I am trying to develop a proxy server which will help clients to auto logged into my application without password by setting cookies on that session in proxy.
It means if user is using proxy to access that site then he will auto logged into that site using cookie set on that traffic.
I already installed & configured SQUID on centos 6.8 x64.
After setting everything & using
request_header_add Cookie name=value
in /etc/squid/squid.conf.
The cookie is set to all HTTP traffic but my application uses HTTPS.
So, i tried to setup OpenSSl, ssl-bump, and all the setup regarding SSL including ip tables
This is how my squid.conf looks like:
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
http_port 3130
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem
request_header_add Cookie name=value all
#always_direct allow all
ssl_bump server-first all
#sslproxy_cert_error deny all
#sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 8MB
sslcrtd_children 8 startup=1 idle=1
After researching more i also activate ip tables to forward packets to proxy for intercept.
iptables -t nat -A PREROUTING -p tcp -s 0.0.0.0/0 -j DNAT --to-destination 192.2xx.xx4.xx4:3128 --dport 80
iptables -t nat -A PREROUTING -p tcp -s 0.0.0.0/0 -j DNAT --to-destination 192.2xx.xx4.xx4:3129 --dport 443
Above configuration is working fine without any issue on HTTP traffic
But still the Cookie header is not added to "HTTPS" traffic.
My main motive is to logged into the application if anyone use this proxy without entering login details using cookie set into HTTPS header.
Can anyone help me to tell that this task can be done to setup cookie (Change header) on HTTPS traffic using SQUID or not.
If possible please help me to find out the error or what else i have to do.
Thanks in advance !
Related
My question is for general understanding and not for fixing an issue that I have.
I managed to run iptables -A OUTPUT -p tcp --dport 80 -j REJECT and block http requests. When I ran curl http://b.scorecardresearch.com/beacon.js I've got curl: (7) Failed to connect to b.scorecardresearch.com port 80: Connection refused
Then I deleted the OUTPUT rule and created an INPUT rule iptables -A INPUT -p tcp --dport 80 -j REJECT. I could then access curl http://b.scorecardresearch.com/beacon.js with no problems at all.
I understand why the outgoing request was not blocked but when I make an http request, doesn't the response return on the same port (80) and should be blocked by the INPUT REJECT of port 80?
When you create a TCP connection, the client port is random and different than the destination port (80 here). You can see that by running: netstat -pant in your terminal:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.1.41:39878 201.15.39.91:80 ESTABLISHED 2270/firefox
That's why blocking the incoming packets that target port 80 doesn't forbid you to reach HTTP servers. However, if you have an HTTP server, it won't be accessible anymore on port 80.
I have a proxy pass which redirects all BE service calls to the API-Gateway. For debugging one particular scenario, I want to proxy all urls with base path /abc to a netcat proxy which would dumplt the complete request on console.
ATM I am using following proxy pass:
ProxyPass /abc/ http://localhost:8089/apigateway/api/
Whereas I am listening on port 8089 as follow:
nc -p 8089 localhost 8080
But the nc connection is closing up within few seconds after i run the above mentioned command. Any idea what am I do wrong?
When I curl the url http://localhost/abc/messaage, I see 503 as response.
Following worked for me:
sudo nc -l localhost 8089 < abc.txt | tee -a in | nc localhost 8080 | tee -a out.html > def.txt
Listening on port 8089 (httpd forwards everything on 8089). nc then forwards the request to port 8080 (actual apigateway). In the middle it dumps the request and response in different files.
I want to make sure that the only network traffic on my linux CentOS server is my own.
All my server runs is a Tomcat instance with one servlet. This servlet takes a parameter, which is a URL to download. It will download from that url, and pass the contents back to the calling program through the usual http response.
I want to block all network traffic to this server except
1) Ability to ssh
2) Ability to download from host abc.xyz.com
3) Ability for server with IP 111.222.333.444 to download from me
Can someone please tell me the commands to do this in iptables? I tried finding this out myself but I was a bit out my depth with the lingo.
thanks
Configuring a firewall is simple, first of all select what ports you want to be open.
