This small HOWTO shows how to set up a small virtual machine that speeds up and secures web surfing for a home or small enterprise network, using CentOS 6, Squid 3.1 and QuintoLabs Content Security 1.4 deployed in VMware Virtual Player on a Windows 7 x64 host. The HOWTO is aimed at novice users and may sometimes seem too thorough for more advanced gurus.
See previous versions of this HOWTO for examples of creating similar virtual appliances running on Debian 6 or Ubuntu 10.04 Linux.
Step 1. Download and Install CentOS 6
Go to http://www.centos.org and get the latest i386-based ISO image of CentOS 6 (CentOS-6.0-i386-minimal.iso). The usual recommendation for a modern server is the x64 version, but as we are building a small virtual machine the i386 build will suffice for our purposes.
Start VMware Virtual Player and create a new virtual machine with the following hardware parameters: name – virtual-proxy, hard disk – 8Gb. Press the “Customize the hardware” button, delete the floppy, USB controller, printer and sound card, and set the amount of memory to 512Mb. Switch the network adapter from “NAT” mode to “Bridged”. Point the virtual CDROM at the ISO image you downloaded earlier and start the virtual machine.
Follow the steps of the CentOS install wizard, mostly accepting the defaults. Set the machine hostname to “proxy” and the root password to “P@ssw0rd” (without quotation marks). Wait until the installation completes, then reboot the system.
Step 2. Perform post install configuration of CentOS
CentOS 6 deployed in VMware Player does not have the network subsystem enabled by default. To set a static IP address and enable networking we need to modify the scripts located in /etc/sysconfig/network-scripts. Start the root terminal and open the script file in vi.
NOTE: The settings (IP addresses) given here are valid for my environment, which connects to the ISP through a LinkSys Wireless N Broadband Router (with custom dd-wrt firmware) that has a built-in DHCP server giving out internal IP addresses from the 192.168.1.* private subnet. Your router may give out other addresses, so please beware 🙂 !
Add these lines to the ifcfg-eth0 file
then save the file (ESC + : + wq) and exit vi. Next we need to set the gateway in the /etc/sysconfig/network configuration file. Open it with vi /etc/sysconfig/network and add this line:
Save the file and exit vi. Now we need to set the DNS server settings, which are stored in /etc/resolv.conf. Open the file with vi /etc/resolv.conf and add the IP address of the DNS server running on the router:
Now restart the network subsystem by typing /etc/init.d/network restart in the root terminal, or just restart the virtual machine. After the restart, confirm that the network works correctly by typing the following in the terminal (there should be no errors in the output of these commands):
ping -c 3 192.168.1.1
Before any further installation it is recommended to update the freshly installed system with the latest security patches that may have been released after the ISO was built. So run the system update in the root terminal and reboot the virtual machine after it completes.
Step 3. Install VMware tools
It is recommended to install VMware Tools in the virtual machine to make it perform faster and to enable some useful host integration features (such as easily clicking out of the VM and clipboard sharing). As we are building a console-only server this may not be a top priority, but here are the detailed instructions anyway.
Select Virtual Machine -> Install VMware Tools from the VMware Player interface, wait until the VM mounts the virtual ISO disk, and type in the root terminal:
mount /dev/cdrom /mnt
cp /mnt/VMwareTools-8.4.6-385536.tar.gz /root
tar -xvf VMwareTools-8.4.6-385536.tar.gz
Follow the installation wizard, mostly pressing Enter (i.e. accepting [yes]). Then reboot the VM.
Step 4. Install Squid Web Caching Proxy
Next we need to install the latest version of the Squid proxy server. To do that, type yum install squid in the root terminal. All Squid-related packages are downloaded from the Internet and installed automatically.
The only thing left is to allow users on our home network to access Squid. Open the Squid configuration file by typing vi /etc/squid/squid.conf and add the line visible_hostname proxy. Also check that http_access allow localnet and acl localnet src 192.168.0.0/16 are present in the config file.
Now make the Squid service start automatically on system boot by typing chkconfig squid on at the command prompt. Reboot your VM, or just start Squid manually for the first time with service squid start.
Step 5. Adjust firewall settings to allow network users to connect to Squid
To adjust the firewall settings we need to install a console-based program called system-config-firewall-tui, so type in the root terminal:
yum install system-config-firewall-tui
The settings that need to be customized are shown in the following screenshots:
Again restart the network subsystem by typing /etc/init.d/network restart in the root terminal, or just restart the virtual machine.
Verify that Squid runs correctly by pointing your browser at the proxy server's IP address (192.168.1.4) as its proxy and surfing to some of your favorite websites.
Step 6. Install Apache
It is also a good idea to have a web server installed on the virtual machine. It will later host the status and report pages for Squid and QuintoLabs Content Security. To install Apache, type yum install httpd php in the root terminal.
Make the Apache service start automatically on system boot by typing chkconfig httpd on at the command prompt. Reboot your VM, or just start Apache manually for the first time by typing service httpd start.
Open your browser and navigate to http://192.168.1.4. You should see the “It works!” greeting from Apache.
Step 7. Install QuintoLabs Content Security 1.4.0
The next step is to install Content Security 1.4 for Squid from QuintoLabs (I will refer to it as qlproxy further in the text). For those who do not know it, QuintoLabs Content Security is an ICAP daemon / URL rewriter that integrates with an existing Squid proxy server and provides rich content filtering to sanitize web traffic passing into an internal home or enterprise network. It can be used to block illegal or potentially malicious file downloads, remove annoying advertisements, prevent access to various categories of web sites and block resources with explicit content (i.e. prohibit explicit and adult content).
Unfortunately QuintoLabs does not yet have an online package repository for qlproxy, so we have to get the CentOS / RedHat RPM package manually from the QuintoLabs web site at http://www.quintolabs.com/qlicap_download.php using your favorite browser and upload the package to the system with scp. Another way is to type the following command in the root terminal (as one line):
curl http://www.quintolabs.com/qlproxy/binaries/1.4.0/qlproxy-1.4.0-72bbf.i386.rpm >
Wait until the download completes (approx. 21Mb) and run the following command to install the downloaded package:
rpm --install qlproxy-1.4.0-72bbf.i386.rpm
The RPM manager will run for a while and the program will be installed into
NOTE: this HOWTO assumes you have SELinux disabled on your machine. For specific notes concerning an SELinux-based installation of qlproxy see their web site and the sample SELinux policy installed in /opt/quintolabs/qlproxy/usr/share/selinux. To disable SELinux set SELINUX=disabled in /etc/selinux/config and reboot.
Now we need to configure qlproxy and integrate it with Squid. The configuration files are plain text, stored in /opt/quintolabs/qlproxy/etc/*.conf, and are rather simple to modify with the help of the comments inside. I am going to perform the following modifications:
- As I personally do not like excessive advertising on the web, and as I often browse Russian and German sites, I will enable extended adblock filtering by uncommenting the corresponding Russian and German AdBlock subscriptions in the /opt/quintolabs/qlproxy/etc/adblock.conf file. I also do not like sites tracking me, so I usually uncomment the easy_privacy subscription in the same file.
- My kids sometimes play online games on my computer, so I prefer to set the level of the adult-blocking heuristics to high in /opt/quintolabs/qlproxy/etc/adultblock.conf by changing heuristics_level = normal to heuristics_level = high. If anything is falsely blocked by qlproxy I can later add it to the exceptions.conf file to have it passed through.
- The Parental Controls module of 1.4 now supports filtering of HTML page contents for banned words and phrases (like DansGuardian), and I will enable it too. The potential pitfall here is the type of algorithm used, which requires a lot of computational power from your PC – that is why the recommended way is to leave the module switched off in a typical installation. The next version of qlproxy is known to include a much better implementation.
- The urlblock module, which uses a community-developed database of categorized domains, incorrectly puts blogspot.com into an adult category… so I add it to the exception list in /opt/quintolabs/qlproxy/etc/exceptions.conf to be able to read some of my favorite blogs hosted there.
- I know that worms, trojans and other malware often connect to the world by IP address, so I put a magic regexp into the /opt/quintolabs/qlproxy/etc/httpblock.conf file to filter them out:
url = http://\d+\.\d+\.\d+\.\d+/.*
Good for now, let us issue a restart command to make the qlproxyd daemon reload the configuration
Next we need to integrate it with Squid. As the qlproxy daemon supports the shiny ICAP protocol, this is a little different from the url_rewrite_program integration described in the previous version of this HOWTO. By the way, the README file in /opt/quintolabs/qlproxy/ contains instructions on how to do that. Anyway, here are the steps required:
- Open /etc/squid/squid.conf in vi by typing vi /etc/squid/squid.conf in the root terminal.
- Add the following lines:
icap_service qlproxy1 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod
icap_service qlproxy2 respmod_precache bypass=0 icap://127.0.0.1:1344/respmod
adaptation_access qlproxy1 allow all
adaptation_access qlproxy2 allow all
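As an added post-install check (not part of this HOWTO, of Squid or of qlproxy), the following script lints a squid.conf for the directives listed in Steps 4 and 7 and flags an accidentally open proxy; the two sample configurations inside it are constructed.

```shell
# Added post-install check, not part of the HOWTO or of Squid: lint squid.conf for
# the directives this HOWTO adds and for an accidental open proxy (ERE patterns).
REQUIRED='^visible_hostname[[:space:]]
^acl[[:space:]]+localnet[[:space:]]+src[[:space:]]
^http_access[[:space:]]+allow[[:space:]]+localnet
^icap_service[[:space:]]+qlproxy1[[:space:]]+reqmod_precache
^icap_service[[:space:]]+qlproxy2[[:space:]]+respmod_precache
^adaptation_access[[:space:]]+qlproxy1[[:space:]]+allow
^adaptation_access[[:space:]]+qlproxy2[[:space:]]+allow'
active_lines() { sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"; }  # drop comments/blanks
# check_squid_conf FILE -> prints each finding; returns the number of findings (0 = clean)
check_squid_conf() {
    conf=$(active_lines "$1"); problems=0
    while IFS= read -r re; do
        printf '%s\n' "$conf" | grep -Eq "$re" && continue
        echo "MISSING: $re"; problems=$((problems + 1))
    done <<EOF
$REQUIRED
EOF
    # 'http_access allow all' lets anyone who can reach port 3128 relay through the proxy
    if printf '%s\n' "$conf" | grep -Eq '^http_access[[:space:]]+allow[[:space:]]+all'; then
        echo "OPEN PROXY: http_access allow all"; problems=$((problems + 1))
    fi
    # Squid evaluates http_access rules top-down, so the final rule must be 'deny all'
    last=$(printf '%s\n' "$conf" | grep -E '^http_access' | tail -n 1)
    case "$last" in
        *"deny all"*) ;;
        *) echo "LAST RULE: '$last' (expected http_access deny all)"; problems=$((problems + 1)) ;;
    esac
    return "$problems"
}
# lint_text CONTENT -> lints a config passed as a string (for the constructed samples below)
lint_text() { f=$(mktemp); printf '%s\n' "$1" > "$f"; check_squid_conf "$f" && rc=0 || rc=$?; rm -f "$f"; return "$rc"; }
# Constructed samples: the HOWTO's configuration, then a careless variant
GOOD_CONF='acl localnet src 192.168.0.0/16
http_access allow localnet
http_access deny all
visible_hostname proxy
icap_service qlproxy1 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod
icap_service qlproxy2 respmod_precache bypass=0 icap://127.0.0.1:1344/respmod
adaptation_access qlproxy1 allow all
adaptation_access qlproxy2 allow all'
BAD_CONF='acl localnet src 192.168.0.0/16
http_access allow all
icap_service qlproxy1 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod'
lint_text "$GOOD_CONF" && echo "good sample: clean"
lint_text "$BAD_CONF" || echo "bad sample: $? findings"
```

On the VM itself, run check_squid_conf /etc/squid/squid.conf after editing the file and before service squid restart.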
Now restart Squid by typing service squid restart in the root terminal. After the restart, try surfing the same sites with your browser and see how nicely ads are blocked. Another useful test is to go to the eicar.com web site and try to download the sample artificial eicar.com virus file to see that .com files are blocked by the download filter.
Note: for those of you who must stick with Squid 2.7 for some other reason, or if you are on Windows(!), qlproxy can be integrated with Squid as a URL rewriter. Open /etc/squid/squid.conf, find the url_rewrite_program section and add the following (as one line):
url_rewrite_program /opt/quintolabs/qlproxy/sbin/qlproxyd_redirector --config_path=/opt/quintolabs/qlproxy/etc/qlproxyd.conf
The last thing to do is to integrate qlproxy with Apache to be able to see the reports on user activity that are generated once a day. This is actually quite easy: open the /etc/httpd/httpd.conf file and add the following near the </VirtualHost> directive:
Alias /qlproxy /var/opt/quintolabs/qlproxy/www
<Directory /var/opt/quintolabs/qlproxy/www >
Now reload Apache by typing service httpd restart in the terminal.
You can navigate to http://192.168.1.4/qlproxy to see the generated reports. The funny thing is that qlproxy blocks access by IP address according to our settings in httpblock.conf described earlier. The solution is to add 192.168.1.2 as an entry to /opt/quintolabs/qlproxy/etc/exceptions.conf, or just tell the browser not to use the proxy for this address.
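As an added illustration (not qlproxy's own code) of the httpblock.conf regexp from the configuration list above and of the exception the report page needs, the script below emulates the decision as a shell function; the exception list and URLs are constructed, and it assumes exceptions are consulted before httpblock patterns.

```shell
# Added illustration, not qlproxy's code: how the httpblock.conf pattern from this
# HOWTO classifies URLs and why the proxy's own report page needs an exception.
# Assumed: exceptions are consulted first and patterns match anywhere in the URL.
# PCRE \d is written as [0-9] because grep -E (POSIX ERE) has no \d.
HTTPBLOCK_RE='http://[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/.*'
# The pattern above needs '/' right after the fourth octet, so an explicit port
# is not caught; this variant accepts an optional :port as well.
HTTPBLOCK_RE_PORT='http://[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(:[0-9]+)?/.*'
# Constructed exception list standing in for exceptions.conf entries: the web
# server on the proxy VM (192.168.1.4 in this HOWTO) and a blog host.
EXCEPTIONS='192.168.1.4
blogspot.com'

url_host() {  # url_host URL -> host part without scheme, port or path
    printf '%s\n' "$1" | sed -E 's#^[a-z]+://##; s#[:/].*$##'
}
in_exceptions() {  # in_exceptions URL -> 0 if host equals or is under an entry
    host=$(url_host "$1")
    for entry in $EXCEPTIONS; do
        case "$host" in "$entry"|*."$entry") return 0 ;; esac
    done
    return 1
}
# decide URL [PATTERN] -> prints ALLOW or BLOCK; returns 1 when blocked
decide() {
    re=${2:-$HTTPBLOCK_RE}
    if in_exceptions "$1"; then echo ALLOW; return 0; fi
    if printf '%s\n' "$1" | grep -Eq "$re"; then echo BLOCK; return 1; fi
    echo ALLOW; return 0
}
# Constructed sample URLs: a direct-to-IP download, the report page, a normal
# site, a blogspot subdomain and an IP URL with a port (columns: page's pattern, port-aware pattern)
for u in http://198.51.100.7/update.exe http://192.168.1.4/qlproxy \
         http://www.example.com/ http://myblog.blogspot.com/2011/ http://10.0.0.5:8080/; do
    printf '%-42s %-6s %s\n' "$u" "$(decide "$u")" "$(decide "$u" "$HTTPBLOCK_RE_PORT")"
done
```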
Finally everything is in place to start accelerated, secure web surfing without adverts – point your browser at 192.168.1.4 port 3128, surf to your favorite web sites and see the difference. IP addresses in URLs are blocked, and so are explicitly adult content sites. The VM takes no more than 512 MB and the surfing experience is quite acceptable. The system automatically updates the URL block list and advert subscriptions once a day and requires minimal additional maintenance.