Saturday, April 29, 2006

Set up HTTP Proxy Server

The famous Apache Web Server has one very useful configuration option -- the Proxy Server. With this option you have the following advantages:

- You have a direct access to the internet with a HTTP server running and you want to offer another HTTP Server for one of your friend under his name. Your friend is connected with you through a LAN or WAN connection, but your friend has no direct internet connection.

- You want to hide your "real" HTTP Server IP-Address behind a Proxy HTTP Server.

- You want to cache the most used HTML pages used in your Intranet for your clients.

The installation and configuration of the Apache HTTP Proxy Service is very easy. In the following example we show you the necessary entries in the Apache configurationfile httpd.conf for the first case (Serving a HTTP Proxy Server for your friend).


This Article was taken from here


----------------- INTERNET FROM HOME/OFFICE OR LAN --------------------

----------------- HTTP PROXY ------------------

----------------- HTTP Server ------------------


Let's suppose, that your HTTP Server with direct internet access is on 193.172.194.10. For your friend HTTP server you establish the IP-Address 193.172.194.42 on Port 80. Of course, this HTTP Server is not only a Proxy Server, it's a real full featured Apache Server with the Proxy module enabled. Your friend has his own Apache Server on 193.247.125.196 and you are connected through a LAN connection with this server. Specify the following Proxy Server directives within a virtual host entry in the configurationfile httpd.conf for your HTTP Server.



ServerAdmin yourname@yourdomain.domain
ServerName yourfriend.yourdomain.domain
ServerPath /yourfriend
ErrorLog logs/yourfriend.error_log
TransferLog logs/yourfriend.access_log
ProxyRequests On
ProxyPass / http://193.247.125.196/


ServerAdmin

E-Mail address for automatic pages generated when some errors occur.

ServerName



You must specify a hostname and IP-Address for your friends machine. The hostname must no be equivalent with the real hostname of this machine on your friends site.

ServerPath



Let your friends name be accessed through the following URL:

http://yourfriend.yourdomain.domain/yourfriend

ErrorLog

Logfile for yourfriend's site

TransferLog

Accesslog for yourfriend's site

ProxyRequests

This directive turns proxy serving on for this virtual host

ProxyPath

This directive passes requests to your friends HTTP Server on 193.247.125.196.


This article was taken from here

Wednesday, April 26, 2006

Browsing Web Anonymously using Privoxy and Tor

First we need to install two things Privoxy and Tor :

In my Mandrake 2006 System I installed using URPMI :

[root@localhost ~]# urpmi privoxy

ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/MandrivaLinux/official/2006.0 /i586/media/contrib/privoxy-3.0.3-6mdk.i586.rpm
installing privoxy-3.0.3-6mdk.i586.rpm from /var/cache/urpmi/rpms
Preparing... #############################################
1/1: privoxy #############################################
[root@localhost ~]# urpmi tor
To satisfy dependencies, the following 2 packages are going to be installed (1 M B):
libevent1-1.1-1mdk.i586
tor-0.1.0.15-1mdk.i586
Is this OK? (Y/n) Y

ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/MandrivaLinux/official/2006.0 /i586/media/main/libevent1-1.1-1mdk.i586.rpm
ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/MandrivaLinux/official/2006.0 /i586/media/contrib/tor-0.1.0.15-1mdk.i586.rpm
installing tor-0.1.0.15-1mdk.i586.rpm libevent1-1.1-1mdk.i586.rpm from /var/cach e/urpmi/rpms
Preparing... #############################################
1/2: libevent1 #############################################
2/2: tor #############################################
[root@localhost ~]#



You will configure your Browser to use Privoxy port which in turn forwards the request to Tor which is a Onion Router.

So what is Onion Router ?

Onion Routing prevents the transport medium from knowing who is communicating with whom -- the network knows only that communication is taking place. In addition, the content of the communication is hidden from eavesdroppers up to the point where the traffic leaves the OR network.


Add this line to /etc/privoxy/config (anywhere is fine, but line 1010 looks like the right place):

Step 1
File: /etc/privoxy/config

forward-socks4a / localhost:9050 .
# Don't forget the '.' at the end!


Step 2
File: /etc/privoxy/config

listen-address 192.168.0.1:8118

Note: If your firewall works by blocking ports (like mine), then you can tell Tor to only use the ports that your firewall permits by adding "FascistFirewall 1" to your torrc configuration file.

By default, when you set this Tor assumes that your firewall allows only port 80 and port 443 (HTTP and HTTPS respectively). You can select a different set of ports with the FirewallPorts option.

