squid configuration : ACL's based on MAC address

There are many times that client are having dynamic ip address (assigned by DHCP server) and in this cases it's hard to set any rules on bases of ip address as, you would not know what ip address the client machine be getting, in such case we could use mac based ACL's to set up any rules on that particular machine.

 # vi /etc/squid/squid.conf 

Look for acl section and append ACL as follows:

acl mac1 arp 00:11:22:70:44:90 

acl mac2 arp 00:11:22:33:44:55 

http_access allow mac1 

http_access allow mac2 

http_access deny all 

Save and close the file.

Restart squid server:

# /etc/init.d/squid restart

Read More

Squid Password Authentication Using NCSA

You can configure Squid to prompt users for a username and password. Squid comes with a program called ncsa_auth that reads any NCSA-compliant encrypted password file.

1) Create the password file. The name of the password file should be /etc/squid/squid_passwd, and you need to make sure that it’s universally readable.

# touch /etc/squid/squid_passwd
# chmod o+r /etc/squid/squid_passwd

2) Use the htpasswd program to add users to the password file. You can add users at anytime without having to restart Squid. In this case, you add a username called nikesh:

# htpasswd /etc/squid/squid_passwd nikeshNew
password:Re-type new password:
Adding password for user nikesh

3) Find your ncsa_auth file using the locate/find command. (different distro stores this file at different locations)

# locate ncsa_auth/usr/lib/squid/ncsa_auth

4) Edit squid.conf; specifically, you need to define the authentication program in squid.conf, which is in this case ncsa_auth. Next, create an ACL named ncsa_users with the REQUIRED keyword that forces Squid to use the NCSA auth_param method you defined previously. Finally, create an http_access entry that allows traffic that matches the ncsa_users ACL entry. Here’s a simple user authentication example; the order of the statements is important:

## Add this to the auth_param section of squid.conf

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd

# Add this to the bottom of the ACL section of squid.conf
acl ncsa_users proxy_auth REQUIRED

# Add this at the top of the http_access section of squid.conf
http_access allow ncsa_users

Remember to restart Squid for the changes to take effect.

Read More

cachemgr (Cache Manager) configuration for Squid

The cache manager (cachemgr.cgi) is a CGI utility comes with squid for displaying statistics about the squid process as it runs. The cache manager is a convenient way to manage the cache and view statistics without logging into the server

To make this configuration you need a webserver (Apache) running and configured.

1) Try to locate your cachemgr.cgi file which comes with the squid package, this can be done using rpm -ql command (different distro stores this file at different location), here you can also use locate/find command.

# rpm -ql squid | grep cachemgr.cgi
/usr/share/doc/packages/squid/scripts/cachemgr.cgi
/usr/share/man/man8/cachemgr.cgi.8.gz

In this case my cachemgr.cgi is in /usr/share/doc/packages/squid/scripts/ directory

2) Copy cachemgr.cgi file to your configure script alias (/var/www/cgi-bin) directory of you Apache

3) Open squid.conf file and insert following two parameters at the end of the file

cache_mgr nikesh@domain.com
cachemgr_passwd your_Password all

4) Restart your squid and open your browser and type
http://localhost/cgi-bin/cachemgr.cgi
you should see something like … , provide a configure e-mail and password (mentioned above)

Read More

Squid Password Authentication Using PAM

We’ll be using the pam_auth module. This will allow anyone who has a shell account to also be able to use the Squid server. 

Search for the auth_param section in the config and add these lines:

auth_param basic program /usr/lib/squid/pam_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

Next search for this line and uncomment it:

acl password proxy_auth REQUIRED

Now create a pam module called /etc/pam.d/squid that contains:

auth required /lib/security/pam_unix.so
account required /lib/security/pam_unix.so

Restart the squid and you are done.

Read More

Configure Squid to use other Proxy (cache)

If you want Squid to be part of a hierarchy of proxies or want Squid to fetch content from another proxy

cache_peer proxy.isp.com parent 8080 0 no-query no-digest ever_direct allow all

For Multiple parent

cache_peer proxy.isp1.com parent 8080 0 no-query no-digest default

cache_peer proxy.isp2.com parent 8080 0 no-query no-digest

Multiple parents with weight:

cache_peer proxy.isp1.com parent 8080 0 no-query no-digest weight=1 

cache_peer proxy.isp2.com parent 8080 0 no-query no-digest weight=2

Multiple parents with round-robin:

cache_peer proxy.isp1.com parent 8080 round-robin no-query

cache_peer proxy.isp2.com parent 8080 round-robin no-query

cache_peer proxy.isp3.com parent 8080 round-robin no-query

In above examples proxy.isp1.com, proxy.isp2.com and proxy.isp2.com are other cache servers

Read More

HowTo do Transparent proxy with Squid

Modify or add following to squid configuration file (/etc/squid/squid.conf):

httpd_accel_host virtual

httpd_accel_port 80

httpd_accel_with_proxy on

httpd_accel_uses_host_header on

acl lan src 192.168.1.1 192.168.2.0/24

http_access allow localhost

http_access allow lan

Added following rules to forward all http requests (coming to port 80) to the Squid server port 3128 :

[eth0 connected to internet and eth1 connected to local lan]

iptables -t nat -A PREROUTING -i eth1 -p tcp –-dport 80 -j DNAT –to 192.168.1.1:3128

iptables -t nat -A PREROUTING -i eth0 -p tcp –-dport 80 -j REDIRECT –-to-port 3128

Read More

Forward Squid traffic to secure tunnel (SSH)

When Squid is installed and running, it uses port 3128 by default. 

