hotfloppy

Bridging Transparent Proxy


Assalamualaikum and greetings..

I was given a project by my trainer (a.k.a. lecturer) to build a [b]Bridging Transparent Proxy[/b]..

[b]Internet (modem in the server room) --> PC1 (bridge) --> PC2 (client)[/b]

Setting up PC1 as a bridge is already okay.. These are the commands I used..

[code]
brctl addbr mybridge                  # create the bridge device
brctl addif mybridge eth0             # add the first NIC as a bridge port
brctl addif mybridge eth1             # add the second NIC as a bridge port
ifconfig eth0 0.0.0.0 up              # bridge ports carry no IP of their own
ifconfig eth1 0.0.0.0 up
ifconfig mybridge 10.1.1.30 netmask 255.255.0.0 up   # management IP lives on the bridge itself
route add default gw 10.1.0.4 dev mybridge
[/code]

And this is the ifconfig output

[code]
[root@localhost ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:1C:F0:0C:41:4F
inet6 addr: fe80::21c:f0ff:fe0c:414f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1153 errors:0 dropped:0 overruns:0 frame:0
TX packets:84 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:136220 (133.0 KiB) TX bytes:11312 (11.0 KiB)
Interrupt:217

eth1 Link encap:Ethernet HWaddr 00:24:81:1D:4C:76
inet6 addr: fe80::224:81ff:fe1d:4c76/64 Scope:Link
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:5712 errors:0 dropped:0 overruns:0 frame:0
TX packets:31865 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:669987 (654.2 KiB) TX bytes:2881578 (2.7 MiB)
Memory:f0500000-f0520000

mybridge Link encap:Ethernet HWaddr 00:1C:F0:0C:41:4F
inet addr:10.1.1.30 Bcast:10.1.255.255 Mask:255.255.0.0
inet6 addr: fe80::21c:f0ff:fe0c:414f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:29 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:5690 (5.5 KiB)
[/code]

Now, as far as I know, I need to run the Squid service.. Below is my [b]squid.conf[/b]:

[code]
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

acl blacklist_domain_contain url_regex -i "/etc/squid/blacklist_domains_contain.acl"
acl blacklist_domain dstdomain "/etc/squid/blacklist_domain.acl"
acl access_by_ip url_regex \b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny blacklist_domain_contain
http_access deny blacklist_domain
http_access deny access_by_ip
http_access allow localnet
http_access allow localhost
http_access deny all
icp_access allow all
http_port 3128 transparent
# https_port needs cert= (and key=) options and cannot bind the same port 3128 as http_port;
# this line is what produces the "Failed to acquire SSL certificate '(null)'" error shown below
https_port 3128 transparent
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
coredump_dir /var/spool/squid
[/code]

In the files [b]/etc/squid/blacklist_domain.acl[/b] and [b]/etc/squid/blacklist_domain_contains.acl[/b] I put just 1 URL:

[code]
www.facebook.com
[/code]

Then in Webmin..
Under [b]Squid Proxy Server > Ports and Networking[/b], I assigned port [b]3128[/b] and for the [b]port option I set transparent[/b] for both Proxy & SSL..
Under [b]Squid Proxy Server > Access Control[/b], [b]Add Proxy Restrictions[/b], I ticked [b]Deny[/b], selected [b]blacklist_domain_contains[/b] and [b]blacklist_domain[/b], and clicked [b]Save[/b]..

When I try to run Squid, this error comes out:

[code]
[root@localhost ~]# service squid status
squid (pid 6793) is running...
2011/02/02 21:05:00| strtokFile: /etc/squid/blacklist_domain.acl not found
2011/02/02 21:05:00| aclParseAclLine: WARNING: empty ACL: acl blacklist_domain dstdomain "/etc/squid/blacklist_domain.acl"
2011/02/02 21:05:00| Failed to acquire SSL certificate '(null)': error:0200100E:system library:fopen:Bad address
[root@localhost ~]#
[/code]

I tried searching Google about this error; many people said it's a permission problem.. So, I set the permissions on the /etc/squid folder so that Squid can access it:

[code]
chown -R root:squid /etc/squid
[/code]

Tried running Squid and the error is still not resolved..

Searched Google again.. This time I came across the [b]setfacl[/b] command.. I tried:

[code]
setfacl -m u:apache:r /etc/squid/blacklist_domain.acl
setfacl -m u:squid:r /etc/squid/blacklist_domain.acl
[/code]

Still the same error..

What else do I need to do??

p/s: Is there any info I haven't given? This isn't a project with a deadline.. Just a side project.. Tomorrow is a holiday, so, if there's a reply after 4 o'clock, I can only try it next week.. :P
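An added check, example code that is not from the original post or the Squid project: a pre-start lint for squid.conf that catches the two problems in the error output above before Squid logs them. It verifies that every file quoted on an acl line exists and is non-empty, and that every https_port line has a cert= option and does not bind the same port as http_port. The demo config and its paths are constructed with mktemp and mirror the thread's setup (the populated file is named *_contains.acl while squid.conf references *s_contain.acl).

```shell
#!/bin/sh
# Added example, not from the original post: lint a squid.conf for the failure
# modes seen in this thread:
#   - acl line quoting a file that is missing or empty
#     ("strtokFile: ... not found" / "aclParseAclLine: WARNING: empty ACL")
#   - https_port with no cert= ("Failed to acquire SSL certificate '(null)'")
#   - https_port binding the same port as http_port
# Prints one line per finding. Assumes ACL file paths contain no spaces.

lint_squid_conf() {
    conf=$1
    # 1. every "quoted" file argument on an acl line must exist and be non-empty
    for f in $(sed -n 's/^acl [^#"]*"\([^"]*\)".*/\1/p' "$conf"); do
        if [ ! -f "$f" ]; then
            echo "missing acl file: $f"
        elif [ ! -s "$f" ]; then
            echo "empty acl file: $f"
        fi
    done
    # 2. Squid cannot open an https_port without a certificate
    if grep '^https_port' "$conf" | grep -qv 'cert='; then
        echo "https_port without cert= option"
    fi
    # 3. http_port and https_port must not bind the same address:port
    http_ports=" $(sed -n 's/^http_port *\([^ ]*\).*/\1/p' "$conf" | tr '\n' ' ') "
    for p in $(sed -n 's/^https_port *\([^ ]*\).*/\1/p' "$conf"); do
        case "$http_ports" in
            *" $p "*) echo "http_port and https_port both bind $p" ;;
        esac
    done
}

# Constructed reproduction of the thread's config (temp dir, not /etc/squid):
# the referenced *s_contain.acl does not exist, https_port lacks cert= and
# reuses port 3128. Echoes the number of findings (3 for this config).
demo_finding_count() {
    d=$(mktemp -d)
    printf 'www.facebook.com\n' > "$d/blacklist_domain.acl"
    printf 'www.facebook.com\n' > "$d/blacklist_domain_contains.acl"
    cat > "$d/squid.conf" <<EOF
acl blacklist_domain_contain url_regex -i "$d/blacklist_domains_contain.acl"
acl blacklist_domain dstdomain "$d/blacklist_domain.acl"
http_port 3128 transparent
https_port 3128 transparent
EOF
    n=$(lint_squid_conf "$d/squid.conf" | wc -l | tr -d ' ')
    rm -rf "$d"
    echo "$n"
}
```

Run `lint_squid_conf /etc/squid/squid.conf` as the squid user (for example via `su -s /bin/sh squid`) so the file tests see exactly what the Squid process sees.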

For the [b]*.acl[/b] problem, I've sorted it out..

I checked using [b]Webmin[/b]; the file showed up as empty even though it had content.. So, I just filled in the info from Webmin and the warning is gone now..

Now only the SSL certificate problem remains.. As a temporary solution, I've disabled [b]https_port 3128 transparent [/b]in [b]squid.conf[/b] for now..

Now I'm looking for a way to get Squid to monitor https activities..

Any idea??

p/s: Can anyone suggest what I need to study to enable Squid to monitor https activities.. Any keywords?

[quote name='hotfloppy' timestamp='1296824673' post='1061102']
For the [b]*.acl[/b] problem, I've sorted it out..

I checked using [b]Webmin[/b]; the file showed up as empty even though it had content.. So, I just filled in the info from Webmin and the warning is gone now..

Now only the SSL certificate problem remains.. As a temporary solution, I've disabled [b]https_port 3128 transparent [/b]in [b]squid.conf[/b] for now..

Now I'm looking for a way to get Squid to monitor https activities..

Any idea??

p/s: Can anyone suggest what I need to study to enable Squid to monitor https activities.. Any keywords?
[/quote]


hehe, never done https monitoring :D

Maybe I need to study about the certificate first..

I'll update again later..

p/s: If anyone knows the solution, please do share..

I've come across steps that SNAT packets from one network to another, so no bridging is needed.

For https, you can only see down to the domain level, I think, but you can drop connections per domain outright, so the site won't open at all. Try searching for "https facebook squid" on google.com if you're interested :D

Just adding this for those who are searching.

Edited by umarzuki