As of Tor 0.1.1.6-alpha, FascistFirewall and FirewallPorts replaced with a new config option:

ReachableAddresses *:80,*:443


As of Tor 0.1.1.14-alpha ReachableAddresses will be split in two:

ReachableDirAddresses *:80
ReachableORAddresses *:443

[root@localhost tor]# /etc/rc.d/init.d/privoxy start
Starting privoxy: [ OK ]
[root@localhost tor]# /etc/rc.d/init.d/tor start
Starting tor: [ OK ]


In your Browser you will you will use the IPaddress of Privoxy and Port as 8118

In our example it is 192.168.0.1:8118


Now the Browser connects to Privoxy on Port 8118 which in turn Forwards to Tor which Runs on Port 9050.

This Set Up is Good in Case if you are Constantly Facing DOS Attacks !!!

Monday, April 24, 2006

Apache Quick Session

Apache - Its a Linux based Web Server

Setup a Virtual Domain


NameVirtualHost *

DocumentRoot /web/example.com/www
ServerName www.example.com
ServerAlias example.com
CustomLog /web/example.com/logs/access.log combined
ErrorLog /web/example.com/logs/error.log


Include another conf file


Include /etc/apache/virtual-hosts/*.conf

Hide apache version info

ServerSignature Off
ServerTokens Prod

Custom 404 Error message

ErrorDocument 404 /404.html

Create a virtual directory (mod_alias)

Alias /common /web/common

Perminant redirect (mod_alias)

Redirect permanent /old http://example.com/new

Create a cgi-bin

ScriptAlias /cgi-bin/ /web/cgi-bin/

Process .cgi scripts

AddHandler cgi-script .cgi

Add a directory index

DirectoryIndex index.cfm index.cfm

Turn off directory browsing

Options -Indexes

Turn on directory browsing


Options +Indexes


Create a new user for basic auth (command line)

htpasswd -c /etc/apacheusers

Apache basic authentication


AuthName "Authentication Required"
AuthType Basic
AuthUserFile /etc/apacheusers
Require valid-user

Only allow access from a specific IP

Order Deny,Allow
Deny from all
Allow from 127.0.0.1

Only allow access from your subnet


Order Deny,Allow
Deny from all
Allow from 176.16.0.0/16

mod_rewrite
Turn on the rewrite engine

RewriteEngine On

Redirect /news/123 to /news.cfm?id=123

RewriteRule ^/news/([0-9]+)$ /news.cfm?id=$1 [PT,L]

Redirect www.example.com to example.com

RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
RewriteRule ^(.*)$ http://example.com$1 [R=301,L]



Taken from Pete Freitag

Saturday, April 15, 2006

Skype can cause Enormous Traffic

Everyone loves Skype, the software that enables phone calls for free or a very low cost--along with other services such as instant messaging--using voice over Internet protocol (VOIP) technology. The European company has been a wildly successful start-up and a darling of the media. eBay bought it in September for $2.6 billion, plus another billion dollars or so if they reach some future financial targets. The software has been downloaded some 250 million times.

The issues are a bit complex. Let’s try to break them down:-

First, the “supernode” question. “Skype can turn user computers into ‘supernodes’ which route traffic through CERN,” François Grey of CERN’s IT communications team explained in an email exchange: “We have encountered some operational problems as a result.” That’s because Skype’s design is based on peer-to-peer, distributed networking principles. This means that the core functions of the system are decentralized, as is the database of Skype users (the tool that lets you look up other Sykpers and tells the system where to forward a call). The calls are set up and passed on among users, flowing through a chain of computers around the world without traversing any central infrastructure.

That’s good for robustness and scalability -- and for Skype, which can avoid massive investments and add new users at near-zero marginal cost. For the system to work, however, some users have to take over its vital functions: routing traffic and holding portions of the database. In Skypeville, these tasks are farmed out to those users with the most powerful computers and the biggest bandwidth, such as CERN. Skype turns them into supernodes.

You can find the article here

How Skype Works :

"Calls made using the system are directed through 'Supernodes', which can be
ordinary PC's with Skype installed. Machines on fast and well connected
Internet feeds like the $Network are likely to automatically become
'Supernodes' and forward a considerable amount of traffic.

This allows Skype to route other peoples Voice over IP calls using your
machine . This can at times put your Network at risk."

You can easily avoid becoming a Supernode by not permitting incoming connections to the port Skype has opened for itself. The downside to this is that your calls will now be routed to another supernode, but if you're paying for bandwidth, there may be no way around that. You can still place and receive calls, and the added latency is not worth mentioning in most cases.

If you run Skype on Linux or Mac OS X, it is reduced to using high ports anyway, so it's easy to block. An example iptables command line would be

#iptables -A INPUT -p tcp --dport 1024: --syn -j DROP

To Check which port Skype has openned, do

[root@localhost ~]# netstat -apln --inet |grep skype

Skype stores its buddy information in teh Windows Registry. Buddy list is
digitally singed and encrypted.....

FYI, if you want to look at the "registry" info for Skype on Linux, it's in $HOME/.Skype/shared.xml.