08-30-2007, 01:43 PM | #1 | mariogarcia (Member; Registered: Sep 2005; Distribution: debian, solaris 10; Posts: 202)
force user to use cgiproxy or phproxy
Hello,
I set up a Firefox browser with the startup page linking to a CGIProxy, so users can surf the internet anonymously wherever they are. I want that if a user tries to type an address in the address bar, they get a forbidden message saying they can't do so, or are redirected to the CGIProxy script. The goal is to force the users to go online only through the CGIProxy. Is there any iptables configuration or something similar?
Thank you
08-30-2007, 06:12 PM | #2 | win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Quote (Originally Posted by mariogarcia):
    I want that if the user tries to type an address in the address bar, get a forbidden message saying it can't do so.. or is redirected to the cgiproxy script
I'm pretty sure you can achieve what you want with a Squid redirector.
Is that something you'd be willing to try?
08-30-2007, 08:13 PM | #3 | mariogarcia (Member, Original Poster; Registered: Sep 2005; Distribution: debian, solaris 10; Posts: 202)
I am most definitely willing to.
I am reading about Squirm... I don't know if there are better alternatives. I plan on installing Squid locally, not on the webserver where the CGI script will be installed.
08-30-2007, 09:38 PM | #4 | win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
I guess Squirm should work. Honestly I've never used it so I don't know. I was thinking more along the lines of a simple hand made redirector. Something like:
Code:
#!/usr/bin/perl
# Squid redirector helper: Squid writes one request per line on stdin,
# the first field of each line being the URL; we answer one line per request.
$|=1;                              # unbuffered output, Squid waits for each reply
while (<>) {
    @X = split;
    $url = $X[0];
    if ($url =~ /^http:\/\/www\.yourcgiwebsite\.com/) {
        print "$url\n";            # already on the CGIProxy site: leave it alone
    }
    else {
        # "302:" in front of the URL tells Squid to send the browser a redirect
        print "302:http://www.yourcgiwebsite.com\n";
    }
}
The pseudocode explanation of the above goes like:
If the URL starts with http://www.yourcgiwebsite.com/ then print the URL, else (if it doesn't begin with http://www.yourcgiwebsite.com/) redirect to http://www.yourcgiwebsite.com/.
Last edited by win32sux; 08-30-2007 at 09:40 PM.
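An added example, not code from the thread: the same redirector logic in Python, but comparing the request's whole host name against the proxy's host instead of matching a prefix, so a URL whose host merely starts with the proxy's name (or hides it in the userinfo part) is still bounced to the proxy. The Squid 2.x input line format ("URL client_ip/fqdn ident method") and PROXY_URL are assumptions; substitute your own CGIProxy address.

```python
"""Added example (not from the thread): CGIProxy-forcing Squid redirector.
Assumes Squid 2.x redirector lines: "URL client_ip/fqdn ident method".
Replies: the URL unchanged, "302:URL" for a redirect, or a blank line
meaning "leave the request alone"."""
import sys
from urllib.parse import urlsplit

PROXY_URL = "http://www.yourcgiwebsite.com/cgi-bin/nph-proxy.cgi"  # placeholder
PROXY_HOST = urlsplit(PROXY_URL).hostname


def is_proxy_url(url):
    """True only when the URL's host *is* the proxy host.

    A prefix regex such as ^http://www\\.yourcgiwebsite\\.com also accepts
    http://www.yourcgiwebsite.com.evil.test/ ; comparing the parsed host
    name does not."""
    try:
        parts = urlsplit(url)
    except ValueError:          # unparsable URL: treat as "not the proxy"
        return False
    return parts.scheme in ("http", "https") and parts.hostname == PROXY_HOST


def redirect(line):
    """Map one redirector input line to the reply line Squid expects."""
    fields = line.split()
    if not fields:              # blank/malformed line: tell Squid "no change"
        return ""
    url = fields[0]
    if is_proxy_url(url):
        return url              # already going through the CGIProxy
    return "302:" + PROXY_URL   # anything else: bounce the browser to the proxy


if __name__ == "__main__":
    # Squid keeps the helper running for its lifetime, one line per request;
    # flush every reply, the Perl version's $|=1 does the same.
    for line in sys.stdin:
        print(redirect(line), flush=True)
```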
08-31-2007, 11:05 AM | #5 | mariogarcia (Member, Original Poster; Registered: Sep 2005; Distribution: debian, solaris 10; Posts: 202)
Do I need to install Squid? You speak of a Squid redirector, so I thought I needed Squid... And where do I put that script you just posted? If I don't have to install Squid, even better.
Thank you
08-31-2007, 11:28 AM | #6 | win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Yes, you'd need Squid.
You can name the script whatever you like, and place it anywhere (just make sure it has proper permissions set). You'd tell Squid to use the redirector by using a "redirect_program" line in your squid.conf file. For example, let's say you make directory /redirectors and you name your redirector script forcecgiproxy.pl. The line in squid.conf would look like:
Code:
redirect_program /redirectors/forcecgiproxy.pl
BTW, considering you are doing this on localhost, you might wanna execute an iptables rule that makes sure outgoing HTTP/HTTPS packets have been generated by Squid - that way users can't bypass the proxy by changing the proxy setting in Firefox. Assuming your OUTPUT policy is set to DROP, and there are no other rules to send TCP port 80 and 443 packets to ACCEPT, something like this should do the trick:
Code:
iptables -I OUTPUT -p TCP -m multiport --dports 80,443 \
-m owner --uid-owner squid -j ACCEPT
This also assumes your Squid is running with UID "squid".
Last edited by win32sux; 08-31-2007 at 02:21 PM.
09-02-2007, 10:25 AM | #7 | mariogarcia (Member, Original Poster; Registered: Sep 2005; Distribution: debian, solaris 10; Posts: 202)
Hello, sorry, do I have to enable special features in Squid for SSL when compiling?
Thank you
09-02-2007, 12:40 PM | #8 | win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
No, the --enable-ssl option is only needed if you were planning to do SSL gatewaying. Here are the options used to compile Squid officially on Ubuntu 7.04, in case you want to look at a known-good set of ./configure options (I am currently using this on localhost, much like you are planning to):
Quote (terminal output):
    win32sux@candystore:~$ squid -v
    Squid Cache: Version 2.6.STABLE5
    configure options: '--prefix=/usr' '--exec_prefix=/usr' '--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--sysconfdir=/etc/squid' '--localstatedir=/var/spool/squid' '--datadir=/usr/share/squid' '--enable-async-io' '--with-pthreads' '--enable-storeio=ufs,aufs,coss,diskd,null' '--enable-linux-netfilter' '--enable-arp-acl' '--enable-epoll' '--enable-removal-policies=lru,heap' '--enable-snmp' '--enable-delay-pools' '--enable-htcp' '--enable-cache-digests' '--enable-underscores' '--enable-referer-log' '--enable-useragent-log' '--enable-auth=basic,digest,ntlm' '--enable-carp' '--with-large-files' 'i386-debian-linux' 'build_alias=i386-debian-linux' 'host_alias=i386-debian-linux' 'target_alias=i386-debian-linux'
    win32sux@candystore:~$
BTW, if you're on Debian you could simply do (instead of compiling from source):
Code:
apt-get install squid
Last edited by win32sux; 09-02-2007 at 12:47 PM.
09-02-2007, 01:21 PM | #9 | mariogarcia (Member, Original Poster; Registered: Sep 2005; Distribution: debian, solaris 10; Posts: 202)
I am actually using LFS.
I installed Squid using ./configure --prefix=/usr --libexecdir=/usr/lib --sysconfdir=/etc
I searched for a redirect_program line in squid.conf but I can't find it. In which section does it have to be written?
Thank you
09-02-2007, 04:16 PM | #10 | win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
I'd suggest you back up the default Squid conf file only for reference and instead use this one here as a base to get started. It's basically what I use on my desktop with some minor edits. I place the redirect_program line at the end (I use a redirector to force the use of HTTPS when accessing my Gmail) but I don't think it matters where you put it.
Code:
http_port 127.0.0.1:3128
icp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log none
cache_log none
cache_store_log none
cache_dir aufs /squid-cache 1024 32 256
cache_replacement_policy heap LFUDA
maximum_object_size 64 MB
cache_mem 16 MB
maximum_object_size_in_memory 48 KB
memory_replacement_policy heap LFUDA
cache_mgr win32sux@example.net
hosts_file /etc/hosts
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl purge method PURGE
acl CONNECT method CONNECT
acl cgiproxy dstdomain .yourcgiproxy.com
http_access deny manager
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost cgiproxy
http_access deny all
http_reply_access allow all
icp_access deny all
cache_effective_user squid
cache_effective_group squid
visible_hostname localhost
redirect_program /squid-redirectors/forcecgiproxy.pl
Notice how I have the disk cache size set to 1GB, and the memory cache size set to 16MB - you'll need to adjust these to your needs (as well as several other things - this is just meant as a base for you).
Here's a quick rundown of what it would take to set Squid up when the above is the content of your squid.conf file:
Create squid group and user (make sure the squid user doesn't get a real shell):
Code:
groupadd squid
useradd -g squid -d /dev/null -s /bin/false squid
Create directory for the redirector(s) and the cache:
Code:
mkdir /squid-redirectors
mkdir /squid-cache
(Remember to place the redirector script in the /squid-redirectors directory).
Set the proper permissions on the cache directory:
Code:
chown -R squid:squid /squid-cache
Create the Squid cache:
Code:
[command missing on the page]
Now start Squid with something like:
Code:
[command missing on the page]
Now netstat should show Squid listening only on localhost like:
Code:
win32sux@candystore:~$ netstat -an | grep 3128
tcp 0 0 127.0.0.1:3128 0.0.0.0:* LISTEN
Last edited by win32sux; 09-02-2007 at 04:42 PM.
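An added example, not from the thread or from Squid itself: a small Python model of how Squid walks the http_access lines of the config above (the first line whose ACLs all match decides; a "!" in front of an ACL negates it). It is handy for working out why a given request, including the URL a redirector sends the browser to, ends up allowed or denied. Only the src, port, method and dstdomain ACL types are modelled, the "manager" (proto) ACL is left out, and the request shapes are constructed for the example.

```python
"""Added example (not from the thread): simplified Squid http_access evaluation
for the posted squid.conf. Modelled ACL types: src, port, method, dstdomain."""
from urllib.parse import urlsplit

# ACLs from the posted config: name -> (type, values). 'manager' is left out.
ACLS = {
    "all":        ("src", ["0.0.0.0/0"]),
    "localhost":  ("src", ["127.0.0.1"]),
    "SSL_ports":  ("port", [443]),
    "Safe_ports": ("port", [80, 443]),
    "purge":      ("method", ["PURGE"]),
    "CONNECT":    ("method", ["CONNECT"]),
    "cgiproxy":   ("dstdomain", [".yourcgiproxy.com"]),
}
# http_access lines in config order; the first line whose ACLs all match wins
HTTP_ACCESS = [
    ("deny",  ["purge"]),
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost", "cgiproxy"]),
    ("deny",  ["all"]),
]

def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":       # 0.0.0.0/0 is "everyone"; otherwise exact address
        return "0.0.0.0/0" in values or req["src"] in values
    if kind == "port":
        return req["port"] in values
    if kind == "method":
        return req["method"] in values
    # dstdomain: a leading dot matches the domain itself and all subdomains
    return any((req["host"] == v[1:] or req["host"].endswith(v))
               if v.startswith(".") else req["host"] == v for v in values)

def request(method, target, src):
    """Fields Squid tests for a request; CONNECT targets look like host:port."""
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return {"src": src, "method": method, "host": host, "port": int(port)}
    p = urlsplit(target)
    port = p.port or (443 if p.scheme == "https" else 80)
    return {"src": src, "method": method, "host": p.hostname, "port": port}

def http_access(method, target, src="127.0.0.1"):
    """Return 'allow' or 'deny' as the posted http_access list would decide."""
    req = request(method, target, src)
    for verdict, terms in HTTP_ACCESS:
        # '!acl' inverts that ACL; every term on the line must hold
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return verdict
    return "allow"  # Squid inverts the last line if nothing matched; unreachable after 'deny all'
```

Running http_access("GET", "http://www.google.com/") gives "deny" while the CGIProxy URL gives "allow", which is exactly the behaviour the ACL part of the config is meant to produce; a redirector that sends the browser to a host outside the cgiproxy ACL would likewise be denied.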
09-02-2007, 06:49 PM | #11 | mariogarcia (Member, Original Poster; Registered: Sep 2005; Distribution: debian, solaris 10; Posts: 202)
I had a problem with Squid starting; I had to remove some lines.
The lines I had to remove were:
cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA
I also had to change aufs to ufs for the squid-cache directory.
The address of the proxy is http://marioweb.no-ip.org/cgi-bin/nph-proxy.cgi
I put exactly that on the line:
acl cgiproxy dstdomain .marioweb.no-ip.org
But the redirection doesn't work. It's true that if I type google.com in the address bar I get permission denied, but there's no redirection.
Last edited by mariogarcia; 09-02-2007 at 08:09 PM.
09-03-2007, 12:22 PM | #12 | win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Quote (Originally Posted by mariogarcia):
    the lines i had to remove were
    cache_replacement_policy heap LFUDA
    memory_replacement_policy heap LFUDA
Likely due to not having used the --enable-removal-policies=lru,heap option.
Quote (Originally Posted by mariogarcia):
    i had to change aufs for ufs in squid-cache.
Likely due to not having used the --enable-storeio=ufs,aufs,coss,diskd,null option.
So nothing weird so far...
Quote (Originally Posted by mariogarcia):
    the address of the proxy is http://marioweb.no-ip.org/cgi-bin/nph-proxy.cgi
    i put exactly that on the line
    acl cgiproxy dstdomain .marioweb.no-ip.org
    but the redirection doesn't work.. it's true that if i type in the address bar google.com i get permission denied... but there's no redirection
Okay, troubleshooting time!
Comment out the redirect_program line in your squid.conf file and then, to activate the changes, do a:
Code:
squid -k reconfigure
You should now be able to visit marioweb.no-ip.org, but should receive an Access Denied if you try to visit any other site. If this is the case, then at least the ACL config is sane, and you can then proceed to troubleshoot the redirector itself. What does your redirector script currently look like? My bet is that there is some sort of typo in the script, so it's redirecting to a URL that doesn't exactly match the ACL, hence the ACL kicks-in with an Access Denied.
Last edited by win32sux; 09-03-2007 at 04:35 PM.
09-03-2007, 04:36 PM | #13 | win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
You can check what is happening by setting the "access_log" line and looking at the log when you get the Access Denied. There should be a TCP_DENIED/403 showing the exact URL Squid redirected to. For example, I just set this redirector so that I get redirected to example.com no matter what I type:
Code:
#!/usr/bin/perl
# Test redirector: everything not already on www.example.com gets sent there.
$|=1;                              # unbuffered output, Squid waits for each reply
while (<>) {
    @X = split;
    $url = $X[0];                  # first field of the input line is the URL
    if ($url =~ /^http:\/\/www\.example\.com/) {
        print "$url\n";            # leave requests for example.com alone
    }
    else {
        print "302:http://www.example.com\n";   # redirect everything else
    }
}
In my access.log I see this when I try to access Slashdot.org (or any other site):
Code:
1188854830.846 421 127.0.0.1 TCP_DENIED/403 1438 GET http://www.example.com/ - NONE/- text/html
1188854831.586 0 127.0.0.1 TCP_DENIED/403 1460 GET http://www.example.com/favicon.ico - NONE/- text/html
This is because even though I have allowed Slashdot.org, I don't have Example.com set as an allowed site (I do whitelisting with an "allowed_sites" type ACL).
Last edited by win32sux; 09-03-2007 at 04:38 PM.
09-04-2007, 11:01 AM | #14 | mariogarcia (Member, Original Poster; Registered: Sep 2005; Distribution: debian, solaris 10; Posts: 202)
Maybe it is a mistake in my redirector. Here's the code I wrote for it. I don't know if the escape characters are good.
Where can I find access.log?
Thank you
Code:
#!/usr/bin/perl
# Squid redirector: pass requests for the CGIProxy through, redirect the rest.
$|=1;                              # unbuffered so Squid gets each answer at once
while (<>) {
    @X = split;
    $url = $X[0];                  # first field of the input line is the URL
    if ($url =~ /^http:\/\/marioweb\.no\-ip\.org\/cgi\-bin\/nph\-proxy\.cgi/) {
        print "$url\n";
    }
    else {
        # plain string, so no regex-style escapes are needed here (in a
        # double-quoted string \- and \/ only trigger "unrecognized escape"
        # warnings under -w and print the bare character anyway)
        print "302:http://marioweb.no-ip.org/cgi-bin/nph-proxy.cgi\n";
    }
}
09-04-2007, 06:17 PM | #15 | win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Quote (Originally Posted by mariogarcia):
    maybe it is a mistake in my redirector. here's the code I wrote for it. I don't know if the escape characters are good.
I'll have a look and see.
Quote (Originally Posted by mariogarcia):
    where can I find access.log?
You can put it wherever you want. The config I gave you has it disabled. It's the line "access_log none". Change it to "access_log /path/to/access.log" or whatever you want, then reload the new config with a "squid -k reconfigure".