How to block flash videos using Squid proxy Server

One popular example is to block flash video, used by sites such as Youtube.
The MIME type for such content is "video/x-flv". Creating an ACL to block this is easy.

First, create an ACL which matches the MIME type in question:

acl deny_rep_mime_flashvideo rep_mime_type video/x-flv

Then create a HTTP Reply ACL which denies any replies with that MIME type:

http_reply_access deny deny_rep_mime_flashvideo

This has been verified to block Youtube flash video content.

If the content is blocked the following similar line will be seen in access.log:

1282485682.146    903 127.0.0.1 TCP_DENIED_REPLY/403 3143 GET http://tc.v15.cache3.c.youtube.com/videoplayback? - DIRECT/208.117.252.163 text/html

And on browser, you can see ...

HowTo Allow windows updates through squid

Add the following to your squid.conf, It 'MUST' be added near the top before any ACL that require authentication.

acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com

acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com

http_access allow CONNECT wuCONNECT localnet
http_access allow windowsupdate localnet

The above config is also useful for other automatic update sites such as Anti-Virus vendors, just add their domains to the acl.

Block mp3, mpg, mpeg, exe files using Squid proxy server

First open squid.conf file /etc/squid/squid.conf:

# vi /etc/squid/squid.conf

Now add following lines to your squid ACL section:

acl blockfiles urlpath_regex “/etc/squid/multimedia.files.acl”

Now create the the file

# vi /etc/squid/multimedia.files.acl

\.[Ee][Xx][Ee]$
\.[Aa][Vv][Ii]$
\.[Mm][Pp][Gg]$
\.[Mm][Pp][Ee][Gg]$
\.[Mm][Pp]3$

Save and close the file and Restart Squid:

# /etc/init.d/squid restart

HowTo Clean and Re-build Squid cache

First, Check you squid.conf file
and locate the location of you cache directory, you should have line starting with "cache_dir"

1) Shutdown your squid server
squid -k shutdown

2) Remove the cache directory
rm -r /squid/cache/*

3) Re-Create the squid cache directory
squid -z

4) Start the squid

squid configuration : ACL's based on MAC address

There are many times that client are having dynamic ip address (assigned by DHCP server) and in this cases it's hard to set any rules on bases of ip address as, you would not know what ip address the client machine be getting, in such case we could use mac based ACL's to set up any rules on that particular machine.

 # vi /etc/squid/squid.conf 

Look for acl section and append ACL as follows:

acl mac1 arp 00:11:22:70:44:90 

acl mac2 arp 00:11:22:33:44:55 

http_access allow mac1 

http_access allow mac2 

http_access deny all 

Save and close the file.

Restart squid server:

# /etc/init.d/squid restart

Squid Password Authentication Using NCSA

You can configure Squid to prompt users for a username and password. Squid comes with a program called ncsa_auth that reads any NCSA-compliant encrypted password file.

1) Create the password file. The name of the password file should be /etc/squid/squid_passwd, and you need to make sure that it’s universally readable.

# touch /etc/squid/squid_passwd
# chmod o+r /etc/squid/squid_passwd

2) Use the htpasswd program to add users to the password file. You can add users at anytime without having to restart Squid. In this case, you add a username called nikesh:

# htpasswd /etc/squid/squid_passwd nikeshNew
password:Re-type new password:
Adding password for user nikesh

3) Find your ncsa_auth file using the locate/find command. (different distro stores this file at different locations)

# locate ncsa_auth/usr/lib/squid/ncsa_auth

4) Edit squid.conf; specifically, you need to define the authentication program in squid.conf, which is in this case ncsa_auth. Next, create an ACL named ncsa_users with the REQUIRED keyword that forces Squid to use the NCSA auth_param method you defined previously. Finally, create an http_access entry that allows traffic that matches the ncsa_users ACL entry. Here’s a simple user authentication example; the order of the statements is important:

## Add this to the auth_param section of squid.conf

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd

# Add this to the bottom of the ACL section of squid.conf
acl ncsa_users proxy_auth REQUIRED

# Add this at the top of the http_access section of squid.conf
http_access allow ncsa_users

Remember to restart Squid for the changes to take effect.

cachemgr (Cache Manager) configuration for Squid

The cache manager (cachemgr.cgi) is a CGI utility comes with squid for displaying statistics about the squid process as it runs. The cache manager is a convenient way to manage the cache and view statistics without logging into the server

To make this configuration you need a webserver (Apache) running and configured.

