Monday, December 26, 2005

Transparent Proxying with Squid

Taming the Squid

You’ll need to make sure you have IP forwarding enabled.

$ cat /proc/sys/net/ipv4/ip_forward
If that command returns 0, you can enable IP forwarding by putting net.ipv4.ip_forward=1 in your /etc/sysctl.conf. And since that won’t
take effect until you reboot, you can temporarily enable the
feature by running:
# echo 1 > /proc/sys/net/ipv4/ip_forward


After downloading and possibly patching the code, you can build
Squid. Squid has a wide variety of build options, and you should
research all of them carefully, since many can greatly impact
both security and performance. The options shown here are the
minimum for building Squid as a transparent proxy using WCCP.

To compile Squid, run:

$ ./configure ––enable-linux-netfilter ––enable-wccp && make

Next, run make install as root.

With Squid installed, you can configure it to suit your needs.
Edit the squid.conf file, which is located in /usr/local/squid/etc/ by default.

(The squid.conf file is heavily commented and contains a ton of
useful information. Read the entire file when you have time.)

For transparent proxying to work, ensure that the following lines are present:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Minimally, you’ll also need to adjust the http_access directives to
allow traffic from your IP addresses. Depending on your distribution,
you may also need to create a Linux user and group based on your cache_effective_user and cache_effective_group directives.

Once you’re happy with your configuration, run squid –z to initialize
the cache directories. Then start Squid by running the included
RunCache
script. By default, Squid runs on port 3128. If you’ve
changed that default, remember which port you’ve chosen,
as you’ll need that information in the next step.


Playing Traffic Cop

With Squid up and running, you now need to redirect traffic destined
for port 80 to Squid running on port 3128. (While you can configure
squid to run on port 80, this can cause problems, including endless
loops when Squid tries to contact itself.) Use an iptables rule to
redirect traffic.

To setup the rule, you’ll need to know which interface the requests
to be proxied will be coming in on (for example eth0) and the
port number for Squid on. Once you have this information,
run the following command:

# iptables –t nat –A PREROUTING –i eth0 –p tcp ––dport 80 –j
REDIRECT ––to-port 3128


Of course, you’ll also need to add this command to the appropriate
init
script so that the rule is recreated on subsequent reboots.

To make https proxied( it is not actually because we can't proxied encrypted packets but they are just forwarded), the command is as below :

#iptables -t nat -I PREROUTING -s 192.168.0.0/24 -p tcp --dport 443
-j REDIRECT --to-port 3128

You can also do the same for ftp (port 21).

There's one more way to handle https connection. Instead of going through squid, you can also NAT it. Drop the above https command and use this :

#iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -p tcp --dport 443
-j SNAT --to 111.222.333.444

Where 111.222.333.444 is your proxy server public IP address.

It is up to you which way you want to use, there's no noticeable difference in
terms of performance.

Build your own Internal Knowledge Base

Imagine you have different sections of people working for you who must have volumes of information, best practices field notes with them. These can be shared among office colleagues among different sections of people all with security.

Lets explore Knowledge Tree Document Management System

KT is written in PHP and made available under the GNU General Public License. Development on KT is ongoing. The latest version 2.02 (dated April 12, 2005) is available on SourceForge at http://kt-dms.sourceforge.net/

Getting Started with KT

KT is an impressive repository system which provides web-based browsing/publishing, a version control system, subscription-based change notification, auto-archiving, document-level discussion forums, full-text search of common file formats and metadata, and internationalization of front-end web interface.

What’s more impressive is its authentication integration with such LDAP servers as OpenLDAP, Sun ONE Directory Server, and the ubiquitous Active Directory. KT also provides access control via group, role or business unit rules, as well as audit trails for change control auditing.


Requirements for KT

Apache 1.3 or greater
PHP 4.3 or greater
MySQL 4.0 or greater with INNODB support.

It is highly recommended that you install SSL capabilities into Apache. The sample installation was running Linux kernel 2.4.20-8, Apache 1.3.28, PHP 4.3.4, Mod_SSL 2.8.15-1.3.28 supported by OpenSSL 0.9.7e, and MySQL 4.0.14-standard.


Installing and Configuring KT

Step 1

Download knowledgeTree-3.0b3.tgz from --- http://kt-dms.sourceforge.net/


Step 2

Unzip in your document root mine was /var/www/html/

I created a directory kb in my DocRoot /var/www/html/kb

Unzip and it will give a directory knowledgeTree.

now do,

#cd knowledgeTree
# mv * .. /

This move all required files to /var/www/html/kb

The idea is to have http://localhost/kb rather knowledgeTree.

