I'm trying to access HTTPS sites through a Squid 3.1.14 proxy on an Ubuntu server, but I can't and don't know why. Here is my `squid -v` output:
Squid Cache: Version 3.1.14
configure options: '--build=i686-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--with-cppunit-basedir=/usr' '--enable-inline' '--enable-ssl' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM' '--enable-ntlm-auth-helpers=smb_lm,' '--enable-digest-auth-helpers=ldap,password' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--enable-arp-acl' '--enable-esi' '--enable-zph-qos' '--disable-translation' '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' 'build_alias=i686-linux-gnu' 'CFLAGS=-g -O2 -g -O2 -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS=' 'CXXFLAGS=-g -O2 -g -O2 -Wall' --with-squid=/etc/squid3/squid3-3.1.14
And Here is my squid.conf:
# squid.conf (question). Review comments added; every directive is unchanged.
http_port 3124
cache_mem 256 MB
maximum_object_size_in_memory 10 MB
maximum_object_size 100 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
cache_dir diskd /cache/squid1 5000 16 256
cache_dir diskd /cache/squid2 5000 16 256
cache_dir diskd /cache/squid3 5000 16 256
cache_dir diskd /cache/squid4 5000 16 256
cache_dir diskd /cache/squid5 5000 16 256
cache_dir diskd /cache/squid6 5000 16 256
cache_dir diskd /cache/squid7 5000 16 256
access_log /var/log/squid3/access.log squid
# Upstream parent, listening on the same port number as this proxy. `default`
# marks it as the fallback parent; `login=PASS` forwards whatever
# Proxy-Authorization header the client sent on to the parent (no proxy_auth
# ACL exists here, so normally nothing). Since plain HTTP works and only HTTPS
# fails, the first thing to check is how the CONNECT requests are handled:
# look in access.log for the CONNECT lines, whether they went FIRSTUP_PARENT
# or DIRECT, and what status came back - a parent that refuses CONNECT would
# produce exactly this symptom.
cache_peer x.x.x.x parent 3124 0 no-query login=PASS default no-digest
memory_replacement_policy lru
cache_replacement_policy lru
cache_store_log /var/log/squid3/store.log
emulate_httpd_log on
cache_log /var/log/squid3/cache.log
# ALL,2 is verbose for a production proxy; level 1 is the usual setting.
# Useful while debugging the CONNECT problem, though.
debug_options ALL,2
coredump_dir /var/spool/squid3
minimum_expiry_time 120 seconds
# Shown to users on error pages (presumably an obfuscated e-mail address).
cache_mgr nutel.rn#dprf.gov.br
# The package was built with --with-default-user=proxy; the user and group
# named here must exist and own the cache_dir and log directories.
cache_effective_user squid
cache_effective_group squid
# A weak, guessable password that unlocks every cachemgr action (including
# shutdown). Use a strong secret; the manager ACL below already limits access
# to localhost, which is good.
cachemgr_passwd 1234567890 all
# Aggressive caching. override-expire / ignore-no-cache / ignore-no-store /
# ignore-private make Squid store and re-serve responses the origin marked as
# uncacheable or user-specific; on a shared proxy that can hand one user's
# private (e.g. logged-in) page to another user. Note also that anchors such
# as `com$`, `br$` and `[0-9]+$` match any URL ending in those characters, not
# just those domains or file types.
refresh_pattern -i ([^.]+.|)jre-6u31-linux-i586\.bin 1440 50% 9999 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i exe$ 1440 50% 9999 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i com$ 1440 50% 9999 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i br$ 1440 50% 9999 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i [0-9]+$ 1440 50% 9999 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i AutoDL?BundleId=59620$ 1440 50% 9999 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i htm$ 1440 50% 9999 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i php$ 1440 50% 9999 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i html$ 1440 50% 9999 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i asp$ 1440 50% 9999 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i zip$ 0 50% 999999 ignore-reload override-lastmod override-expire reload-into-ims
refresh_pattern -i \.(mp3|mp4|m4a|ogg|mov|avi|wmv)$ 10080 90% 999999 ignore-no-cache override-expire ignore-private
refresh_pattern -i flv$ 0 50% 999999 ignore-reload override-lastmod override-expire reload-into-ims
refresh_pattern -i swf$ 0 50% 999999 ignore-reload override-lastmod override-expire reload-into-ims
refresh_pattern -i cab$ 0 50% 999999 ignore-reload override-lastmod override-expire reload-into-ims
refresh_pattern -i rar$ 0 50% 999999 ignore-reload override-lastmod override-expire reload-into-ims
refresh_pattern ^http:// 30 40% 20160
refresh_pattern ^ftp:// 30 50% 20160
refresh_pattern ^gopher:// 30 40% 20160
refresh_pattern . 1440 100% 1440 ignore-reload override-lastmod override-expire reload-into-ims
# ACL definitions. The CONNECT handling below (deny CONNECT to anything but
# SSL_ports) is the standard, correct setup for tunnelling HTTPS, so the
# ACLs themselves are not what blocks HTTPS.
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl SSL_ports port 443 563
# Defined but never referenced by any http_access rule.
acl cacic_ports port 20 21 22 3306 # cacic
# Port 23 (telnet) is not in Squid's default Safe_ports list; presumably
# intentional, but it lets clients proxy HTTP requests to telnet daemons.
acl Safe_ports port 80 23 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl purge method PURGE
acl CONNECT method CONNECT
# http_access rules are evaluated top to bottom; the first match wins.
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#Cache videos youtube
acl youtube dstdomain .youtube.com
cache allow youtube
# Set the address range of your internal network here.
acl redelocal src x.x.x.x/24
cache allow redelocal
http_access allow redelocal
http_access allow localhost
http_access deny all
I've tried Gmail, Facebook and others: no site that uses HTTPS opens, while every plain-HTTP site opens perfectly.
What am I doing wrong?
Thanks for the help!!!
Everybody who has played with Squid on Ubuntu has probably run into this problem.
This explanation does not match the question, though: the `squid -v` output above shows the package was built with `--enable-ssl`, and forwarding HTTPS through a proxy does not require SSL support at all. Browsers send a `CONNECT host:443` request and Squid only tunnels the encrypted bytes; the config's `http_access deny CONNECT !SSL_ports` already permits that for 443 and 563. `--enable-ssl` only matters for SSL-bump interception or an `https_port`. Look instead at access.log and cache.log for what happens to the CONNECT requests - for example whether they are being sent to the `cache_peer` parent and what status it returns.
Refer This
How can I set up HAProxy to send layer-7 requests (by domain name) to the right backend (ports 80 and 443)?
Here is an example from my test haproxy config file:
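# Frontend on both ports. `hdr(host)` is only evaluated in `mode http` (set
# here or in a `defaults` section); in HAProxy's default tcp mode the ACL
# never matches. A plain `bind :443` without `ssl crt` also receives TLS
# records, so the Host header is not readable on 443 unless TLS is
# terminated by HAProxy.
frontend example.com
    bind :80,:443
    acl ACL_example.com hdr(host) -i example.com www.example.com
    # use_backend rules are tried top to bottom and the first match wins.
    # The port-443 rule must come first: with the Host rule listed first,
    # requests arriving on :443 that matched the Host ACL were also sent
    # to example_80.
    use_backend example_443 if { dst_port 443 }
    use_backend example_80 if ACL_example.com
backend example_80
    balance roundrobin
    server 001xx000x017 10.1.0.17:80 check
backend example_443
    balance roundrobin
    server 001xx000x017 10.1.0.17:443 check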
In advance, many thanks for the help.
I figured it out, this is the layout of the actual config file for haproxy that works now:
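# Plain-HTTP frontend: one Host ACL per site, then one use_backend per ACL.
# `hdr(host)` requires `mode http` (here or in `defaults`). Editor gutter
# numbers have been stripped from the listing, and the duplicate
# ACL_example_com definition removed (duplicate acl lines are merged by
# HAProxy, so it was redundant rather than wrong).
frontend http_80
    bind :80

    # example.com
    acl ACL_example_com hdr(host) -i example.com www.example.com

    # sc.example.com
    acl ACL_sc_example_com hdr(host) -i sc.example.com www.sc.example.com

    # 001x.example.com
    acl ACL_001x_example_com hdr(host) -i 001x.example.com www.001x.example.com

    # 001x01dns.example.com
    acl ACL_001x01dns_example_com hdr(host) -i 001x01dns.example.com www.001x01dns.example.com

    # example.tech
    acl ACL_example_tech hdr(host) -i example.tech www.example.tech

    # First matching use_backend wins; one line per site.
    use_backend example_80 if ACL_example_com
    use_backend sc_example_80 if ACL_sc_example_com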
ETC...
The same layout is used for port 443. Note that `hdr(host)` can only be evaluated on :443 if HAProxy terminates TLS there (`bind :443 ssl crt ...` in `mode http`); on a plain TCP pass-through the Host header is inside the encrypted stream, and routing would have to use `req.ssl_sni` in `mode tcp` instead. Works perfectly now :)
I have setup a pxeboot which basically works fine. I can run any configured linux image.
Then I enabled the firewall and opened UDP port 69 for TFTP (the rule appears twice in the listing, which is harmless):
~# iptables -L |grep tftp
ACCEPT udp -- anywhere anywhere udp dpt:tftp
ACCEPT udp -- anywhere anywhere udp dpt:tftp
~# netstat -tulp|grep tftp
udp 0 0 0.0.0.0:tftp 0.0.0.0:* 15869/in.tftpd
udp6 0 0 [::]:tftp [::]:* 15869/in.tftpd
~# cat /etc/services|grep tftp
tftp 69/udp
and now I get a timeout when pxeboot is pulling tftp://192.168.0.220/images/pxelinux.0 (rc = 4c126035).
`anywhere` is acceptable here for now, as a separate firewall between the PXE server and the router blocks everything unwanted from/to the WAN; still, restricting the source to the PXE subnet costs nothing.
The funny part is that tcpdump shows that the request is incoming on the pxeboot server:
~# tcpdump port 69
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp5s0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:00:47.062723 IP 192.168.0.136.1024 > mittelerde.tftp: 47 RRQ "images/pxelinux.0" octet blksize 1432 tsize 0
14:00:47.415412 IP 192.168.0.136.1024 > mittelerde.tftp: 47 RRQ "images/pxelinux.0" octet blksize 1432 tsize 0
14:00:48.184506 IP 192.168.0.136.1024 > mittelerde.tftp: 47 RRQ "images/pxelinux.0" octet blksize 1432 tsize 0
14:00:49.722630 IP 192.168.0.136.1024 > mittelerde.tftp: 47 RRQ "images/pxelinux.0" octet blksize 1432 tsize 0
14:00:52.798136 IP 192.168.0.136.1024 > mittelerde.tftp: 47 RRQ "images/pxelinux.0" octet blksize 1432 tsize 0
Once I stop the firewall service pxeboot works fine again. Of course the conntrack module is loaded:
~# lsmod|grep conntrack
nf_conntrack_tftp 16384 0
nf_conntrack_ftp 20480 0
xt_conntrack 16384 4
nf_conntrack_ipv4 16384 20
nf_defrag_ipv4 16384 1 nf_conntrack_ipv4
nf_conntrack 131072 9 xt_conntrack,nf_nat_masquerade_ipv4,nf_conntrack_ipv4,nf_nat,nf_conntrack_tftp,ipt_MASQUERADE,nf_nat_ipv4,xt_nat,nf_conntrack_ftp
libcrc32c 16384 2 nf_conntrack,nf_nat
x_tables 40960 8 xt_conntrack,iptable_filter,xt_multiport,xt_tcpudp,ipt_MASQUERADE,xt_nat,xt_comment,ip_tables
What I am missing here?
Problem solved. The RRQ to port 69 is only the first packet: tftpd-hpa answers from a freshly chosen ephemeral source port (the transfer ID) and the client's acknowledgements are sent to that port, so the firewall also has to accept inbound UDP on that range (49152:49182 here, presumably tftpd-hpa's --port-range). The loaded `nf_conntrack_tftp` helper would normally relate those packets to the port-69 flow, but on kernels since 4.7 helpers are no longer attached automatically (the use count of 0 in the lsmod output is consistent with that); assigning it with `iptables -t raw -A PREROUTING -p udp --dport 69 -j CT --helper tftp` and accepting `-m conntrack --ctstate RELATED,ESTABLISHED` is the narrower alternative to opening the whole range. For tftpd-hpa the following UDP ports must be open as well:
1024
49152:49182
I have a problem with streaming with ffserver. After I start ffserver and desktop-capture, everything seems to work fine.
Then I open the browser and access the output(http://localhost:8090/test1.mpeg). It
plays fine for 6-7 seconds then it stops and I have to refresh the page to get it work again. Does anyone know why that happens and how I can correct it?
Here is my ffserver.conf
# ffserver.conf (question). Review comments added; directives unchanged.
HTTPPort 8090
# Listens on every interface. The <Stream> section below carries no ACL, so
# any host that can reach port 8090 can watch the desktop capture; bind to
# 127.0.0.1 or add `ACL allow` lines to the stream if that is not intended.
HTTPBindAddress 0.0.0.0
MaxHTTPConnections 2000
MaxClients 1000
MaxBandwidth 40000
CustomLog -
<Feed feed1.ffm>
# Feed buffer under /tmp: a predictable path in a world-writable directory.
# A dedicated spool directory owned by the ffserver user is safer.
File /tmp/feed1.ffm
FileMaxSize 10000K
# Hosts allowed to push into the feed. The address-range form covers all of
# 192.168.0.0/16, i.e. any LAN host may overwrite what is being streamed.
ACL allow 127.0.0.1
ACL allow localhost
ACL allow 192.168.0.0 192.168.255.255
</Feed>
<Stream test1.mpeg>
Feed feed1.ffm
Format mpeg
# Audio settings are presumably ignored while NoAudio is set below.
AudioBitRate 32
AudioChannels 1
AudioSampleRate 44100
# The answer below identifies this value as the cause of the stall for a
# 1280x1024, 30 fps MPEG-1 stream and raises it to 3000.
VideoBitRate 300
VideoFrameRate 30
VideoSize 1280x1024
VideoCodec mpeg1video
AudioCodec libvorbis
NoAudio
StartSendOnKey
</Stream>
my desktop-capture:
ffmpeg -f x11grab -r 40 -s 800x600 -framerate 50 -i :0.0+4,529 -map 0 -codec:v mpeg1video -codec:a libvorbis http://localhost:8090/feed1.ffm
The problem was that VideoBitRate was too low for a 1280x1024, 30 fps MPEG-1 stream. I changed it to 3000 and now it runs without problems.
now my ffserver.conf looks like this:
# ffserver.conf (answer): identical to the question's file except for the
# bitrate values. Review comments added; directives unchanged.
HTTPPort 8090
# Still bound to all interfaces with no ACL on the <Stream> section, so the
# stream is viewable by anyone who can reach port 8090.
HTTPBindAddress 0.0.0.0
MaxHTTPConnections 2000
MaxClients 1000
MaxBandwidth 40000
CustomLog -
<Feed feed1.ffm>
# Predictable path in world-writable /tmp; a dedicated spool directory is safer.
File /tmp/feed1.ffm
FileMaxSize 10000K
# Any host in 192.168.0.0/16 may push into the feed.
ACL allow 127.0.0.1
ACL allow localhost
ACL allow 192.168.0.0 192.168.255.255
</Feed>
<Stream test1.mpeg>
Feed feed1.ffm
Format mpeg
# Presumably ignored while NoAudio is set below.
AudioBitRate 50
AudioChannels 1
AudioSampleRate 44100
# Bitrate for the video stream - raised from 300 to 3000, which is the fix
# described above.
VideoBitRate 3000
VideoFrameRate 30
VideoSize 1280x1024
VideoCodec mpeg1video
AudioCodec libvorbis
NoAudio
StartSendOnKey
</Stream>
I need a little help.
My rc.conf:
# /etc/rc.conf (question): natd-based NAT gateway.
#
# Interfaces: xl0 faces the outside world and carries the public /24 plus
# four /32 aliases; re0 and re1 are bundled into lagg0 for the 172.27/16 LAN.
ifconfig_xl0="inet 74.92.224.225 netmask 255.255.255.0"
ifconfig_xl0_alias0="inet 74.92.224.227 netmask 255.255.255.255"
ifconfig_xl0_alias1="inet 74.92.224.226 netmask 255.255.255.255"
ifconfig_xl0_alias2="inet 74.92.224.228 netmask 255.255.255.255"
ifconfig_xl0_alias3="inet 74.92.224.229 netmask 255.255.255.255"
ifconfig_re0="up"
ifconfig_re1="up"
cloned_interfaces="lagg0"
ifconfig_lagg0="laggproto loadbalance laggport re0 laggport re1 172.27.240.33 netmask 255.255.0.0"

# IP forwarding plus NAT through natd(8). The interface is named both here
# and in /etc/natd.conf; the -f file is where redirect_address lives.
gateway_enable="YES"
natd_enable="YES"
natd_interface="xl0"
natd_flags="-f /etc/natd.conf"

# ipfw. A filename in firewall_type makes rc.firewall load the rules from
# that file (one ipfw command per line, without the leading `ipfw`).
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"
firewall_client_net="172.27.0.0:255.255.0.0"
firewall_logging="YES"
My natd.conf:
interface xl0
use_sockets yes
same_ports yes
redirect_address 172.27.240.44 74.92.224.227
My ipfw.rules:
# /etc/ipfw.rules (question): loaded through firewall_type, so each line is an
# ipfw command without the leading `ipfw`.
# Everything crossing xl0 is diverted to natd before any filtering, so inbound
# packets are already translated when the deny rules below see them.
add 50 divert natd log ip4 from any to any via xl0
# LAN-to-LAN traffic on the lagg address.
add 2000 pass all from 172.27.0.0:255.255.0.0 to 172.27.0.0:255.255.0.0 via 172.27.240.33
# Block and log telnet (23), portmapper (111) and ports 221/222 in both
# directions. These are the only restrictions: with rule 5000 as catch-all
# this is a default-allow firewall.
add 2040 deny log all from any 23 to any
add 2050 deny log all from any to any 23
add 2060 deny log all from any 111 to any
add 2070 deny log all from any to any 111
add 2080 deny log all from any 221 to any
add 2090 deny log all from any to any 221
add 2100 deny log all from any 222 to any
add 2110 deny log all from any to any 222
add 5000 pass all from any to any
Everything works fine except that traffic coming in to 74.92.224.227 does not reach 172.27.240.44: it arrives at the gateway but is not forwarded on to the LAN host.
thx Thanks in advance.
Don
As I understand you clear, you want to NAT all packets that are coming from 172.27.240.44 to 74.92.224.227?
I am not convinced the ipfw rules file does what you expect (the `addr:mask` form and `pass` are accepted by ipfw(8), so it is not a syntax problem as such), and a natd divert setup is harder to debug than in-kernel NAT.
I would rather use ipfw kernel nat:
rc.conf (remember to disable checksum offload, TSO and LRO on the interfaces: libalias, which backs `ipfw nat`, does not currently handle these options correctly):
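# /etc/rc.conf (answer): in-kernel NAT variant, no natd.
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_nat_enable="YES"
firewall_logging="YES"

# Disable hardware checksum offload, TSO and LRO on every interface: as noted
# above, libalias (the engine behind ipfw nat) does not handle them correctly.
ifconfig_re0="up -rxcsum -txcsum -tso -lro"
ifconfig_re1="up -rxcsum -txcsum -tso -lro"

# External interface. rc.conf is sourced as a shell script, so a variable may
# only be assigned once: the original listed ifconfig_xl0 twice and the second
# assignment silently replaced the first, leaving xl0 with offload still
# enabled. Address and offload flags now live in a single assignment.
ifconfig_xl0="inet 74.92.224.225 netmask 255.255.255.0 -rxcsum -txcsum -tso -lro"
ifconfig_xl0_alias0="inet 74.92.224.227 netmask 255.255.255.255"
ifconfig_xl0_alias1="inet 74.92.224.226 netmask 255.255.255.255"
ifconfig_xl0_alias2="inet 74.92.224.228 netmask 255.255.255.255"
ifconfig_xl0_alias3="inet 74.92.224.229 netmask 255.255.255.255"

# LAN side: re0 + re1 aggregated into lagg0 carrying 172.27.240.33/16.
cloned_interfaces="lagg0"
ifconfig_lagg0="laggproto loadbalance laggport re0 laggport re1 172.27.240.33 netmask 255.255.0.0"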
/etc/ipfw.rules:
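#!/bin/sh -
# /etc/ipfw.rules: ipfw ruleset with in-kernel NAT (firewall_script in rc.conf).
# Publishes 172.27.240.44 on the alias 74.92.224.227 in both directions.
fwcmd="/sbin/ipfw"

# Start from a clean state: rules, tables, pipes and queues.
${fwcmd} -q -f flush
${fwcmd} -q table all flush
${fwcmd} -q pipe flush all
${fwcmd} -q queue flush all

# NAT instance 1. `redirect_addr` (the ipfw nat equivalent of natd's
# `redirect_address`) is what makes new inbound connections for
# 74.92.224.227 reach 172.27.240.44; the original config had none, so nothing
# could be delivered to the LAN host. `deny_in` is deliberately not set: per
# ipfw(8) it denies incoming connections from outside, which is the opposite
# of what this host is for. If the other aliases should stay one-way, prefer
# per-service `redirect_port` entries over opening deny_in.
${fwcmd} nat 1 config ip 74.92.224.227 same_ports reset \
    redirect_addr 172.27.240.44 74.92.224.227

# Pass loopback traffic
${fwcmd} add 101 allow all from any to any via lo0

# Apply NAT on the external interface. The `nat` action takes the instance
# number as its first argument; the original `nat ip from ...` omitted it
# and does not parse.
${fwcmd} add 201 nat 1 ip from 172.27.240.44 to any out xmit xl0
${fwcmd} add 202 nat 1 ip from any to 74.92.224.227 in recv xl0

# Internal traffic. The LAN address is configured on lagg0 (see rc.conf), so
# match on the aggregate interface rather than on one of its member ports,
# where these packets are unlikely to be seen by ipfw.
${fwcmd} add 301 allow all from 172.27.0.0/16 to 172.27.0.0/16 via lagg0

# Block and log telnet (23), portmapper (111) and ports 221/222 in both
# directions. Everything else falls through to rule 5000 (default allow),
# matching the stance of the original ruleset.
${fwcmd} add 2040 deny log all from any 23 to any
${fwcmd} add 2050 deny log all from any to any 23
${fwcmd} add 2060 deny log all from any 111 to any
${fwcmd} add 2070 deny log all from any to any 111
${fwcmd} add 2080 deny log all from any 221 to any
${fwcmd} add 2090 deny log all from any to any 221
${fwcmd} add 2100 deny log all from any 222 to any
${fwcmd} add 2110 deny log all from any to any 222
${fwcmd} add 5000 allow all from any to any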
Rule 201 translates packets leaving xl0 from 172.27.240.44 so they carry the source 74.92.224.227, and rule 202 hands packets arriving on xl0 for 74.92.224.227 back to the NAT instance for reverse translation. For new inbound connections to reach 172.27.240.44 the instance must also carry a `redirect_addr 172.27.240.44 74.92.224.227` entry (the equivalent of natd's `redirect_address`), and `deny_in` must not be set, since it rejects connections initiated from outside.
I am currently testing the Snort IDS for a project, I followed the Snort 2.9.5.3 installation guide. I am having an issue to correctly configure http_inspect so that it alerts to traffic.
The (virtual) network Snort is monitoring consists of it, an Ubuntu machine running DVWA (192.168.9.30) and a Kali Linux VM (192.168.9.20). I have created a local rule for any packet's contents of /etc/passwd. This rule has detected fragmented packets sent from the Kali VM to the DVWA VM (using file inclusion)
I believe I have configured http_inspect to generate alerts for URL encoding, multiple slashes and self-referencing directories (see below). After running the evasion methods I check Snort's terminal output and it shows that the preprocessor did detect the use of these methods, but no alert is generated.
snort.conf
# HTTP normalization and anomaly detection. For more information, see README.http_inspect
# NOTE(review): the events http_inspect raises for the evasions enabled below
# (URL encoding, multiple slashes, directory traversal, double decoding) are
# preprocessor rules under GID 119. In Snort 2.9 those do not fire unless the
# configuration includes $PREPROC_RULE_PATH/preprocessor.rules (or sets
# `config autogenerate_preprocessor_decoder_rules`); "detected in the
# statistics but no alert" is the usual symptom - confirm that include exists.
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
# Default server profile, applied to every port in the `ports` list.
# `u_encode yes`, `multi_slash yes`, `directory yes` and `double_decode yes`
# make the preprocessor normalize those forms; the normalized URI is what
# `uricontent` (or `content ...; http_uri;`) matches against, whereas a plain
# `content` match inspects the raw payload. No comment lines may be placed
# inside the backslash-continued directive below.
preprocessor http_inspect_server: server default \
http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
chunk_length 500000 \
server_flow_depth 0 \
client_flow_depth 0 \
post_depth 65495 \
oversize_dir_length 500 \
max_header_length 750 \
max_headers 100 \
max_spaces 200 \
small_chunk_length { 10 5 } \
ports { 36 80 81 82 83 84 85 86 87 88 89 90 311 383 591 593 631 801 818 901 972 1158 1220 1414 1533 1741 1830 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6988 7000 7001 7144 7145 7510 7770 7777 7779 8000 8008 8014 8028 8080 8082 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8500 8509 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 10000 11371 12601 34443 34444 41080 50000 50002 55252 55555 } \
non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
enable_cookie \
extended_response_inspection \
inspect_gzip \
normalize_utf \
unlimited_decompress \
normalize_javascript \
apache_whitespace no \
ascii yes \
bare_byte no \
directory yes \
double_decode yes \
iis_backslash no \
iis_delimiter no \
iis_unicode no \
multi_slash yes \
utf_8 yes \
u_encode yes \
webroot no
Local rule
# Matches the literal string anywhere in the raw payload of an established
# client->server TCP packet to 192.168.9.30:80. `content` without an http_*
# modifier is evaluated on the raw payload, so a URL-encoded (%2Fetc%2Fpasswd)
# or multi-slash-obfuscated request never contains the literal; `uricontent`
# (or `content:"/etc/passwd"; nocase; http_uri;` in 2.9 syntax) matches the
# URI buffer http_inspect has already normalized - the change the answer makes.
alert tcp any any -> 192.168.9.30 80 (msg:"Potential File Inclusion of /etc/passwd"; flow:to_server,established; classtype:attempted-recon; content:"/etc/passwd"; nocase; sid:1122; rev:1;)
Found the answer, more by luck than design. The fix was in the rule rather than in snort.conf: `content` had to be changed to `uricontent` (equivalently `content:"/etc/passwd"; nocase; http_uri;` in 2.9 rule syntax). `content` on its own searches the raw packet payload, so an encoded or multi-slash-obfuscated URI never contains the literal `/etc/passwd`; `uricontent` is matched against the URI buffer that http_inspect has already normalized, which is what makes the evasion variants match. Note that this does not by itself enable http_inspect's own evasion alerts (GID 119); in Snort 2.9 those preprocessor rules stay disabled unless `preprocessor.rules` is included in the configuration.
Click here for more detail