1) Try to locate your cachemgr.cgi file which comes with the squid package, this can be done using rpm -ql command (different distro stores this file at different location), here you can also use locate/find command.

# rpm -ql squid | grep cachemgr.cgi
/usr/share/doc/packages/squid/scripts/cachemgr.cgi
/usr/share/man/man8/cachemgr.cgi.8.gz

In this case my cachemgr.cgi is in /usr/share/doc/packages/squid/scripts/ directory

2) Copy cachemgr.cgi file to your configure script alias (/var/www/cgi-bin) directory of you Apache

3) Open squid.conf file and insert following two parameters at the end of the file

cache_mgr nikesh@domain.com
cachemgr_passwd your_Password all

4) Restart your squid and open your browser and type
http://localhost/cgi-bin/cachemgr.cgi
you should see something like … , provide a configure e-mail and password (mentioned above)

Squid Password Authentication Using PAM

We’ll be using the pam_auth module. This will allow anyone who has a shell account to also be able to use the Squid server. 

Search for the auth_param section in the config and add these lines:

auth_param basic program /usr/lib/squid/pam_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

Next search for this line and uncomment it:

acl password proxy_auth REQUIRED

Now create a pam module called /etc/pam.d/squid that contains:

auth required /lib/security/pam_unix.so
account required /lib/security/pam_unix.so

Restart the squid and you are done.

Configure Squid to use other Proxy (cache)

If you want Squid to be part of a hierarchy of proxies or want Squid to fetch content from another proxy

cache_peer proxy.isp.com parent 8080 0 no-query no-digest ever_direct allow all

For Multiple parent

cache_peer proxy.isp1.com parent 8080 0 no-query no-digest default

cache_peer proxy.isp2.com parent 8080 0 no-query no-digest

Multiple parents with weight:

cache_peer proxy.isp1.com parent 8080 0 no-query no-digest weight=1 

cache_peer proxy.isp2.com parent 8080 0 no-query no-digest weight=2

Multiple parents with round-robin:

cache_peer proxy.isp1.com parent 8080 round-robin no-query

cache_peer proxy.isp2.com parent 8080 round-robin no-query

cache_peer proxy.isp3.com parent 8080 round-robin no-query

In above examples proxy.isp1.com, proxy.isp2.com and proxy.isp2.com are other cache servers

HowTo do Transparent proxy with Squid

Modify or add following to squid configuration file (/etc/squid/squid.conf):

httpd_accel_host virtual

httpd_accel_port 80

httpd_accel_with_proxy on

httpd_accel_uses_host_header on

acl lan src 192.168.1.1 192.168.2.0/24

http_access allow localhost

http_access allow lan

Added following rules to forward all http requests (coming to port 80) to the Squid server port 3128 :

[eth0 connected to internet and eth1 connected to local lan]

iptables -t nat -A PREROUTING -i eth1 -p tcp –-dport 80 -j DNAT –to 192.168.1.1:3128

iptables -t nat -A PREROUTING -i eth0 -p tcp –-dport 80 -j REDIRECT –-to-port 3128

Forward Squid traffic to secure tunnel (SSH)

When Squid is installed and running, it uses port 3128 by default. 

You should test it manually by setting your HTTP proxy to the server that runs Squid. 

For instance, in Firefox to go Tools -> Options -> Advanced -> Network -> Settings and enter the IP address or host of the Squid proxy (e.g. 192.168.0.100) and 3128 for the port. 

Try to load any web page. If you see an access denied error, check out the http_access configuration in the squid configuration file.

Once Squid is all set and ready to go, you need to forward your connection to it over SSH. 

 

To set the tunnel up on your Windows 

download Plink, a command-line version of Putty SSH client, 

and run this command:

plink.exe -batch -N -l UserName -pw Password -L 3128:localhost:3128 SSH_Server

On Unix-based systems, simply run this command:

ssh -L 3128:localhost:3128 SSH_Server -f -N

Finally, tell your browser to use the SSH tunnel as a proxy. Basically you need to change the host to localhost and the port number to 3128 (See below).

