The following script will get the listening port of a dynamic instance name on Microsoft SQL Server
Continue reading “PowerShell: SQL Server Dynamic Port Instance”
Author MysticRyuujin
Generating Ethereum Accounts and Addresses
Generate a new Private Key and associated Public Address
Continue reading “Generating Ethereum Accounts and Addresses”
Ethereum: Always on Geth Node on Ubuntu 16.04
The following script will install the Ethereum client “Geth” and configure it to run as a daemon/service running in the background using Supervisor. It has been upgraded to include instructions to upgrade supervisor to 3.3.3 (or whatever is newer) because the Ubuntu package sucks and has bugs.
Continue reading “Ethereum: Always on Geth Node on Ubuntu 16.04”
Cisco ASA and Squid WCCP on Ubuntu
In order to use WCCP with Squid it must be built to support WCCP. Unfortunatly the default apt-get install squid(3) doesn’t support WCCP out of the box so it has to be BUILT FROM SOURCE
Assuming you’ve built Squid with WCCP support (using my guide or not) the following is how to get WCCP working between a Cisco ASA and Squid on Ubuntu.
There is a huge gotcha with the Cisco ASA, it only supports GRE and the Clients and Squid have to be in the same subnet…You can get around this by using multiple dynamic instances but for most of my audience I think this isn’t a problem. If I get requests for instructions on that perhaps I’ll look into it?
Here are the variables I’m working with:
LAN: 192.168.10.0/24
ASA LAN IP Address: 192.168.10.1
SQUID eth0 IP Address: 192.168.10.80
#1. Configure the ASA:
CLI:
access-list WCCP_SERVERS extended permit ip host 192.168.10.80 any access-list LAN_WCCP_REDIRECT extended permit tcp 192.168.10.0 255.255.255.0 any eq www wccp web-cache redirect-list LAN_WCCP_Redirect group-list wccp_servers password ***** wccp interface LAN web-cache redirect in
Most guides will tell you that you need to deny the Squid LAN IP but that’s not true, the ASA will do it automagically.
#2. Configure Squid:
Add the following to /etc/squid/squid.conf:
http_port 3129 intercept wccp2_router 192.168.10.1 wccp2_forwarding_method gre wccp2_return_method gre wccp2_service standard 0 password=*****
Reconfigure squid to use the new config:
squid -k reconfigure
Now here’s an important part that almost all guide fail to mention. The ASA will pick a Router Identifier of it’s highest addressed interface once squid tries to connect to it for WCCP. You need go get that Router Identifier from the ASA:
show wccp
For our purposes let’s say that Router Identifier is 192.168.254.1
We need to create a script that will run when eth0 comes up and create the GRE interface and permits the WCCP traffic…so let’s create the following file:
vi /etc/network/if-up.d/wccp.sh
#!/bin/bash
if [ "$IFACE" == "eth0" ]; then
modprobe ip_gre
ip tunnel add wccp0 mode gre remote 192.168.254.1 local 192.168.10.80 dev eth0
ifconfig wccp0 192.168.10.80 netmask 255.255.255.255 up
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/wccp0/rp_filter
iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j REDIRECT --to-port 3129
fi
Notice that I use the Router ID and not the LAN IP for the remote tunnel IP.
Finally, we need to tell the system to run that script with eth0 comes up. So edit the interfaces file (/etc/network/interfaces) and include the following line under iface eth0 inet:
post-up /etc/network/if-up.d/wccp.sh
You should now be able to restart networking (or just reboot the system) and it should be working.
Install Squid 3.5 from Source on Ubuntu 16.04
The following assumes a fresh install of Ubuntu 16.04.01 LTS.
First I’m going to modify the sources.list file of apt to allow downloading of sources in order to build dependencies for squid automatically.
sed -i 's/# deb-src/deb-src/g' /etc/apt/sources.list
Now I’m going to fully update the OS:
apt-get update apt-get -y dist-upgrade reboot
Next I would normally install the Hyper-V tools because my SQUID is going to be on a Hyper-V VM, but if you’re not using Hyper-V you can skip this:
apt-get -y install --install-recommends linux-virtual-lts-xenial linux-tools-virtual-lts-xenial linux-cloud-tools-virtual-lts-xenial
Now build the squid dependencies:
apt-get build-dep squid
At the time of this writing the latest stable version is 3.5.24 so download it:
wget http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.24.tar.gz
extract it:
tar -xzf squid-3.5.24.tar.gz cd squid-3.5.24
Now we need to configure it and build it…in my case I wanted to add support for WCCP, which is why I needed to build from source…below is the default configuration options for squid if you just used apt-get install squid, modify it if you need/want:
./configure '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,smb_lm' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-build-info=Ubuntu linux' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security'
In my case I was perfectly happy with the Ubuntu defaults so I just added ‘–enable-wccpv2’ to that list of configuration options in order to support WCCP.
Now you can make and install it:
make make install
You can also optionally install the pinger:
make install-pinger
Now that Squid is installed you need to set some permissions:
chown -R proxy:proxy /etc/squid /var/log/squid
Those are the minimum permissions to set, however, if you plan on using caching also include your cache folder location.
Now in order to get Squid to start at boot do this:
cp ./tools/systemd/squid.service /etc/systemd/system/ systemctl enable squid
I suggest restarting the system at this point and verify everything comes up nicely.
