to select those days work is performed. Let's say work only occurs Monday-Friday. For that option, you would highlight only those days and then select the time frame you want this block to work. The only thing to note is that the time is in 24-hour format. So I am going to select Monday-Friday from 8:00 until 18:00 and press Save.
Uh oh!

When I pressed Save, I encountered an error. The error was:
Error - Perl execution failed
Undefined subroutine &main::chown called at /usr/libexec/Webmin/squidguard/save_weekly.cgi line 63.
After digging around in the save_weekly.cgi and save_date.cgi files in /usr/libexec/Webmin/squidguard, I discovered that save_weekly.cgi had an error at line 63. Open up that file and change:
&chown($config{'conf'});
to
&sgchown($config{'conf'});
Problem solved

Now Save Weekly will work. Once you press Save, you will be returned to a listing of the various saved times in the during_work timespace, as seen in Figure J.
Figure J

If you select Return To List Of Timespaces, you will be sent back to the listing of your created timespaces. Select the Module Index link in the top left of the window. The next step is to add a source group. The source group will consist of, say, a certain department in your company. Let's say, for example, you want to block all users from going to MySpace.com during work hours. (I am not advocating censorship; just showing an example.)
If your company uses the internal network address space 192.168.1.x, you have to add a Source Group called Company_wide. Select the Source Groups icon, enter Company_wide and press Add Source Group. You will be taken back to the previous screen where you can see your Company_wide source added in the window shown in Figure K.
Figure K

Add another Source Group or click in the newly created Source Group to configure. Press the Company_wide button to configure the source. Since you want to block an entire range of addresses, press Add Range. You'll see the screen shown in Figure L.
Figure L

You can configure a source group in many ways including userlists, hosts, domain, ranges, and subnets. Since we mentioned the 192.168.1.x range of addresses, we are going to use that one. If you take a look at Figure M, you'll see that entering a range of IP addresses is quite easy. Enter the first address, 192.168.1.1, and the last address on your range (we'll use 192.168.1.200).
Figure M

Ranges must be complete; no wild-card addresses. Once you have entered your range, press Save and you'll end up at the Company_wide listing. Take a look again at Figure L. Notice the drop-down lists next to Timespace? From those drop-down lists, you decide if the configuration is to work within or outside of the selected timespace (in our case, during_work.) Naturally, we would want this to occur within, so we'll select within from the first drop down list. Press Save.
You've configured your group and your time. Now it's time to move on. Press Module Index from the upper-left corner. The next step is to configure a destination group. Remember, our purpose is to block users from using MySpace.com. Enter the name myspace and press Add Destination Group. This will look like Figure N.
Figure N

If you're not sure where you are in the configuration, you can always click Module Index to return to the SquidGuard main index. Once you have added the new destination, it will appear in the Destination Listings, as seen in Figure O.
Figure O

You can still add other destination groups from this screen. Click on the myspace icon to configure this group. We are going to be blocking the www.myspace.com URL, so press the Add URL button. The next window, Figure P, is where you enter the domain.
Figure P

Enter the URL www.myspace.com and press Save. Once you press Save, you will be back at the Edit Destination Group window. Now the www.myspace.com listing is present, as shown in Figure Q.
Figure Q

You can add more URLs if needed. The last configuration you need to take care of here is to select the correct timespace. So select within from the drop-down list and press Save. Now press the Module Index button at the top left.
You can create a rewrite rule if you like. Let's say you want to ensure that users know MySpace.com is blocked by directing any attempts to www.myspace.com to a page on your internal Web server, forbidden.html. To do this, go to Rewrite Rule Groups. Once there, you will have to enter a name of the rule group. Let's call ours blocked_site, as shown in Figure R.
Figure R

You can either add another rewrite group or configure the group just added. Select the newly created group and press the Add Rewrite Rule button. You'll see the screen shown in Figure S. Enter the following in the new window:
Under Replace String add:
http://www.myspace.com
and under With String add:
http://192.168.1.100/forbidden.html
where 192.168.1.100 is the address of your internal Web server.
Figure S

If you select Case Sensitive, the rule will match the case exactly. Press Save and your rewrite rule is almost complete. The only other setting you have to take care of is the timespace. Select within and during_work and press Save. Your rewrite rule is complete. Now press the Module Index button at the top left.
There are two other configurations: ACL list and Blacklist. The ACL list is just a way to further refine all of the configurations you have entered. If you have a number of Destinations, Timespaces, Rewrite Groups, and Blacklists you can take control of them more easily with ACLs. Figure T illustrates this.
Figure T

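For readers who want to see what all of those screens actually write to disk, here is a squidGuard.conf that expresses the timespace, source group, destination group, rewrite group and ACL built above. It is an added illustration written for this page, not the file Webmin generated for the author; the dbhome and logdir paths, the myspace/domains list file, and the exact ACL wording are assumptions about the module's output.

```text
# /etc/squidGuard/squidGuard.conf -- constructed illustration of the
# configuration built through the Webmin screens above (assumed layout)
dbhome /var/lib/squidGuard/db
logdir /var/log/squidGuard

# Timespace: Monday-Friday 08:00-18:00 in 24-hour format.
# Names must not contain spaces (cf. the "time Before Work" syntax error).
time during_work {
    weekly mtwhf 08:00-18:00
}

# Source group: the complete 192.168.1.x range, no wildcards
src Company_wide {
    ip 192.168.1.1-192.168.1.200
}

# Destination group: the (assumed) file db/myspace/domains holds one
# line, "myspace.com", which also matches www.myspace.com
dest myspace {
    domainlist myspace/domains
}

# Rewrite rule group: send www.myspace.com to the internal forbidden page.
# The trailing "i" flag makes the match case-insensitive; drop it for
# the Case Sensitive option.
rew blocked_site {
    s@^http://www\.myspace\.com@http://192.168.1.100/forbidden.html@i
}

# ACL: during work hours Company_wide may reach everything except myspace,
# and matching requests are rewritten; outside the timespace all passes.
acl {
    Company_wide within during_work {
        pass !myspace all
        rewrite blocked_site
    } else {
        pass all
    }
    default {
        pass all
    }
}
```

After editing by hand, check the file the same way the author did later in the article: look for a syntax error in the SquidGuard log before starting Squid.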
Edit your ACL item to fit your needs and press Save. The Blacklists option, shown in Figure U, allows you to download a set of blacklists. You have two options: you can choose the default -- SquidGuard.org -- or enter your own URL.
Figure U

Enter the proper URL and press Download. Unfortunately, SquidGuard.org was down when I attempted to get the list. Instead, I had to download a tar/gzipped list from http://squidguard.shalla.de/Downloads/shallalist.tar.gz, unpack the file, and copy the entire contents of the directory into /var/lib/squidGuard/db/.
I discovered one other problem. After looking through the log file, I noticed I was getting a syntax error in the SquidGuard.conf file (at line 14.) The line was:
time Before Work {
but the line should read:
time Before_Work {
Once I rewrote that, everything was ready.
The last thing you will need to do on this server is to select the Squid Proxy Server module of Webmin and then click the Start Squid button.
With your proxy server set up for routing, with Squid started, and SquidGuard set up, you can set up your user PCs to use your new proxy server.
Final thoughts

Squid is an incredibly complex package. Getting to know the finer points of setting up a proxy server will take you some time, but using Webmin and SquidGuard will at least get you started quickly and easily.