Thursday, December 10, 2009
Thursday, November 12, 2009
RHEL Installing Apache2 With PHP5 And MySQL Support LAMP Server
LAMP is short for Linux, Apache, MySQL, PHP. This tutorial shows how you can install an Apache2 webserver on a Fedora 11 server with PHP5 support (mod_php) and MySQL support.
Step 1
#yum install mysql mysql-server httpd php php-mysql php-gd php-imap php-ldap php-odbc php-pear php-xml php-xmlrpc phpmyadmin
Step 2
In this tutorial I use the hostname rajat.yeswedeal.com with the IP address 192.168.1.110 These settings might differ for you, so you have to replace them where appropriate.
Then we create the system startup links for MySQL (so that MySQL starts automatically whenever the system boots) and start the MySQL server:
chkconfig --levels 235 mysqld on
/etc/init.d/mysqld start
Run
mysqladmin -u root password yourrootsqlpassword
mysqladmin -h rajat.yeswedeal.com -u root password yourrootsqlpassword
to set a password for the user root (otherwise anybody can access your MySQL database!).
Apache2 is available as a RHEL package, therefore we can install it like this:
Now configure your system to start Apache at boot time...
chkconfig --levels 235 httpd on
... and start Apache:
/etc/init.d/httpd start
Now direct your browser to http://192.168.1.110, and you should see the Apache2 placeholder
Apache's default document root is /var/www/html on Fedora, and the configuration file is /etc/httpd/conf/httpd.conf. Additional configurations are stored in the /etc/httpd/conf.d/ directory.
We must restart Apache afterwards:
/etc/init.d/httpd restart
Testing PHP5 / Getting Details About Your PHP5 Installation
The document root of the default web site is /var/www/html. We will now create a small PHP file (info.php) in that directory and call it in a browser. The file will display lots of useful details about our PHP installation, such as the installed PHP version.
vi /var/www/html/info.php
Now we call that file in a browser (e.g. http://192.168.1.110/info.php):
As you see, PHP5 is working, and it's working through the Apache 2.0 Handler, as shown in the Server API line. If you scroll further down, you will see all modules that are already enabled in PHP5. MySQL is not listed there which means we don't have MySQL support in PHP5 yet.
Now restart Apache2:
/etc/init.d/httpd restart
Now reload http://192.168.1.110/info.php in your browser and scroll down to the modules section again. You should now find lots of new modules there, including the MySQL module:
Now we configure phpMyAdmin. We change the Apache configuration so that phpMyAdmin allows connections not just from localhost (by commenting out the stanza):
vi /etc/httpd/conf.d/phpMyAdmin.conf
# phpMyAdmin - Web based MySQL browser written in php
#
# Allows only localhost by default
#
# But allowing phpMyAdmin to anyone other than localhost should be considered
# dangerous unless properly secured by SSL
Alias /phpMyAdmin /usr/share/phpMyAdmin
Alias /phpmyadmin /usr/share/phpMyAdmin
#
# order deny,allow
# deny from all
# allow from 127.0.0.1
# allow from ::1
#
# This directory does not require access over HTTP - taken from the original
# phpMyAdmin upstream tarball
#
Order Deny,Allow
Deny from All
Allow from None
# This configuration prevents mod_security at phpMyAdmin directories from
# filtering SQL etc. This may break your mod_security implementation.
#
#
#
# SecRuleInheritance Off
#
#
Restart Apache:
/etc/init.d/httpd restart
Afterwards, you can access phpMyAdmin under http://192.168.1.110/phpmyadmin/:
Step 1
#yum install mysql mysql-server httpd php php-mysql php-gd php-imap php-ldap php-odbc php-pear php-xml php-xmlrpc phpmyadmin
Step 2
In this tutorial I use the hostname rajat.yeswedeal.com with the IP address 192.168.1.110 These settings might differ for you, so you have to replace them where appropriate.
Then we create the system startup links for MySQL (so that MySQL starts automatically whenever the system boots) and start the MySQL server:
chkconfig --levels 235 mysqld on
/etc/init.d/mysqld start
Run
mysqladmin -u root password yourrootsqlpassword
mysqladmin -h rajat.yeswedeal.com -u root password yourrootsqlpassword
to set a password for the user root (otherwise anybody can access your MySQL database!).
