Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Hello,
I set up a Firefox browser with the startup page linking to a CGIProxy, so users can surf the internet anonymously wherever they are. I want that if the user tries to type an address in the address bar, they get a forbidden message saying they can't do so, or are redirected to the CGIProxy script. The goal is to force the users to go online only through the CGIProxy. Is there any iptables configuration or something similar?
Thank you
Quote:
I want that if the user tries to type an address in the address bar, they get a forbidden message saying they can't do so, or are redirected to the CGIProxy script.
I'm pretty sure you can achieve what you want with a Squid redirector.
I am most definitely willing to.
I am reading about Squirm... I don't know if there are better alternatives. I plan on installing Squid locally, not on the web server where the CGI script will be installed.
I guess Squirm should work. Honestly, I've never used it, so I don't know. I was thinking more along the lines of a simple hand-made redirector. Something like:
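An added example of such a hand-made redirector, written in bash (this is not the script from the post above and not CGIProxy's own code). It answers every request with a 302 to the CGIProxy script, except requests already bound for the proxy host, which it passes through unchanged so Squid's dstdomain ACL can allow them and the redirect cannot loop. The proxy host and script path are the ones given later in the thread; the CGIProxy URL layout with a flag segment, the `--serve` argument, and the squid.conf fragment in the header comment are assumptions to adapt to your install.

```shell
#!/bin/bash
# Added example (not the script from the thread): a Squid redirector that answers every
# request with an HTTP 302 to the CGIProxy script, except requests that already go to
# the proxy host (otherwise Squid would redirect the redirect, forever).
#
# Squid talks to a redirector over stdin/stdout, one request per line:
#   <URL> <client-ip>/<fqdn> <ident> <method> [...]
# and expects one reply line per request: "302:<new-url>" for a visible redirect,
# a bare URL for a silent rewrite, or an empty line to leave the request alone.
#
# squid.conf lines this helper expects (assumed; adapt names and paths to your install):
#   acl cgiproxy dstdomain .marioweb.no-ip.org
#   http_access allow localhost cgiproxy
#   http_access deny all
#   redirect_program /redirectors/forcecgiproxy.sh --serve
set -u

PROXY_HOST="marioweb.no-ip.org"                      # must match the dstdomain ACL exactly
PROXY_SCRIPT="http://$PROXY_HOST/cgi-bin/nph-proxy.cgi"
# ASSUMPTION: CGIProxy 2.x URL layout <script>/<flags>/<scheme>/<host>/<path>; copy the
# flag segment from a URL your own CGIProxy installation produces.
PROXY_FLAGS="000000A"

# Host part of an absolute URL: strip scheme, userinfo, port and path.
url_host() {
  local h=${1#*://}
  h=${h%%/*}; h=${h#*@}; h=${h%%:*}
  printf '%s' "$h"
}

# Build the CGIProxy URL that fetches $1 through the proxy.
proxied_url() {
  local url=$1
  printf '%s/%s/%s/%s' "$PROXY_SCRIPT" "$PROXY_FLAGS" "${url%%://*}" "${url#*://}"
}

# Decide what Squid should do with one request URL. Prints the reply without a newline.
rewrite_url() {
  local url=$1 host
  case "$url" in
    *://*) ;;                       # absolute URL: handled below
    *) printf ''; return 0 ;;       # CONNECT arrives as "host:port": cannot redirect, ACL decides
  esac
  host=$(url_host "$url")
  case "$host" in
    "$PROXY_HOST"|*."$PROXY_HOST") printf '' ;;    # already on the proxy: pass through unchanged
    *) printf '302:%s' "$(proxied_url "$url")" ;;  # 302, not 301: browsers cache 301s for good
  esac
}

# Helper loop. Bash builtins do not buffer stdout, so each reply reaches Squid at once.
serve() {
  local url rest
  while read -r url rest; do
    rewrite_url "$url"
    echo
  done
}

if [ "${1:-}" = "--serve" ]; then
  serve
else
  for u in "$@"; do rewrite_url "$u"; echo; done   # manual check: ./forcecgiproxy.sh http://google.com/
fi
```

Run it by hand with a URL argument to see the reply Squid would get, and compare that host against the dstdomain ACL: a reply whose host does not match the ACL is exactly the Access Denied that comes up later in the thread. HTTPS requests arrive as CONNECT host:443 and cannot be redirected, so those are simply denied by the ACL. The `302:` reply form is what Squid 2.x expects; newer releases document a keyword-based reply for url_rewrite_program and keep accepting the old form, but check the documentation for your version.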
Do I need to install Squid? You speak of a Squid redirector, so I thought I needed Squid... And where do I put that script you just posted? If I don't have to install Squid, even better.
thank you
You can name the script whatever you like, and place it anywhere (just make sure it has proper permissions set). You'd tell Squid to use the redirector by using a "redirect_program" line in your squid.conf file. For example, let's say you make directory /redirectors and you name your redirector script forcecgiproxy.pl. The line in squid.conf would look like:
Code:
redirect_program /redirectors/forcecgiproxy.pl
BTW, considering you are doing this on localhost, you might wanna execute an iptables rule that makes sure outgoing HTTP/HTTPS packets have been generated by Squid - that way users can't bypass the proxy by changing the proxy setting in Firefox. Assuming your OUTPUT policy is set to DROP, and there are no other rules to send TCP port 80 and 443 packets to ACCEPT, something like this should do the trick:
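The iptables rule from that post is not reproduced here. As an added example (not the poster's rule), the script below generates a rule set for the situation described: OUTPUT policy DROP, Squid running as user `squid` on localhost, and only that uid allowed to open outbound connections to ports 80 and 443. It also adds a DNS rule for the same uid, which the post does not mention but which a DROP policy makes necessary for Squid's own lookups; the user name, the use of `-m owner`, `-m multiport` and `-m conntrack`, and the `print`/`apply` arguments are assumptions.

```shell
#!/bin/bash
# Added example (not from the thread): make outbound web traffic possible only for the
# uid Squid runs as, so changing Firefox's proxy settings cannot bypass the proxy.
# ASSUMPTIONS: Squid runs as user "squid", Firefox talks to it on 127.0.0.1, and the
# OUTPUT chain policy is already DROP, as the post says.
set -u

SQUID_USER=${SQUID_USER:-squid}

# Print the rules instead of applying them, so they can be reviewed first. Order matters:
# loopback and already-established flows first, then the owner-matched ACCEPTs, then an
# explicit REJECT so a direct connection fails at once instead of timing out (with policy
# DROP the last rule adds no enforcement, only faster feedback to the user).
gen_rules() {
  local user=${1:-$SQUID_USER}
  cat <<EOF
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m owner --uid-owner $user -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner $user -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j REJECT --reject-with tcp-reset
EOF
}

# Apply as root; sh -e stops at the first rule iptables refuses.
apply_rules() { gen_rules "$@" | sh -e; }

case "${1:-}" in
  print) gen_rules "${2:-}" ;;
  apply) apply_rules "${2:-}" ;;
esac
```

After `./squid-owner-rules.sh apply`, a direct request as an ordinary user (`curl -m 5 http://www.example.com/`) must fail, either at name resolution or with a connection reset, while the same request through Squid (`curl -x 127.0.0.1:3128 http://www.example.com/`) must still work. Note that the owner match only covers locally generated packets, so this protects against bypass on the proxy host itself, not on other machines.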
No, the --enable-ssl option is only needed if you were planning to do SSL gatewaying. Here are the options used to compile Squid officially on Ubuntu 7.04, in case you want to look at a known-good set of ./configure options (I am currently using this on localhost, much like you are planning to):
I installed Squid using ./configure --prefix=/usr --libexecdir=/usr/lib --sysconfdir=/etc
I searched for a redirect_program line in squid.conf but I can't find it. In which section does it have to be written?
I'd suggest you backup the default Squid conf file only for reference and instead use this one here as a base to get started. It's basically what I use on my desktop with some minor edits. I place the redirect_program line at the end (I use a redirector to force the use of HTTPS when accessing my Gmail) but I don't think it matters where you put it.
Notice how I have the disk cache size set to 1GB, and the memory cache size set to 16MB - you'll need to adjust these to your needs (as well as several other things - this is just meant as a base for you).
Here's a quick rundown of what it would take to set Squid up when the above is the content of your squid.conf file:
Create squid group and user (make sure the squid user doesn't get a real shell):
I had to change aufs for ufs in squid-cache.
The address of the proxy is http://marioweb.no-ip.org/cgi-bin/nph-proxy.cgi
I put exactly this on the line:
Code:
acl cgiproxy dstdomain .marioweb.no-ip.org
But the redirection doesn't work. It's true that if I type google.com in the address bar I get Permission Denied, but there's no redirection.
Last edited by mariogarcia; 09-02-2007 at 08:09 PM.
Quote:
But the redirection doesn't work. It's true that if I type google.com in the address bar I get Permission Denied, but there's no redirection.
Okay, troubleshooting time!
Comment out the redirect_program line in your squid.conf file, and then to activate the changes do a:
Code:
squid -k reconfigure
You should now be able to visit marioweb.no-ip.org, but should receive an Access Denied if you try to visit any other site. If this is the case, then at least the ACL config is sane, and you can then proceed to troubleshoot the redirector itself. What does your redirector script currently look like? My bet is that there is some sort of typo in the script, so it's redirecting to a URL that doesn't exactly match the ACL, hence the ACL kicks in with an Access Denied.
You can check what is happening by setting the "access_log" line and looking at the log when you get the Access Denied. There should be a TCP_DENIED/403 showing the exact URL Squid redirected to. For example, I just set this redirector so that I get redirected to example.com no matter what I type:
In my access.log I see this when I try to access Slashdot.org (or any other site):
Code:
1188854830.846 421 127.0.0.1 TCP_DENIED/403 1438 GET http://www.example.com/ - NONE/- text/html
1188854831.586 0 127.0.0.1 TCP_DENIED/403 1460 GET http://www.example.com/favicon.ico - NONE/- text/html
This is because even though I have allowed Slashdot.org, I don't have Example.com set as an allowed site (I do whitelisting with an "allowed_sites" type ACL).
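An added example of the log check described above (not from the thread): a small bash/awk filter over Squid's native access.log that lists each TCP_DENIED request and says which of the two failure modes it points at. If the denied URL already sits on the proxy host, the redirector did its job and the dstdomain ACL does not match it; if the denied URL is anywhere else, the redirector never rewrote the request. The sample log is constructed from the two lines quoted above plus two invented lines (the DIRECT/192.0.2.10 address is made up); the proxy host is the one from the thread.

```shell
#!/bin/bash
# Added example (not from the thread): classify TCP_DENIED entries in Squid's native
# access.log to tell a redirector/ACL mismatch from a request that was never rewritten.
# Native log fields: time elapsed client action/code bytes method URL ident hierarchy type
set -u

PROXY_HOST=${PROXY_HOST:-marioweb.no-ip.org}

# Reads access.log lines on stdin, prints one line per denied request:
#   <client> <url> <verdict>
# verdict "acl-mismatch": the denied URL already points at the proxy host, so the
#   redirector worked and the dstdomain ACL is what does not match.
# verdict "not-rewritten": the URL is somewhere else, so the redirector never fired
#   or passed the request through unchanged.
classify_denied() {
  awk -v proxy="${1:-$PROXY_HOST}" '
    $4 ~ /^TCP_DENIED\// {
      url = $7
      host = url
      sub("^[a-z]+://", "", host)       # drop scheme
      sub("[/:].*", "", host)           # drop path and port
      suffix = "." proxy
      onproxy = (host == proxy) || \
                (substr(host, length(host) - length(suffix) + 1) == suffix)
      print $3, url, (onproxy ? "acl-mismatch" : "not-rewritten")
    }'
}

# Constructed sample: the two lines from the thread plus two made-up ones.
SAMPLE_LOG='1188854830.846 421 127.0.0.1 TCP_DENIED/403 1438 GET http://www.example.com/ - NONE/- text/html
1188854831.586 0 127.0.0.1 TCP_DENIED/403 1460 GET http://www.example.com/favicon.ico - NONE/- text/html
1188854900.000 3 127.0.0.1 TCP_DENIED/403 1500 GET http://marioweb.no-ip.org/cgi-bin/nph-proxy.cgi - NONE/- text/html
1188854901.000 120 127.0.0.1 TCP_MISS/200 8212 GET http://marioweb.no-ip.org/cgi-bin/nph-proxy.cgi - DIRECT/192.0.2.10 text/html'

# Usage: ./denied.sh /path/to/access.log   (no argument runs the built-in sample)
if [ $# -gt 0 ]; then
  classify_denied "$PROXY_HOST" < "$1"
else
  printf '%s\n' "$SAMPLE_LOG" | classify_denied "$PROXY_HOST"
fi
```

On the sample the two example.com lines come out as not-rewritten and the nph-proxy.cgi line as acl-mismatch; the TCP_MISS/200 line is ignored. Note that the filter only works with the native log format, not the "common" or "combined" formats.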
Maybe it is a mistake in my redirector. Here's the code I wrote for it. I don't know if the escape characters are good.
I'll have a look and see.
Quote:
where can I find access.log?
You can put it wherever you want. The config I gave you has it disabled. It's the line "access_log none". Change it to "access_log /path/to/access.log" or whatever you want, then reload the new config with a "squid -k reconfigure".