Squid as a reverse proxy howto

The setup :

We run a virtualization server on a server in a datacenter (for example Proxmox VE), we only have 1 public IP available.
We run web servers on 2 different virtual machines inside that VM host. We want both web servers to be accessible through the public IP on port 80.

We will use the Squid Proxy to act as a “reverse proxy” (http://en.wikipedia.org/wiki/Reverse_proxy).
Squid will relay the requests to the destination depending on the hostname requested.

The machines :

Virtualization server (VM host)/Squid server : Public IP 10.20.30.40 – bridged LAN IP 172.16.5.97/255.255.0.0
VM1 : bridged LAN IP 172.16.100.25/255.255.0.0 – Hostname example.org
VM2 : bridged LAN IP 172.16.100.122/255.255.0.0 – Hostname example.net

On your client computer (optional if you already have domains) :

Edit /etc/hosts and add :

10.20.30.40 example.org
10.20.30.40 example.net

On VM1 and VM2 :

apt-get install lighttpd (or whatever web server you like)

Edit /var/www/index.ligtthpd.html and replace the content of the file by “VM1″ on VM1 and “VM2″ on VM2.

On the VM host :

If Apache listens on port tcp/80, disable it by editing /etc/apache2/ports.conf and removing or commenting “Listen 80″.

Install Squid :

apt-get install squid

Edit /etc/squid/squid.conf and find the http_port section, and add “http_port 80 vhost vport” :

http_port 3128
http_port 80 vhost vport

Then add the following section :

cache_peer 172.16.100.25 parent 80 0 no-query originserver name=server1
cache_peer_domain server1 example.org
cache_peer 172.16.100.122 parent 80 0 no-query originserver name=server2
cache_peer_domain server2 example.net

And then add the following ACL for our domains :

acl valid_domains dstdomain .example.org
acl valid_domains dstdomain .example.net

Allow requests to our domains by adding “http_access allow valid_domains” just before the “deny all” rule (at the end of ACL’s) :

http_access allow valid_domains
http_access deny all

Restart Squid :

/etc/init.d/squid restart

Back on your computer :

Make a request on example.net or .org, you should either see VM1 or VM2 displayed in your browser depending on the hostname requested.

Squid 2.6 : transparent proxy

I was explaining in this article how to enable the transparent proxy feature under Squid 2.5.

The following options required for transparent proxy are no longer available under Squid 2.6 :

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

The new option under Squid 2.6 is the much simpler :

http_port 8080 transparent

You just need to append “transparent” to the http_port option line.

If you upgrade to Squid 2.6 and don’t update your config file you should get the following in the logs :

messages:Oct 27 13:02:08 x squid: parseConfigFile: line 51 unrecognized: 'httpd_accel_host virtual'
messages:Oct 27 13:02:08 x squid: parseConfigFile: line 52 unrecognized: 'httpd_accel_port 80'
messages:Oct 27 13:02:08 x squid: parseConfigFile: line 53 unrecognized: 'httpd_accel_with_proxy on'
messages:Oct 27 13:02:08 x squid: parseConfigFile: line 54 unrecognized: 'httpd_accel_uses_host_header on'

Squid cache manager error : socket: (13) Permission denied

If you get the error

socket: (13) Permission denied

while trying to connect to the cache manager of Squid using cachemgr.cgi, it probably means SElinux is enabled and is preventing cgi files from making TCP connections.

Quick and dirty fix : disabling SElinux

Edit /etc/sysconfig/selinux

Change the value SELINUX to “disabled”

Clean fix : make a rule in SElinux to allow the connection

I don’t know much about SElinux yet, so if someone feels like pointing me to the right direction or submitting something, it is welcomed :)

Blocking Internet Explorer with the Squid Web proxy

This is my own way of blocking Internet Explorer :

/etc/squid/squid.conf :

<code>### We want to block IE, but some sites (grr) are only working under IE
### so we put up a list of safe URL for Internet Explorer in the following file
acl safe_url_for_IE            url_regex -i            "/etc/squid/ACL/safe_url"

### The ACL for the IE user-agent
acl internet_explorer browser MSIE

### The world
acl all         src 0.0.0.0/0.0.0.0

### Our network
acl intranet        src 192.168.1.0/24

### Let's say we still want a machine in the network to use IE 
### (like a guest users not having an alternative web browser installed)
### I'm personally allowing IE for the dynamic DHCP clients at work
acl ie_allowed       src 192.168.1.100/32

### First, we are allowing the IE-machine here
http_access allow ie_allowed internet_explorer

### Secondly, we are denying Internet Explorer, 
### except for the "safe URL" list that is still allowed.
http_access deny internet_explorer !safe_url_for_IE

### Now, after the restrictions, we are allowing our network.
http_access allow intranet

### And finally blocking the rest of the world.
http_access deny all</code>

The safe URL ACL file (/etc/squid/ACL/safe_url) looks like this :

http://.*.site1.be/.*

http://.*.site2.be/.*

http://.*.site3.be/.*

If you have any useful tips or rules, please share ! :)

Block MSN and other messengers on your network

1. Iptables

This is my iptables config stored under /etc/sysconfig/iptables :
(eth0 = WAN interface, eth1 = LAN interface)

You’ll notice 192.168.1.16 is allowed to connect to any services

You’ll also notice that the default stance for output traffic is ACCEPT.
You can of course set it to DROP and only accept what you specifically define.

