bpmcdevitt/proxy_centos
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

init commit. lets test!

Browse source
This commit is contained in:
Brendan McDevitt 2022-02-11 19:41:01 -06:00
parent 102765d0da
commit ffbeb3e620
6 changed files with 229 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
README.md
View file

@ -1,3 +1,14 @@
# proxy_centos
This project will setup multiple ip addresses that are assigned to a base CentOS 7 system. We are using OVH as our Cloud Provider in this project. We are using Squid as the proxy in this project.
This project will setup multiple ip addresses that are assigned to a base CentOS 7 system. We are using OVH as our Cloud Provider in this project. We are using Squid as the proxy in this project.
### Step 1:
Create a text file with one ip address per line and place it in the `./proxy_centos/bin/` directory. This file is essential and required for the bootstrap process to work.
### Step 2:
Run bootstrap.sh
`./bootstrap.sh`
This will do the following:
- Install squid proxy
- Create a new ifcfg-eth0:{index} for every ip address in ./ips.txt
- Append directives to squid.conf that for adding new ips as listeners.

13
bin/add_ip_to_squid_conf.sh Executable file
View file

@ -0,0 +1,13 @@
#!/usr/bin/env bash
# this script will add a new ip address to squid config.
IP="$1"
PORT="$2"
cat << EOF
http_port $IP:$PORT name=$PORT
acl tasty$PORT myportname $PORT src 0.0.0.0/0
http_access allow tasty$PORT
tcp_outgoing_address $IP tasty:$PORT
EOF

29
bin/bootstrap.sh Executable file
View file

@ -0,0 +1,29 @@
#!/usr/bin/env bash
# this is the bootstrap script that will do the following:
# 1. add ip addresses to a centos 7 system
# 2. install a squid proxy with basic auth username/pass
# 3. append ip addresses as listeners for each ip added.
# step 1: install squid
sh install_squid.sh
network_script_dir='/etc/sysconfig/network-scripts'
squid_conf_dir='/etc/squid/squid.conf'
count=0
ip_file="./ips.txt"
squid_port=3128
[[ -f $ip_file ]] || echo "IP address file: $ip_file does not exist. Please create a file in the `pwd` with the names ips.txt. One IP per line."
while IFS= read -r ip
do
# increment our index for eth0:{index} and our squid port per ip that we have.
((count=count+1))
((squid_port=squid_port+1))
./ifcfg-eth0-template.sh "$ip" "$count" > "${network_script_dir}/ifcfg-eth0:${count}"
./add_ips_to_squid_conf.sh "$ip" "$squid_port" >> $squid_conf_dir
done < "$ip_file"
# restart squid after
sudo systemctl restart squid

16
bin/ifcfg-eth0-template.sh Executable file
View file

@ -0,0 +1,16 @@
#!/usr/bin/env bash
# this script will build a network config file on a CentOS 7 system.
# it is expected to already have a /etc/sysconfig/network-scripts/ifcfg-eth0 file created
# this is additional ip creation for 1 nic.
IP=$1
ID=$2
cat << EOF
BOOTPROTO=static
DEVICE=eth0:$ID
IPADDR=$IP
NETMASK=255.255.255.255
BROADCAST=$IP
ONBOOT=yes
EOF

46
bin/install_squid.sh Normal file
View file

@ -0,0 +1,46 @@
#!/usr/bin/env bash
# update yum
sudo yum update -y
# install and enable squid proxy
# install httpd-tools so we can use htpasswd when setting up authentication
sudo yum -y install squid
sudo yum -y install httpd-tools
# copy the proxy auth config file
cp ./configs/squid-proxy-basic-auth.conf /etc/squid/squid.conf
proxy_username="admin"
proxy_password="ballsofsteel"
# create htpasswd user
htpasswd -b -c /etc/squid/passwd $proxy_username $proxy_password
sudo systemctl start squid
sudo systemctl enable squid
sudo systemctl status squid
# give us ifconfig and vim
sudo yum install net-tools vim -y
ip_address=$(ip address show | grep 'inet ' | sed -e 's/^.*inet //' -e 's/\/.*$//' | tail -1)
port='3128'
cat << SQUID
^ Proxy Info:
/ \ ---------------------------------
\ / http info: http://$ip_address:$port
| | ---------------------------------
| | Username: $proxy_username
| 0 | Password: $proxy_password
// ||\\ ---------------------------------
(( // ||
\\)) \\
//|| ))
( )) //
// ((
SQUID

113
conf/squid-proxy-basic-auth.conf Normal file
View file

@ -0,0 +1,113 @@
#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#
# THIS ALLOWS INTERNET LISTENING
acl localnet src 0.0.0.0/0 # the entire internet
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# for auth
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
# acl for auth
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
###### ADD NEW IP INFO BELOW HERE #######
# LOOK AT THE EXAMPLES
#
## Add new ips and ports here. increment each port by 1 per ip.
## http_port ip1:3129 name=3129
## http_port ip2:3130 name=3130
## http_port ip3:3131 name=3131
## http_port ip4:3132 name=3132
## http_port ip5:3133 name=3133
## http_port ip6:3134 name=3134
## http_port ip7:3135 name=3135
## http_port ip8:3138 name=3138
## http_port ip9:3139 name=3139
## http_port ip10:3140 name=3140
## http_port ip11:3141 name=3141
#
# SETUP ACL AND TCP_OUTGOING_CONNECTION TO CORRECT IPS:
# EXAMPLE BELOW:
# NOTE: 0.0.0.0/0 listens to the entire internet. toggle this to control which ips can access.
# you can also control the http_access allow/deny to do this if you want to quickly deny access fast.
#
# acl tasty3129 myportname 3129 src 0.0.0.0/0
# http_access allow tasty3129
# tcp_outgoing_address ip_address tasty3129