Apache2 is available as a RHEL package, therefore we can install it like this:
Now configure your system to start Apache at boot time...
chkconfig --levels 235 httpd on
... and start Apache:
/etc/init.d/httpd start
Now direct your browser to http://192.168.1.110, and you should see the Apache2 placeholder
Apache's default document root is /var/www/html on Fedora, and the configuration file is /etc/httpd/conf/httpd.conf. Additional configurations are stored in the /etc/httpd/conf.d/ directory.
We must restart Apache afterwards:
/etc/init.d/httpd restart
Testing PHP5 / Getting Details About Your PHP5 Installation
The document root of the default web site is /var/www/html. We will now create a small PHP file (info.php) in that directory and call it in a browser. The file will display lots of useful details about our PHP installation, such as the installed PHP version.
vi /var/www/html/info.php
Now we call that file in a browser (e.g. http://192.168.1.110/info.php):
As you see, PHP5 is working, and it's working through the Apache 2.0 Handler, as shown in the Server API line. If you scroll further down, you will see all modules that are already enabled in PHP5. MySQL is not listed there which means we don't have MySQL support in PHP5 yet.
Now restart Apache2:
/etc/init.d/httpd restart
Now reload http://192.168.1.110/info.php in your browser and scroll down to the modules section again. You should now find lots of new modules there, including the MySQL module:
Now we configure phpMyAdmin. We change the Apache configuration so that phpMyAdmin allows connections not just from localhost (by commenting out the
vi /etc/httpd/conf.d/phpMyAdmin.conf
# phpMyAdmin - Web based MySQL browser written in php
#
# Allows only localhost by default
#
# But allowing phpMyAdmin to anyone other than localhost should be considered
# dangerous unless properly secured by SSL
Alias /phpMyAdmin /usr/share/phpMyAdmin
Alias /phpmyadmin /usr/share/phpMyAdmin
#
# order deny,allow
# deny from all
# allow from 127.0.0.1
# allow from ::1
#
# This directory does not require access over HTTP - taken from the original
# phpMyAdmin upstream tarball
#
Order Deny,Allow
Deny from All
Allow from None
# This configuration prevents mod_security at phpMyAdmin directories from
# filtering SQL etc. This may break your mod_security implementation.
#
#
#
# SecRuleInheritance Off
#
#
Restart Apache:
/etc/init.d/httpd restart
Afterwards, you can access phpMyAdmin under http://192.168.1.110/phpmyadmin/:
Tuesday, November 3, 2009
RedHat / CentOS Clustering Linux HA
Creating a service in Red Hat Enterprise Linux using Conga
1. Log in to the Conga web interface
*
Go to https://:8084 (replacing with the hostname of the Conga web server) and login.
*
Click the cluster tab.
*
Choose the cluster to configure.
2. Add a service
*
In the navigation bar on the left, choose Services => Add A Service.
*
Enter a descriptive Name for the service.
*
Choose whether to Automatically start this service and/or Run exclusive
*
Choose a Failover Domain.
*
Choose a Recovery Policy.
*
Optionally enter the maximum number of restarts and the restart counter timeout.
3. Add an IP Resource
*
Click Add a resource to this service.
*
Under Add a new local resource, choose IP Address.
*
Enter the IP Address that clients will use to access the MySQL database.
*
Choose whether to monitor the link for failures or not.
4. Add an LVM Resource
NOTE: This step is only required if HA-LVM is in use. If LVM will not be used at all or if clvmd is running in this cluster, then an LVM resource is not needed.
*
Under the previously created IP resource, click Add a child.
*
Under Add a new local resource, choose LVM.
*
Enter a descriptive name for the resource.
*
Fill in the Volume Group Name and Logical Volume Name.
5. Add a filesystem resource
*
Under the previously created LVM resource (or the IP resource if step 4 was skipped), click Add a child.
*
Under Add a new local resource, select File System.
*
Enter a a descriptive Name for the resource.
*
Choose the File system type.
*
Enter a Mount point, such as /var/lib/mysql.
*
Enter the Device path. If step 4 was followed then this should match the device that was entered, such as /dev/mysqlvg/datalv.
