Aug 17

Configure Squid as HTTP and HTTPS Transparent Proxy

These days it is really important to have a proxy server to analyze an organization's web traffic. Among proxy servers, Squid is very popular because of its flexibility and ease of configuration. Squid can operate in non-transparent or transparent mode; transparent mode is what is discussed here. The main benefit of transparent mode is that clients are not aware that their requests are processed through the proxy: there is simply no configuration on the client side. So let's look at how to configure Squid as an HTTP and HTTPS transparent proxy.

Notice

Before beginning, please adjust the IP addresses and other configuration to your requirements. The values below are used only for demonstration.

Internet -> eth0
interface IP :- 192.168.2.39/24 Gateway :- 192.168.2.1

LAN -> eth1
interface IP :- 192.168.231.126/24 Gateway :- 0.0.0.0

If you have a single interface, there is no need to worry: you can create a virtual interface that acts as either the LAN or the Internet interface. This process has many steps to follow, so I have divided it into four major sections to make it easier to understand.

(01) Install and Configure Squid

(02) Install bind DNS

(03) Configure iptables

(04) Configure Windows client.

So let's follow each section in depth.

(01) Install and Configure Squid

1) To analyse HTTPS traffic, the following packages are required.

yum install openssl openssl-devel

2) Download and install the latest Squid version.

Download location :- http://www.squid-cache.org/Versions/

Squid runs as the squid user, and the following configure parameters are mandatory.

./configure --with-openssl --enable-ssl-crtd --with-default-user=squid
make
make install

3) Initialize the Squid ssl_db directory

/usr/local/squid/libexec/ssl_crtd -c -s /var/lib/ssl_db
chown -R squid.squid /var/lib/ssl_db

Dynamically generated SSL certificates are stored in the /var/lib/ssl_db directory.

4) Comment out conflicting lines and add the following extra fields to the squid.conf file.

# plain (non-intercepting) port, and the HTTP intercept port targeted by the iptables REDIRECT
http_port 3130
http_port 3128 intercept
# HTTPS intercept port; cert= and key= belong on this same line and point to the CA generated in step 6
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myca.pem key=/usr/local/squid/ssl_cert/myca.pem

ssl_bump server-first all

# helper that mints the per-host certificates kept in /var/lib/ssl_db (step 3)
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

coredump_dir /usr/local/squid/var/cache/squid

5) Create the certificate folder and generate the keys

mkdir /usr/local/squid/ssl_cert
chown -R squid.squid /usr/local/squid/ssl_cert
cd /usr/local/squid/ssl_cert

6) Generate the new self-signed certificate and key

openssl req -new -newkey rsa:1024 -days 1365 -nodes -x509 -keyout myca.pem -out myca.pem

ex:-
Country Name (2 letter code) [XX]:lk
State or Province Name (full name) []:western
Locality Name (eg, city) [Default City]:colombo
Organization Name (eg, company) [Default Company Ltd]:it
Organizational Unit Name (eg, section) []:itdept
Common Name (eg, your name or your server's hostname) []:squidserver.local
Email Address []:admin@squidserver.local

7) Export the certificate in DER format for web browsers. Later this DER file (myca.der) needs to be imported into the browser to avoid SSL errors.

openssl x509 -in myca.pem -outform DER -out myca.der

(02) Install bind DNS

1) Install bind

yum install bind

2) Configure DNS

vim /etc/named.conf

3) Configure zone for squidserver.local

mkdir /var/named/squidserver.local
touch /var/named/squidserver.local/db.home
chown -R named.named /var/named/squidserver.local/db.home

4) Add the following lines to /var/named/squidserver.local/db.home

$ORIGIN squidserver.local.
$TTL 86400
@    IN    SOA    proxy.squidserver.local.    proxy.squidserver.local. (
2014032801 ; Serial
28800 ; Refresh
7200 ; Retry
604800 ; Expire
86400 ; Negative Cache TTL
)
@    IN    NS    proxy.squidserver.local.
proxy    IN    A    192.168.231.126

5) Start named

service named start

(03) Configure iptables

Be careful about the interface names and IP addresses; alter those values according to your requirements. You can learn about iptables from here if you are a novice.