Setting up squid proxy server on Ubuntu

Install Squid
Open up the terminal and type the following command to install squid:
sudo apt-get install squid

Squid Configuration
Open the squid.conf file for editing using command:
gksudo gedit /etc/squid/squid.conf

Find the http_port tag, By default it reads
# http_port 3128

This is the default port that Squid will listen on for requests. If you want to change it, uncomment the line and set the correct port. If you want Squid to listen only on one specific NIC, you can also change the IP address – for example : 192.168.1.5:3128

Next, find the http_access section Uncomment these 2 lines:
acl our_networks src 192.168.1.0/24 192.168.2.0/24
http_access allow our_networks

NOTE: You'll need to change 192.168.1.0/24 to match your network. Unless you have a second subnet you can delete 192.168.2.0/24

With above change, the basic squid configuration is done, you can now start/stop the squid server using command: sudo /etc/init.d/squid start|restart|stop

Configuring squid Clients
To configure any application including a web browser to use squid, modify the proxy setting with the IP address of the squid server and the port number that you have specified in the squid configuration file 

(default 3128).

Below example showing the Firefox configuration for using squid proxy server running on ip address 192.168.1.2 and port 3128.

How to mount samba share on Linux client

Samba can be used to allow connectivity between Linux and Windows. Samba can be used to share printers, share directories, connect to an windows domain, and many other useful features.

In order to mount your samba share to your Linux client open up the /etc/fstab file and insert the following line into this file

//172.19.12.137/Music /mnt/samba cifs credentials=/etc/accessfile 0 0

Now create a new file: /etc/accessfile with following contents

username=Suhail
password=some_password

Save the above file and restart your Linux client (or type command mount -a),
after restart you should now able to access the share content from the samba server
under /mnt/samba directory.

This is preferred over having passwords in plaintext in a shared file, such as /etc/fstab. Be sure to protect any credentials file properly and also note that there should not be any extra space in this file.

It there are any space in this credentials file you might get the following error on trying to mount the file system

mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g.man mount.cifs)

How to Convert smbpasswd to tdbsam on Samba

The latest release of Samba offers many new features including new password database backends not previously available. Samba version 3.0.0 fully supports all databases used in previous versions of Samba. However, although supported, many backends may not be suitable for production use.

The tdbsam backend provides an ideal database back-end for local servers, servers that do not need built-in database replication, and servers that do not require the scalability or complexity of LDAP. The tdbsam back-end includes all of the smbpasswd database information as well as the previously-excluded SAM information. The inclusion of the extended SAM data allows Samba to implement the same account and system access controls as seen with Windows NT/2000/2003-based systems.

The tdbsam backend is recommended for 250 users at most. Larger organizations should require Active Directory or LDAP integration due to scalability and possible network infrastructure concerns.

Convert smbpasswd to tdbsam: enter as root on the command line:

      pdbedit -i smbpasswd:/etc/samba/smbpasswd -e tdbsam:/etc/samba/passdb.tdb

      And ensure the global section of smb.conf has such an entry:

      passdb backend = tdbsam

Creating Recycle Bin for Samba storage

Samba is mainly used to share the files between Linux and windows and many times it happens that user deletes the file from the samba server and later wants to get back deleted files which is not possible with the default configuration of samba server.

The best option is to have a "Recycle bin" for every users on the samba server.
Here is an example of modifying the home directories of your users in samba configuration file

[homes]
comment = Home Directory
valid users = %S
browsable = no
guest ok = no
read only = no
vfs object = recycle
recycle:repository = RecycleBin
recycle:keeptree = yes
recycle:exclude = *.tmp, *.bak

The “vfs object” line calls in the plug-in that enables recycle bin capability.  On the other lines, you’re setting the name of the recycle bin directory, telling Samba to preserve the whole structure of any directories that a user may delete, and finally, telling it to not keep certain types of files.

Transfer Linux user to Samba users

To configure Samba on your Red Hat Linux system to use encrypted passwords, follow these steps:

1. Create a separate password file for Samba. To create one based on your existing /etc/passwd file, at a shell prompt, type the following command:

# cat /etc/passwd | mksmbpasswd.sh > /etc/samba/smbpasswd

If the system uses NIS, type the following command:

# ypcat passwd | mksmbpasswd.sh > /etc/samba/smbpasswd

The mksmbpasswd.sh script is installed in your /usr/bin directory with the samba package.

