Squid - secure - installation
Hello, we are using an out-of-the-box squid-proxy and now I want to make a new secure installation with the latest binaries, not running with root permissions and in a chroot environment. I have to use Port 80 for http_port, but if I trust the squid.conf, there is a comment under cache_effective_user that only root can start squid with http_port lower than 1024. So if anybody out there has an idea of how to make a workaround so that squid listens on Port 80 with normal user permissions, that is welcome, the same as if you have experience with chroot and installing squid....
Bye
Axel
Landratsamt München Tel. ++49(089) 6221-2363 EDV und Organisation Fax. ++49(089) 6221-2424 Axel Leitner axel.leitner@lra-m.bayern.de Mariahilfplatz 17 http://www.landkreis-muenchen.de 81541 München
use ipchains/iptables to redirect. This is covered in the squid docs under making squid a transparent proxy.
Kurt Seifried, seifried@securityportal.com
PGP Key ID: 0xAD56E574 Fingerprint:
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://www.securityportal.com/
What about making squid a transparent https proxy? Any help on this?

Best Regards,
Joao Seabra CIAAC

On Fri, 15 Jun 2001, Kurt Seifried wrote:
> use ipchains/iptables to redirect. This is covered in the squid docs under making squid a transparent proxy.
----- Original Message -----
From: "Leitner, Axel"
Sent: Friday, June 15, 2001 3:51 AM
Subject: [suse-security] Squid - secure - installation
Once more, with feeling: the squid faq covers this in excruciating detail. hint: squid.nlanr.org.

Kurt Seifried, seifried@securityportal.com
** from the outer limits of space and time electrons arranged themselves into a message from "Kurt Seifried"
> squid.nlanr.org
Netscape cannot find the address, blah blah blah ..
any other choices ???? <G> This seems like it just *might* be the answer to a maiden's prayer, if I could only make it work so "they" never even see anything except the web pages they are trying to load ... perhaps an occasional ftp >> that ought to be all they want, oh yeah email send and receive ...
Blondely
j
afterthought--- You know what they say about paradigms ... Shift happens.
If you typed +squid +nlanr into google... ok sigh. www.squid-cache.org.
P.S. you can obviously read, hint hint.
Kurt Seifried, seifried@securityportal.com
On 15-Jun-01 jfweber@eternal.net wrote:
> ** from the outer limits of space and time electrons arranged themselves into a message from "Kurt Seifried"
> on Fri, 15 Jun 2001 12:54:07 -0600 Earth Standard Time
> > squid.nlanr.org
> Netscape cannot find the address, blah blah blah ..
Try www.squid-cache.org/Doc/FAQ/FAQ.html .
> any other choices ????
If you use an ISDN router or similar as a gateway where you can configure filter/NAT rules you may construct a rule which denies any requests to <ip-addr>:80 for any host except the proxy. This way, your users can not directly connect to any remote web/ftp servers and you don't have to set up transparent proxying.
> <G> This seems like it just *might* be the answer to a maiden's prayer, if I could only make it work so "they" never even see anything except the web pages they are trying to load ... perhaps an occasional ftp >> that ought to be all they want, oh yeah email send and receive ...
Transparent proxying definitely helps to prevent users from simply kicking proxy entries out of their browser configuration, thus directly interfering with the big bad internet. It does not secure your squid proxy program (the daemon itself) in any way, it just transparently redirects any traffic destined to port 80 to squid's port (usually 3128) and will *not* work properly if the proxy host is not the standard gateway of your network.

To set it up is just plain simple. First, make sure your kernel configuration includes transparent proxying and firewalling. Next, set up ipchains to handle the redirection:

    ipchains -A input -p TCP -d 127.0.0.1/32 www -j ACCEPT
    ipchains -A input -p TCP -d 192.168.1.0/255.255.255.0 www -j ACCEPT
    ipchains -A input -p TCP -d 0/0 www -j REDIRECT 3128

Lines one and two accept requests to port 80 of both the (squid proxy-) localhost and your network (replace 192.168.1.0 with your network address); line three does the actual redirecting from any IP:80 to port 3128 of the proxy host (ipchains only does local port forwarding, so you don't have to supply the IP of your proxy host). That's it. If it doesn't work, FAQ it ;))
> Blondely
> j [...]
---
Boris Lorenz
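The three ipchains rules above are evaluated first-match: the two ACCEPT rules have to come before the catch-all REDIRECT, and nothing in the chain touches port 443, which is why the earlier question about a transparent https proxy is not answered by this setup. The following is an added example written for this page, not code from Boris, Kurt or the Squid project: a small Python model of that input chain run over constructed sample packets. It assumes the post's 192.168.1.0/24 network and squid's default port 3128; the packets are made up for the illustration.

```python
"""Model of the ipchains 'input' chain from the post, evaluated with
first-match semantics over constructed sample packets.

Added example for this page; it does not wrap ipchains itself.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    dst_net: ipaddress.IPv4Network
    dst_port: int
    target: str                       # "ACCEPT" or "REDIRECT"
    redirect_port: Optional[int] = None


def build_input_chain(local_net: str = "192.168.1.0/24",
                      squid_port: int = 3128) -> List[Rule]:
    """The chain as given in the post, in order. ipchains stops at the first
    matching rule, so the two ACCEPTs must precede the catch-all REDIRECT.
    local_net and squid_port are assumptions taken from the post."""
    return [
        Rule(ipaddress.ip_network("127.0.0.1/32"), 80, "ACCEPT"),
        Rule(ipaddress.ip_network(local_net), 80, "ACCEPT"),
        Rule(ipaddress.ip_network("0.0.0.0/0"), 80, "REDIRECT", squid_port),
    ]


def evaluate(chain: List[Rule], dst_ip: str, dst_port: int,
             proto: str = "tcp") -> Tuple[str, Optional[int]]:
    """First-match evaluation of one packet against the chain.
    Returns ("ACCEPT", None), ("REDIRECT", port) or ("NO MATCH", None);
    a non-matching packet falls through to the chain's default policy."""
    if proto != "tcp":                 # all three rules are -p TCP
        return ("NO MATCH", None)
    addr = ipaddress.ip_address(dst_ip)
    for rule in chain:
        if dst_port == rule.dst_port and addr in rule.dst_net:
            return (rule.target, rule.redirect_port)
    return ("NO MATCH", None)


# Constructed sample packets (destination ip, port): local web server,
# a LAN host, an outside web server, outside https and outside ftp.
SAMPLE_PACKETS = [
    ("127.0.0.1", 80),
    ("192.168.1.10", 80),
    ("203.0.113.7", 80),
    ("203.0.113.7", 443),
    ("203.0.113.7", 21),
]


def classify_samples(chain: List[Rule]):
    """Verdict for each constructed packet, in SAMPLE_PACKETS order."""
    return [(ip, port) + evaluate(chain, ip, port)
            for ip, port in SAMPLE_PACKETS]


def misordered_chain() -> List[Rule]:
    """The failure mode: REDIRECT placed first hijacks even LAN-bound
    port-80 traffic, because the catch-all now matches before the ACCEPTs."""
    return list(reversed(build_input_chain()))


if __name__ == "__main__":
    for ip, port, verdict, rport in classify_samples(build_input_chain()):
        print(f"{ip:>14}:{port:<4} -> {verdict}"
              + (f" to port {rport}" if rport else ""))
    print("misordered, LAN host:",
          evaluate(misordered_chain(), "192.168.1.10", 80))
```

Running the script shows that only outside port-80 traffic is redirected to 3128, LAN and localhost port 80 are accepted untouched, and 443 and 21 fall through to the chain policy (a separate deny rule on the gateway, as Boris describes in his first paragraph, is what actually stops users from bypassing the proxy on those ports). The misordered chain redirects the LAN host as well, which is the breakage you get if the ACCEPT rules are appended after the REDIRECT.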