Versions Compared

Old Version 3

changes.mady.by.user Dick Visser

Saved on

compared with

New Version Current

changes.mady.by.user Dick Visser

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 5.3

 

 

Some of our systems have extra "security needs", and they are not allowed to initiate outgoing connections by default. This means that IP ACLs are used so that they can only reach neccessary services reach necessary services (SMTP gateway, DNS resolvers, NTP etc).

...

Because we do not need any caching, but only the access restriction part, I choose tinyproxy because it is very light weight and simple.

The only downside is that the tinyproxy that sits in Ubuntu 12.04 does not listen on It support both IPv4 and IPv6 at the same time (sad)

2013-01-04 Shame on me... I didn't test properly (sad) but the good news is that tinyproxy does work on both protocols (smile)

I assumed that this result:

root@proxy:~# netstat -tlnpvw | grep tinyproxy
tcp6 0 0 :::8888 :::* LISTEN 3946/tinyproxy

meant that it didn't listen on v4... but I was wrong. In summary:

 

:

Code Block
themeMidnight
languagebash
# This
Code Block
languagepowershell
Listen ::
#This will accept connections on IPv6, but also on IPv4: (IPv4-mapped IPv6 addresses are used:)
#CONNECT Jan 04 15:29:13 [23566]: Connect (file descriptor 6): host.terena.org [::ffff:192.87.30.2]
Listen 0.0.0.0Listen ::

# This will listen on IPv4 only
Listen 2001:610:148:dead::6660.0.0.0
# This will listen only on the specified IPv6 address. Not nice, but workable.
Listen 2001:610:148:dead::666

 

Whitelist

I configured tinyproxy to block everything, except a list of domains, by using this configuration:

Code Block
FilterDefaultDeny Yes
Filter "/etc/whitelist"
FilterExtended On

Don't just add domains to the list, because it will be interpreted as regular expressions.

So if you add microsoft.com, the domain roguedomain-microsoft.com will also be accepted.

My list looks like this:

 

Take care when building the white list. While the following entry might look OK and will work OK at first sight:

microsoft.com

It is interpreted as a regular expression, so roguedomain-not-owned-bymicrosoft.com will also be accepted.

I wanted a regex to allow:

  • domain.com
  • subdomain.domain.com
  • any.number.of.subdomains.domain.com

Some other sites:
  • s-microsoft.com as well, as this is used a lot in updates.
  • mstfncsi.com is a web site used by the Network Connectivity Status Indicator, Windows' network awareness tool (see http://blog.superuser.com/2011/05/16/windows-7-network-awareness/). 
  • Don't forget that systems might access CRLs or OCSP responders, which are hosted on thawte.com and public-trust.com.
Thus my whitelist look like this:
Code Block
^(.*\.|)microsoftupdate\.com$
^(.*\.|)msftncsi\.com$
^(ocsp|crt)(s-)?microsoft\.tcs\.terena\.org$
^(.*\.|)public-trust\.com$
^crl\.globalsign\.net$
^(.*\.|)windowsupdatesecunia\.com$
^(.*\.|)microsoftupdatethawte\.com$
^(.*\.|)secunia)(s-)?microsoft\.com$
^(.*\.|)vmwareusertrust\.com$
^ocsp\.comodoca\.com$
^(.*\.|)msftncsiverisign\.com$
^(.*\.|)public-trustvmware\.com$
^(.*\.|)windowsupdate\.com$
^(api|dellincca|downloads|ftp|)thawte\.com$www)\.dell\.com$
^www\.adobe\.com$
^update\.exactsoftware\.com$

This list is the initial list. By monitoring the log files you can adjust the list. This is an iterative process, it takes a while to establish a list that is 'right'.

 

Configuring operating systems and software to use the proxy

...

  1. The "Windows Update" start menu items opens up http://update.microsoft.com/windowsupdate/v6/default.aspx in an Internet Explorer browser window. In order for this to work through a proxy, go to Control Panel -> Internet Options. This will bring up the IE settings dialog, settings dialogue  go to Connections -> LAN settings, and fill in the stuff there.

  2. For automatic updates to work, go to Control Panel -> System -> Automatic Updates, and configure it to your needs (I usually let them install automatically because I don't have the time to look at all the updates, let alone test them. If an update screws up - though luck).
    The updates downloading is done by BITS, but this does not honour any of the stuff from Internet Options. Proxy settings for BITS are configured using the proxycfg command:

    Code Block
    C:\Documents and Settings\Administrator>proxycfg -p proxy.terena.org:8888
Microsoft (R) WinHTTP Default Proxy Configuration Tool
Copyright (c) Microsoft Corporation. All rights reserved.
Updated proxy settings
Current WinHTTP proxy settings under:
  HKEY_LOCAL_MACHINE\
    SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
      WinHttpSettings :
    Proxy Server(s) :  proxy.terena.org:8888
    Bypass List     :  (none)

      

...

Code Block
C:\Users\Administrator>netsh winhttp set proxy proxy6.terena.org:8888 "<local>"
Current WinHTTP proxy settings:
    Proxy Server(s) :  proxy6.terena.org:8888
    Bypass List     :  (none)

...

In the client version Windows Vista, 7, and 8 this works the same.

Monitoring

 

To keep an eye on any refused domain domains that your hosts might try to access that are not allowed, run this shell script every morning , after the log files have been rotated (7AM 7 AM on Ubuntu systems is goodfor instance): 

Code Block
languagebash
#!/bin/sh
# Filter PIDs that handled refused domains
TP_LOG="/var/log/tinyproxy/tinyproxy.log"
grep 'Proxying refused' "$TP_LOG" |
sed -r 's/.*(\[[0-9]+\]).*/\1/g' | sort | uniq |
while read pid
        do grep \\$pid "$TP_LOG"
done |
grep -B2 refused

Based on the results, you can add stuff to the white list, or investigate what it going on.