Install Squid and Web Safety

Step 1. Update the system

Before going further, run bash 01_update.sh as root to upgrade your system to the most recent state. The script reboots the machine when it finishes.

#!/bin/bash

# update should be done as root
if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi

# remove unneeded packages
apt -y autoremove

# update and upgrade
apt-get update && apt-get -y upgrade

# and now reboot
reboot

Step 2. Install Apache Web Server

Web Safety has an administrator console for managing filtering settings and policies from your browser. The console is built with the Python Django framework and requires the Apache web server to function correctly. Run bash 02_apache.sh as root to install them. Contents of this script are shown below.

#!/bin/bash

# all web packages are installed as root
if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi

# install required python libs
apt-get -y install python-ldap python-pip python-openssl

# install django
pip install django==1.11.7
pip install pytz
pip install requests
pip install pandas

# to have PDF reports we need to install reportlab with a lot of dependencies
apt-get -y install python-dev libjpeg-dev zlib1g-dev

# now install reportlab
pip install reportlab==3.4.0

# install apache and mod_wsgi
apt-get -y install apache2 libapache2-mod-wsgi

# install kerberos client libraries
export DEBIAN_FRONTEND=noninteractive
apt-get -y install krb5-user

Step 3. Install Squid Proxy

Install Squid proxy by running bash 03_squid.sh as root. Contents of this script are shown below.

#!/bin/bash

# all packages are installed as root
if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi

# add diladele apt key
wget -qO - http://packages.diladele.com/diladele_pub.asc | sudo apt-key add -

# add new repo
echo "deb http://squid3527.diladele.com/ubuntu/ xenial main" > /etc/apt/sources.list.d/squid3527.diladele.com.list

# and install
apt-get update && apt-get install -y \
    libecap3 \
    libecap3-dev \
    squid-common \
    squid \
    squidclient \
    mc

Step 4. Install Web Safety ICAP filter

Download and install the latest version of Web Safety by running bash 04_websafety.sh. Contents of this script are shown below.

#!/bin/bash

# all packages are installed as root
if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi

# default version and architecture
MAJOR="6.4.0"
MINOR="2517"
ARCH="amd64"

# download
wget http://packages.diladele.com/websafety/$MAJOR.$MINOR/$ARCH/release/ubuntu16/websafety-$MAJOR.${MINOR}_$ARCH.deb

# install
dpkg --install websafety-$MAJOR.${MINOR}_$ARCH.deb

# relabel folder
chown -R websafety:websafety /opt/websafety

Step 5. Install ClamAV eCAP Adapter

Downloaded files are checked for viruses using the eCAP ClamAV adapter by Measurement Factory, see http://www.e-cap.org/downloads. To download and compile all required packages, run bash 05_clamav.sh.

#!/bin/bash

# all packages are installed as root
if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi

# install clamav
apt-get install -y clamav clamav-daemon libclamav-dev

# we will be working in a subfolder
rm -Rf ./build/ecap_clamav
mkdir -p ./build/ecap_clamav

# change into the folder
pushd ./build/ecap_clamav

# from now on every error is fatal
set -e

# download the sources
wget http://www.e-cap.org/archive/ecap_clamav_adapter-2.0.0.tar.gz

# unpack and untar them
gunzip ecap_clamav_adapter-2.0.0.tar.gz
tar -xvf ecap_clamav_adapter-2.0.0.tar

# configure, make and install
pushd ecap_clamav_adapter-2.0.0
./configure && make && make install
popd

# and revert back
popd
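
The scripts in Steps 4 and 5 fetch a .deb and a source tarball over plain HTTP and install them as root without an integrity check. The following added example (not part of the original guide or the vendor's scripts) shows a pinned SHA-256 check that could gate both downloads; the function names are hypothetical, and the digest must come from the publisher through a trusted channel, so it appears only as a placeholder.

```shell
#!/bin/bash
# Added example (not from the Web Safety guide). Function names are hypothetical.

# Succeeds only if file $1 hashes to the SHA-256 hex digest $2.
# Returns 2 for a missing file or a malformed digest (e.g. an unfilled placeholder).
verify_sha256() {
    [ -f "$1" ] || return 2
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    printf '%s' "$want" | grep -Eq '^[0-9a-f]{64}$' || return 2
    have=$(sha256sum "$1" | cut -d ' ' -f 1)
    [ "$have" = "$want" ]
}

# Download URL $1 into the current directory and keep the file only if it
# matches digest $2; on any failure the partial or tampered file is removed.
fetch_verified() {
    file=$(basename "$1")
    if wget -q -O "$file" "$1" && verify_sha256 "$file" "$2"; then
        return 0
    fi
    echo "download or checksum check failed for $1, file removed" 1>&2
    rm -f "$file"
    return 1
}

# How 04_websafety.sh could use it, with URL set to the address it passes to
# wget (the digest is a placeholder, not a real value):
#   fetch_verified "$URL" "<PINNED_SHA256>" \
#       && dpkg --install "websafety-$MAJOR.${MINOR}_$ARCH.deb"

# Constructed demonstration that runs offline: a matching and a tampered file.
demo=$(mktemp -d)
printf 'constructed package bytes\n' > "$demo/pkg.deb"
pinned=$(sha256sum "$demo/pkg.deb" | cut -d ' ' -f 1)
verify_sha256 "$demo/pkg.deb" "$pinned" && echo "original: digest matches"
printf 'x' >> "$demo/pkg.deb"
verify_sha256 "$demo/pkg.deb" "$pinned" || echo "tampered: digest mismatch"
verify_sha256 "$demo/pkg.deb" "<PINNED_SHA256>" || echo "placeholder: rejected"
rm -rf "$demo"
```

The apt signing key in 03_squid.sh is also fetched over plain HTTP; its fingerprint can be compared against a value obtained out of band before it is passed to apt-key add.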

Step 6. Integrate Web Safety and Apache

Integration of the Web Safety UI with Apache is usually done automatically by the installer, but a transparent filtering proxy requires some more steps. Normally the Admin UI of Web Safety runs on port 80 or 443, but these ports are now redirected to Squid, so we need to switch the Admin UI to another port, for example 8000.

Run bash 06_integrate_apache.sh, then perform the additional steps listed after it. Contents of this script are shown below.

#!/bin/bash

# all packages are installed as root
if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi

# integrate with apache
a2dissite 000-default
a2ensite websafety

# restart all daemons
service apache2 restart

  1. Open /etc/apache2/ports.conf using your favorite text editor, find Listen 80 and change it to Listen 8000. Save the file.
  2. Open /etc/apache2/sites-enabled/websafety.conf, find VirtualHost *:80 and change it to VirtualHost *:8000. Save the file.
  3. Restart Apache web server by running systemctl restart apache2.

Important

Do not forget to allow connections to port 8000 from your LAN. Add the following rule to the services section of /etc/network/iptables, somewhere before the -A INPUT -j DROP rule.

# accept traffic to Web UI of Web Safety on port 8000
-A INPUT -i ens33 -p tcp --dport 8000 -j ACCEPT
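
A check for the manual edits in this step, including the requirement that the ACCEPT rule sits before -A INPUT -j DROP, as an added example that is not part of the original guide. The function names are hypothetical, and the file paths are passed as arguments so the checks can be run against copies; the sample files below are constructed.

```shell
#!/bin/bash
# Added example (not from the Web Safety guide): verify the Step 6 edits.
# Function names are hypothetical; sample files are constructed.

# Succeeds if Apache listens on port $3 and no longer on 80.
# $1 = ports.conf, $2 = site file (websafety.conf), $3 = Admin UI port
apache_on_port() {
    grep -Eq "^[[:space:]]*Listen[[:space:]]+$3[[:space:]]*\$" "$1" || return 1
    ! grep -Eq '^[[:space:]]*Listen[[:space:]]+80[[:space:]]*$' "$1" || return 1
    grep -Eq "<VirtualHost[[:space:]]+\\*:$3>" "$2"
}

# Succeeds if a tcp ACCEPT rule for port $2 precedes the first
# "-A INPUT -j DROP" in rules file $1; a rule placed after the DROP never matches.
accept_before_drop() {
    awk -v port="$2" '
        /^[ \t]*#/ { next }
        /^-A INPUT +-j DROP/ { exit }
        /^-A INPUT/ && /-p tcp/ && /-j ACCEPT/ {
            for (i = 1; i < NF; i++)
                if ($i == "--dport" && $(i + 1) == port) found = 1
        }
        END { exit !found }
    ' "$1"
}

# Constructed sample files, so the example runs without touching /etc.
demo=$(mktemp -d)
printf 'Listen 8000\n' > "$demo/ports.conf"
printf '<VirtualHost *:8000>\n</VirtualHost>\n' > "$demo/websafety.conf"
printf '%s\n' '*filter' \
    '-A INPUT -i ens33 -p tcp --dport 8000 -j ACCEPT' \
    '-A INPUT -j DROP' 'COMMIT' > "$demo/rules.ok"
printf '%s\n' '*filter' \
    '-A INPUT -j DROP' \
    '-A INPUT -i ens33 -p tcp --dport 8000 -j ACCEPT' 'COMMIT' > "$demo/rules.late"

apache_on_port "$demo/ports.conf" "$demo/websafety.conf" 8000 && echo "apache: ok"
accept_before_drop "$demo/rules.ok" 8000 && echo "rules.ok: port reachable"
accept_before_drop "$demo/rules.late" 8000 || echo "rules.late: ACCEPT is after DROP"
rm -rf "$demo"
```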

Step 7. Integrate Squid and Web Safety

Now we need to integrate Squid with Web Safety. To do that, run bash 07_integrate_squid.sh as root. Contents of this script are shown below.

#!/bin/bash

# all packages are installed as root
if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi

# replace the squid config
if [ ! -f /etc/squid/squid.conf.default ]; then
    cp -f /etc/squid/squid.conf /etc/squid/squid.conf.default
fi
cp -f squid.conf /etc/squid/squid.conf

# create squid storage for mimicked ssl certificates
SSL_DB=/var/spool/squid_ssldb
if [ -d "$SSL_DB" ]; then
    rm -Rf "$SSL_DB"
fi

/usr/lib/squid/ssl_crtd -c -s "$SSL_DB"
RC=$?
if [ $RC -ne 0 ]; then
    # report the exit code of ssl_crtd, not of the test above
    echo "Error $RC while initializing SSL certificate storage, exiting..."
    exit 1
fi
chown -R proxy:proxy "$SSL_DB"

# reset owner of installation path
chown -R websafety:websafety /opt/websafety

# restart all daemons
systemctl restart wsicapd && service squid restart

The default Squid configuration file is simple and contains only the following setting.

#
# squid.conf - fully managed by Web Safety Admin UI (Web UI)
#

#
# the conf files in /opt/websafety/etc/squid/* folder are generated based on templates
# stored in /opt/websafety/var/console/squid/templates/squid/conf/* folder. For now,
# not all settings of Squid can be managed from Web UI; sometimes it is necessary
# to edit the templates manually and then click Save and Restart from Web UI
# to actually regenerate configuration files from these templates.
#
# We are adding more and more Squid management into Web UI but the work is not yet
# over. Hopefully in several releases you will seldom need to manually change the
# templates.
#
#
include "/opt/websafety/etc/squid/squid.conf"

Reboot your proxy box now before going to the next step.