2. Change the permissions of the Samba password file so that only root has read and write permissions:

# chmod 600 /etc/samba/smbpasswd

3. The script does not copy user passwords to the new file, and a Samba user account is not active until a password is set for it. For higher security, it is recommended that the user's Samba password be different from the user's Red Hat Linux password. To set each Samba user's password, use the following command (replace username with each user's username):

# smbpasswd username

4. Encrypted passwords must be enabled in the Samba configuration file. In the file smb.conf, verify that the following lines are not commented out:

encrypt passwords = yes

smb passwd file = /etc/samba/smbpasswd

5. Make sure the smb service is started by typing the command service smb restart at a shell prompt.

Sync users' Samba passwords with their system passwords

The pam_smbpass PAM module can be used to sync users' Samba passwords with their system passwords when the passwd command is used. 

If a user invokes the passwd command, the password the uses to log in to the system as well as the password he must provide to connect to a Samba share are changed.

To enable this feature, add the following line to /etc/pam.d/system-auth 

below the pam_cracklib.so invocation:

password required /lib/security/pam_smbpass.so nullok use_authtok try_first_pass

Sync Samba and Unix password

The pam_smbpass PAM module can be used to sync users’ Samba passwords with their system passwords. 

If a user invokes the passwd command, the password he uses to log in to the system as well as the password he must provide to connect to a Samba share are changed.

To enable this feature, 

add the following line to /etc/pam.d/system-auth below the pam_cracklib.so invocation:

password required /lib/security/pam_smbpass.so nullok use_authtok try_first_pass

Samba Server As Primary Domain Controller

Server

a.Operating System :- Fedora-15

b.Samba Server :- Samba version 3.0.23c-2 (included in Fedora Dvd)

Computer Name:-server 

Comment :- Domain Controller

Domain Name :- rizvi.com

Domain admin Name :- root
Ip Address :- 192.168.0.10

Client

a.Operating System :- Windows Xp Sp2

Computer Name :- wxp
Domain Name :-     rizvi.com
Ip Address :- 192.168.0.20

Configuration

Server

1.  

vi /etc/hosts

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       localhost.localdomain    localhost
192.168.0.10    server

2.

vi /etc/sysconfig/network

NETWORKING=yes
HOSTNAME=server

3.

vi /etc/sysconfig/network-scripts/ifcfg-eth0

# Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE]
DEVICE=eth0
BOOTPROTO=static
BROADCAST=192.168.0.255
HWADDR=00:0C:29:9E:C2:10
IPADDR=192.168.0.10
NETMASK=255.255.255.0
NETWORK=192.168.0.0
ONBOOT=yes

4.

vi /etc/samba/smb.conf

[global]

workgroup = rizvi.com

netbios name = Server
server string = 

security = user
encrypt passwords = yes

domain logons = yes


local master =yes
os level = 65
preferred master = yes


domain master = yes

wins support = yes

[homes]
   comment = Home Directories
   browseable = no
   writeable = yes

5.

add a group for Clents in /etc/group by typing:-

 groupadd -r DomainClientComputers

Register in that group Machine name to be join  in /etc/passwd by typing:-

 useradd -r -g DomainClientComputers -d /dev/null -s /dev/null vxp$

Add Machine Nane in /etc/samba/smbpasswd

 smbpasswd -a -m vxp

6.
Add root as a domain admin purpose in  /etc/samba/smbpasswd

smbpasswd -a root

7.

adduser sohail

Add sohail as a client user in /etc/samba/smbpasswd

smbpasswd -a sohail

8.

service smb restart

9.
chkconfig smb on

Mount Samba share using fstab

To mount a Samba share when Linux system comes up after reboot

edit the /etc/fstab file and put entry as follows for your Windows/Samba share:

//ntserver/share /mnt/samba smbfs username=username,password=password 0 0

For example,
if you want to mount a share called //ntserver/docs then you need to write following entry in /etc/fstab file:

//192.168.0.1/share /mnt/samba smbfs username=sohail,password=passwd123 0 0

Using Samba As File Server in Linux with guest(Anonymous) login and read-write access

1. Create a folder for share purpose

    mkdir sharedrive

2.Give full access to that folder

   chmod 777 sharedrive

3.Edit smb conf file

 vi /etc/samba/smb.conf

[global]

# workgroup = NT-Domain-Name or Workgroup-Name

   workgroup = WORKGROUP

                                                                               

# server string is the equivalent of the NT Description

   server string = Samba Server

                                                                            

map to guest = bad user

                                                                              

encrypt passwords = yes

lanman auth = Yes

                                                                               

[Guest Share]

       comment = Guest access share

       path = /sharedrive

       guest ok = yes

       writeable = yes

       create mask = 777

4.Test smb.conf file

 testparm

5.Restart the service

service smb restart

6.chkconfig smb on

Setting Hostname(Computer Name) in Linux (RedHat)

Edit the following files with vi

1.

