Installing and Configuring SquidNT 2.7 on a Windows Domain

Posted on the January 14th, 2009 under Installs by admin

If your company is looking to beef up its security somewhat, then a free and flexible proxy is a good thing to have. A proxy such as SquidNT sits between your users and the Internet and handles requests, usually for websites. It can provide protection for users and use a web cache to make browsing faster. SquidNT is a free Windows version of the popular Linux-based proxy.

In this How To Solutions guide I’ll walk you through …

  • installing SquidNT
  • configuring browsers to use the proxy
  • using user authentication across a Windows domain
  • blocking websites of your choice
  • accessing and reviewing web logs of sites users have visited

I write this merely because nearly all of the documentation is for Linux or is outdated and not centralised. This was installed on a Windows XP machine but I imagine it will work on Windows Server 2003 too.

Installing SquidNT

Download SquidNT 2.7 here – you’re looking under binaries for 2.7 STABLE5, the Standard build type which is in zip format.

Unzip the squid file to your desktop. This should create a squid folder – move it into your C: drive at the top level. Don’t put it in Program Files! Squid doesn’t like spaces in folder structures.

Open up CMD by clicking Start > Run > typing “cmd” > OK. Type in the following commands, pressing Enter after each line.

cd c:\squid
cd sbin
squid.exe -i

Leave the cmd window open. This will install SquidNT as a Windows service – starting it when the computer first boots.

In Windows Explorer navigate to C:\squid\etc. Rename the four files in there so that the .default extensions are removed from all of them.

Next we will create the Squid cache directories. This should improve browser performance by caching websites locally, reducing the need to download each item on the webpage. Create the directories by again using CMD to run the following command:

C:\squid\sbin>squid -z

We can now start Squid running. Open up Windows services by clicking Start > Control Panel > Administrative Tools > Services. You should see Squid listed there – right click it and Start.

Configuring Browsers

Firefox (v2)

Tools > Options > Advanced > Network tab > Settings.

Click on “Manual proxy configuration” and enter the IP of the machine on which SquidNT was installed. For the port use 3128 (the Squid default).

Internet Explorer (v7)

Tools > Internet Options > Connections tab > LAN Settings

Under the proxy server section click the “Use a proxy server for your LAN” box. For the server use the IP of the machine SquidNT was installed on and use port 3128 (the default for Squid).

Testing

Once the settings are saved in the browser of your choice then test to make sure you can still access websites. You can see the access logs if you navigate to C:\squid\var\logs\access.log and open it in a text editor.

User Authentication on a Windows domain

If you’re going to run the Squid proxy over a Windows domain using Active Directory then rather than log an IP address you can set Squid to log authenticated users. This is particularly useful when reviewing the logs later on.

Open up Windows Services (Control Panel > Administrative Tools > Services) and stop Squid. You need to go to C:\squid\etc and open the squid.conf file in a text editor.

Go to line 292 which should be a blank line below “#auth_param basic casesensitive off”. Paste in the following and leave a blank line below it.

auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
auth_param ntlm children 5

We then determine the access control list (ACL) that will allow only authenticated users on the network to go through the proxy. Navigate to line 623 (it might be a few lines more due to the previous input!) and look for the blank line below “acl CONNECT method CONNECT”. Paste in the following

acl localnet proxy_auth REQUIRED src 10.0.0.1/255

Note: Change the IP range to suit your specific network. I have used 10.0.0.x as an example but you may use another range.

Once that is pasted in scroll down again until line 649 (again this will be lower due to the two previous pastes). Look for the line that reads “http_access deny manager”. Under that line paste the following…

http_access allow localnet

At this point you should save the squid.conf file and restart Squid as a Windows Service. Go back to your favourite web browser and make sure you can still access sites. Again you can check the access logs (C:\squid\var\logs\access.log) to make sure the Windows authentication is being recorded.

Blocking Websites

A very good reason to use a web proxy is to block websites across a network that could be potentially harmful. Again we’ll need to use the squid.conf file to declare which sites to block.

Open up squid.conf and look for the “acl CONNECT method CONNECT” line, around line 628. Create a new blank line BELOW this line. It should be directly above the line you pasted in earlier (acl localnet proxy_auth REQUIRED src 10.0.0.1/255). Paste in the contents below, making sure to edit the URLs. I have used Facebook and Myspace as an example but you can use anything.

acl facebook url_regex facebook.com
acl myspace url_regex myspace.com

This should create something that looks like what is in the box below.

acl CONNECT method CONNECT
acl facebook url_regex facebook.com
acl myspace url_regex myspace.com
acl localnet proxy_auth REQUIRED src 10.0.0.1/255

Now let’s look for line 655 (again it will be somewhere near there but depends on the earlier pastes). Look for the line that reads “# Only allow cachemgr access from localhost”. Make the http_access lines read like in the box below. It is important to make sure “http_access allow localnet” is the last line in this section. If you have added more sites to be blocked then use “http_access deny name”, where ‘name’ is what you defined in the acl section (acl name url_regex urlforname.com).

http_access allow manager localhost
http_access deny manager
http_access deny facebook
http_access deny myspace
http_access allow localnet

Lastly scroll up to line 613 (or thereabouts). Look for the section that reads like the box below. We don’t want to include this section so put a hash sign (#) before each acl statement.

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

Save squid.conf and close the file. Restart the Squid service and make sure your browsers can see the Internet.

Reviewing Web Logs

To review Squid logs I wouldn’t recommend opening the log file in a text editor. I’ve previously used Kraken Reports though it’s not very nice to look at. In fact all free Squid log analysers for Windows I’ve seen are fairly horrible. It would be nice to find a well made one that was more flexible.
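As an alternative to a log analyser, a short script can answer the two questions this setup raises: who was blocked from which site, and whether any request was served without a logged user name. This is an added example, not part of the original post; it assumes Squid's default native access.log layout, the sample lines are constructed, and the function names are hypothetical.

```python
from collections import Counter
from urllib.parse import urlsplit

FIELDS = ("time", "elapsed", "client", "result", "bytes",
          "method", "url", "user", "hierarchy", "mime")

# Constructed sample lines in Squid's native access.log layout.
SAMPLE = r"""
1231934400.123    250 10.0.0.23 TCP_MISS/200 5120 GET http://www.example.org/ CORP\alice DIRECT/192.0.2.10 text/html
1231934460.456      2 10.0.0.23 TCP_DENIED/403 1450 GET http://www.facebook.com/ CORP\alice NONE/- text/html
1231934470.002      1 10.0.0.40 TCP_DENIED/407 1720 GET http://www.example.org/ - NONE/- text/html
1231934480.900      3 10.0.0.41 TCP_DENIED/403 1450 CONNECT www.myspace.com:443 CORP\bob NONE/- -
1231934490.100    310 10.0.0.50 TCP_MISS/200 880 GET http://www.example.org/a.css - DIRECT/192.0.2.10 text/css
""".strip().splitlines()

def parse_line(line):
    """Split one native-format line into named fields, or return None."""
    parts = line.split()
    if len(parts) != len(FIELDS) or "/" not in parts[3]:
        return None                      # truncated or custom-format line
    rec = dict(zip(FIELDS, parts))
    rec["code"], rec["status"] = rec["result"].split("/", 1)
    # CONNECT requests are logged as host:port rather than a full URL.
    rec["host"] = urlsplit(rec["url"]).hostname or rec["url"].split(":")[0]
    return rec

def blocked(lines):
    """Count policy denials (TCP_DENIED/403) per (user, host).
    TCP_DENIED/407 is the login challenge, not a blocked site."""
    hits = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["code"] == "TCP_DENIED" and rec["status"] == "403":
            hits[(rec["user"], rec["host"])] += 1
    return hits

def served_without_login(lines):
    """Requests that were answered although no user name was logged."""
    return [rec for rec in filter(None, map(parse_line, lines))
            if rec["user"] == "-" and rec["code"] != "TCP_DENIED"]
```

To run it against the real log, pass `open(r"C:\squid\var\logs\access.log")` instead of `SAMPLE`; any entry returned by `served_without_login` means a request got through the proxy without authentication being recorded.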

How To Install Trac on Windows

Posted on the September 24th, 2008 under Installs by admin

Trac is a front end to Subversion with an integrated wiki for developers. Use this How To article to help you install Trac on a Windows computer that isn’t running Apache. The guide assumes you have a working Subversion repository and are using the TortoiseSVN shell on client PCs.

Introduction

Firstly let me say Trac is a brilliant bit of software. It is basically a friendly front end to subversion which is a version control system. Trac allows you to use its in-built tracd software so you can view Subversion changes through a browser. Working with developers, this lets you track changes to code easily as well as support development goals through Trac’s project management tools.

This How To guide is by no means a replacement for the Trac documentation. The Trac site and the support provided by their developers is really very good. However I ran into a number of problems when installing the software on a standalone Windows server that wasn’t running Apache.

Installation Files

Installing the Software

1. OK so let’s assume you have a working repository which we will say is located at E:\repos and a folder with all of your code located at E:\code.

2. Let’s install Python – Double click the python-2.5.2.msi file and select ‘Install for all users’. Click Next and then Next again (change the location of the Python install if you wish). Click Next once more and Python will start installing. Click Finish and that’s Python installed.

3. Now let’s install the Python SVN file (“svn-python” etc) – Double click the file and then click Next, Next again and Next once more. The installation will run and click the Finish button when prompted.

4. Then we install Python SQLite – Double click the file and then click Next, Next again and Next once more. The installation will run and click the Finish button when prompted.

5. Trac needs to be installed now – Double click the Trac exe and then click Next, Next again and Next once more. The installation will run and click the Finish button when prompted.

6. Lastly we need to install Genshi – Double click the Genshi file and then click Next, Next again and Next once more. The installation will run and click the Finish button when prompted.

Getting Trac Running

1. Create a folder called tracproject or something similar – I’d recommend putting it in the same directory as your repository.

2. Get your ez_setup.py file and move it into the C:\Python25\Scripts folder (or wherever your Python install is located). Bring up a command prompt (Click on Start > Run and type ‘cmd’). Enter the following making sure you hit Enter after each of the four lines.

cd c:\
cd pyth*
cd scr*
ez_setup.py

3. This will bring up about 10 lines of code and then leave the command prompt in the same directory. Now type the following and hit Enter.

trac-admin E:\project initenv

This will install Trac to the E:\project directory. Now the CMD window will prompt you to input four pieces of information. Look at what I used below to indicate what you should use.

Project Name [My Project] – I used “mycode”
Database connection string [sqlite:db/trac.db]> Leave blank by hitting Enter
Repository type [svn]> Leave blank by hitting Enter
Path to Repository [/path/to/repos]> E:\repos

The CMD window will install Trac based on the existing repository. The more existing revisions you have in the repository the longer this process will take, as it’s indexing each change you’ve ever made. Once the install is complete the last line should say “Congratulations!” but don’t close the cmd window! So Trac is now installed but you’re not done yet. It must be configured correctly to get the most out of its use.

4. To easily handle accounts in Trac I would 100% recommend installing the Account Manager Plugin available from Trac Hacks (a handy site with lots of Trac plugins) – let’s do this now. In the same cmd window (which should still be in C:\Python25\Scripts) type the following and hit Enter.

easy_install http://trac-hacks.org/svn/accountmanagerplugin/trunk

This will bring up about 12 lines of code with the last line starting “Finished processing dependencies”.

5. In Windows open up the E:\project folder and go into the conf sub-directory. There’s a file called trac.ini - open it in an editor like Notepad. You need to copy the following lines below and paste them into Notepad above the [header_logo] section.

[components]
acct_mgr.admin.accountmanageradminpage = enabled
acct_mgr.api.accountmanager = enabled
acct_mgr.db.sessionstore = enabled
acct_mgr.htfile.htdigeststore = enabled
acct_mgr.pwhash.htdigesthashmethod = enabled
acct_mgr.web_ui.accountmodule = enabled
acct_mgr.web_ui.loginmodule = enabled
acct_mgr.web_ui.registrationmodule = enabled
trac.web.auth.loginmodule = disabled

Once that’s been pasted in save the ini file and close Notepad. In explorer go up a level to E:\project and create a new text file called passwd.txt – leave the file blank.

6. Lastly let’s temporarily give all anonymous users (those who aren’t logged in) admin access. In the same CMD window type the following and hit Enter.

trac-admin E:\project permission add anonymous TRAC_ADMIN

Note this will not return any lines. We will remove the admin access later once you, the real admin, have created your account. And with that we can start Tracd. In CMD type the following and hit Enter.

tracd -p 8000 E:\project

7. Open up your favourite browser and paste this URL: http://localhost:8000/. You should see a link to the name you gave your project, such as mycode. Click on that and there you have Tracd – the front end of the Trac software.

8. In the top right there’s a tab called Admin – click on it. On the menu on the right click on Configuration and when the page loads select HtDigestStore where the filename is E:\project\passwd.txt and the realm is “trac”.

9. Below Configuration is Users – click on it. Create yourself an admin account. Now using the menu go to Permissions. On the right of that page you will see the Grant Permission section. Use the subject field for the username you gave yourself on the Users page and select the TRAC_ADMIN as Action. Click Add and you will see your username in the middle column of the page with TRAC_ADMIN next to it. For the subject anonymous click on the TRAC_ADMIN so it’s ticked and then click on the Remove selected items button.

10. From now on you will need to use that Admin account to Login and make changes to the Trac environment. By default anonymous users can still view all of the Tracd menus to see changes to the repository and view tickets.
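Because step 6 grants TRAC_ADMIN to anonymous and step 9 relies on remembering to remove it, the following check confirms the removal actually happened. It is an added example, not part of the original guide or of Trac: it reads the `permission` table in the environment's SQLite database (the default `sqlite:db/trac.db` chosen in step 3), the function names are hypothetical, and it is written for a current Python rather than the 2.5 install above.

```python
import os
import sqlite3
import sys

# Subjects that need no approval: "anonymous" is every visitor, and with the
# registration module enabled anyone can sign up and become "authenticated".
PUBLIC_SUBJECTS = ("anonymous", "authenticated")

def is_admin_action(action):
    """TRAC_ADMIN, the other *_ADMIN actions and the PERMISSION_* actions."""
    return action.endswith("_ADMIN") or action.startswith("PERMISSION_")

def public_admin_grants(conn):
    """Return (subject, action) rows giving admin rights to public subjects."""
    rows = conn.execute(
        "SELECT username, action FROM permission "
        "WHERE username IN (?, ?) ORDER BY username, action",
        PUBLIC_SUBJECTS).fetchall()
    return [(user, action) for user, action in rows if is_admin_action(action)]

def check_environment(env_path):
    """Open <env>/db/trac.db (the default sqlite:db/trac.db) and run the check."""
    conn = sqlite3.connect(os.path.join(env_path, "db", "trac.db"))
    try:
        return public_admin_grants(conn)
    finally:
        conn.close()

if __name__ == "__main__" and len(sys.argv) > 1:
    findings = check_environment(sys.argv[1])     # e.g. E:\project
    for subject, action in findings:
        print("still granted: %s -> %s" % (subject, action))
    sys.exit(1 if findings else 0)
```

Run it with the environment folder as its only argument once step 9 is complete; no output and exit code 0 mean neither anonymous nor authenticated holds an admin-level permission.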

I hope this How To guide has helped you get Trac running on your systems. Please feel free to make comments/suggestions/improvements.