LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
08-30-2007, 01:43 PM   #1
mariogarcia
force user to use cgiproxy or phproxy


Hello,
I set up a Firefox browser with the startup page linking to a CGIProxy, so users can surf the internet anonymously wherever they are. I want that if the user tries to type an address in the address bar, they get a forbidden message saying they can't do so, or are redirected to the CGIProxy script. The goal is to force the users to go online only through the CGIProxy. Is there any iptables configuration or something similar?
Thank you
 
08-30-2007, 06:12 PM   #2
win32sux
Quote:
Originally Posted by mariogarcia
I want that if the user tries to type an address in the address bar, get a forbidden message saying it can't do so.. or is redirected to the cgiproxy script
I'm pretty sure you can achieve what you want with a Squid redirector.

Is that something you'd be willing to try?
 
08-30-2007, 08:13 PM   #3
mariogarcia
I am most definitely willing to.
I am reading about Squirm... I don't know if there are better alternatives. I plan on installing Squid locally, not on the web server where the CGI script will be installed.
 
08-30-2007, 09:38 PM   #4
win32sux
I guess Squirm should work. Honestly I've never used it so I don't know. I was thinking more along the lines of a simple hand made redirector. Something like:
Code:
#!/usr/bin/perl
use strict;
use warnings;
$| = 1;    # unbuffered output: Squid waits for each answer line

# Squid sends one request per line; the first field is the URL.
while (<>) {
    my @X = split;
    my $url = $X[0];

    if ($url =~ /^http:\/\/www\.yourcgiwebsite\.com/) {
        print "$url\n";    # already on the CGI proxy site: pass it through unchanged
    }
    else {
        print "302:http://www.yourcgiwebsite.com\n";    # send the browser to the proxy
    }
}
The pseudocode explanation of the above goes like:

If the URL starts with http://www.yourcgiwebsite.com/ then print the URL, else (if it doesn't begin with http://www.yourcgiwebsite.com/) redirect to http://www.yourcgiwebsite.com/.

Last edited by win32sux; 08-30-2007 at 09:40 PM.
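As an added example (not code from the thread), here is the same redirector in Python 3, extended to parse Squid's full helper input line and to compare the requested URL's scheme and host exactly rather than as a string prefix, so that a hostname which merely begins with the proxy's name is not passed through. PROXY_URL is an assumed placeholder for the real CGIProxy address.

```python
#!/usr/bin/env python3
"""Squid redirector: pass through requests for the CGI proxy host, 302 everything else."""
import sys
from urllib.parse import urlsplit

# Assumed placeholder; replace with the real CGIProxy URL.
PROXY_URL = "http://www.yourcgiwebsite.com/cgi-bin/nph-proxy.cgi"
PROXY = urlsplit(PROXY_URL)


def decide(line):
    """Take one line from Squid ("URL client/fqdn ident method ...") and return
    the answer line: the URL unchanged, "302:<url>" to redirect, or "" (no change)."""
    fields = line.split()
    if not fields:
        return ""  # malformed or empty input: a blank answer leaves the URL alone
    url = fields[0]
    parts = urlsplit(url)
    # Exact scheme and host comparison: "www.yourcgiwebsite.com.example.org"
    # would satisfy the prefix regex in the Perl version but is rejected here.
    if parts.scheme == PROXY.scheme and parts.netloc.lower() == PROXY.netloc.lower():
        return url
    return "302:" + PROXY_URL


def main():
    for line in sys.stdin:
        print(decide(line), flush=True)  # Squid blocks until each answer line arrives


if __name__ == "__main__":
    main()
```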
 
08-31-2007, 11:05 AM   #5
mariogarcia
Do I need to install Squid? You speak of a Squid redirector, so I thought I needed Squid... and where do I put that script you just posted? If I don't have to install Squid, even better.
Thank you
 
08-31-2007, 11:28 AM   #6
win32sux
Yes, you'd need Squid.

You can name the script whatever you like, and place it anywhere (just make sure it has proper permissions set). You'd tell Squid to use the redirector by using a "redirect_program" line in your squid.conf file. For example, let's say you make a directory /redirectors and you name your redirector script forcecgiproxy.pl. The line in squid.conf would look like:
Code:
redirect_program /redirectors/forcecgiproxy.pl
BTW, considering you are doing this on localhost, you might wanna execute an iptables rule that makes sure outgoing HTTP/HTTPS packets have been generated by Squid - that way users can't bypass the proxy by changing the proxy setting in Firefox. Assuming your OUTPUT policy is set to DROP, and there are no other rules to send TCP port 80 and 443 packets to ACCEPT, something like this should do the trick:
Code:
iptables -I OUTPUT -p TCP -m multiport --dports 80,443 \
-m owner --uid-owner squid -j ACCEPT
This also assumes your Squid is running with UID "squid".

Last edited by win32sux; 08-31-2007 at 02:21 PM.
 
09-02-2007, 10:25 AM   #7
mariogarcia
Hello, sorry, do I have to enable special features in Squid, for SSL, when compiling?
Thank you
 
09-02-2007, 12:40 PM   #8
win32sux
No, the --enable-ssl option is only needed if you were planning to do SSL gatewaying. Here are the options used to compile Squid officially on Ubuntu 7.04, in case you want to look at a known-good set of ./configure options (I am currently using this on localhost, much like you are planning to):
Quote:
win32sux@candystore:~$ squid -v
Squid Cache: Version 2.6.STABLE5
configure options: '--prefix=/usr' '--exec_prefix=/usr' '--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--sysconfdir=/etc/squid' '--localstatedir=/var/spool/squid' '--datadir=/usr/share/squid' '--enable-async-io' '--with-pthreads' '--enable-storeio=ufs,aufs,coss,diskd,null' '--enable-linux-netfilter' '--enable-arp-acl' '--enable-epoll' '--enable-removal-policies=lru,heap' '--enable-snmp' '--enable-delay-pools' '--enable-htcp' '--enable-cache-digests' '--enable-underscores' '--enable-referer-log' '--enable-useragent-log' '--enable-auth=basic,digest,ntlm' '--enable-carp' '--with-large-files' 'i386-debian-linux' 'build_alias=i386-debian-linux' 'host_alias=i386-debian-linux' 'target_alias=i386-debian-linux'
win32sux@candystore:~$
BTW, if you're on Debian you could simply do this (instead of compiling from source):
Code:
apt-get install squid

Last edited by win32sux; 09-02-2007 at 12:47 PM.
 
09-02-2007, 01:21 PM   #9
mariogarcia
I am actually using LFS.

I installed Squid using ./configure --prefix=/usr --libexecdir=/usr/lib --sysconfdir=/etc
I searched for a redirect_program line in squid.conf but I can't find one... in which section does it have to be written?

Thank you
 
09-02-2007, 04:16 PM   #10
win32sux
I'd suggest you back up the default Squid conf file only for reference and instead use this one here as a base to get started. It's basically what I use on my desktop with some minor edits. I place the redirect_program line at the end (I use a redirector to force the use of HTTPS when accessing my Gmail) but I don't think it matters where you put it.
Code:
http_port 127.0.0.1:3128
icp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log none
cache_log none
cache_store_log none
cache_dir aufs /squid-cache 1024 32 256
cache_replacement_policy heap LFUDA
maximum_object_size 64 MB
cache_mem 16 MB
maximum_object_size_in_memory 48 KB
memory_replacement_policy heap LFUDA
cache_mgr win32sux@example.net
hosts_file /etc/hosts
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl purge method PURGE
acl CONNECT method CONNECT
acl cgiproxy dstdomain .yourcgiproxy.com
http_access deny manager
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost cgiproxy
http_access deny all
http_reply_access allow all
icp_access deny all
cache_effective_user squid
cache_effective_group squid
visible_hostname localhost
redirect_program /squid-redirectors/forcecgiproxy.pl
Notice how I have the disk cache size set to 1GB, and the memory cache size set to 16MB - you'll need to adjust these to your needs (as well as several other things - this is just meant as a base for you).

Here's a quick rundown of what it would take to set Squid up when the above is the content of your squid.conf file:

Create squid group and user (make sure the squid user doesn't get a real shell):
Code:
groupadd squid
useradd -g squid -d /dev/null -s /bin/false squid
Create directory for the redirector(s) and the cache:
Code:
mkdir /squid-redirectors
mkdir /squid-cache
(Remember to place the redirector script in the /squid-redirectors directory).

Set the proper permissions on the cache directory:
Code:
chown -R squid:squid /squid-cache
Create the Squid cache:
Code:
squid -z
Now start Squid with something like:
Code:
squid -DF
Now netstat should show Squid listening only on localhost like:
Code:
win32sux@candystore:~$ netstat -an | grep 3128
tcp        0      0 127.0.0.1:3128          0.0.0.0:*               LISTEN

Last edited by win32sux; 09-02-2007 at 04:42 PM.
 
09-02-2007, 06:49 PM   #11
mariogarcia
I had a problem with Squid starting; I had to remove some lines.

The lines I had to remove were

cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA

I also had to change aufs to ufs for squid-cache.
The address of the proxy is http://marioweb.no-ip.org/cgi-bin/nph-proxy.cgi
I put exactly that on the line
acl cgiproxy dstdomain .marioweb.no-ip.org

but the redirection doesn't work... it's true that if I type google.com in the address bar I get permission denied, but there's no redirection.

Last edited by mariogarcia; 09-02-2007 at 08:09 PM.
 
09-03-2007, 12:22 PM   #12
win32sux
Quote:
Originally Posted by mariogarcia
the lines i had to remove were

cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA
Likely due to not having used the --enable-removal-policies=lru,heap option.

Quote:
i had to change aufs for ufs in squid-cache.
Likely due to not having used the --enable-storeio=ufs,aufs,coss,diskd,null option.

So nothing weird so far...

Quote:
the address of the proxy is http://marioweb.no-ip.org/cgi-bin/nph-proxy.cgi
i put exactly that on the line
acl cgiproxy dstdomain .marioweb.no-ip.org

but the redirection doesn't work.. it's true that if i type in the address bar google.com i get permission denied... but there's no redirection
Okay, troubleshooting time!

Comment out the redirect_program line in your squid.conf file and then, to activate the changes, do a:
Code:
squid -k reconfigure
You should now be able to visit marioweb.no-ip.org, but should receive an Access Denied if you try to visit any other site. If this is the case, then at least the ACL config is sane, and you can then proceed to troubleshoot the redirector itself. What does your redirector script currently look like? My bet is that there is some sort of typo in the script, so it's redirecting to a URL that doesn't exactly match the ACL, hence the ACL kicks in with an Access Denied.

Last edited by win32sux; 09-03-2007 at 04:35 PM.
 
09-03-2007, 04:36 PM   #13
win32sux
You can check what is happening by setting the "access_log" line and looking at the log when you get the Access Denied. There should be a TCP_DENIED/403 showing the exact URL Squid redirected to. For example, I just set this redirector so that I get redirected to example.com no matter what I type:
Code:
#!/usr/bin/perl
use strict;
use warnings;
$| = 1;    # unbuffered output: Squid waits for each answer line

# Squid sends one request per line; the first field is the URL.
while (<>) {
    my @X = split;
    my $url = $X[0];

    if ($url =~ /^http:\/\/www\.example\.com/) {
        print "$url\n";    # already on example.com: pass it through unchanged
    }
    else {
        print "302:http://www.example.com\n";    # redirect everything else there
    }
}
In my access.log I see this when I try to access Slashdot.org (or any other site):
Code:
1188854830.846    421 127.0.0.1 TCP_DENIED/403 1438 GET http://www.example.com/ - NONE/- text/html
1188854831.586      0 127.0.0.1 TCP_DENIED/403 1460 GET http://www.example.com/favicon.ico - NONE/- text/html
This is because even though I have allowed Slashdot.org, I don't have Example.com set as an allowed site (I do whitelisting with an "allowed_sites" type ACL).

Last edited by win32sux; 09-03-2007 at 04:38 PM.
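An added example (not from the post) that applies this diagnostic to Squid's native access.log format: it parses each line, keeps the TCP_DENIED/403 entries, and splits them by whether the denied URL is the redirector's target (the redirect happened but the ACLs block the target) or some other site (the redirector did not fire). The log lines are constructed to resemble the ones above; 192.0.2.10 is a placeholder address.

```python
import re

# Constructed sample in Squid's native access.log layout:
# timestamp elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = [
    "1188854830.846    421 127.0.0.1 TCP_DENIED/403 1438 GET http://www.example.com/ - NONE/- text/html",
    "1188854831.586      0 127.0.0.1 TCP_DENIED/403 1460 GET http://www.example.com/favicon.ico - NONE/- text/html",
    "1188854840.120      5 127.0.0.1 TCP_DENIED/403 1402 GET http://www.example.org/ - NONE/- text/html",
    "1188854845.301     87 127.0.0.1 TCP_MISS/200 5120 GET http://slashdot.org/ - DIRECT/192.0.2.10 text/html",
]

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<peer>\S+)\s+(?P<type>\S+)$"
)


def parse_line(line):
    """Return the fields of one native-format log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_denials(lines, redirect_target):
    """Bucket TCP_DENIED/403 entries by the denied URL.
    'at_target': the redirect fired but http_access does not allow the target (fix the ACLs).
    'elsewhere': a non-proxy URL reached the ACLs unchanged (the redirector did not rewrite it)."""
    result = {"at_target": [], "elsewhere": []}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["code"] != "TCP_DENIED" or rec["status"] != "403":
            continue
        bucket = "at_target" if rec["url"].startswith(redirect_target) else "elsewhere"
        result[bucket].append(rec["url"])
    return result


if __name__ == "__main__":
    for bucket, urls in classify_denials(SAMPLE_LOG, "http://www.example.com/").items():
        print(bucket, urls)
```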
 
09-04-2007, 11:01 AM   #14
mariogarcia
Maybe it is a mistake in my redirector. Here's the code I wrote for it. I don't know if the escape characters are good.

Where can I find access.log?

Thank you

Code:
#!/usr/bin/perl
use strict;
use warnings;
$| = 1;    # unbuffered output: Squid waits for each answer line

# Squid sends one request per line; the first field is the URL.
while (<>) {
    my @X = split;
    my $url = $X[0];

    if ($url =~ /^http:\/\/marioweb\.no\-ip\.org\/cgi\-bin\/nph\-proxy\.cgi/) {
        print "$url\n";    # already going through the CGI proxy: pass it through unchanged
    }
    else {
        print "302:http://marioweb.no-ip.org/cgi-bin/nph-proxy.cgi\n";    # redirect to the proxy
    }
}
 
09-04-2007, 06:17 PM   #15
win32sux
Quote:
Originally Posted by mariogarcia
maybe it is a mistake in my redirector. here's the code I wrote for it. I don't know if the escape characters are good.
I'll have a look and see.

Quote:
where can I find access.log?
You can put it wherever you want. The config I gave you has it disabled. It's the line "access_log none". Change it to "access_log /path/to/access.log" or whatever you want, then reload the new config with a "squid -k reconfigure".
 