- Date:8/26/2019
- Transparent Proxy Open Source Port called Squid on FreeBSD
Squid Proxy Port Version 4.8 for FreeBSD 12.0 using PF
This document describes the procedure for setting up a Squid proxy as a baseline standard control for CIPA:
SQUID TRANSPARENT PROXY ON FREEBSD
The date the procedure becomes effective: 8/24/2019
- List of procedural steps:
- Section 1.1 Installation of FreeBSD
- Section 1.2 Network Setup
- Section 1.3 Update Ports
- Section 1.4 Install ca_root_nss
- Section 1.5 Install & Configure dhcpd
- Section 1.6 Install & Configure Squid
- Section 1.7 Create HTTPS Certificate for Squid using OpenSSL
- Section 1.8 PF setup
- Section 1.9 Run Squid
PROCEDURE
1.1. Section 1.1
-----Installation of FreeBSD------
Installing FreeBSD involves several steps, which are described in detail at:
www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/
Some of the steps involve:
- Minimum Hardware Requirements
- Pre-Installation Tasks
- Starting the Installation
- Allocating Disk Space
- Committing to the Installation
- Post-Installation
- Troubleshooting
After FreeBSD is installed, Squid needs read access to /dev/pf (the PF device it queries for transparent interception).
The following command will help you edit the correct file so the device ownership and permissions let Squid function properly:
vi /etc/devfs.conf
#add the following lines to the devfs.conf by entering insert mode - i on the keyboard
own pf root:squid
perm pf 0640
1.2. Section 1.2
---------Network setup---------
After FreeBSD is installed, the internet connection must be configured so that Squid and the dependencies required for this procedure can be downloaded and installed.
The following command will help you edit the correct file so FreeBSD can
access the internet:
vi /etc/rc.conf
#add the following lines to the rc.conf file by entering insert mode - i on the keyboard
wlans_iwm0="wlan0"
ifconfig_em0="inet 10.191.135.1 netmask 255.255.255.0"
ifconfig_wlan0="WPA SYNCDHCP"
rtadvd_enable="YES"
rtadvd_interfaces="em0"
dhcpd_enable="YES"
dhcpd_ifaces="em0"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
gateway_enable="YES"
#to save the preceding lines to the rc.conf file press the Shift key plus the Colon key and type the following command:
wq!
The following command will help you edit the correct file so FreeBSD can use the wireless interface to access the internet:
vi /etc/wpa_supplicant.conf
#add the following lines to the wpa_supplicant.conf file by entering insert mode - i on the keyboard
network={
ssid="Upland"
proto=RSN
pairwise=CCMP TKIP
key_mgmt=WPA-PSK
psk="password"
}
#to save the preceding lines to the wpa_supplicant.conf file press the
Shift key plus the Colon key and type the following command:
wq!
#Option 2: add the following lines instead to the wpa_supplicant.conf file by entering insert mode - i on the keyboard
ctrl_interface=/var/run/wpa_supplicant
eapol_version=2
ap_scan=1
fast_reauth=1
network={
ssid="Upland"
scan_ssid=0
psk="password"
priority=5
}
network={
priority=0
key_mgmt=WPA-PSK
}
#to save the preceding lines to the wpa_supplicant.conf file press the
Shift key plus the Colon key and type the following command:
wq!
The following command will help you restart FreeBSD so you can
use the wireless interface configuration to access the internet:
shutdown -r now
1.3 Section 1.3
---------Update ports-----------
The following command will help you update the FreeBSD ports collection so you
can install the most recent version of squid and the other dependencies needed:
svnlite co svn://svn.freebsd.org/ports/head /usr/ports
1.4 Section 1.4
------------Install ca_root_nss---------
The “ca_root_nss” Port is needed for the Squid configuration file.
The following command will help you navigate to the FreeBSD port called ca_root_nss:
cd /usr/ports/security/ca_root_nss
make install clean
1.5 Section 1.5
---------Install DHCPD 6.4.2 --------------
The following commands will help you navigate to the FreeBSD port called dhcpd
so you can install it and other dependencies needed for this procedure:
cd /usr/ports/net/dhcpd
make install clean
The following command will help you edit the dhcpd configuration file:
vi /usr/local/etc/dhcpd.conf
#add the following lines to the dhcpd.conf file by entering insert mode - i on the keyboard
option domain-name "ampshock-router.com";
option domain-name-servers 208.67.222.222, 209.244.0.3, 156.154.70.1;
option subnet-mask 255.255.255.224;
default-lease-time 14400;
max-lease-time 86400;
subnet 10.191.135.0 netmask 255.255.255.0 {
range 10.191.135.31 10.191.135.100;
option routers 10.191.135.1;
}
1.6 Section 1.6
---------Squid 4.8 setup--------------
The following commands will help you navigate to the FreeBSD port called Squid
so you can install it and the other dependencies needed for this procedure.
Please be sure to select the appropriate installation options for this procedure by
reading the instructions that follow the make install clean command:
cd /usr/ports/www/squid
make install clean
Within the Squid installation options make sure to select TP_PF
(transparent proxying with PF).
Select OK to install pcre-8.43_2.
The following commands will help you copy the Squid configuration file from a text file on a USB drive to the FreeBSD box.
You first need a USB drive with a file system that FreeBSD can read. A file system that works on both FreeBSD and Mac OS X is MS-DOS (FAT32). Most Mac computers have a Disk Utility where you can reformat the USB drive if its file system does not work with this procedure. You then need to create a temporary mount point on FreeBSD in the /mnt directory.
Then you can mount the USB drive using a built-in command. The device name the operating system assigns to the USB drive when you plug it in may vary, so the mount command may differ.
In this example the USB drive appeared as da0 and its first slice, da0s1, is the one mounted. Afterwards you can unmount the USB drive with the umount command:
mkdir /mnt/usb
mount_msdosfs /dev/da0s1 /mnt/usb
cp /mnt/usb/squid.conf /usr/local/etc/squid/
umount /mnt/usb
The following command will help you edit the Squid configuration file:
vi /usr/local/etc/squid/squid.conf
#add the following lines to the squid.conf file by entering insert mode
shutdown_lifetime 0 seconds
acl manager proto cache_object
acl localnet src 0.0.0.1-0.255.255.255
acl localnet src 10.0.0.0/8
acl port_443 port 443
acl ports_80_443 port 80 443
acl CONNECT method CONNECT
acl good_sites dstdomain '/usr/local/etc/squid/squid_good'
acl bad_sites dstdomain '/usr/local/etc/squid/bad_d'
visible_hostname ampshock.router.com
http_access allow good_sites
http_access deny bad_sites
http_access allow localhost manager
http_access deny manager
http_access deny !ports_80_443
http_access deny CONNECT !port_443
http_access deny to_localhost
http_access allow localnet
http_access deny all
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump generate-host-certificates=on cert=/usr/local/etc/squid/proxyCA.pem options=NO_SSLv2
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump port_443
sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /usr/local/etc/squid/ssl_db -M 4MB
sslcrtd_children 8 startup=3 idle=1
cache_mem 512 MB
cache_dir aufs /var/squid/cache 10000 16 256
coredump_dir /var/squid/cache
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
tls_outgoing_options cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
tls_outgoing_options cafile=/etc/ssl/cert.pem
tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
1.7 Section 1.7
-Create a HTTPS certificate for Squid using OpenSSL-
The following command will help you navigate to the Squid configuration directory:
cd /usr/local/etc/squid
The following command will help you create a new self-signed CA certificate and its private key (both written to proxyCA.pem) using OpenSSL:
openssl req -new -newkey rsa:2048 -sha256 -days 1095 -nodes -x509 -extensions v3_ca -keyout proxyCA.pem -out proxyCA.pem
Answer the prompts with the values used in this procedure:
Country: US
State: Michigan
Locality: City
Organization: Ampshock2
Organizational Unit: Network
Common Name: Ampshock.router.com
Email: Email@email.com
The following command will help you extract the public HTTPS certificate (without the private key) into proxyCA.crt using OpenSSL:
openssl x509 -in proxyCA.pem -out proxyCA.crt
The following command will help you navigate to a Squid supplementary directory for this procedure:
cd /usr/local/libexec/squid
The following command will help you run a Squid supplementary script which will
create a directory needed for HTTPS for this procedure:
./security_file_certgen -c -s /usr/local/etc/squid/ssl_db -M 4MB
The following command will help you navigate to the directory the
security_file_certgen script just created for this procedure:
cd /usr/local/etc/squid
The following commands will help squid be able to read the directory that the
security_file_certgen script just created for this procedure:
chown -R squid:squid ssl_db
chmod -R 700 ssl_db
The following lines will help Squid allow specific URLs using a regular expression (regex). Place the acl line inside squid.conf near the access control list (ACL) section
and make sure an http_access line allows the ACL. This example will allow a website such as "www.google.com/a/wccnet.edu/ServiceLogin" but it will not match all of "google.com":
acl wccnet url_regex .*wccnet.*
http_access allow wccnet
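Because Squid stops at the first http_access line whose ACLs all match, the order of the lines in Section 1.6 (and where the wccnet allow from Section 1.7 is placed) decides what gets through. The following added example, which is not part of this procedure or of Squid, simulates that rule chain offline; it models only the ACL types used above, treats localnet as 10.0.0.0/8, and uses constructed stand-ins for the squid_good and bad_d files.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed stand-ins for the squid_good and bad_d files (one dstdomain entry per line).
# A leading dot matches the domain and all of its subdomains; no dot means that exact host only.
GOOD_SITES = [".freebsd.org", ".squid-cache.org", "accounts.google.com"]
BAD_SITES = [".blocked.example"]

def dstdomain_match(host, entries):
    """Squid dstdomain matching for a list of entries."""
    host = host.lower().rstrip(".")
    for e in entries:
        e = e.lower()
        if e.startswith("."):
            if host == e[1:] or host.endswith(e):
                return True
        elif host == e:
            return True
    return False

def is_localhost_dst(host):
    """Approximates the built-in to_localhost ACL (dst 127.0.0.0/8); real Squid also resolves names via DNS."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"

def decide(method, url, client_ip):
    """Walk the http_access lines in squid.conf order; the first line whose ACLs
    all match decides, as in Squid. The manager lines are skipped (cache-manager only)."""
    u = urlsplit(url if "://" in url else "https://" + url)   # CONNECT requests give host:port
    host = (u.hostname or "").lower()
    port = u.port or (443 if u.scheme == "https" else 80)
    localnet = ipaddress.ip_address(client_ip) in ipaddress.ip_network("10.0.0.0/8")
    connect = method.upper() == "CONNECT"
    rules = [  # (does this line match?, verdict)
        (dstdomain_match(host, GOOD_SITES), "allow"),            # allow good_sites
        (dstdomain_match(host, BAD_SITES), "deny"),              # deny bad_sites
        (port not in (80, 443), "deny"),                         # deny !ports_80_443
        (connect and port != 443, "deny"),                       # deny CONNECT !port_443
        (is_localhost_dst(host), "deny"),                        # deny to_localhost
        (localnet, "allow"),                                     # allow localnet
        (re.search(r".*wccnet.*", url) is not None, "allow"),    # allow wccnet; must stay above deny all
    ]
    for matched, verdict in rules:
        if matched:
            return verdict
    return "deny"                                                # deny all
```

Note that an "http_access allow wccnet" line appended after "http_access deny all" can never match, since deny all already decided every request.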
1.8. Section 1.8
-----------PF setup------------
The following command will help you edit the correct file so FreeBSD can
start PF and find the PF configuration file when the computer is rebooted:
vi /etc/rc.conf
#add the following lines to the rc.conf by entering insert mode - i on the keyboard
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_program="/sbin/pfctl"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
The following command will help you edit the correct file so FreeBSD can
redirect HTTP and HTTPS packets to the correct port and interface so that Squid
can act as a Proxy to the internet:
vi /etc/pf.conf
#add the following lines to the pf.conf by entering insert mode - i on the keyboard
ext_if="wlan0"
int_if="em0"
icmp_types = "echoreq"
ports="{53,443,3130,3129,3128,80}"
ports_udp="{53}"
set block-policy return
set loginterface $ext_if
set skip on lo0
scrub in all
nat on $ext_if inet from $int_if:network to any -> ($ext_if)
rdr pass inet proto tcp from 10.191.135.0/24 to any port 80 -> 10.191.135.1 port 3129
rdr pass inet proto tcp from 10.191.135.0/24 to any port 443 -> 10.191.135.1 port 3130
block in
pass quick on lo0 all
pass in quick on $int_if
pass in quick on $ext_if
pass out keep state
# allow local squid connections
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
# allow access to www
pass in on $int_if inet proto tcp from any to any port www keep state
# allow ping
pass in inet proto icmp all icmp-type $icmp_types keep state
# allow all traffic from internal network to internal interface
pass in on $int_if inet proto tcp from $int_if:network to any port $ports keep state
pass out on $int_if inet proto tcp from any to $int_if:network port $ports keep state
pass in on $int_if inet proto udp from $int_if:network to any port $ports_udp
pass out on $int_if inet proto udp from $int_if:network to any port $ports_udp
# allow all traffic out via external interface
pass out on $ext_if inet proto tcp from any to any port $ports modulate state flags S/SA
pass out on $ext_if proto udp from any to any port $ports_udp keep state
###pass in on $ext_if inet proto gre to $ext_if keep state
1.9 Section 1.9
-------Run squid------
The following command will help Squid create the cache directories
required for running the proxy to the internet (press Ctrl + c once it has finished):
squid -z
Ctrl + c
The following command will start the squid Proxy to the internet:
squid
STANDARD
This procedure relates to the FCC CIPA regulation
FORMS
ToDO: List any form numbers and names and their location if any are
needed to conduct this procedure.
PROCEDURE HISTORY
Version 1.2 Effective 8/26/2019
Version 1.1 Effective 8/24/2019
Version 1.0 Effective 8/14/2019
INFORMATION AND ASSISTANCE
Contact the website owner for further information regarding this procedure.
APPROVED
Alex Peplinski [Director of Upland Information Security Policies] 8/14/2019
KEYWORDS
ToDO: Indicate any cross references, aliases, phrases, or terms that
describe the procedure. Define all acronyms and abbreviations.
1.4 Section 1.4
------Install and update openssl------
The following commands will help you navigate to the FreeBSD port called OpenSSL
so you can install the most recent version of OpenSSL and the other dependencies needed:
cd /usr/ports/security/openssl
make install clean
Uncheck DOCS and MANPAGES in the port options.
Select OK for perl5-5.26.2.
ASSOCIATED RESOURCES
This standard is augmented by…
The following command will help you view the process id of Squid
if you need to stop and restart Squid:
vi /var/run/squid/squid.pid
# then kill the process id displayed inside squid.pid (12345 below stands for that id)
kill 12345
The following commands will help you view any errors during the starting of Squid
if you are having errors or problems:
vi /var/log/squid/access.log
and
vi /var/log/squid/cache.log
The following commands will help you restart PF and load its configuration file:
pfctl -d
pfctl -e ; pfctl -f /etc/pf.conf
The following command may help you to see which ports Squid is listening on
ps -aux
To delete the FreeBSD ports tree so that all ports can be fetched again with the command from Section 1.3, type the following command:
rm -rf /usr/ports
Various files inside the Squid errors directory can be edited to display custom messages
for different kinds of results, such as an access denied result:
vi /usr/local/etc/squid/errors/en/ERR_ACCESS_DENIED
The %U in that file can be changed to %u to show more information about which IP address is
not allowed to be accessed.
The following is a suggested list of approved domain names that may be
added to the squid_good file inside the Squid directory (one entry per line; a leading dot matches the domain and all of its subdomains).