*
Enter any mount Options to use.
*
Optionally choose to Force unmount the filesystem, Reboot the host node if unmount fails, and/or Check the file system before mounting.
NOTE A MySQL resource can be created in one of two ways. Follow only one of 6a or 6b:
6a. Add a MySQL resource
*
Under the above filesystem resource, click Add a child.
*
Under Add a new local resource, select MySQL.
*
Enter a descriptive Name for the resource.
*
Enter the path to the Config File, such as /etc/my.cnf. See the above section on Configuring MySQL to Use Shared Storage for details.
*
Enter a Listen Address. In most situations this should match the IP address that was created as a resource in step #3.
*
Optionally enter any Options that should be passed to the mysqld daemon.
*
Optionally enter a Shutdown Wait in seconds. This determines the length of time that rgmanager will wait while stopping the resource before determining something has gone wrong and throwing an error.
6b. Add a script resource
*
Under the above filesystem resource, click Add a child.
*
Under Add a new local resource, select Script.
*
Enter a descriptive name for the resource.
*
Enter the Full path to script file, such as /etc/init.d/mysqld.
7. Save the service
*
Click Submit at the bottom of the page
Creating a service in Red Hat Enterprise Linux 4 and 5 using system-config-cluster
1. Open the system-config-cluster tool by running
# system-config-cluster
in a terminal.
2. Create a Service
*
In the Cluster Configuration tab, highlight the Services group.
*
Click the Create a Service button on the right side.
*
Enter a descriptive Name for the service.
*
Choose whether to Autostart This Service and/or Run Exclusive.
*
Select a Failover Domain in the upper right corner.
*
Select a Recovery Policy.
3. Add an IP resource
*
Click the Create a new resource for this service button.
*
Select IP Adress from the drop-down menu.
*
Enter the IP address that clients will connect to the MySQL service on.
*
Choose whether to monitor the link for failures or not.
*
Click OK.
4. Add an LVM resource
NOTE: This step is only required if HA-LVM is in use. If LVM will not be used at all or if clvmd is running in this cluster, then an LVM resource is not needed.
*
Highlight the previously created IP resource.
*
Click Attach a new Private Resource to the Selection.
*
Select LVM from the drop-down menu.
*
Enter a descriptive Name for the resource.
*
Enter the Volume Group Name and Logical Volume Name.
*
Click OK.
5. Add a filesystem resource
*
Highlight the previously created LVM resource (or the IP resource if step #4 was skipped).
*
Click Attach a new Private Resource to the Selection.
*
Select File System from the drop-down menu.
*
Enter a descriptive Name for the resource.
*
Choose the File System Type.
*
Enter the Mount Point, such as /var/lib/mysql.
*
Enter the Device path. If step 4 was followed then this should match the device that was entered, such as /dev/mysqlvg/datalv.
*
Optionally enter any mount Options that should be used.
*
Optionally choose to Force unmount the filesystem, Reboot the host node if unmount fails, and/or Check the file system before mounting.
*
Click OK.
NOTE A MySQL resource can be created in one of two ways. Follow only one of 6a or 6b:
6a. Add a MySQL resource
*
Highlight the previously created filesystem resource.
*
Click Attach a new Private Resource to the selection.
*
Select MySQL Server from the drop-down menu.
*
Enter a descriptive Name for the resource.
*
Enter the path to the Config File, such as /etc/my.cnf.
*
Enter a Listen Address. In most situations this should match the IP address that was created as a resource in step #3.
*
Optionally enter any Options that should be passed to the mysqld daemon.
*
Optionally enter a Shutdown Wait in seconds. This determines the length of time that rgmanager will wait while stopping the resource before determining something has gone wrong and throwing an error.
*
Click OK.
6b. Add a script resource
*
Highlight the previously created filesystem resource.
*
Click Attach a new Private Resource to the selection.
*
Select Script from the drop-down menu.
*
Enter a descriptive Name for the resource.
*
Enter the path for the File that will be used as the script, such as /etc/init.d/mysqld.
*
Click OK.
