
A Linux User Reference


NETWORK APPLICATIONS

Squid proxy

  • Squid server
    • consists of a main server program - 'squid'
    • a Domain Name System lookup program 'dnsserver'
    • optional programs for rewriting requests and performing authentication, management and client tools.

    When squid starts up, it spawns a configurable number of 'dnsserver' processes, each of which can perform a single blocking DNS lookup. This reduces the amount of time the proxy waits for DNS lookups.

    Server configuration file - /etc/squid/squid.conf

    • there are over 125 option tags in this file
    • only need to change eight options to get squid up and running, the other options give additional flexibility
    • default 'squid.conf' denies access to all browsers.
    • need to edit the Access Control Lists to allow clients to use the squid proxy.
    • most basic way to perform access control is to use the http_access option.

    Reload 'squid.conf' after any changes

    # squid -k reconfigure
    

    See the Squid documentation for the full list of configuration directives.

  • Some configuration options
    /etc/squid.conf

    Commonly used options

    http_port                  Port(s) squid will listen on for requests.
                               Default=3128, another is 8080.
    
    cache_dir                  <storage_type> <dir_name> <size(MB)> <L1> <L2> [options]
                               Configure specific storage areas. If using more than one
                               disk for cached data, use more than one mount point
                               (e.g. /usr/local/squid/cache1, /usr/local/squid/cache2, ...).
                               Can have multiple cache_dir options in the config file.
       <storage_type>              ufs is the default, only change if problems with it.
       <dir_name>                  Location of the cache.
       <size(MB)>                  Cache size, default=100MB, usually a few GB.
       <L1>                        No. of top-level sub-dirs in cache_dir, default=16.
       <L2>                        No. of second-level sub-dirs, default=256.
                                   Example: 
                                       cache_dir ufs /var/spool/squid 100 16 256
    
    cache_mem                  Amount of memory to use for caching. Once limit is
                               reached, squid starts paging to disk.
                               Example: 
                                   cache_mem 8MB
    
    http_access                Basic syntax: http_access allow|deny [!]aclname
                               Example: 
                                   acl home src 10.0.0.0/255.0.0.0
                                   http_access allow home     
                                   Allows access to an internal network, deny all else.
    
    authenticate_program       Program and args to start up as an authenticator.
    redirect_program           Program to start up as a redirector.
    redirect_children          Number of processes to start up to do redirection.
    maximum_object_size        Max file size(KB) that will be cached. Greater sizes
                               will NOT be saved. Default is 4MB.  If speed is more
                               important than saving bandwidth, leave this low.
    minimum_object_size        Objects smaller than this (KB) will NOT be cached.
                               Default=0 which implies everything will be cached.
    cache_swap                 Amount of disk space it may use. A large disk cache
                               requires greater RAM.
    
  • Squid daemon

    Check your version's man page for the latest flags etc.

    squid [-options] [-d level] 
          [-s | -l facility]
          [-f config-file] [-u port]
          [-k signal]
    
    Some options:
     -d level                Write debugging to stderr also
     -f file                 Use given config-file instead of /etc/squid/squid.conf
     -h                      Print help message
     -k signal               Valid signals are: reconfigure|rotate|shutdown|interrupt|
                             kill|debug|check|parse
     -s | -l facility        Enable logging to syslog
     -u port                 Specify ICP port number (default: 3130); use 0 to disable
     -v                      Print version
     -z                      Create swap directories
     -C                      Do not catch fatal signals
     -D                      Disable initial DNS tests
     -F                      Don't serve any requests until store is rebuilt
     -N                      No daemon mode
     -R                      Do not set REUSEADDR on port
     -S                      Double-check swap during rebuild
     -X                      Force full debugging
     -Y                      Only return UDP_HIT or UDP_MISS_NOFETCH during fast reload
    
  • URL re-writing
    Redirectors

    Squid can be configured to pass every incoming URL through a redirector which returns either a new URL or a blank line to indicate no change.

    A redirector:

    • is an external program, e.g. a script (some examples are provided in the contrib/ directory of the source distribution).
    • allows the administrator to control the locations to which users may go.
    • can be used in conjunction with transparent proxies to deny users access to certain sites.
    • must read URLs (one per line) on stdin and write rewritten URLs or blank lines on stdout.
    • can be a third-party program, e.g. squirm, or one you write yourself.

    Input line to a Redirector

    In its basic form the input line consists of four fields (URL, client address, ident and method); the full format is:

    [channel id] <URL> <ip-address/fqdn> <ident> <method> [urlgroup] <kv pair>
    
    Where:
    channel id             concurrency channel number. When concurrency is off (set to 1) this
                           field and the following space will be completely missing.
    URL                    URL originally requested.
    ip-address/fqdn        IP address and domain name of client (if cached by squid)
    ident                  Results of any IDENT/AUTH lookup done for the client, if enabled.
    method                 HTTP method used in the request e.g. GET
    urlgroup               Squid2 only, sent with URL-grouping tag (configured on http_port). 
    kv pair                list of key=value pairs.  Only "myip" (squid recv. addr.) and "myport"
                           (squid recv. port) pairs are sent unconditionally.  Any key that ends in
                           '_' is reserved for administrative purposes.
    

    If a field value is unknown then a '-' is used, as in this example input line:

    ftp://ftp.gnome.org/pub/GNOME/stable/releases/gnome-1.0.53/README 192.168.12.34/- - GET -
    

    Configure a custom Python redirector - /etc/squid.conf

    redirect_program /usr/bin/python /etc/squid/custom_redirect.py
    
    # Number of instances. Recommended not < 5.
    redirect_children 5 
    

    Reload 'squid.conf' after any changes

    # squid -k reconfigure
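    As an added example (not code from this reference or from the Squid project), a small Python redirector that implements the stdin/stdout protocol described above: it parses the input line, treats '-' as an unknown value, echoes the channel id when concurrency is on, and rewrites requests for a block list to a block page. The block list, the block page host and the assumption that a reply of just the channel id means "no change" are mine, not the page's.

```python
#!/usr/bin/env python3
# Minimal Squid redirector (hypothetical example, not Squid's own code).
# Squid sends one request per line on stdin:
#   [channel-id] <URL> <ip-address/fqdn> <ident> <method> [urlgroup] [key=value ...]
# and reads one line back per request: the rewritten URL, or a blank line for "no change".
import sys
from urllib.parse import urlsplit

# Constructed block list and landing page; a real deployment would load them from a file.
BLOCKED_HOSTS = {"blocked.example", "ads.example"}
BLOCK_PAGE = "http://intranet.example/blocked.html"


def parse_line(line):
    """Split one input line into its fields; '-' marks an unknown value."""
    fields = line.split()
    if not fields:
        return None
    channel = fields.pop(0) if fields[0].isdigit() else None  # present only when concurrency > 1
    if len(fields) < 4:
        raise ValueError("need URL, client, ident and method: %r" % line)
    url, client, ident, method = fields[:4]
    ip, _, fqdn = client.partition("/")
    return {"channel": channel, "url": url, "ip": ip,
            "fqdn": fqdn if fqdn not in ("", "-") else None,
            "ident": ident if ident != "-" else None, "method": method,
            "kv": dict(f.split("=", 1) for f in fields[4:] if "=" in f)}


def rewrite(req):
    """Policy: send blocked hosts (and their subdomains) to the block page."""
    host = (urlsplit(req["url"]).hostname or "").lower()
    if host in BLOCKED_HOSTS or any(host.endswith("." + b) for b in BLOCKED_HOSTS):
        return BLOCK_PAGE
    return ""  # blank line: leave the URL unchanged


def respond(line):
    """Reply line for one input line; with concurrency on, the channel id is echoed first
    (assumed here: the id alone means no change)."""
    req = parse_line(line)
    if req is None:
        return ""
    new_url = rewrite(req)
    return ("%s %s" % (req["channel"], new_url)).rstrip() if req["channel"] else new_url


if __name__ == "__main__":
    for line in sys.stdin:  # flush after every reply: Squid blocks waiting for it
        sys.stdout.write(respond(line) + "\n")
        sys.stdout.flush()
```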
    
  • Authentication levels
    • Authentication can be done on various levels, e.g. network or user.
    • Browsers can send the user's authentication credentials using a special "authorisation request header".

    When squid gets a request and an http_access rule refers to a proxy_auth ACL, it looks for an authorisation header:

    • If the header is present squid decodes it and extracts a username and password.
    • If the header is missing squid returns an HTTP reply with status 407 (Proxy Authentication Required).

      • User agent (browser) receives the 407 reply and then prompts the user to enter a username and password.
      • Username and password are encoded and sent in the authorisation header for subsequent requests to the proxy.

    Security Issue

    HTTP has two authentication modes, basic and digest. Most proxies are not capable of using digest mode, so basic mode is used.

    In basic mode:

    • The username and password are encoded using base64.
    • They are NOT encrypted, which means they travel in clear text between the browser and the proxy.
    • Therefore you should not use the same username and password that you use for your account login.

    Squid supports digest mode, versions older than 2.5 need to be patched.

    The squid source code comes with several authentication programs, including:

    Auth.      Description
    LDAP       Uses the Lightweight Directory Access Protocol
    NCSA       Uses an NCSA-style username and password file
    MSNT       Uses a Windows NT authentication domain
    PAM        Uses the Linux Pluggable Authentication Modules scheme
    SMB        Uses an SMB server like Windows NT or Samba
    getpwnam   Uses the old-fashioned Unix password file
  • User authentication
    • Need to compile and install one of the authentication programs
    • Tell squid which authentication program to use
    • Set up an ACL of type proxy_auth
    • Add a line to regulate the access to the web-cache, using that ACL

    Example configuration - /etc/squid/squid.conf

    authenticate_program /sbin/my_auth -f /etc/my_auth.db
    acl name proxy_auth REQUIRED
    http_access allow name               # acts as a deny rule
    http_access allow all                # common solution - add an extra rule 
    

    If the external authenticator allowed access, the allow rule actually acts as if it were a deny rule! Any following rules are consequently checked until another matching ACL is found.

  • Access Control Lists (ACLs)

    Many squid.conf options require use of Access Control Lists (ACLs).

    Each ACL consists of:

    <acl keyword> <name> <type> <value (a string or filename)>
    
    Access can be regulated based on:

    • source or destination IP address
    • domain or domain regular expression
    • hours
    • days
    • URL
    • port
    • protocol
    • method
    • username
    • type of browser

    See the Squid.org documentation for the available ACL types.

    To regulate access to certain functions

    1. Define the ACL first
    2. Add a line to deny or allow access to a function of the cache, using that ACL as a reference

    ACLs can also require user authentication, specify an SNMP read community string or set a TCP connection limit.

  • ACL configuration examples

    Allow access from machines within a certain IP range - squid.conf

    acl allowedhosts src 192.168.1.0/255.255.255.0
    acl all src 0.0.0.0/0.0.0.0
    http_access allow allowedhosts
    http_access deny all
    

    Keep all internal IPs off the Web except during lunchtime - squid.conf

    acl allowed_hosts src 192.168.1.0/255.255.255.0
    acl lunchtime time MTWHF 12:00-13:00              # MTWHF - monday to friday
    http_access allow allowed_hosts lunchtime
    

    Block certain sites based on their domain names - squid.conf

    acl adults dstdomain playboy.com sex.com
    acl ourallowedhosts src 196.4.160.0/255.255.255.0
    acl all src 0.0.0.0/0.0.0.0
    http_access deny adults
    http_access allow ourallowedhosts
    http_access deny all
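    As an added example (not from this reference or from Squid itself), a small Python model of how Squid evaluates http_access lists like the three above: first matching rule wins, all ACLs on a line must match, and when nothing matches the default is the opposite of the last rule. The src, dstdomain and time ACL types, the inclusive end of the time window and the constructed request values are simplifications I chose for the model.

```python
# Toy model of Squid's http_access evaluation (hypothetical example, not Squid's code).
# Rules are tried top to bottom; a rule matches only when ALL its ACLs match (a leading
# '!' negates one) and the first matching rule decides. If no rule matches, Squid's
# documented default is the OPPOSITE of the last rule's action, which is why the
# lunchtime example above (no final 'deny all') still denies requests outside lunch.
import ipaddress
from datetime import datetime

DAYS = "SMTWHFA"  # Squid's day letters: Sun Mon Tue Wed tHu Fri sAt


def make_acl(acl_type, *values):
    """Return a predicate over a request dict for the ACL types used in this section."""
    if acl_type == "src":  # 'addr/netmask' or CIDR; ip_network accepts both forms
        nets = [ipaddress.ip_network(v, strict=False) for v in values]
        return lambda r: any(ipaddress.ip_address(r["src"]) in n for n in nets)
    if acl_type == "dstdomain":  # the domain itself and any subdomain of it
        doms = [v.lower() for v in values]
        return lambda r: any(r["host"] == d or r["host"].endswith("." + d) for d in doms)
    if acl_type == "time":  # values: day letters, "h1:m1-h2:m2" (end treated as inclusive)
        days, span = values
        (h1, m1), (h2, m2) = [map(int, t.split(":")) for t in span.split("-")]
        def in_window(r):
            t = r["time"]
            minute = t.hour * 60 + t.minute
            return DAYS[(t.weekday() + 1) % 7] in days and h1 * 60 + m1 <= minute <= h2 * 60 + m2
        return in_window
    raise ValueError("unsupported acl type: " + acl_type)


def http_access(rules, acls, req):
    """rules: [(action, [aclname, '!aclname', ...]), ...]; returns 'allow' or 'deny'."""
    for action, names in rules:
        if all(acls[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"  # no match: opposite of last rule


def request(src, host, when):
    """Constructed request: client IP, destination host, and time as 'YYYY-MM-DD HH:MM'."""
    return {"src": src, "host": host.lower(), "time": datetime.fromisoformat(when)}


if __name__ == "__main__":
    acls = {"allowed_hosts": make_acl("src", "192.168.1.0/255.255.255.0"),
            "lunchtime": make_acl("time", "MTWHF", "12:00-13:00")}
    rules = [("allow", ["allowed_hosts", "lunchtime"])]  # the lunchtime example above
    print(http_access(rules, acls, request("192.168.1.7", "ok.example", "2024-01-01 12:30")))  # allow
    print(http_access(rules, acls, request("192.168.1.7", "ok.example", "2024-01-01 15:00")))  # deny
```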