This small HOWTO will show you how to set up a small virtual machine to speed up and secure your home / small enterprise web surfing network using Ubuntu Server 10.10, Squid 3.1 and Content Security 1.0 deployed in a VMWare Virtual Player running on Windows 7 x64 as a host operating system.
Previously I tested interesting applications using VMWare Virtual Server 1.0 and later 2.0 but was always frustrated by the complex setup procedure of such a heavyweight browser-based virtualization beast. Not long ago I found out that VMWare Virtual Player is capable of creating virtual machines and was very pleased with its performance and the simplicity of the installation.
Step 1. Download and Install Ubuntu Server 10.10
Go to http://www.ubuntu.com/server and get the latest version of Ubuntu Server (10.10), 32-bit. The site says the recommended version is 64-bit, but as we are trying to create a small virtual machine the 32-bit version will suffice for our purposes.
Start up the VMWare Virtual Player and create a new virtual machine with the following hardware parameters: name – virtual-qlproxy, hard disk – 8Gb. Press the “Customize the hardware” button and delete the floppy, USB controller, printer and sound card, set the amount of memory to 256Mb. Switch the network adapter from “NAT” mode into “Bridged”. Point the virtual CDROM to the ISO image of Ubuntu Server that you have downloaded and start the virtual machine.
Follow the steps of the Ubuntu install wizard mostly accepting the defaults. The only settings that need to be configured are – the hostname (I set it to “virtual-qlproxy”) and login name and password (I set them to “user” and “P@ssw0rd” respectively). Now wait a little till the installation is complete and reboot the system.
Step 2. Perform post install configuration of Ubuntu
The IP address of the network interface card of our freshly installed Ubuntu server is obtained by DHCP. While it is possible to leave it like this, it means that every time the server is restarted it may be assigned a different IP address, so accessing this server later by IP address may become a little irritating. The easiest way is to set a static IP address. To do it we must change the file /etc/network/interfaces by typing the following in the terminal:
sudo nano /etc/network/interfaces
Find this line in the file:
iface eth0 inet dhcp
and replace it with the static settings for my network (the proxy gets 192.168.1.2, the router is 192.168.1.1):
iface eth0 inet static
address 192.168.1.2
netmask 255.255.255.0
gateway 192.168.1.1
NOTE: The settings provided above (IP addresses) are valid for my environment, which connects to the ISP using a Cisco/LinkSys Wireless N Broadband Router with a built-in DHCP server that gives out internal IP addresses from the 192.168.1.* private subnet. Your router may give out other addresses, so please beware 🙂 ! Make sure the static address you pick lies outside the range the router's DHCP server hands out, or the router may later give the same address to another machine.
One more thing left to do is to adjust the DNS settings. Run the following command in the terminal:
sudo vi /etc/resolv.conf
and add the IP address of the DNS server that runs on the router (192.168.1.1 in my case):
nameserver 192.168.1.1
Now restart your networking by typing
sudo /etc/init.d/networking restart
in the terminal, or just restart the virtual machine. After the restart, confirm that the networking functions correctly by typing in the terminal:
ping -c 3 192.168.1.1
There should not be any errors in the output of this command.
Step 3. Install Squid Web Caching Proxy
Next we need to install the latest version of the Squid proxy server. In order to do that, type the following in the terminal:
sudo apt-get install squid3
The squid package is downloaded from the Internet and installed automatically. The only thing left to do is to let the users from our network access Squid. Open the Squid configuration file by typing
sudo nano /etc/squid3/squid.conf
and uncomment the following lines:
acl localnet src 192.168.0.0/16 (approximately line 651) and
http_access allow localnet (approximately line 786).
Note that 192.168.0.0/16 covers far more than the 192.168.1.* subnet the router hands out; since the virtual machine is bridged onto the LAN, narrowing the ACL to 192.168.1.0/24 keeps the proxy open only to that subnet. Save the file and restart Squid by typing
sudo /etc/init.d/squid3 restart
To verify that Squid runs correctly, configure your browser to use the IP address of the proxy server (192.168.1.2) and surf to some web sites.
Step 4. Install Apache 2
It is also a good idea to have a web server installed on the virtual machine. This web server will later host the status and report information for Squid and Content Security for Squid Proxy. In order to have Apache2 installed, issue the following command in the terminal:
sudo apt-get install apache2 libapache2-mod-php5
Then open your browser and navigate to http://192.168.1.2. You should see the “It works!” greeting from Apache.
Step 5. Install QuintoLabs Content Security 1.0
The next step is to install Content Security 1.0 for Squid from QuintoLabs (I will refer to it as qlproxy further in the text). In order to do it, go to the download area of the QuintoLabs web site, http://quintolabs.com/qlicap_download.php, and download the DEB package for Ubuntu from there. For those who do not know, qlproxy is a content filtering server to be used as a companion to the Squid web proxy that lets you filter/block web downloads, remove advertisements and banners and control web site usage by the proxy clients (i.e. prohibit explicit and adult content).
For now the program integrates with Squid as a URL rewriter, but ICAP and/or eCAP integration is on the way. Anyway, the current URL rewriter capability will suffice for our needs.
So in order to install qlproxy, navigate to the downloaded *.deb package in the terminal and type the following command:
sudo dpkg --install qlproxy_1.0.950.0_i386.deb
The installer will run and after a short while the program will be installed into /opt/quintolabs/qlproxy. Now we need to configure it and integrate it with Squid. The configuration files are plain text, stored in /opt/quintolabs/qlproxy/etc/*.conf, and rather simple to modify, with a handful of comments inside. I am going to perform the following modifications:
- Redirect the proxy clients to the local instance of the Apache server when the traffic is being blocked. To do it, open the qlproxyd.conf file, find the line
qls_redirect_url = http://www.quintolabs.com/redirect/index.php
and change it to
qls_redirect_url = http://192.168.1.2/redirect/index.php
- I personally do not like excessive advertising on web sites, so as I often browse through Russian and German web sites I will also enable adblock filtering by uncommenting the corresponding Russian and German adblock subscriptions in
- My kids sometimes play online games on my computer, so I prefer to set the level of adult blocking heuristics to high in the qlproxyd.conf file by changing
qlurlb_heuristics_level = normal
to
qlurlb_heuristics_level = high
If anything is blocked by qlproxy I can later add it to the exceptions.conf file to have it passed through.
- I heard that worms, trojans and other malware-related software often connect to the world by IP addresses, so I put a magic rule into the qlhttpb.conf file to filter them out:
url = http://\d+\.\d+\.\d+\.\d+/.*
Good for now; let us issue a restart command to make the qlproxyd daemon reload the configuration:
sudo /etc/init.d/qlproxy stop && sudo /etc/init.d/qlproxy start
Next we need to integrate it with Squid. As qlproxy now uses the URL rewriter functionality of Squid, the integration is straightforward and works for both Squid 3 and Squid 2. Open /etc/squid3/squid.conf, find the url_rewrite_program section and add the following:
url_rewrite_program /opt/quintolabs/qlproxy/sbin/qlproxyd_redirector --config_path=/opt/quintolabs/qlproxy/etc/qlproxyd.conf
The number of URL rewriters needs to be set to a reasonable value (the default is 5). These 5 fit nicely for the kind of networking environment I have in place, so ensure you have
url_rewrite_children 5
The URL rewriter is single threaded, so it is better to leave url_rewrite_concurrency at its default value.
So the integration with Squid is now complete and we can restart Squid and see if it is able to start the URL rewriters. Issue the following command in the terminal:
sudo /etc/init.d/squid3 restart
After the restart finishes,
ps aux | grep qlproxy
should show you the 5 running instances of qlproxyd_redirector created by Squid and the qlproxyd daemon itself.
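As an added example (not code from this HOWTO or from QuintoLabs), the following small Python script shows what a Squid url_rewrite_program such as qlproxyd_redirector does for the IP-address rule above: Squid feeds the helper one request per line, and the helper answers with an empty line to pass the request through or with a redirect URL to send the client to the block page. The regex is the one from the qlhttpb.conf rule, the redirect target is the qls_redirect_url set above, and the EXCEPTIONS set is a constructed stand-in for exceptions.conf.

```python
import re
import sys

# The IP-literal rule from qlhttpb.conf in the HOWTO, as a Python regex.
IP_LITERAL_URL = re.compile(r"^http://\d+\.\d+\.\d+\.\d+/.*")
# Where blocked clients are sent (the qls_redirect_url value set in qlproxyd.conf above).
REDIRECT_URL = "http://192.168.1.2/redirect/index.php"
# Constructed stand-in for exceptions.conf: hosts that are always passed through
# (here the router's own web interface, which is reached by IP on purpose).
EXCEPTIONS = {"192.168.1.1"}


def host_of(url):
    """Return the host part of an http(s) URL, or '' if it cannot be parsed."""
    m = re.match(r"^https?://([^/:]+)", url)
    return m.group(1) if m else ""


def decide(url):
    """Return the reply for Squid: '' leaves the request alone, '302:<url>'
    makes Squid 3.1 answer the client with an HTTP redirect to the block page."""
    if host_of(url) in EXCEPTIONS:
        return ""
    if IP_LITERAL_URL.match(url):
        return "302:" + REDIRECT_URL
    return ""


def rewrite_line(line):
    """Handle one request line in Squid's url_rewrite_program format:
    'URL client_ip/fqdn ident method [extras]'. Only the URL is needed here."""
    fields = line.strip().split()
    if not fields:
        return ""
    return decide(fields[0])


def main():
    # Squid keeps the helper running and sends one request per line; the reply
    # must be flushed immediately, otherwise Squid waits for it and the client hangs.
    for line in sys.stdin:
        sys.stdout.write(rewrite_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

With the rule written exactly as in qlhttpb.conf, an IP-literal URL that carries an explicit port (http://1.2.3.4:8080/) is not matched, so allow an optional port in the pattern if that case matters to you.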
The last thing to do is to integrate qlproxy with Apache to be able to see the reports on user activities (generated once a day) and the redirect pages that explain to the users why their request was blocked. This is actually quite easy: open the /etc/apache2/sites-enabled/default file and add the following to it:
Alias /redirect /opt/quintolabs/qlproxy/redirect
Alias /reports /opt/quintolabs/qlproxy/reports
Keep in mind that Apache is reachable by every host on the LAN, so anyone on the network can read the browsing reports unless you restrict access to /reports. Now reload Apache by typing in the terminal
sudo /etc/init.d/apache2 restart
Finally everything is in place to start the accelerated, secure web surfing without adverts. Point your browser at the proxy at 192.168.1.2, port 3128, browse to your favourite website and see the difference. URLs with IP addresses are blocked, and so are explicitly adult content sites. The virtual machine takes no more than 256 MB and the surfing experience is quite acceptable. The system is automatically updated once a day with the latest URL block list and advert subscriptions and requires minimal additional maintenance.
Well, by this point I am completely tired of typing… I wonder how strong the fingers of all those professional writers must be?