7. In the Service Management dialog, click Close.
8. To save the changes to the local configuration file, choose File => Save.
9. To propagate the changes to the rest of the cluster and allow for the service to be started, click Send to Cluster.
Service Configuration Examples
Red Hat Enterprise Linux
A service example from /etc/cluster.xml for Red Hat Enterprise Linux 3 is as follows:
Red Hat Enterprise Linux
The following is a service example from /etc/cluster/cluster.conf for Red Hat Enterprise Linux 4 or 5 using the rgmanager MySQL resource agent:
or alternatively using a script resource:
Apache Clustering HA
1.
Select the Services tab and click New. The Service properties dialog box is displayed.
a. Give the service a name (for example, httpd).
b. Choose httpd-domain from the Failover Domain list.
c. Specify a value in the Check Interval field.
d. Specify /etc/rc.d/init.d/httpd in the User Script field.
e. Click OK.
a. Choose Add Device and click OK. The Device properties dialog box is displayed.
b. Enter the device special file name in the Device Special File field (for example,
/dev/hda7).
c. Enter the mount point in the Mount Point field (for example, /var/www/html/).
d. Choose ext3 from the FS Type list.
e. Enter rw in the Options field.
f. Ensure that Force Unmount is checked, and click OK.
2.
Select the httpd service on the Services tab and click Add Child. The Add Device or Service IP Address dialog box is displayed.
a. Choose Add Service IP Address and click OK. The Service IP Address properties dialog box is displayed.
b. In the IP Address field, specify an IP address, which the cluster infrastructure binds to the network interface on the cluster system that runs the httpd service (for example, 192.168.26.10).
c. Specify a netmask of None in the Netmask field.
d. In the Broadcast field, specify an IP address of None for broadcasting on the cluster subnet.
e. Click OK.
3.
Ensure that the httpd service is still selected in the Services tab and click Add Child. The Add Device or Service IP Address dialog box is displayed.
4.
Choose File => Save to save your changes.
5.
To start the Apache HTTP Server within the Cluster Status Tool, highlight the service and click Enable.
1. Log in to the Conga web interface
*
Go to https://
*
Click the cluster tab.
*
Choose the cluster to configure.
2. Add a service
*
In the navigation bar on the left, choose Services => Add A Service.
*
Enter a descriptive Name for the service.
*
Choose whether to Automatically start this service and/or Run exclusive
*
Choose a Failover Domain.
*
Choose a Recovery Policy.
*
Optionally enter the maximum number of restarts and the restart counter timeout.
3. Add an IP Resource
*
Click Add a resource to this service.
*
Under Add a new local resource, choose IP Address.
*
Enter the IP Address that clients will use to access the MySQL database.
*
Choose whether to monitor the link for failures or not.
4. Add an LVM Resource
NOTE: This step is only required if HA-LVM is in use. If LVM will not be used at all or if clvmd is running in this cluster, then an LVM resource is not needed.
*
Under the previously created IP resource, click Add a child.
*
Under Add a new local resource, choose LVM.
*
Enter a descriptive name for the resource.
*
Fill in the Volume Group Name and Logical Volume Name.
5. Add a filesystem resource
*
Under the previously created LVM resource (or the IP resource if step 4 was skipped), click Add a child.
*
Under Add a new local resource, select File System.
*
Enter a a descriptive Name for the resource.
*
Choose the File system type.
*
Enter a Mount point, such as /var/lib/mysql.
*
Enter the Device path. If step 4 was followed then this should match the device that was entered, such as /dev/mysqlvg/datalv.
*
Enter any mount Options to use.
*
Optionally choose to Force unmount the filesystem, Reboot the host node if unmount fails, and/or Check the file system before mounting.
NOTE A MySQL resource can be created in one of two ways. Follow only one of 6a or 6b:
6a. Add a MySQL resource
*
Under the above filesystem resource, click Add a child.
*
Under Add a new local resource, select MySQL.
*
Enter a descriptive Name for the resource.
*
Enter the path to the Config File, such as /etc/my.cnf. See the above section on Configuring MySQL to Use Shared Storage for details.
*
Enter a Listen Address. In most situations this should match the IP address that was created as a resource in step #3.
*
Optionally enter any Options that should be passed to the mysqld daemon.
*
Optionally enter a Shutdown Wait in seconds. This determines the length of time that rgmanager will wait while stopping the resource before determining something has gone wrong and throwing an error.