           /etc/hosts

# Do not remove the following line, or various programs

# that require network functionality will fail.

127.0.0.1    localhost.localdomain localhost

192.168.0.20    sohail.bom.labs.net

2.

          /etc/sysconfig/network

NETWORKING=yes

HOSTNAME=sohail.bom.labs.net

Configure ipaddress in linux

1.edit the file with vi

vi/etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.0.20
NETMASK=255.255.255.0
GATEWAY=192.168.0.1


2.To put Dns Server ip address
vi /etc/resolv.conf
nameserver=192.168.0.10

3.restart the network service
service network restart

How to install Linux / UNIX *.tar.gz tarball files

Tarballs are a group of files in one file. Tarball files have the extension .tar.gz, .tgz or .tar.bz2. Most open source software use tarballs to distribute programs/source codes.

# 1: Uncompress tarball

To uncompress them, execute the following command(s) depending on the extension:
$ tar zxf file.tar.gz
$ tar zxf file.tgz
$ tar jxf file.tar.bz2
$ tar jxf file.tbz2

Now change directory
$ ls
$ cd path-to-software/

# 2: Build and install software

Generally you need to type 3 commands as follows for building and compiling software:
# ./configure
# make
# make install

Where,

• ./configure will configure the software to ensure your system has the necessary functionality and libraries to successfully compile the package
• make will compile all the source files into executable binaries.
• Finally, make install will install the binaries and any supporting files into the appropriate locations.

# 3: Read INSTALL / README file

Each tarball comes with installation and build instructions. Open INSTALL or README file for more information:
$ vi INSTALL

How to replay YouTube video automatically

In the address bar, add the word "infinite" before the word "youtube".

This is the easiest way to put Youtube videos on loop.

When you are finished your address bar should be changed from:

Code:

http://www.youtube.com/watch?v=MrMNHwmd9Hc

To

Code:

http://www.infiniteyoutube.com/watch?v=MrMNHwmd9Hc

How to make an OS X Lion USB thumb drive

Here are three different ways to put Lion on a USB thumb drive. If you buy and install Lion from the App Store  it downloads all 3Gigabytes from the App Store, installs Lion, then deletes the installer!  So when you go to install it on another machine it needs another 3Gigabyte download! Here’s how to make a re-usable installer.

Option 1: Put a full bootable Lion installation on the USB Drive with a recovery partition.

What you need: an 8G thumb drive and OS X Lion from the App Store.

What you get: A USB stick you can boot off and repair your Lion installation from.

Download the Lion installer from Apple App Store. DO NOT INSTALL IT ONTO YOUR COMPUTER OR THE INSTALLER WILL DELETE ITSELF. MAKE A COPY OF THE INSTALLER.  If you have already installed it and it has deleted itself,  go back into the App store and click on ‘purchases’ and next to Lion it will say ‘Installed’. Now option-click on ‘purchases’ and ‘installed’ will change to ‘install’ so that you can re-download the installer.

Format your Thumbdrive using a GUID Partition Table, and ‘ Mac OS Extended (Journaled)’, then you can run the Lion installer and install Lion onto the thumb drive.

More info here: http://support.apple.com/kb/HT4718

Option 2: Create a Lion Recovery Disk.

You’ll only need a 4G USB Drive for this option.

How to Air Print to ANY printer from your iPod, iPad or iPhone

Apple has introduced a ‘print’ button onto iPads, iPhones and iPods to allow you to print directly to a printer from your iOS device. Unfortunately  you need a special AirPrint enabled printer. Thankfully there is a free application called ‘AirPrint Activator’ that allows you to print to any printer, here’s where to get it and how to use it.

AIRPRINT

On your iPhone at the bottom of some apps is a ‘share’ button. If you click this button you get a menu of different ways to share the content, one of these options is ‘print’ as shown below.

Share Button