Introduction

This lab will cover:

Create a firewall to force all traffic through a proxy
Creating a caching proxy
Filtering sites by address
Filtering sites by content
NAT routing via row servers
Create an NGINX reverse proxy

Steps

Both: Do a regular NetBSD Install
Both: Set a strong root password
Both: Set static ips (that will presist through reboots) in the 10.100.ROW@0.0/24 subnet (ie, 10.100.60.x)
Router: Enable IPFilter
Router: Enable NAT and IP forwarding
Router: Enable ipmon with logging to /var/log/ipmon (see man ipmon and /etc/defaults/rc.conf for the default syntax)
Router: Set firewall to default block
Router: Install the minimum rules to allow your clients to use:
- DNS from 142.222.125.20 and 21
- FTP on 10.100.1.150
- SSH on csunix
- HTTP/HTTPS to the internet ONLY via the proxy
Router: Install and configure squid
- edit the /usr/local/squid/etc/squid.conf
- Create the squid cache directory by running squid -z
- setup newsyslog to rotate the squid log files daily or when they exceed 250kb, be sure to tell squid to rotate (squid -k rotate)
- Use port 3128. Hard-code the interface IP address on the dual-homed machine.
- Allow access only from 10.100.ROW#0.0/24 and localhost
- Block access to *.msn.com
- Pick a website, and block its advertisements (via regex, using an external file)
- Create a custom error page for the blocked advertisements, store it in /usr/local/squid/etc/errors/
Router: do 'ps auxww', notice what user squid runs as, and how many processes there are
Workstation: Install lynx with SSL support
Workstation: Edit /usr/local/etc/lynx.cfg and make the lynx on your local workstation use the proxy
Workstation: Setup your windows workstations with static ips in the 10.100.ROW#0.0/24 subnet
Workstation: Show me that you can HTTP to anywhere only via the proxy, and test that HTTPS also works
Bonus: configure a TRANSPARENT proxy, using "rdr" rules for ipnat
Router: untar pkgsrc
Router: install apache22 from pkgsrc
Router: configure apache to listen on port 1080 instead of 80
Router: install nxing, serve static files, proxy CGI requests to apache

Commands:

        Note that squid drops privileges to the nobody user after it is started.
        
        Since this is true, 'nobody' needs writeable access to the var directory,
        so make that change. 
        
        chown nobody /usr/local/squid/var
        chown nobody /usr/local/squid/var/logs
        
        ------------------

        Some ACL's

            acl foo src 10.100.1.0/24
            http_access allow foo
            http_access deny all
             
            acl block dstdomain .foo.com
            http_access deny block
            
            acl ads url_regex "/usr/local/squid/etc/ads.txt"
            deny_info error_mesg.html ads 
            http_access deny ads

Questions:

What is the command to make squid reload its configuration files?

What user does the squid proxy run as when it drops its privledges

Write out the line from newsyslog.conf for rotating the squid logs?

Why must CGI-BIN requests be proxies, instead of served directly by nginx?

Why can't you use a Transparent or Interception proxy for SSL?

Last updated: 2008-03-24
Updated by: Allan Jude

Written by: Allan Jude (2008)