6b. Add a script resource
*
Under the above filesystem resource, click Add a child.
*
Under Add a new local resource, select Script.
*
Enter a descriptive name for the resource.
*
Enter the Full path to script file, such as /etc/init.d/mysqld.
7. Save the service
*
Click Submit at the bottom of the page
Creating a service in Red Hat Enterprise Linux 4 and 5 using system-config-cluster
1. Open the system-config-cluster tool by running
# system-config-cluster
in a terminal.
2. Create a Service
*
In the Cluster Configuration tab, highlight the Services group.
*
Click the Create a Service button on the right side.
*
Enter a descriptive Name for the service.
*
Choose whether to Autostart This Service and/or Run Exclusive.
*
Select a Failover Domain in the upper right corner.
*
Select a Recovery Policy.
3. Add an IP resource
*
Click the Create a new resource for this service button.
*
Select IP Adress from the drop-down menu.
*
Enter the IP address that clients will connect to the MySQL service on.
*
Choose whether to monitor the link for failures or not.
*
Click OK.
4. Add an LVM resource
NOTE: This step is only required if HA-LVM is in use. If LVM will not be used at all or if clvmd is running in this cluster, then an LVM resource is not needed.
*
Highlight the previously created IP resource.
*
Click Attach a new Private Resource to the Selection.
*
Select LVM from the drop-down menu.
*
Enter a descriptive Name for the resource.
*
Enter the Volume Group Name and Logical Volume Name.
*
Click OK.
5. Add a filesystem resource
*
Highlight the previously created LVM resource (or the IP resource if step #4 was skipped).
*
Click Attach a new Private Resource to the Selection.
*
Select File System from the drop-down menu.
*
Enter a descriptive Name for the resource.
*
Choose the File System Type.
*
Enter the Mount Point, such as /var/lib/mysql.
*
Enter the Device path. If step 4 was followed then this should match the device that was entered, such as /dev/mysqlvg/datalv.
*
Optionally enter any mount Options that should be used.
*
Optionally choose to Force unmount the filesystem, Reboot the host node if unmount fails, and/or Check the file system before mounting.
*
Click OK.
NOTE A MySQL resource can be created in one of two ways. Follow only one of 6a or 6b:
6a. Add a MySQL resource
*
Highlight the previously created filesystem resource.
*
Click Attach a new Private Resource to the selection.
*
Select MySQL Server from the drop-down menu.
*
Enter a descriptive Name for the resource.
*
Enter the path to the Config File, such as /etc/my.cnf.
*
Enter a Listen Address. In most situations this should match the IP address that was created as a resource in step #3.
*
Optionally enter any Options that should be passed to the mysqld daemon.
*
Optionally enter a Shutdown Wait in seconds. This determines the length of time that rgmanager will wait while stopping the resource before determining something has gone wrong and throwing an error.
*
Click OK.
6b. Add a script resource
*
Highlight the previously created filesystem resource.
*
Click Attach a new Private Resource to the selection.
*
Select Script from the drop-down menu.
*
Enter a descriptive Name for the resource.
*
Enter the path for the File that will be used as the script, such as /etc/init.d/mysqld.
*
Click OK.
7. In the Service Management dialog, click Close.
8. To save the changes to the local configuration file, choose File => Save.
9. To propagate the changes to the rest of the cluster and allow for the service to be started, click Send to Cluster.
Service Configuration Examples
Red Hat Enterprise Linux
A service example from /etc/cluster.xml for Red Hat Enterprise Linux 3 is as follows:
Red Hat Enterprise Linux
The following is a service example from /etc/cluster/cluster.conf for Red Hat Enterprise Linux 4 or 5 using the rgmanager MySQL resource agent:
or alternatively using a script resource:
Apache Clustering HA
1.
Select the Services tab and click New. The Service properties dialog box is displayed.
a. Give the service a name (for example, httpd).
b. Choose httpd-domain from the Failover Domain list.
c. Specify a value in the Check Interval field.
d. Specify /etc/rc.d/init.d/httpd in the User Script field.
e. Click OK.
a. Choose Add Device and click OK. The Device properties dialog box is displayed.
b. Enter the device special file name in the Device Special File field (for example,
/dev/hda7).
c. Enter the mount point in the Mount Point field (for example, /var/www/html/).
d. Choose ext3 from the FS Type list.
e. Enter rw in the Options field.
f. Ensure that Force Unmount is checked, and click OK.
