Step 7. Integrate and Configure Squid
Now we need to integrate Squid with Web Safety. In order to do that, run the bash 07_integrate.sh script. The script looks like the following.
#!/bin/bash # integration should be done as root if [[ $EUID -ne 0 ]]; then echo "This script must be run as root" 1>&2 exit 1 fi # adjust the squid.conf if [ ! -f /etc/squid/squid.conf.original ]; then mv /etc/squid/squid.conf /etc/squid/squid.conf.original fi # copy new config cp squid.conf /etc/squid/squid.conf # allow web ui read-only access to squid configuration file chmod o+r /etc/squid/squid.conf # create storage for generated ssl certificates SSL_DB=/var/spool/squid_ssldb if [ -d $SSL_DB ]; then rm -Rf $SSL_DB fi /usr/lib64/squid/security_file_certgen -c -s $SSL_DB -M 4MB # and change its ownership chown -R squid:squid $SSL_DB # parse the resulting config just to be sure /usr/sbin/squid -k parse # restart squid to load all config systemctl restart squid.service
The default squid configuration file is pretty simple and contains the following settings.
# # squid.conf - fully managed by Web Safety Admin UI (Web UI) # # # the conf files in /opt/websafety/etc/squid/* folder are generated based on templates # stored in /opt/websafety/var/console/squid/templates/squid/conf/* folder. For now, # not all settings of Squid can be managed from Web UI; sometimes it is necessary # to edit the templates manually and then click Save and Restart from Web UI # to actually regenerate configuration files from these templates. # # We are adding more and more Squid management into Web UI but the work is not yet # over. Hopefully in several releases you will seldom need to manually change the # templates. # # include "/opt/websafety/etc/squid/squid.conf"
We also need to integrate Apache and Admin UI of Web Safety. Please note we run Admin UI on non standard port 8000 because default ports 80 and 443 are used by transparent redirection. To switch the Admin UI to port 8000 follow these steps:
- Ensure you do not have file
/etc/httpd/conf.d/welcome.conf. It is default page of non configured Apache that may interfere with Admin UI.
Listen 80in file
/etc/httpd/conf/httpd.confon line 42 to
Listen 8000. Save the file.
<Virtual Host *:80>in file
<Virtual Host *:8000>. Save the file.
- Restart Apache web server by running
systemctl restart httpd.
To make Squid listen on transparently redirected ports 3126 and 3127 as described on the previous step, login into Admin UI of Web Safety at http://10.0.0.1:8000 , click Squid / Settings / Network and select Default Gateway Proxy transparent mode as shown on the screenshot below. Do not forget to click Save and Restart afterwards.
After clicking Save and Restart, Admin UI will generate required
https_port directives in
/opt/websafety/etc/squid folder. These will look something like
# port configuration http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/websafety/etc/myca.pem http_port 3126 intercept https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/websafety/etc/myca.pem
IMPORTANT: please note, ports 3126 and 3128 are prefixed with http_port directive and port 3127 is prefixed with https_port directive.