<code>*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Basic protections against syn floods and other stuff
-A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
-A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Block MSN
-I FORWARD -s 192.168.1.0/24 -p tcp -m tcp --dport 1863 -j DROP
-I FORWARD -s 192.168.1.0/24 -p tcp -m tcp --dport 1863 -j LOG --log-prefix "MESSENGER MSN &gt; "
-I FORWARD -s 192.168.1.16 -p tcp -m tcp --dport 1863 -j ACCEPT

# Block AIM/ICQ
-I FORWARD -s 192.168.1.0/24 -d 64.12.25.0/22 -j DROP
-I FORWARD -s 192.168.1.0/24 -d 64.12.25.0/22 -j LOG --log-prefix "MESSENGER ICQ/AIM &gt; "
-I FORWARD -s 192.168.1.16 -d 64.12.25.0/22 -j ACCEPT

# Block Yahoo IM
-I FORWARD -s 192.168.1.0/24 -d 216.155.193.0/22 -j DROP
-I FORWARD -s 192.168.1.0/24 -d 216.155.193.0/22 -j LOG --log-prefix "MESSENGER YIM &gt; "
-I FORWARD -s 192.168.1.16 -d 216.155.193.0/22 -j ACCEPT

# Allowing anything else
-A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT</code>

As soon as the MSN client is not able to connect to the server on port tcp 1863, it’ll try to connect using port tcp 80, which is probably allowed :

Web activity upon connection :
1.10 gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open&Server=NS&IP=messenger.hotmail.com
1.10 207.46.25.15/gateway/gateway.dll?SessionID=1047611159.2422
1.10 207.46.25.15/gateway/gateway.dll?SessionID=1047611159.1885
1.10 207.46.25.15/gateway/gateway.dll?Action=poll&SessionID=1047611159.24447
1.10 207.46.25.15/gateway/gateway.dll?SessionID=1047611159.7573

2. More firewall rules or Squid web proxy

Now you have two choices :

- making an ACL blocking the microsoft IP ranges… if new ranges are made available, MSN clients would be able to connect again.. this is not an ideal stance, unless you enjoy tracking the IP of MSN servers.

- blocking Internet Explorer (and MSN which uses the Internet Explorer engine) in your web proxy : you’ll need to run a transparent web proxy (Squid does the job pretty well) to block Internet Explorer, so MSN won’t be able to connect to port 80… See here for a short howto

Of course, you’d need something like Firefox installed on your client PC’s if you decide to block IE… you can always make an ACL in Squid allowing safe websites under Internet Explorer… This is not a bad stance as IE is known to have many unfixed security flaws.

Edit june 2007 : I'm blocking the Internet Explorer User Agent which apparently blocks the MSN client as well, but I noticed this page mentions the user agent for MSN is "MSMSGS". Please let me know if the described solution does not work for you.

I’ve not put much efforts into blocking AIM/ICQ/YIM since 99 % of people use MSN in Belgium
The MSN blocking is working well for me, I’m not sure about the other IM’s (the IP ranges can change from times to times)

3. Additional notes

It is reported at many places that the following squid rules are working.. I have tried them and they do NOT work for me.. If they do for you, let me know :)
acl mi_intranet src 192.168.1.0/255.255.255.0
acl msn req_mime_type -i ^application/x-msn-messenger
http_access deny mi_intranet msn
http_access allow mi_intranet

This is a working Squid ACL blocking a bunch of web messenger :
http://.*e-messenger.net/.*

http://193.238.160.*

http://.*meebo.com/.*

http://.*messenger.msn.com/.*

http://.*clientless.net/.*

http://.*wbmsn.net/.*

http://.*msn2go.com/.*

http://64.92.173.*

http://.*iloveim.com/.*

http://info.sytes.net/.*

http://chatenabled.mail.google.com/.*

Block viruses and protect yourself from spammers by blocking port 25 under Linux + iptables (just like ISP’s do !)

Find out viruses on your network and prevent spammers from abusing your wireless network ! With simple iptables rulesets…

OK, let’s calm down, this needs a bit of explanation before proceeding.

ISP’s usually block port 25 :
Unlike many ISP’s, mine doesn’t ! They still allow customers to send emails directly through and to any SMTP servers (tcp/25).

The goal in blocking port 25 is to block viruses from spreading around by sending emails using their own SMTP daemon.
At work, by just reading our email server logs, I know which ISP’s aren’t blocking port TCP/25 (damn Wanadoo and Road Runner).

If your ISP blocks port TCP/25, you need to send emails through their own (usually overwhelmed) SMTP server.

Worst case scenario :
Let’s say someone breaks into my wireless network with a linux laptop (pretty unlikely with WPA2 security but who knows :) ), the attacker would be able to send as much spam as one would like using a local sendmail or postfix server.

To fill that breach, we need to block port tcp/25 for wireless clients.

Continue reading