2.
Select the httpd service on the Services tab and click Add Child. The Add Device or Service IP Address dialog box is displayed.
a. Choose Add Service IP Address and click OK. The Service IP Address properties dialog box is displayed.
b. In the IP Address field, specify an IP address, which the cluster infrastructure binds to the network interface on the cluster system that runs the httpd service (for example, 192.168.26.10).
c. Specify a netmask of None in the Netmask field.
d. In the Broadcast field, specify an IP address of None for broadcasting on the cluster subnet.
e. Click OK.
3.
Ensure that the httpd service is still selected in the Services tab and click Add Child. The Add Device or Service IP Address dialog box is displayed.
4.
Choose File => Save to save your changes.
5.
To start the Apache HTTP Server within the Cluster Status Tool, highlight the service and click Enable.
Sunday, October 25, 2009
Squid Setup a transparent
My Server Setup:
i) Server: Xeon CPU system with 8 GB RAM .
ii) Eth0: IP:192.168.1.1
iii) Eth1: IP: 192.168.2.1 (192.168.2.0/24 network)
iv) Red Hat Enterprise Linux 5.0
Eth0 connected to internet and eth1 connected to local lan i.e. system act as router.
Server Configuration
* Step #1 : Squid configuration so that it will act as a transparent proxy
* Step #2 : Iptables configuration
o a) Configure system as router
o b) Forward all http requests to 3128 (DNAT)
* Step #3: Run scripts and start squid service
First, Squid server installed (use up2date squid) and configured by adding following directives to file:
# vi /etc/squid/squid.conf
Modify or add following squid directives:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan
Where,
* httpd_accel_host virtual: Squid as an httpd accelerator
* httpd_accel_port 80: 80 is port you want to act as a proxy
* httpd_accel_with_proxy on: Squid act as both a local httpd accelerator and as a proxy.
* httpd_accel_uses_host_header on: Header is turned on which is the hostname from the URL.
* acl lan src 192.168.1.1 192.168.2.0/24: Access control list, only allow LAN computers to use squid
* http_access allow localhost: Squid access to LAN and localhost ACL only
* http_access allow lan: -- same as above --
Here is the complete listing of squid.conf for your reference (grep will remove all comments and sed will remove all empty lines, thanks to David Klein for quick hint ):
# grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'
OR, try out sed
# cat /etc/squid/squid.conf | sed '/ *#/d; /^ *$/d'
Output:
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
cache_mem 1024 MB
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname myclient.hostname.com
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
coredump_dir /var/spool/squid
Iptables configuration
Next, I had added following rules to forward all http requests (coming to port 80) to the Squid server port 3128 :
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
Here is complete shell script. Script first configure Linux system as router and forwards all http request to port 3128
#!/bin/sh
# squid server IP
SQUID_SERVER="192.168.1.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
Save shell script. Execute script so that system will act as a router and forward the ports:
# chmod +x /etc/fw.proxy
# /etc/fw.proxy
# service iptables save
# chkconfig iptables on
Start or Restart the squid:
# /etc/init.d/squid restart
# chkconfig squid on
Desktop / Client computer configuration
Point all desktop clients to your eth1 IP address (192.168.2.1) as Router/Gateway (use DHCP to distribute this information). You do not have to setup up individual browsers to work with proxies.
How do I test my squid proxy is working correctly?
See access log file /var/log/squid/access.log:
# tail -f /var/log/squid/access.log
Above command will monitor all incoming request and log them to /var/log/squid/access_log file. Now if somebody accessing a website through browser, squid will log information.
Problems and solutions
(a) Windows XP FTP Client
All Desktop client FTP session request ended with an error:
Illegal PORT command.
I had loaded the ip_nat_ftp kernel module. Just type the following command press Enter and voila!
# modprobe ip_nat_ftp
Please note that modprobe command is already added to a shell script (above).