Step 3

Create a database dms

mysqladmin create dms -uroot -p

Input the password this will create a database name dms

Step 4

Populate database

- Create and populate the tables:
#cd /var/www/html/kb
# mysql -p dms <>
# mysql -p dms <>


- Create the database users
$ mysql -p dms < style="font-weight: bold;">Check the post-installation checklist:


Go to your knowledgeTree installation is at http://localhost/kb, go to:

http://localhost/kb/setup

And click on "Post-installation checkup".

This allows you to check that your KnowledgeTree configuration is set up correctly. You can run this at any time after configuration to check that things are still set up correctly.


* Login:

http://mybox.sriram.com/kb/

- default user is "admin" with password "admin"



Troubleshooting

Please read the INSTALL.txt located in docs folder as they may have different instructions for different version.

Refer to the Frequently Asked Questions list on the KnowledgeTree Wiki
at http://support.ktdms.com/confluence/

Ask on the KnowledgeTree forums on http://forum.ktdms.com/

Upgrading
---------

Refer to docs/UPGRADE.txt

Command Tips

Creating a list of users :

Create a list of users in a password-like file and run the command

[sriram@mybox sriram] newusers filename


Disable a User account :

passwd -l username


To enabe a User Account :

passwd -u username

Cron tricks
  Instead of the first five fields, one of eight special strings may
appear:

string meaning
------ -------
@reboot Run once, at startup.
@yearly Run once a year, "0 0 1 1 *".
@annually (same as @yearly)
@monthly Run once a month, "0 0 1 * *".
@weekly Run once a week, "0 0 * * 0".
@daily Run once a day, "0 0 * * *".
@midnight (same as @daily)
@hourly Run once an hour, "0 * * * *".

Hmm. @reboot. Isn't that handy. There's an easy way to give users the ability to run something at boot time without root access.


Modes made easy

chmod g+w adds group write without changing other permission.
chmod o-a removes all permissions for others.
chmod u=rw gives read/write file permission to the owner.


Killing Process :


Suppose you want to kill galeon

do a ps -auxwww |grep

and now kill path to the program

For Eg :
[root@mybox sriram]# killall /usr/bin/galeon-bin - This will kill galeon.

Expire Passwords :
[sriram@mybox sriram]passwd -x 30 sriram

Forces sriram to change his password after 30 days.

Directories made easy :
If you want to create multiple directories in /home/sriram

Say a, b, and c.

[sriram@mybox sriram]mkdir -p /home/sriram/a/b/c

To See which all group a user belongs
[sriram@mybox sriram] id -Gn <--- This has effectively replaced groups and whoami To

See machine architecture


[sriram@mybox sriram] arch

i686


Setting up Time Zone

If you want to know the proper name of your current time zone, run the interactive command tzselect. Follow the prompts and use the output in your shell login file.

[root@mybox downloads]# tzselect
Please identify a location so that time zone rules can be set correctly.
Please select a continent or ocean.
1) Africa
2) Americas
3) Antarctica
4) Arctic Ocean
5) Asia
6) Atlantic Ocean
7) Australia
8) Europe
9) Indian Ocean
10) Pacific Ocean
11) none - I want to specify the time zone using the Posix TZ format.
#? 5
Please select a country.
1) Afghanistan 18) Israel 35) Palestine
2) Armenia 19) Japan 36) Philippines
3) Azerbaijan 20) Jordan 37) Qatar
4) Bahrain 21) Kazakhstan 38) Russia
5) Bangladesh 22) Korea (North) 39) Saudi Arabia
6) Bhutan 23) Korea (South) 40) Singapore
7) Brunei 24) Kuwait 41) Sri Lanka
8) Cambodia 25) Kyrgyzstan 42) Syria
9) China 26) Laos 43) Taiwan
10) Cyprus 27) Lebanon 44) Tajikistan
11) East Timor 28) Macau 45) Thailand
12) Georgia 29) Malaysia 46) Turkmenistan
13) Hong Kong 30) Mongolia 47) United Arab Emirates
14) India 31) Myanmar (Burma) 48) Uzbekistan
15) Indonesia 32) Nepal 49) Vietnam
16) Iran 33) Oman 50) Yemen
17) Iraq 34) Pakistan
#? 14

The following information has been given:

India

Therefore TZ='Asia/Calcutta' will be used.
Local time is now: Sun Dec 25 23:42:29 IST 2005.
Universal Time is now: Sun Dec 25 18:12:29 UTC 2005.
Is the above information OK?
1) Yes
2) No
#? 1

You can make this change permanent for yourself by appending the line
TZ='Asia/Calcutta'; export TZ
to the file '.profile' in your home directory; then log out and log in again.

Here is that TZ value again, this time on standard output so that you
can use the /usr/bin/tzselect command in shell scripts:
Asia/Calcutta
[root@mybox downloads]# TZ='Asia/Calcutta';
[root@mybox downloads]# export TZ
[root@mybox downloads]# date
Sun Dec 25 23:42:54 IST 2005
[root@mybox downloads]#