You should test it manually by setting your HTTP proxy to the server that runs Squid. 

For instance, in Firefox to go Tools -> Options -> Advanced -> Network -> Settings and enter the IP address or host of the Squid proxy (e.g. 192.168.0.100) and 3128 for the port. 

Try to load any web page. If you see an access denied error, check out the http_access configuration in the squid configuration file.

Once Squid is all set and ready to go, you need to forward your connection to it over SSH. 

 

To set the tunnel up on your Windows 

download Plink, a command-line version of Putty SSH client, 

and run this command:

plink.exe -batch -N -l UserName -pw Password -L 3128:localhost:3128 SSH_Server

On Unix-based systems, simply run this command:

ssh -L 3128:localhost:3128 SSH_Server -f -N

Finally, tell your browser to use the SSH tunnel as a proxy. Basically you need to change the host to localhost and the port number to 3128 (See below).

Read More

Setting up squid proxy server on Ubuntu

Install Squid
Open up the terminal and type the following command to install squid:
sudo apt-get install squid

Squid Configuration
Open the squid.conf file for editing using command:
gksudo gedit /etc/squid/squid.conf

Find the http_port tag, By default it reads
# http_port 3128

This is the default port that Squid will listen on for requests. If you want to change it, uncomment the line and set the correct port. If you want Squid to listen only on one specific NIC, you can also change the IP address – for example : 192.168.1.5:3128

Next, find the http_access section Uncomment these 2 lines:
acl our_networks src 192.168.1.0/24 192.168.2.0/24
http_access allow our_networks

NOTE: You'll need to change 192.168.1.0/24 to match your network. Unless you have a second subnet you can delete 192.168.2.0/24

With above change, the basic squid configuration is done, you can now start/stop the squid server using command: sudo /etc/init.d/squid start|restart|stop

Configuring squid Clients
To configure any application including a web browser to use squid, modify the proxy setting with the IP address of the squid server and the port number that you have specified in the squid configuration file 

(default 3128).

Below example showing the Firefox configuration for using squid proxy server running on ip address 192.168.1.2 and port 3128.

Read More

Convert Nero image (.nrg) to ISO9660 (.iso)

n case you need to convert Nero image file .nrg into regular ISO9660 .iso utility nrg2iso might be helpful then.

It’s included into apt repositories of Debian and Ubuntu, so to install it execute:

sudo aptitude install nrg2iso

When it’s done, convert file by command:

nrg2iso image.nrg image.iso

Read More

Allow Remote Control To Your Desktop On Ubuntu

Enabling remote desktop mode is extremely easy on Ubuntu since Dapper. You can allow other users to access your desktop using the VNC Viewer utility that is bundled with Ubuntu, or offered as a free download for Windows.

Note that enabling remote control of your desktop is never a safe thing to do unless you have a firewall installed and configured correctly, and even then is still a potential security problem. Now that you’ve been warned of the risks, let’s move on.

Navigate to the System \ Preferences \ Remote Desktop on the Gnome top menu.

You’ll see this window:

The first two checkboxes need to be checked in order for remote desktop to be enabled.

The Security section is important: If you select the “Ask you for confirmation” code, then you will need to be at the computer in order to allow the other person to access your desktop. If you are trying to remotely access one of your own computers, you will want to uncheck this box.

The second checkbox should always be checked, and you should enter a secure password. You will be prompted for this password when you try to log on.

Tested on: Ubuntu Dapper Drake, Ubuntu Edgy Eft

Read More

How To Edit Your Hosts File : Ubuntu

In Ubuntu 10.04 and most Linux distro’s you can edit the hosts file directly in the terminal. You can use your favorite editor or even open your favorite GUI text editor. For this example we will use VIM. Like Windows 7, Ubuntu’s hosts file is located in the /etc/ folder, though here it is in the root of the drive. In order to edit the file you will need to open it as root which is why we use sudo here.

Now that it is open we can edit it to redirect Facebook into nothing. You will notice that with Ubuntu there is also a section for IP6. For most needs you will only need to edit it the top section and ignore the IP6.

Now we can save the file and try to go to Facebook.com. Just like in windows we will see that we are now redirected to a site that does not exist.

Read More