(b) Port 443 redirection
I had block out all connection request from our router settings except for our proxy (192.168.1.1) server. So all ports including 443 (https/ssl) request denied. You cannot redirect port 443, from debian mailing list, "Long answer: SSL is specifically designed to prevent "man in the middle" attacks, and setting up squid in such a way would be the same as such a "man in the middle" attack. You might be able to successfully achive this, but not without breaking the encryption and certification that is the point behind SSL".
Therefore, I had quickly reopen port 443 (router firewall) for all my LAN computers and problem was solved.
(c) Squid Proxy authentication in a transparent mode
You cannot use Squid authentication with a transparently intercepting proxy.
i) Server: Xeon CPU system with 8 GB RAM .
ii) Eth0: IP:192.168.1.1
iii) Eth1: IP: 192.168.2.1 (192.168.2.0/24 network)
iv) Red Hat Enterprise Linux 5.0
Eth0 connected to internet and eth1 connected to local lan i.e. system act as router.
Server Configuration
* Step #1 : Squid configuration so that it will act as a transparent proxy
* Step #2 : Iptables configuration
o a) Configure system as router
o b) Forward all http requests to 3128 (DNAT)
* Step #3: Run scripts and start squid service
First, Squid server installed (use up2date squid) and configured by adding following directives to file:
# vi /etc/squid/squid.conf
Modify or add following squid directives:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan
Where,
* httpd_accel_host virtual: Squid as an httpd accelerator
* httpd_accel_port 80: 80 is port you want to act as a proxy
* httpd_accel_with_proxy on: Squid act as both a local httpd accelerator and as a proxy.
* httpd_accel_uses_host_header on: Header is turned on which is the hostname from the URL.
* acl lan src 192.168.1.1 192.168.2.0/24: Access control list, only allow LAN computers to use squid
* http_access allow localhost: Squid access to LAN and localhost ACL only
* http_access allow lan: -- same as above --
Here is the complete listing of squid.conf for your reference (grep will remove all comments and sed will remove all empty lines, thanks to David Klein for quick hint ):
# grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'
OR, try out sed
# cat /etc/squid/squid.conf | sed '/ *#/d; /^ *$/d'
Output:
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
cache_mem 1024 MB
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname myclient.hostname.com
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
coredump_dir /var/spool/squid
Iptables configuration
Next, I had added following rules to forward all http requests (coming to port 80) to the Squid server port 3128 :
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
Here is complete shell script. Script first configure Linux system as router and forwards all http request to port 3128
#!/bin/sh
# squid server IP
SQUID_SERVER="192.168.1.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
Save shell script. Execute script so that system will act as a router and forward the ports:
# chmod +x /etc/fw.proxy
# /etc/fw.proxy
# service iptables save
# chkconfig iptables on
Start or Restart the squid:
# /etc/init.d/squid restart
# chkconfig squid on
Desktop / Client computer configuration
Point all desktop clients to your eth1 IP address (192.168.2.1) as Router/Gateway (use DHCP to distribute this information). You do not have to setup up individual browsers to work with proxies.
How do I test my squid proxy is working correctly?
See access log file /var/log/squid/access.log:
# tail -f /var/log/squid/access.log
Above command will monitor all incoming request and log them to /var/log/squid/access_log file. Now if somebody accessing a website through browser, squid will log information.
Problems and solutions
(a) Windows XP FTP Client
All Desktop client FTP session request ended with an error:
Illegal PORT command.
I had loaded the ip_nat_ftp kernel module. Just type the following command press Enter and voila!
# modprobe ip_nat_ftp
Please note that modprobe command is already added to a shell script (above).
(b) Port 443 redirection
I had block out all connection request from our router settings except for our proxy (192.168.1.1) server. So all ports including 443 (https/ssl) request denied. You cannot redirect port 443, from debian mailing list, "Long answer: SSL is specifically designed to prevent "man in the middle" attacks, and setting up squid in such a way would be the same as such a "man in the middle" attack. You might be able to successfully achive this, but not without breaking the encryption and certification that is the point behind SSL".
Therefore, I had quickly reopen port 443 (router firewall) for all my LAN computers and problem was solved.
(c) Squid Proxy authentication in a transparent mode
You cannot use Squid authentication with a transparently intercepting proxy.
Subscribe to:
Posts (Atom)