How to debug squid ACLs

For tricky squid ACL troubleshooting situations, it is helpful to be able to see which access control entries a request matches and does not match. This information can be discovered easily using squid’s debugging facility.

Step 1: RTFM

Check which debug sections are available: http://wiki.squid-cache.org/KnowledgeBase/DebugSections

In this case, we can see that squid’s ACLs are managed by section 28.

Step 2: Make squid more chatty

Given the ACL section, we can tell squid to log more information about ACL traversal. We give it the section number (28) and the log level (3, or similar) in squid.conf (usually near the top).

Code:

debug_options 28,3

… and we tell the daemon to re-read the configuration:

service squid reload

Step 3: Test and evaluate

Now check the logs:

tail -f /var/log/squid/cache.log

Note: realistically you probably don’t want to tail the log. Instead, reproduce the failing request against your web site, then open cache.log with ‘less’ (or similar) and search for the site’s hostname.

In this example my blocklist had downloaded some unfiltered characters and ended up with a zero ("0") on a line by itself. Because the list is matched as regular expressions, a bare 0 matches any host containing that digit, such as mt0.google.com. (Why the zero ended up there is a different conversation.)

2015/01/07 15:51:42.237| ACL::checklistMatches: checking 'zeus_block_list'
2015/01/07 15:51:42.237| aclRegexData::match: checking 'mt0.google.com'
2015/01/07 15:51:42.237| aclRegexData::match: looking for '24b5'
2015/01/07 15:51:42.237| aclRegexData::match: looking for '0'
2015/01/07 15:51:42.238| aclRegexData::match: match '0' found in 'mt0.google.com'
2015/01/07 15:51:42.238| ACL::ChecklistMatches: result for 'zeus_block_list' is 1

Removing the zero from zeus_block_list and reloading squid resolved the issue.

Note that true evaluations are represented by 1, while false evaluations are represented by 0.
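The trace above can be summarised automatically, and the blocklist checked for more entries like the stray zero. The following is an added example, not code from the original post; the sample trace is constructed from the cache.log excerpt above, and the blocklist file path is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise a debug_options 28,3 trace so you
# can see which ACL fired, for which host, on which pattern, and lint a regex blocklist
# for entries so short that they match almost anything (like the bare "0" above).

# Constructed sample trace, copied from the cache.log excerpt in the post.
sample_trace() {
  cat <<'EOF'
2015/01/07 15:51:42.237| ACL::checklistMatches: checking 'zeus_block_list'
2015/01/07 15:51:42.237| aclRegexData::match: checking 'mt0.google.com'
2015/01/07 15:51:42.237| aclRegexData::match: looking for '24b5'
2015/01/07 15:51:42.237| aclRegexData::match: looking for '0'
2015/01/07 15:51:42.238| aclRegexData::match: match '0' found in 'mt0.google.com'
2015/01/07 15:51:42.238| ACL::ChecklistMatches: result for 'zeus_block_list' is 1
EOF
}

# Read a section-28 trace on stdin; print one tab-separated line per ACL evaluation:
# acl, subject checked, pattern that matched (empty if none), result (1 = true, 0 = false).
acl_matches() {
  awk -F"'" '
    tolower($0) ~ /acl::checklistmatches: checking/   { acl = $2; subj = ""; pat = "" }
    /aclRegexData::match: checking/                    { subj = $2 }
    /aclRegexData::match: match/                       { pat = $2; subj = $4 }
    tolower($0) ~ /acl::checklistmatches: result for/ { n = split($3, a, " "); print acl "\t" subj "\t" pat "\t" a[n] }
  '
}

# Flag blocklist lines shorter than 4 characters (including empty ones); as regexes they
# match nearly every URL. Usage: lint_blocklist /etc/squid/zeus_block_list (assumed path).
lint_blocklist() {
  awk 'length($0) < 4 { printf "line %d: suspiciously short pattern [%s]\n", NR, $0 }' "$1"
}

# Stand-alone demo: summarise the constructed trace.
sample_trace | acl_matches
```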

Step 4: Post-troubleshooting cleanup

It is important to disable the debug_options when you are finished troubleshooting. They produce a copious amount of logging, and they can generally be a (disk space) liability when you aren’t using them.

To reverse the changes, simply comment out the debug_options line above, and reload squid.

Thanks to FreeBSD forums for the walk-through

Run MySQL in the foreground

Well, actually it’s not in the foreground; it logs to a file, but if you tail/follow that log file you can pretend it is the foreground :-)

mysqld_safe --log-error=/var/log/mysql.err

If you have imported a database for forensic investigation and don’t know the database password, you can skip authentication entirely (bear in mind this disables privilege checks for every client that can reach the server, not just your session):

mysqld_safe --skip-grant-tables --log-error=/var/log/mysql.err

SSH Forced commands from Web Page

Are you a paranoid nerd whose business requirements are very strict about IT security? No? Well, you may as well stop reading here.

Perhaps you have a business requirement to perform some function on a server that only allows SSH access, but the rest of the business wants simple push-button access to that function?

Well, with SSH forced-command wrappers, SSH keys and PHP, you too can give the rest of the business simple click-button access!

Basically, on a Linux Apache server with PHP, use the following code:
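The post’s own PHP code is not reproduced on this page. As an added example (not the post’s code), here is the server side of the idea: the forced-command wrapper that the web page’s SSH key is pinned to, so the button can trigger only a fixed menu of actions. The authorized_keys entry, the /usr/local/bin/ssh-menu path and the two menu actions are assumptions.

```shell
#!/bin/sh
# Added example, not the code from the original post: a forced-command wrapper for the
# key the web page uses. Assumed authorized_keys entry on the target server (hypothetical):
#   command="/usr/local/bin/ssh-menu",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... web-button
# sshd ignores the command the client asked for and runs this script instead, exposing the
# request only through SSH_ORIGINAL_COMMAND; we never execute that string, we only match it.

# The fixed menu. Each entry is a hard-coded command; the key holder cannot add arguments.
run_action() {
  case "$1" in
    status)     date -u; df -h / ;;
    reload-web) service apache2 reload ;;   # assumed Debian-style service name
    *)          return 1 ;;
  esac
}

# Accept only a single bare word from the allow-list; anything with spaces, quotes,
# slashes or other metacharacters is refused before it can reach a shell.
dispatch() {
  req="${SSH_ORIGINAL_COMMAND:-}"
  case "$req" in
    ""|*[!A-Za-z0-9-]*)
      echo "ssh-menu: refused request [$req]" >&2
      return 1 ;;
  esac
  run_action "$req" || { echo "ssh-menu: unknown action [$req]" >&2; return 1; }
}

# When sshd runs this script from the assumed install path, dispatch the request.
case "$0" in */ssh-menu) dispatch; exit $? ;; esac
```

The PHP side then only needs to run something like `ssh -i /path/to/key user@host status`; whatever it sends, the server runs nothing outside the menu.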

Enable Apache’s inbuilt chroot functionality

This works on all versions of Apache webserver greater than 2.2.10.
I’ll presume you have a current working version of Apache serving files from /var/www/

mkdir -p /chroot/var/ /chroot/etc /chroot/usr/share

Required for PHP5 compatibility:

mkdir -p /chroot/var/lib/php5
chown root:www-data /chroot/var/lib/php5
chmod 770 /chroot/var/lib/php5
cp /etc/localtime /chroot/etc/localtime
cp -R /usr/share/zoneinfo /chroot/usr/share/zoneinfo
cp -R /usr/share/apache2 /chroot/usr/share/apache2 
mv /var/www /chroot/var/ 

To help with compatibility and user/sysadmin expectations:

ln -s /chroot/var/www /var/www 

Enable Apache’s in-built chroot (Debian)

echo "ChrootDir /chroot" > /etc/apache2/conf.d/chroot 

Enable Apache’s in-built chroot (Redhat/CentOS/Fedora)

echo "ChrootDir /chroot" >> /etc/httpd/conf/httpd.conf
semanage fcontext -a -t httpd_sys_content_t "/chroot/var/www(/.*)?"
restorecon -R /chroot/var/www
service httpd restart

(On Debian the service is apache2: service apache2 restart)

Now test your damn website! Logfiles are your friend for troubleshooting any bugs :-)
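Before and after that restart it is worth checking the jail itself rather than only the web site. The following is an added example, not from the original post: it verifies the directories and permissions created above and, after the restart, that the worker processes really have /chroot as their root. The jail root is passed as an argument (the post uses /chroot).

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the jail built above before and
# after the restart. $1 is the jail root (the post uses /chroot); directory names, the
# 770 mode and the php5 path follow the post. stat -c is GNU coreutils (Linux).

check_jail() {
  jail="$1"; rc=0
  for d in var/www var/lib/php5 etc usr/share/zoneinfo usr/share/apache2; do
    if [ -d "$jail/$d" ]; then echo "ok      $jail/$d"; else echo "MISSING $jail/$d"; rc=1; fi
  done
  [ -f "$jail/etc/localtime" ] || { echo "MISSING $jail/etc/localtime"; rc=1; }
  if [ -d "$jail/var/lib/php5" ]; then
    mode=$(stat -c '%a' "$jail/var/lib/php5")
    [ "$mode" = "770" ] || { echo "BAD MODE $mode on $jail/var/lib/php5 (want 770)"; rc=1; }
  fi
  return $rc
}

# After the restart: every httpd/apache2 process should report the jail as its root
# (reading /proc/PID/root needs root; processes we cannot inspect are skipped).
workers_in_jail() {
  jail="$1"; bad=0
  for pid in $(pgrep -x apache2 2>/dev/null; pgrep -x httpd 2>/dev/null; true); do
    root=$(readlink "/proc/$pid/root" 2>/dev/null) || continue
    [ "$root" = "$jail" ] || { echo "pid $pid has root $root, not $jail"; bad=1; }
  done
  return $bad
}

# Usage: check_jail /chroot && workers_in_jail /chroot
```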

Squid ICAP Syntax with F-Secure Internet Gate Keeper (IGK)

*** UPDATE September 2015 - This article has been updated with the correct syntax and confirmed working on Squid 3.3.8 ***

The documentation for IGK is somewhat lacking on the ICAP settings, but it does say "Refer to the documentation of the proxy for information on how to set it up". That’s not very helpful, so I contacted F-Secure technical support and asked them. This is the reply:

You will need to add these lines to Squid config file:

icap_enable on
icap_send_client_ip on
icap_service service_req reqmod_precache bypass=1 icap://[IP address of IGK]:1344/request
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=0 icap://[IP address of IGK]:1344/response
adaptation_access service_resp allow all

Unfortunately that still doesn’t work for some unknown reason and I am only getting the error:

ErrPage: ERR_CANNOT_FORWARD

I don’t have any more time to spend on this, I guess I’ll just use the F-Secure HTTP proxy as a parent proxy for squid.