July 7, 2009 -
The setup :
We run a virtualization host (for example Proxmox VE) on a server in a datacenter, and we only have one public IP available.
Two web servers run in two different virtual machines on that host. We want both of them to be reachable through the public IP on port 80.
We will use Squid as a “reverse proxy” (http://en.wikipedia.org/wiki/Reverse_proxy).
Squid listens on port 80 of the public IP and relays each request to one of the two VMs depending on the hostname sent in the Host header.
The machines :
Virtualization server (VM host)/Squid server : Public IP 10.20.30.40 (a placeholder, use your real public address) – bridged LAN IP 172.16.5.97/255.255.0.0
VM1 : bridged LAN IP 172.16.100.25/255.255.0.0 – Hostname example.org
VM2 : bridged LAN IP 172.16.100.122/255.255.0.0 – Hostname example.net
On your client computer (only needed if the two hostnames do not already resolve to the public IP) :
Edit /etc/hosts and add :
10.20.30.40 example.org
10.20.30.40 example.net
On VM1 and VM2 :
apt-get install lighttpd (or whatever web server you like)
Edit /var/www/index.lighttpd.html and replace the content of the file with “VM1” on VM1 and “VM2” on VM2.
On the VM host :
If Apache is listening on tcp/80 on the host, free the port by editing /etc/apache2/ports.conf and removing or commenting out “Listen 80”, then restart Apache.
Install Squid :
apt-get install squid
Edit /etc/squid/squid.conf, find the http_port section and add “http_port 80 vhost vport” (vhost turns the port into an accelerator that picks the destination from the Host header; on Squid 3.x write “http_port 80 accel vhost”) :
http_port 3128
http_port 80 vhost vport
The stock “http_port 3128” line is the forward-proxy port. Unless you also want a forward proxy, remove it or bind it to the LAN address (“http_port 172.16.5.97:3128”) rather than leaving it reachable on the public IP; the http_access rules below are what stop either port from being abused as an open proxy.
Then define the two origin servers and which hostname each one serves (“originserver” tells Squid the peer is a web server rather than another proxy, “no-query” disables ICP queries to it) :
cache_peer 172.16.100.25 parent 80 0 no-query originserver name=server1
cache_peer_domain server1 example.org
cache_peer 172.16.100.122 parent 80 0 no-query originserver name=server2
cache_peer_domain server2 example.net
Then add an ACL for our domains (the leading dot matches the domain itself and all its subdomains) :
acl valid_domains dstdomain .example.org
acl valid_domains dstdomain .example.net
Allow requests for our domains by adding “http_access allow valid_domains” just before the final “http_access deny all” (at the end of the ACL section). Squid uses the first http_access line that matches, so the order matters : any request whose Host header is not one of our domains falls through to the deny.
http_access allow valid_domains
http_access deny all
Restart Squid :
/etc/init.d/squid restart
Back on your computer :
Make a request to example.net or example.org : you should see VM1 or VM2 in your browser depending on the hostname requested.
October 27, 2007 -
I was explaining in this article how to enable the transparent proxy feature under Squid 2.5.
The following options, which were needed for transparent proxying, no longer exist in Squid 2.6 :
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
In Squid 2.6 the equivalent is the much simpler :
http_port 8080 transparent
You just append “transparent” to the http_port line. Note that this only covers intercepted (redirected) traffic; Squid 2.6 uses the separate “accel” and “vhost” options for reverse-proxy setups.
If you upgrade to Squid 2.6 without updating your config file, you will see the following in the logs :
messages:Oct 27 13:02:08 x squid: parseConfigFile: line 51 unrecognized: 'httpd_accel_host virtual'
messages:Oct 27 13:02:08 x squid: parseConfigFile: line 52 unrecognized: 'httpd_accel_port 80'
messages:Oct 27 13:02:08 x squid: parseConfigFile: line 53 unrecognized: 'httpd_accel_with_proxy on'
messages:Oct 27 13:02:08 x squid: parseConfigFile: line 54 unrecognized: 'httpd_accel_uses_host_header on'
July 12, 2007 -
If you get the error
socket: (13) Permission denied
while trying to connect to the Squid cache manager through cachemgr.cgi, it most likely means SELinux is in enforcing mode and its httpd policy is preventing the CGI from opening a TCP connection to Squid (the denial is logged in /var/log/audit/audit.log).
Quick and dirty fix : disabling SELinux
Edit /etc/sysconfig/selinux
Change the value of SELINUX to “disabled” (takes effect at the next boot; “setenforce 0” switches to permissive mode immediately). This turns off SELinux for the whole box to satisfy one CGI, so prefer the clean fix.
Clean fix : allow the connection in the SELinux policy
On RHEL/CentOS the relevant boolean is httpd_can_network_connect : “setsebool -P httpd_can_network_connect on”. Alternatively, build a targeted policy module from the logged denial with audit2allow.
I don’t know much about SELinux yet, so if someone feels like pointing me in the right direction or submitting something, it is welcome.
June 7, 2007 -
This is my own way of blocking Internet Explorer. Keep in mind that the User-Agent header is chosen by the client, so this stops the stock browser, not a determined user who changes the string :
/etc/squid/squid.conf :
### We want to block IE, but some sites (grr) are only working under IE
### so we put up a list of safe URL for Internet Explorer in the following file
acl safe_url_for_IE url_regex -i "/etc/squid/ACL/safe_url"
### The ACL for the IE user-agent
acl internet_explorer browser MSIE
### The world
acl all src 0.0.0.0/0.0.0.0
### Our network
acl intranet src 192.168.1.0/24
### Let's say we still want one machine on the network to use IE
### (like guest users who do not have an alternative web browser installed)
### I'm personally allowing IE for the dynamic DHCP clients at work
acl ie_allowed src 192.168.1.100/32
### First, we are allowing the IE-machine here
http_access allow ie_allowed internet_explorer
### Secondly, we are denying Internet Explorer,
### except for the "safe URL" list that is still allowed.
http_access deny internet_explorer !safe_url_for_IE
### Now, after the restrictions, we are allowing our network.
http_access allow intranet
### And finally blocking the rest of the world.
http_access deny all
The safe URL ACL file (/etc/squid/ACL/safe_url) looks like this. Anchor the patterns at the start of the URL and keep the host part free of slashes : a pattern like “http://.*\.site1.be/.*” also matches “http://evil.example/x.site1.be/”, so any IE user could bypass the block by putting that string in a path.
^http://([^/]+\.)?site1\.be/
^http://([^/]+\.)?site2\.be/
^http://([^/]+\.)?site3\.be/
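To see how Squid's first-match http_access logic treats these rules, and why the anchoring of the safe-list regex matters, here is an added example (not code from the original posts or from Squid) that models the evaluation in Python. It covers the ACL types used on this page (src, browser, url_regex, dstdomain) and runs both the reverse-proxy ACLs from the July 2009 post above and the Internet Explorer policy from this post against constructed requests; the IP addresses, URLs and User-Agent strings are made up for the demonstration.

```python
"""Toy model of Squid's first-match http_access evaluation (added example, not
from the original posts or from Squid).  Covers the ACL types used on this page
(src, browser, url_regex, dstdomain) and "!" negation: the first http_access
line whose ACLs all match decides; if none matches, Squid applies the opposite
of the last line's action."""
import ipaddress
import re
from collections import namedtuple
from urllib.parse import urlsplit

Request = namedtuple("Request", "src url user_agent")   # client IP, full URL, UA


class Acl:
    def __init__(self, kind, nocase):
        self.kind, self.nocase, self.values = kind, nocase, []

    def matches(self, req):
        flags = re.IGNORECASE if self.nocase else 0
        if self.kind == "src":
            ip = ipaddress.ip_address(req.src)
            return any(ip in ipaddress.ip_network(v, strict=False) for v in self.values)
        if self.kind == "browser":
            return any(re.search(v, req.user_agent, flags) for v in self.values)
        if self.kind == "url_regex":
            return any(re.search(v, req.url, flags) for v in self.values)
        if self.kind == "dstdomain":   # ".example.org" = the domain and all subdomains
            host = (urlsplit(req.url).hostname or "").lower()
            return any(host == v.lstrip(".") or (v[0] == "." and host.endswith(v))
                       for v in self.values)
        raise ValueError("unsupported acl type " + self.kind)


def parse_config(text, files=None):
    """Parse acl/http_access lines; a quoted value names an ACL file in `files`."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts[:1] == ["acl"]:
            name, kind, values = parts[1], parts[2], parts[3:]
            nocase = values[:1] == ["-i"]
            acl = acls.setdefault(name, Acl(kind, nocase))
            for v in values[1:] if nocase else values:
                acl.values.extend((files or {})[v.strip('"')] if v.startswith('"') else [v])
        elif parts[:1] == ["http_access"]:
            rules.append((parts[1], parts[2:]))
    return acls, rules


def decide(acls, rules, req):
    last = "deny"
    for action, terms in rules:
        last = action
        if all(acls[t.lstrip("!")].matches(req) != t.startswith("!") for t in terms):
            return action
    return "deny" if last == "allow" else "allow"   # no line matched

# Constructed configs: the reverse-proxy ACLs and the IE policy from the posts.
REVERSE_PROXY = """
acl all src 0.0.0.0/0.0.0.0
acl valid_domains dstdomain .example.org
acl valid_domains dstdomain .example.net
http_access allow valid_domains
http_access deny all
"""
IE_POLICY = """
acl safe_url_for_IE url_regex -i "/etc/squid/ACL/safe_url"
acl internet_explorer browser MSIE
acl all src 0.0.0.0/0.0.0.0
acl intranet src 192.168.1.0/24
acl ie_allowed src 192.168.1.100/32
http_access allow ie_allowed internet_explorer
http_access deny internet_explorer !safe_url_for_IE
http_access allow intranet
http_access deny all
"""
IE = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"             # constructed UAs
FF = "Mozilla/5.0 (X11; Linux i686; rv:1.8.1) Gecko/20061010 Firefox/2.0"


def reverse_proxy_decisions():
    """Which Host values an Internet client may reach through the reverse proxy."""
    acls, rules = parse_config(REVERSE_PROXY)
    return {u: decide(acls, rules, Request("203.0.113.9", u, FF)) for u in
            ("http://example.org/", "http://www.example.net/index.html", "http://evil.example/")}


def ie_decisions(safe_pattern):
    """Run the IE policy with one safe-list regex against constructed requests."""
    acls, rules = parse_config(IE_POLICY, {"/etc/squid/ACL/safe_url": [safe_pattern]})
    cases = {
        "guest_ie": Request("192.168.1.100", "http://www.example.com/", IE),
        "ie_safe_site": Request("192.168.1.50", "http://www.site1.be/login", IE),
        "ie_other_site": Request("192.168.1.50", "http://www.example.com/", IE),
        "ie_bypass_try": Request("192.168.1.50", "http://www.example.com/x.site1.be/", IE),
        "firefox": Request("192.168.1.50", "http://www.example.com/", FF),
        "outsider": Request("10.9.8.7", "http://www.example.com/", FF),
    }
    return {name: decide(acls, rules, req) for name, req in cases.items()}


if __name__ == "__main__":
    print(reverse_proxy_decisions())
    print("loose   ", ie_decisions(r"http://.*\.site1.be/.*"))
    print("anchored", ie_decisions(r"^http://([^/]+\.)?site1\.be/"))
```

With the loose pattern the “ie_bypass_try” request is allowed, because “.*” happily swallows “www.example.com/x” before matching “.site1.be/”; with the anchored pattern the same request is denied while the real site1.be URL stays allowed. The reverse-proxy run shows that a Host header outside the two domains ends at “deny all” even though the accelerator port is reachable from the Internet.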
If you have any useful tips or rules, please share !
December 19, 2006 -
I’ll explain here how to set up a web proxy with antivirus capabilities.
We will use these tools : Squid + ClamAV + a patched version of DansGuardian.
The ClamAV packages provided here are now outdated; I’m going to build an updated version as soon as I can.
December 18, 2006 -
How to run Squid as a transparent proxy :
Squid 2.5 and earlier :
Edit /etc/squid/squid.conf and add this (Squid only sees the traffic if the gateway also redirects it, e.g. an iptables REDIRECT of tcp/80 to the Squid port in the nat PREROUTING chain) :
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
-
By default, the queries sent to Google and other search engines are not logged in the Squid access log : the strip_query_terms directive defaults to on, which removes everything after the “?” from the URL before it is written to access.log. This is meant to protect the users’ privacy.
Setting “strip_query_terms off” logs the full URL, including search terms, session IDs and whatever else sites put in query strings, so treat the log as sensitive data if you do.
May 16, 2006 -
1. Iptables
This is my iptables config, stored in /etc/sysconfig/iptables :
(eth0 = WAN interface, eth1 = LAN interface)
You’ll notice 192.168.1.16 is allowed to connect to any of the blocked IM services.
You’ll also notice that the default policy for output traffic is ACCEPT.
You can of course set it to DROP and only accept what you specifically define.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Rate-limited early accepts for LAN -> WAN SYNs, stray RSTs and pings.
# A FORWARD rule without -i/-o matches both directions, so without the
# interface qualifiers these would also let WAN-originated SYNs and pings
# into the LAN (one per second, burst 5) before the rules below are reached.
# Packets over the limit simply fall through to the rules below.
-A FORWARD -i eth1 -o eth0 -p tcp --syn -m limit --limit 1/s -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# Block MSN. "-I" inserts at the top of the chain, so each group is written
# DROP, LOG, ACCEPT here and ends up as ACCEPT, LOG, DROP in the live chain :
# 192.168.1.16 is let through, everyone else on the LAN is logged, then dropped.
-I FORWARD -s 192.168.1.0/24 -p tcp -m tcp --dport 1863 -j DROP
-I FORWARD -s 192.168.1.0/24 -p tcp -m tcp --dport 1863 -j LOG --log-prefix "MESSENGER MSN > "
-I FORWARD -s 192.168.1.16 -p tcp -m tcp --dport 1863 -j ACCEPT
# Block AIM/ICQ
-I FORWARD -s 192.168.1.0/24 -d 64.12.25.0/22 -j DROP
-I FORWARD -s 192.168.1.0/24 -d 64.12.25.0/22 -j LOG --log-prefix "MESSENGER ICQ/AIM > "
-I FORWARD -s 192.168.1.16 -d 64.12.25.0/22 -j ACCEPT
# Block Yahoo IM
-I FORWARD -s 192.168.1.0/24 -d 216.155.193.0/22 -j DROP
-I FORWARD -s 192.168.1.0/24 -d 216.155.193.0/22 -j LOG --log-prefix "MESSENGER YIM > "
-I FORWARD -s 192.168.1.16 -d 216.155.193.0/22 -j ACCEPT
# Allowing anything else : new connections from the LAN out, only replies back in
-A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
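Because the file mixes “-A” (append) and “-I” (insert at the top), the order in which iptables-restore writes the rules is not the order in which the kernel evaluates them. The following added example (not from the original post or from iptables) resolves an iptables-restore file into the final per-chain order so a rule set like this one can be reviewed top-down. The rule text is a constructed set modelled on the FORWARD chain above; it shows that the three IM groups end up first (in ACCEPT, LOG, DROP order, Yahoo first), that the rate-limit rules come after them, and that the interface rules come last.

```python
"""Resolve the final evaluation order of chains in an iptables-restore file.
Added example, not from the original post or from iptables.  "-A" appends to
the end of a chain, "-I" inserts at position 1 (or at an explicit 1-based rule
number), so the file order is not the order the kernel walks."""
import shlex

# Constructed rule set modelled on the FORWARD chain in the post above
# (table header and COMMIT added so it is a complete iptables-restore input).
RULES = r"""
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
-A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-I FORWARD -s 192.168.1.0/24 -p tcp -m tcp --dport 1863 -j DROP
-I FORWARD -s 192.168.1.0/24 -p tcp -m tcp --dport 1863 -j LOG --log-prefix "MESSENGER MSN > "
-I FORWARD -s 192.168.1.16 -p tcp -m tcp --dport 1863 -j ACCEPT
-I FORWARD -s 192.168.1.0/24 -d 64.12.25.0/22 -j DROP
-I FORWARD -s 192.168.1.0/24 -d 64.12.25.0/22 -j LOG --log-prefix "MESSENGER ICQ/AIM > "
-I FORWARD -s 192.168.1.16 -d 64.12.25.0/22 -j ACCEPT
-I FORWARD -s 192.168.1.0/24 -d 216.155.193.0/22 -j DROP
-I FORWARD -s 192.168.1.0/24 -d 216.155.193.0/22 -j LOG --log-prefix "MESSENGER YIM > "
-I FORWARD -s 192.168.1.16 -d 216.155.193.0/22 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""


def resolve(text, table="filter"):
    """Return {chain: [argv, ...]} in final evaluation order for one table."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):            # table header, e.g. *filter
            current = line[1:]
            continue
        if current != table or line == "COMMIT":
            continue
        if line.startswith(":"):            # chain declaration with policy
            chains.setdefault(line[1:].split()[0], [])
            continue
        argv = shlex.split(line)            # keeps "MESSENGER MSN > " together
        op, chain, rest = argv[0], argv[1], argv[2:]
        rules = chains.setdefault(chain, [])
        if op in ("-A", "--append"):
            rules.append(rest)
        elif op in ("-I", "--insert"):
            pos = 1
            if rest and rest[0].isdigit():  # optional explicit rule number
                pos, rest = int(rest[0]), rest[1:]
            rules.insert(pos - 1, rest)
        else:
            raise ValueError("unsupported command " + op)
    return chains


def targets(rules):
    """The -j target of each rule, in evaluation order."""
    return [rule[rule.index("-j") + 1] for rule in rules]


def rule_strings(rules):
    return [" ".join(shlex.quote(a) for a in rule) for rule in rules]


if __name__ == "__main__":
    forward = resolve(RULES)["FORWARD"]
    for i, r in enumerate(rule_strings(forward), 1):
        print(f"{i:2} {r}")
```

Reading the resolved chain makes the earlier caveat visible : rules 1-9 are the IM groups, rules 10-12 are the rate-limit accepts, and only rules 13-14 look at the interfaces. Anything a rate-limit rule accepts is therefore accepted regardless of which interface it arrived on, unless the rule itself carries “-i”/“-o”.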
As soon as the MSN client cannot reach the server on tcp/1863, it falls back to HTTP on tcp/80, which is probably allowed :
Web activity upon connection :
1.10 gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open&Server=NS&IP=messenger.hotmail.com
1.10 207.46.25.15/gateway/gateway.dll?SessionID=1047611159.2422
1.10 207.46.25.15/gateway/gateway.dll?SessionID=1047611159.1885
1.10 207.46.25.15/gateway/gateway.dll?Action=poll&SessionID=1047611159.24447
1.10 207.46.25.15/gateway/gateway.dll?SessionID=1047611159.7573
2. More firewall rules or Squid web proxy
Now you have two choices :
- make a firewall rule blocking the Microsoft IP ranges… if new ranges are put into service, MSN clients will connect again. This is not an ideal stance, unless you enjoy tracking the IPs of the MSN servers.
- block Internet Explorer (and MSN, which uses the Internet Explorer engine) in your web proxy : you need to run a transparent web proxy (Squid does the job pretty well) to block Internet Explorer, so MSN won’t be able to connect over port 80 either. See the June 7, 2007 post above for a short howto.
Of course, you need something like Firefox installed on your client PCs if you decide to block IE… you can always add a Squid ACL allowing a list of safe websites under Internet Explorer. This is not a bad stance, as IE is known to have many unfixed security flaws. Keep in mind that the proxy check keys on the User-Agent header, which the client controls.
Edit June 2007 : I’m blocking the Internet Explorer user agent, which apparently blocks the MSN client as well, but I noticed this page mentions the user agent for MSN is “MSMSGS”. Please let me know if the described solution does not work for you.
I’ve not put much effort into blocking AIM/ICQ/YIM since 99 % of people use MSN in Belgium.
The MSN blocking is working well for me; I’m not sure about the other IMs (the IP ranges can change from time to time).
3. Additional notes
It is reported in many places that the following Squid rules work. I have tried them and they do NOT work for me. If they do for you, let me know.
acl mi_intranet src 192.168.1.0/255.255.255.0
acl msn req_mime_type -i ^application/x-msn-messenger
http_access deny mi_intranet msn
http_access allow mi_intranet
This is a working Squid url_regex ACL blocking a bunch of web-based messengers :
http://.*e-messenger.net/.*
http://193\.238\.160\.*
http://.*meebo.com/.*
http://.*messenger.msn.com/.*
http://.*clientless.net/.*
http://.*wbmsn.net/.*
http://.*msn2go.com/.*
http://64\.92\.173\.*
http://.*iloveim.com/.*
http://info.sytes.net/.*
http://chatenabled.mail.google.com/.*
May 11, 2006 -
Find viruses on your network and stop spammers abusing your wireless network, with simple iptables rulesets…
OK, let’s calm down, this needs a bit of explanation before proceeding.
ISPs usually block port 25 :
Unlike many ISPs, mine doesn’t ! They still allow customers to send email directly to any SMTP server (tcp/25).
The point of blocking port 25 is to stop viruses spreading by sending email through their own built-in SMTP engine instead of the ISP’s relay.
At work, just by reading our email server logs, I know which ISPs aren’t blocking tcp/25 (damn Wanadoo and Road Runner).
If your ISP blocks tcp/25, you have to send email through their own (usually overwhelmed) SMTP server.
Worst case scenario :
Let’s say someone breaks into my wireless network with a Linux laptop (pretty unlikely with WPA2 security, but who knows). The attacker would be able to send as much spam as they like using a local sendmail or postfix server.
To close that hole, we need to block outbound tcp/25 from the wireless clients.
November 18, 2005 -
Running a transparent FTP proxy is an easy way to control the FTP connections made by people on your network (using ACLs).
If you are already running Squid as a transparent (web) proxy, it cannot act as a transparent FTP proxy at the same time, so you have to use another tool for FTP proxying : frox does the job.