1) Redirect HTTP and HTTPS traffic to Squid

iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129

2) Allow UDP and TCP port 53, and TCP ports 80, 443, 3128 and 3129, inbound on the LAN interface.

ex:- These are inserted as rule 5; the position may need to change according to your existing iptables rules.
iptables -I INPUT 5 -p udp -m udp --dport 53 -j ACCEPT
iptables -I INPUT 5 -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT 5 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT 5 -p tcp --dport 443 -j ACCEPT
iptables -I INPUT 5 -p tcp --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT 5 -p tcp --dport 3129 -m state --state NEW,ESTABLISHED -j ACCEPT

3) So what happens to other traffic such as FTP or VPN? Let's bypass that traffic.

Here we assume Squid does not handle those requests. Accept connections from inside (eth1) and forward them to the Internet (eth0):
iptables -I FORWARD 1 -o eth0 -i eth1 -s 192.168.231.0/24 -m conntrack --ctstate NEW -j ACCEPT

We also accept forwarding of all already established connections:
iptables -I FORWARD 2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Masquerading (substitute the local source IP address with the public address):
iptables -A POSTROUTING -t nat -j MASQUERADE

4) Enable packet forwarding for IPv4

Edit /etc/sysctl.conf and add the following:
net.ipv4.ip_forward=1

(04) Configure Windows client.

1) Configure the client's default gateway and DNS as 192.168.231.126 (the LAN IP address)

2) Import myca.der into the web browser to avoid SSL errors.

Feel free to comment here if you have faced any issues 🙂

Jul 21

Block https web traffic using ZeroShell proxy

This time I'm going to demonstrate how to block HTTPS web traffic using the ZeroShell proxy. As a POC I'm going to block https://www.facebook.com here. This was done on ZeroShell version 3.3.2, which is the most recent version at the time of writing.

1) Open the firewall menu from the web GUI

“SECURITY” -> “FIREWALL”

2) Add a new rule to the “FORWARD” chain.

(Screenshot: ZeroShell new firewall rule)

3) Configure the HTTPS blocking rule in the “Rule Config” sub-window.

The following parameters are important.

Input :- ETH03 (my LAN port; change this according to your environment)
Source IP :- the IP or range of IPs this rule is going to apply to
Protocol Matching :- TCP
Dest. port :- 443 (HTTPS port)
IPTABLES Parameters :- -m string --algo kmp --string facebook.com (the most important configuration)
ACTION :- DROP

(Screenshot: ZeroShell iptables rule)

4) Make sure you have ticked “Active” for the above rule.

This method works perfectly for any HTTPS-enabled web site.

Jul 07

How to connect PHP code in Linux to MSSQL Server using Freetds

Have you ever tried to connect to MSSQL through PHP? If you are looking for a way, this would be the most effective way of doing it.
These steps were done on CentOS by compiling FreeTDS and PHP from source. So let's look at how to connect PHP code on Linux to an MSSQL server using FreeTDS.

1) Download the latest stable FreeTDS version.

wget ftp://ftp.freetds.org/pub/freetds/stable/freetds-0.95.tar.gz (stable version at the moment)

2) Compile FreeTDS with the following configuration.

./configure --enable-msdblib --enable-sybase-compat --prefix=/usr/local/freetds --with-tdsver=7.3

Then execute 'make' and 'make install'.

3) Add "/usr/local/freetds/bin" to the ~/.bash_profile file

ex:- PATH=$PATH:$HOME/bin:/usr/local/freetds/bin
When the above step is finished, the tsql command should work at the command prompt, so let's check the tsql compatibility using the following command.

[root@WEB_SERVER]# tsql -C
Compile-time settings (established with the "configure" script)
Version: freetds v0.95
freetds.conf directory: /usr/local/freetds/etc
MS db-lib source compatibility: yes
Sybase binary compatibility: yes
Thread safety: yes
iconv library: yes
TDS version: 7.3
iODBC: no
unixodbc: no
SSPI "trusted" logins: no
Kerberos: no
OpenSSL: no
GnuTLS: no

4) Compile PHP with the following configuration.

To integrate MSSQL with PHP, you must compile PHP with the following configure option. You can keep any other configuration you need.
--with-pdo-dblib=/usr/local/freetds

Then execute 'make' and 'make install'.

5) Restart Apache

That's all. Feel free to comment here if you have any questions!