For example Webserver ports:
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
For example SSH port:
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
In any way your server is able to download files from other server/hosts.
3) Ability for server with IP 111.222.333.444 to download from me
I suppose that must be port 80, (or any port where the server is downloading from) if your uploading files to your website.
After these steps you need to look if the firewall is configured right:
iptables -L -n
If it's looking good then you're able to save your iptables, and restart the service.
If there is any problem configureren your firewall, please let me know.
How can I set my Apache configuration to listen (and respond) all ports? I want to build something like port tester.
I know that I can edit apache2.conf and add following lines but adding 65535 of them is painful.
Listen 1
Listen 2
Listen 3
Is there any way to listen and respond to all ports?
Please advise
No, you can't within Apache itself but you could make it listen on one port and setup an iptable rule (if running *nix) to redirect a range of port to Apache's port.
That would be something like that:
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 1:65535 -j DNAT --to-destination apache_local_ip:80
I have setup the new version of haproxy but I need to disable TLS and the "notlsv1" keyword doesn't works.
In my actual configuration, I use stud to manage https sessions with these parameters:
-B 1000 -n 8 -b 127.0.0.1 8080 -f *,443 --ssl -c ALL --write-proxy
And I'm trying to replace him by the new haproxy version.
My configuration file:
global
log 127.0.0.1 local0 info
maxconn 32000
user haproxy
group haproxy
daemon
nbproc 1
stats socket /tmp/haproxy.sock
defaults
timeout connect 10000
timeout client 30000
timeout server 30000
listen ha_stats 0.0.0.0:8088
balance source
mode http
timeout client 30000ms
stats enable
stats uri /lb?stats
frontend https-requests
mode http
bind :80
bind :443 ssl crt ./haproxy.pem notlsv1
acl is_front hdr(host) -i front.mydomain.com
acl is_service hdr(host) -i service.mydomain.com
use_backend bkfront if is_front
use_backend bkservice if is_service
default_backend mydomain.com
backend mydomain.com
mode http
server mywebsite www.mydomain.com:80
backend bkfront
mode http
balance roundrobin
option httpchk GET / HTTP/1.1\r\nHost:\ front.mydomain.com
server web05 192.168.200.5:80 check
backend bkservice
mode http
balance roundrobin
option httpchk GET / HTTP/1.1\r\nHost:\ service.mydomain.com
server web01 192.168.200.1:80 check
The http and https sessions work very well with firefox but I have problems with chrome and Internet explorer. To solve them, with Stud I need to add --ssl.
Thanks,
SOLUTION:
Thanks to Willy for his help. Below I give the commands to solve this problem:
wget http://haproxy.1wt.eu/download/1.5/src/devel/haproxy-1.5-dev12.tar.gz
wget http://haproxy.1wt.eu/download/1.5/src/snapshot/haproxy-1.5-dev12-patches-LATEST.tar.gz
tar xvzf haproxy-1.5-dev12.tar.gz
mv haproxy-1.5-dev12-patches-LATEST.tar.gz haproxy-1.5-dev12
cd haproxy-1.5-dev12/
tar xvzf haproxy-1.5-dev12-patches-LATEST.tar.gz
patch -p1 < haproxy-1.5-dev12-patches-20121009/*.diff
make TARGET=linux26 USE_OPENSSL=1
sudo make PREFIX=/opt/haproxy-ssl install
And replace:
bind :443 ssl crt ./haproxy.pem notlsv1
to:
bind :443 ssl crt ./haproxy.pem force-sslv3
This is because in OpenSSL, notlsv1 only disables TLSv1.0, not later versions ! If you need this, you'd better download the latest snapshot from the site and use "force-sslv3" instead of "notlsv1". It will force use of SSLv3 exclusively and do what you currently have with stud.