SQUID TRANSPARENT PROXY FOR HTTP / HTTPS


The following are the steps involved in installing the squid proxy in transparent mode, along with the troubleshooting I went through during the installation.

 

Infrastructure:

[Figure: Vkarthi_IT_Squid infrastructure diagram]

The following are the prerequisites in RHEL 6.7 before installing squid:

  1. Disable SELinux by editing /etc/selinux/config (#vim /etc/selinux/config)
  2. Enable IP forwarding (net.ipv4.ip_forward = 1) in /etc/sysctl.conf
  3. Enable the EPEL repo:

a. #cd /root/

   #wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

b. #rpm -Uvh epel-release-6-8.noarch.rpm

c. Create the squid repo as follows:

d. #cd /etc/yum.repos.d

e. #vi squid.repo

   Enter or insert the following text in the squid.repo file:

[squid]
name=Squid repo for CentOS Linux - $basearch
#IL mirror
baseurl=http://www1.ngtech.co.il/repo/centos/$releasever/$basearch/
failovermethod=priority
enabled=1
gpgcheck=0

4. Run #yum update

Installation of SQUID

#yum install perl-Crypt-OpenSSL-X509 (This package must install successfully, otherwise https sites will not work.)

#yum install -y squid

Install the squid helpers from the URL: http://www1.ngtech.co.il/repo/centos/6/x86_64/squid-helpers-3.5.19-1.el6.x86_64.rpm

# wget http://www1.ngtech.co.il/repo/centos/6/x86_64/squid-helpers-3.5.19-1.el6.x86_64.rpm

# yum install -y squid-helpers-3.5.19-1.el6.x86_64.rpm

Now initialize the SQUID ssl_db directory with the following command:

#/usr/lib/squid/ssl_crtd -c -s /var/lib/ssl_db

Assign ownership to squid:

#chown -R squid.squid /var/lib/ssl_db

Edit /etc/squid/squid.conf and apply the following configuration.

Define your local source network:

acl localnet src 192.168.201.0/24

Enable and define the ports, the access rules, the listening ports and the SSL bump settings in squid.conf:

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
http_port 3130
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem
#always_direct allow all
ssl_bump server-first all
#sslproxy_cert_error deny all
#sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
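Squid evaluates http_access lines top to bottom and the first line whose ACLs all match decides. The following added example (not part of the original post) re-implements that evaluation in Python over the ACL set above, so the policy can be checked before it is deployed; it also shows that localnet is defined but never referenced, so the final "allow all" admits any source that can reach the plain proxy port 3130. Squid's built-in "all" ACL is assumed to be src 0.0.0.0/0.

```python
import ipaddress

# ACL section of the post's squid.conf (the Safe_ports values are merged onto
# one line, which squid treats identically; comments dropped).
SQUID_CONF = """
acl localnet src 192.168.201.0/24
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
"""

def parse_conf(text):
    """Collect acl definitions and http_access rules in file order."""
    acls = {"all": ("src", ["0.0.0.0/0"])}   # squid's built-in 'all' (assumed)
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acls, name, req):
    kind, values = acls[name]
    if kind == "port":                           # single port or lo-hi range
        return any(int(v.partition("-")[0]) <= req["port"] <= int(v.partition("-")[2] or v)
                   for v in values)
    if kind == "method":
        return req["method"] in values
    if kind == "src":
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v)
                   for v in values)
    raise ValueError("unsupported acl type " + kind)

def http_access(acls, rules, req):
    """First http_access line whose ACL terms all match decides; with no
    match, squid applies the opposite of the last line's action."""
    for action, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

ACLS, RULES = parse_conf(SQUID_CONF)

def decide(method, port, src):
    return http_access(ACLS, RULES, {"method": method, "port": port, "src": src})
```

decide("CONNECT", 8443, ...) is denied because 8443 is a Safe_port but not an SSL_port, while decide("GET", 80, "10.0.0.5") is allowed even though 10.0.0.5 is outside localnet.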

Generate the certificate for SQUID using OpenSSL

Go to the SQUID directory, create the certificate folder and generate the keys:

#mkdir /etc/squid/ssl_cert

#chown -R squid.squid /etc/squid/ssl_cert

#cd /etc/squid/ssl_cert

Generate the SSL certificate (a self-signed CA certificate and its private key, both written to myca.pem) with the following command:

#openssl req -new -newkey rsa:1024 -days 1365 -nodes -x509 -keyout myca.pem -out myca.pem

For Windows clients, export the certificate in DER format:

#openssl x509 -in myca.pem -outform DER -out myca.der

Now enable squid on all run levels and start the squid service:

#chkconfig squid on

#/etc/init.d/squid start

Redirect / accept HTTP and HTTPS traffic from the router/firewall to the proxy

#iptables -t nat -A PREROUTING -p tcp -s 192.168.201.0/24 --dport 80 -j DNAT --to-destination 192.168.201.250:3128

#iptables -t nat -A PREROUTING -p tcp -s 192.168.201.0/24 --dport 443 -j DNAT --to-destination 192.168.201.250:3129

Note that the proxy address 192.168.201.250 lies inside 192.168.201.0/24, so the proxy's own outbound fetches also match these rules if they pass through the same router; in that case exclude it with "! -s 192.168.201.250" or an earlier rule.

Save the iptables configuration:

#/etc/init.d/iptables save

On Windows client configuration

We need to copy the /etc/squid/ssl_cert/myca.der file to our Windows clients.

For Internet Explorer:

Tools -> Internet Options -> Content -> Certificates. Click on Import, select the myca.der file, and make sure that you import it into Trusted Root Certification Authorities.

For Mozilla Firefox:

Tools -> Options -> Advanced -> Certificates -> View Certificates -> Import

(x) Trust this CA to identify websites

(x) Trust this CA to identify email users

(x) Trust this CA to identify software developers

Click OK; you are done.

NOTE: If the main certificate for SQUID expires and you generate a new one, don't forget to delete the old certificates in /var/lib/ssl_db/certs, empty the file /var/lib/ssl_db/index.txt, and set the number inside the file /var/lib/ssl_db/size to 0.

In our infrastructure the bind service is not required for name resolution.

Analysis:

In my experience, squid as a transparent proxy for http and https works with squid version 3.5.19; lower versions of squid seem to have some bugs.

Below are the bugs we came across with the older versions of squid, as seen in /var/log/squid/access.log:

1301567341.317 23434 192.168.100.165 TCP_MISS/200 957 POST http://by2msg3010710.by2.gateway.edg…y/gateway.dll? – DIRECT/64.4.34.80 text/html
1301567341.896 531 192.168.100.165 TCP_MISS/200 1056 POST http://by2msg3010710.by2.gateway.edg…y/gateway.dll? – DIRECT/64.4.34.80 text/html
1301567344.042 770 192.168.100.155 TCP_MISS/200 1117 POST http://www.facebook.com/ajax/chat/buddy_list.php? – DIRECT/69.63.190.18 application/x-javascript
1301567347.991 414 192.168.100.161 TCP_MISS/200 316 POST http://oss-content.securestudies.com/cidpost – DIRECT/165.193.73.40 text/plain
1301567351.115 494 192.168.100.161 TCP_MISS/200 316 POST http://oss-content.securestudies.com/cidpost – DIRECT/165.193.73.40 text/plain
1301567352.986 412 192.168.100.161 TCP_MISS/200 316 POST http://oss-content.securestudies.com/cidpost – DIRECT/165.193.73.40 text/plain
1301567354.288 555 192.168.100.150 TCP_MISS/200 6079 GET http://www.google.com.sa/ – DIRECT/209.85.147.104 text/html
1301567354.516 37 192.168.100.150 TCP_MISS/302 683 GET http://www.google.com.sa/gen_204? – DIRECT/209.85.147.104 text/html
1301567354.773 254 192.168.100.150 TCP_MISS/204 367 GET http://www.google.com.sa/gen_204? – DIRECT/209.85.147.104 text/html
1301567354.842 161 192.168.100.150 TCP_MISS/302 856 GET http://www.google.com.sa/csi? – DIRECT/209.85.147.106 text/html
1301567355.165 320 192.168.100.150 TCP_MISS/204 413 GET http://www.google.com.sa/csi? – DIRECT/209.85.147.106 text/html
1301567355.234 456 192.168.100.150 TCP_MISS/204 322 GET http://clients1.google.com.sa/generate_204 – DIRECT/74.125.230.163 text/html

w - command in Linux


w is a command in Linux which gives the system uptime, the logged-in users (as the who command does) and the system load average.

It is interesting that a single-letter command gives this much useful information. Refer to the screenshot below.

[Screenshot: w-command]

 

To run a shell script in an encrypted mode


Scenario: To encrypt a shell script for security reasons and to call the encrypted shell script from another shell script.

Prerequisite for installing shc (encrypting a shell script):
The gcc compiler is required before installing shc.

SHC installation in CentOS:

Step 1: #yum install gcc

Step 2: #yum install shc (it will install shc.x86_64, or the build matching the OS version).
Now the steps to encrypt a shell script.

After the successful installation of shc, carry out the following steps.

Step 3: create a shell script that displays your login id and the computer hostname.
Script 1:
#!/bin/bash
echo -n "I am logged on as "; whoami
echo -n "My computer name: "; hostname
Save the file and close (:wq). File name: login.sh

Step 4: now run the command
#shc -f login.sh
This will create two files: a. login.sh.x b. login.sh.x.c

Step 5: Run the command so that the binary can be executed from another shell script
# shc -v -r -T -f login.sh

Step 6: Create another script to call the encrypted script.
#!/bin/bash
PATH_TO_A=/root/login.sh.x
echo "Calling login.sh.x"
"$PATH_TO_A"

Step 7: Execute the second script and compare with the original one; both outputs must be the same.

How to configure SFTP in CENTOS


Configuration of SFTP in CentOS

[root@Karthick~]# cd /etc/vsftpd/
[root@Karthick~]# /usr/bin/openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout vsftpd.pem -out vsftpd.pem
[root@Karthick~]# vim /etc/vsftpd/vsftpd.conf
# Enable SSL/TLS
ssl_enable=YES
# Allow anonymous users to use SSL
allow_anon_ssl=YES
# Force local users' data connections to use SSL
force_local_data_ssl=YES
# Force local users' logins to use SSL
force_local_logins_ssl=YES
# Permit TLS v1 protocol connections. TLS v1 connections are preferred
ssl_tlsv1=YES
# Permit SSL v2 protocol connections. TLS v1 connections are preferred
ssl_sslv2=YES
# Permit SSL v3 protocol connections. TLS v1 connections are preferred
ssl_sslv3=YES
# RSA certificate (the key is in the same file)
rsa_cert_file=/etc/vsftpd/vsftpd.pem

[root@Karthick~]# service vsftpd restart
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]
[root@Karthick~]# sftp karthick@localhost
Connecting to localhost..
karthick@localhost password:
sftp> ls
Desktop Documents Downloads Music Pictures Public Templates Videos
sftp> bye
[root@Karthick~]#
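The post's TLS settings beside a hardened variant of the same vsftpd directives, as an added comparison that is not part of the original post (the directive names are vsftpd's own; the cipher list is an example value). Note that vsftpd with ssl_enable=YES serves FTP over TLS (FTPS), whereas the sftp client in the session above speaks the SSH file transfer protocol to sshd, not to vsftpd.

```ini
# --- TLS settings as in the post above (weak) ---
ssl_enable=YES
ssl_sslv2=YES
ssl_sslv3=YES
ssl_tlsv1=YES
allow_anon_ssl=YES

# --- hardened variant of the same directives (added example) ---
ssl_enable=YES
# SSLv2 and SSLv3 are broken protocols; refuse them and keep TLS only
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
# logins and data transfers of local users must be encrypted
force_local_logins_ssl=YES
force_local_data_ssl=YES
# no anonymous access at all, so no anonymous TLS either
anonymous_enable=NO
allow_anon_ssl=NO
# data connection must reuse the control connection's TLS session
require_ssl_reuse=YES
# example cipher list (assumption): OpenSSL's HIGH group only
ssl_ciphers=HIGH
# regenerate this file with -newkey rsa:2048 instead of rsa:1024
rsa_cert_file=/etc/vsftpd/vsftpd.pem
```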

Password reset for Windows machine using linux tool


In my earlier post, I mentioned that using Ubuntu we can change the Windows password using the command chntpw. As an update to that, there is a version of the chntpw tool which comes as a bootable ISO and makes the job easier.

Today I tried this tool and reset the Administrator password for a Windows 2003 server (local account, not domain admin).

Please find the application and procedure enclosed.

Application: https://www.dropbox.com/s/xyrbeo88nju8sw8/cd100627.zip

Procedure: https://www.dropbox.com/s/kaklok06c1ghgyf/password%20reset%20procedure.pdf

More info: http://pogostick.net/~pnh/ntpasswd/

 

Easiest way to lock or unlock a user account in Linux


We traditionally lock a user account in Linux by editing its entry in the /etc/passwd file to “username:x:Pr.Group:Sec.Group ::/home/username: /sbin/nologin”.

There is an easier way to lock and unlock a user account in Linux. The syntax is given below:

#passwd -l username -> to lock the account

#passwd -u username -> to unlock the account

To know the password creation date for the users:

# passwd -S -a; this lists the users along with the dates when their passwords were set.

For more interesting info about passwd: # man passwd
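Going one step beyond the listing above, this added example (not from the original post) parses constructed `passwd -S -a` output in the RHEL/CentOS format and groups accounts into locked, empty-password and stale, which is the review an administrator would run after locking and unlocking accounts. The sample lines and the 365-day staleness threshold are assumptions.

```python
from datetime import datetime

# Constructed sample of `passwd -S -a` output in the RHEL/CentOS format:
# name, status, last change, min, max, warn, inactive, description.
SAMPLE = """\
root PS 2016-01-10 0 99999 7 -1 (Password set, SHA512 crypt.)
karthick PS 2015-03-02 0 90 7 -1 (Password set, SHA512 crypt.)
oldadmin LK 2014-06-15 0 99999 7 -1 (Password locked.)
svc NP 2016-02-01 0 99999 7 -1 (Empty password.)
"""

# passwd -S status codes (two letters on RHEL, one letter on Debian builds)
STATUS = {"PS": "set", "P": "set", "LK": "locked", "L": "locked", "NP": "empty"}

def parse_passwd_status(text):
    """Parse passwd -S lines into one dict per account."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7:
            continue                      # not a status line
        rows.append({"user": f[0],
                     "status": STATUS.get(f[1], f[1]),
                     "changed": datetime.strptime(f[2], "%Y-%m-%d").date(),
                     "max_days": int(f[4])})
    return rows

def review(rows, today_iso, stale_days=365):
    """Group accounts by what an admin acts on: locked accounts, accounts
    with an empty password, and accounts whose last change is older than
    stale_days or than their own max_days (i.e. expired)."""
    today = datetime.strptime(today_iso, "%Y-%m-%d").date()
    report = {"locked": [], "empty": [], "stale": []}
    for r in rows:
        age = (today - r["changed"]).days
        if r["status"] == "locked":
            report["locked"].append(r["user"])
        elif r["status"] == "empty":
            report["empty"].append(r["user"])
        elif age > stale_days or age > r["max_days"]:
            report["stale"].append(r["user"])
    return report

if __name__ == "__main__":
    print(review(parse_passwd_status(SAMPLE), "2016-03-01"))
```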

 

rpc.nfsd unable to set any sockets for nfsd


Error: When you install and restart the NFS service you get the error “rpc.nfsd unable to set any sockets for nfsd”.

Root cause: This problem may occur because the rpcbind service is not running or the package has not been installed on the server.

Solution:

1. Check that the rpcbind service works by running: #rpcinfo -p

2. If it throws an error such as “rpcinfo: can't contact portmapper: RPC: Remote system error - No such file or directory”

3. then we need to install the rpc package:

3a. # yum install avahi
Installing : libdaemon-0.14-1.fc13.i686
Installing : avahi-0.6.27-1.fc14.i686

4. Then restart the rpcbind service and check the status with # rpcinfo -p

5. Then restart the nfs service.

6. Check that the NFS daemon is enabled in all run levels with #chkconfig nfs --list

7. Now restart the NFS service; it starts successfully.