= Overview =
* A proxy server receives traffic from any client and acts as an intermediary to communicate with external services.
** e.g. a corporate LAN is locked down so that no traffic is allowed out directly (this prevents infected workstations from becoming spambots or DDoS bot zombies). All workstations must send traffic destined for the internet through the proxy server (this also allows aggregate caching for performance, and filtering to prevent access to certain sites).
** A "transparent proxy" pretends to be a router (the default gateway for network traffic) and so does not require additional configuration on the clients.
- Oxygen Desktop supports proxy configuration through "preferences".
- Ubuntu (OxygenVM) supports proxy too.
** The Java JVM supports proxies, but apps must be written to use it.
== Transparent Proxy ==
- host/IP: 10.10.10.205
- port: 3128
- You do '''NOT''' need to connect to QA-Proxy.
- .google.com and dropbox.com are inaccessible if the transparent proxy is working properly.
== Password Required Proxy ==
- IP 10.10.10.206 (popup NCSA Auth requires username and password)
- port: 3128
- Username: theUser
- Password: thePassword
=== WIFI ===
- SSID: QA-Proxy (password leapfile1!)
** OLD user password ubuntu/internal1 ?
== OxygenVM - ubuntu server JAVA with proxy ==
sudo vi /etc/java-6-sun/net.properties
https.proxyHost=10.10.10.206
https.proxyPort=443
https.nonProxyHosts=localhost|127.0.0.1
https.proxyUser=qauser1
https.proxyPassword=leapfile1!
For just the OS, check the current configuration with:
cat /etc/environment
env
Manually add the configuration as required:
export http_proxy="http://10.10.10.205:3128"
export https_proxy="http://10.10.10.205:3128"
export ftp_proxy="ftp://110.10.10.205:8080"
PASSWORD REQUIRED PROXY:
export http_proxy="http://username:password@10.10.10.205:8080"
To make it permanent, append the settings above to /etc/profile for all users (sudo vi /etc/profile) or to ~/.bashrc for just one user. Note that credentials placed in http_proxy this way are readable by every process that inherits the environment, and in /etc/profile by every local user.
=== IPTABLES ===
To properly test the OxygenVM with the proxy you must apply the following iptables rules (each is inserted at position 1, so the rules added last are evaluated first):
# DEBUG BLOCK ALL (force Proxy usage)
/sbin/iptables -I INPUT 1 -p tcp -s 10.10.10.1 -j DROP
/sbin/iptables -I OUTPUT 1 -p tcp -d 10.10.10.1 -j DROP
# DEBUG ALLOW ALL TO PROXY
/sbin/iptables -I INPUT 1 -p tcp -s 10.10.10.205 -j ACCEPT
/sbin/iptables -I OUTPUT 1 -p tcp -d 10.10.10.205 -j ACCEPT
# DEBUG SSH
/sbin/iptables -I INPUT 1 -p tcp -s 0/0 --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -I OUTPUT 1 -p tcp -s 0/0 --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
= Wireless access to the Test Proxy =
- Turn on your wireless antenna
- Disconnect any plugged-in network cables.
- Hop on QA-Proxy wireless, password is: leapfile1!
- Set proxy to 10.10.10.206, port: 3128
- Username: qauser1 / password: leapfile1
- You will not have ANY internet connectivity until you input the proxy settings (if you do, then you may have forgotten the second step above).
- Test this out by attempting to access an external site from your internet browser. Once you enter your proxy settings into your browser, internet access should resume.
** Don't forget that even though you have internet connectivity via your browser, you still need to enter the proxy settings for Oxygen in order to get Oxygen to work.
- Squid Proxy v3.0
= OLD Windows System wide configuration =
- Right click My Computer, then click Properties.
- Select the Advanced tab, then click the Environment Variables button near the bottom.
- On the top window click New.
- Variable name should be: https_proxy
- Variable value should be: http://username:password@proxyserver:port
- Configure your Proxy settings by going to the launcher app menu and selecting Change Settings.
- Set the proxy to 10.10.10.205 port 3128 (test in IE; if you are able to browse with IE through that proxy, it's OK).
= Squid Proxy 3 Setup/Config =
Edit /etc/squid3/squid.conf
- If the setup requires username and password, create a username/password:
htpasswd /etc/squid3/passwd user1
(use htpasswd -c the first time to create the file; you will be prompted to enter the new password)
- Make sure squid can read the passwd file:
chmod o+r /etc/squid3/passwd
(this makes the hashed password file readable by every local user; a tighter alternative is to make it owned by root and the group squid runs as, proxy on Debian/Ubuntu, with mode 640)
- Locate the ncsa_auth authentication helper:
dpkg -L squid | grep ncsa_auth
(result: /usr/lib/squid3/ncsa_auth)
- Configure ncsa_auth for squid proxy authentication:
vi /etc/squid/squid.conf
# the order of the statements is important
auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 8 hours
auth_param basic casesensitive off
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl SSL method CONNECT
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid3/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
icp_port 3130
coredump_dir /var/spool/squid3
Note on the order: http_access rules are evaluated top to bottom and the first match wins, so with http_access allow ncsa_users placed above the deny !Safe_ports and deny CONNECT !SSL_ports lines, an authenticated user is allowed before those port restrictions are checked; move the allow ncsa_users line below the deny lines (just above deny all) to keep them effective.
- Transparent Set Up
acl lan1 src 10.10.10.0/255.255.255.0 # may not be necessary
acl lan2 src 192.168.1.0/255.255.255.0 # may not be necessary
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl SSL method CONNECT
acl blocklist dstdomain .dropbox.com # If using the browser you should not be able to access dropbox
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
icp_access deny all
http_access deny blocklist
http_access allow lan1
http_access allow lan2
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid3/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
icp_port 3130
coredump_dir /var/spool/squid3
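Because the first matching http_access line wins, the order of those rules decides whether the Safe_ports and SSL_ports restrictions ever apply. The script below is an added example (not part of this wiki page or of Squid) that checks that ordering with awk; the two embedded configs are constructed copies of the http_access order of the password-required config and of the transparent config above.

```shell
#!/bin/sh
# Squid stops at the first matching http_access line, so an "allow" for a broad
# acl placed before "deny !Safe_ports" / "deny CONNECT !SSL_ports" lets that acl
# reach any port. Returns 0 when both port denies precede every broad allow,
# 1 otherwise (manager/localhost allows are narrow and ignored).
check_access_order() {
    awk '$1 == "http_access" {
            n++
            if ($2 == "deny" && ($3 == "!Safe_ports" || ($3 == "CONNECT" && $4 == "!SSL_ports"))) {
                if (!deny_at) deny_at = n
            } else if ($2 == "allow" && $3 != "manager" && $3 != "localhost") {
                if (!allow_at) allow_at = n
            }
        }
        END { if (allow_at && (!deny_at || allow_at < deny_at)) exit 1; exit 0 }' "$1"
}
# Constructed sample: http_access order of the password-required config above.
write_auth_order() {
    cat > "$1" <<'EOF'
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
http_access allow manager localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
EOF
}
# Constructed sample: http_access order of the transparent config above.
write_transparent_order() {
    cat > "$1" <<'EOF'
acl lan1 src 10.10.10.0/255.255.255.0
http_access allow manager localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny blocklist
http_access allow lan1
EOF
}
tmp=$(mktemp -d)
write_auth_order "$tmp/auth.conf"
write_transparent_order "$tmp/transparent.conf"
for f in auth transparent; do
    if check_access_order "$tmp/$f.conf"; then
        echo "$f.conf: port denies precede the broad allow (ok)"
    else
        echo "$f.conf: a broad allow precedes deny !Safe_ports (port limits bypassed)"
    fi
done
rm -rf "$tmp"
```

Run it against a real /etc/squid3/squid.conf with check_access_order /etc/squid3/squid.conf to see whether the port restrictions are reachable for authenticated or LAN clients.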
=== IPTABLES ===
Port forwarding to a specific LAN IP:
iptables -t nat -I PREROUTING -d 192.168.1.1 -j DNAT --to 10.10.10.206  # This pushes ALL TRAFFIC from the router to the Proxy
#!/bin/sh
PROXY_IP=10.10.10.206
PROXY_PORT=3128
LAN_IP=`nvram get lan_ipaddr`
LAN_NET=$LAN_IP/`nvram get lan_netmask`
iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_IP -p tcp --dport 80 -j DNAT --to $PROXY_IP:$PROXY_PORT
iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j SNAT --to $LAN_IP
iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT
iptables -t nat -A INPUT -i br0 -s 192.168.1.1/255.255.255.0 -d 10.10.10.206 -p tcp --dport 80 -j ACCEPT
# drop any remaining port-80 traffic from the LAN that is not headed for the proxy
iptables -t nat -A PREROUTING -i br0 -s 192.168.1.1/255.255.255.0 -d 10.10.10.1/255.255.255.0 -p tcp --dport 80 -j DROP
Useful commands:
iptables -t nat -nvL --line-numbers | more   # numbered list of nat rules
iptables -t nat -D POSTROUTING 4             # delete rule number 4 in the listed chain
''BEWARE of PRE,POST ROUTING'' (rule numbers are per chain).
Normally a standalone Squid proxy needs iptables on the proxy host to redirect port 80 to 3128, BUT if you're using dd-wrt with iptables, your traffic is already altered at the dd-wrt device before being forwarded, SO SQUID NEEDS TO BE CONFIGURED with:
http_port 192.168.0.1:3128 transparent
CANNOT USE TRANSPARENT WHEN LOGIN REQUIRED (Squid cannot challenge for proxy credentials on intercepted connections, because the browser does not know it is talking to a proxy).
In this example, the IP address that Squid is set to listen on is 192.168.0.1 using port number 3128, and your firewall rules are already set up to transparently intercept port 80 and forward it to this port.
#!/bin/sh
PROXY_IP=10.10.10.206
PROXY_PORT=3128
LAN_IP=`nvram get lan_ipaddr`
LAN_NET=$LAN_IP/`nvram get lan_netmask`
iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp --dport 443 -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_IP -p tcp --dport 443 -j DNAT --to $PROXY_IP:$PROXY_PORT
iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j SNAT --to $LAN_IP
iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT
Note that DNATing port 443 to the plain transparent http_port above delivers raw TLS bytes to Squid, which it cannot parse as HTTP; intercepting HTTPS requires Squid's SSL bump feature on an https_port, which is a different configuration not covered here.
iptables -t nat -I PREROUTING 1 -i br0 -s 192.168.1.1/255.255.255.0 -p tcp --dport 80 -j DROP
iptables -t nat -nvL --line-numbers | more
iptables -t nat -D PREROUTING 1
iptables -t nat -nvL --line-numbers | more
iptables -t nat -I PREROUTING 1 -i br0 -s 192.168.1.1/255.255.255.0 -p tcp --dport 443 -j DROP
iptables -t nat -I PREROUTING 1 -i br0 -s 192.168.1.1/255.255.255.0 -d 10.10.10.206/255.255.255.255 -p tcp --dport 443 -j ACCEPT
iptables -t nat -I PREROUTING 1 -i br0 -s 192.168.1.1/255.255.255.0 -d 10.10.10.206 -j ACCEPT