From ffbeb3e62064009ff25fd44f35a9ab64ce608903 Mon Sep 17 00:00:00 2001
From: Brendan McDevitt
Date: Fri, 11 Feb 2022 19:41:01 -0600
Subject: [PATCH] init commit. lets test!

---
 README.md | 13 +++-
 bin/add_ip_to_squid_conf.sh | 13 ++++
 bin/bootstrap.sh | 29 ++++++++
 bin/ifcfg-eth0-template.sh | 16 +++++
 bin/install_squid.sh | 46 +++++++++++++
 conf/squid-proxy-basic-auth.conf | 113 +++++++++++++++++++++++++++++++
 6 files changed, 229 insertions(+), 1 deletion(-)
 create mode 100755 bin/add_ip_to_squid_conf.sh
 create mode 100755 bin/bootstrap.sh
 create mode 100755 bin/ifcfg-eth0-template.sh
 create mode 100644 bin/install_squid.sh
 create mode 100644 conf/squid-proxy-basic-auth.conf

diff --git a/README.md b/README.md
index 25c60e0..ea2706e 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,14 @@
 # proxy_centos
-This project will setup multiple ip addresses that are assigned to a base CentOS 7 system. We are using OVH as our Cloud Provider in this project. We are using Squid as the proxy in this project.
\ No newline at end of file
+This project will setup multiple ip addresses that are assigned to a base CentOS 7 system. We are using OVH as our Cloud Provider in this project. We are using Squid as the proxy in this project.
+
+### Step 1:
+Create a text file with one ip address per line and place it in the `./proxy_centos/bin/` directory. This file is essential and required for the bootstrap process to work.
+
+### Step 2:
+Run bootstrap.sh
+`./bootstrap.sh`
+This will do the following:
+- Install squid proxy
+- Create a new ifcfg-eth0:{index} for every ip address in ./ips.txt
+- Append directives to squid.conf that for adding new ips as listeners.
diff --git a/bin/add_ip_to_squid_conf.sh b/bin/add_ip_to_squid_conf.sh
new file mode 100755
index 0000000..3d1208c
--- /dev/null
+++ b/bin/add_ip_to_squid_conf.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+# this script will add a new ip address to squid config.
+
+IP="$1"
+PORT="$2"
+
+cat << EOF
+http_port $IP:$PORT name=$PORT
+
+acl tasty$PORT myportname $PORT src 0.0.0.0/0
+http_access allow tasty$PORT
+tcp_outgoing_address $IP tasty:$PORT
+EOF
diff --git a/bin/bootstrap.sh b/bin/bootstrap.sh
new file mode 100755
index 0000000..708f4cf
--- /dev/null
+++ b/bin/bootstrap.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+# this is the bootstrap script that will do the following:
+# 1. add ip addresses to a centos 7 system
+# 2. install a squid proxy with basic auth username/pass
+# 3. append ip addresses as listeners for each ip added.
+
+# step 1: install squid
+sh install_squid.sh
+
+network_script_dir='/etc/sysconfig/network-scripts'
+squid_conf_dir='/etc/squid/squid.conf'
+
+count=0
+ip_file="./ips.txt"
+squid_port=3128
+
+[[ -f $ip_file ]] || echo "IP address file: $ip_file does not exist. Please create a file in the `pwd` with the names ips.txt. One IP per line."
+
+while IFS= read -r ip
+do
+ # increment our index for eth0:{index} and our squid port per ip that we have.
+ ((count=count+1))
+ ((squid_port=squid_port+1))
+ ./ifcfg-eth0-template.sh "$ip" "$count" > "${network_script_dir}/ifcfg-eth0:${count}"
+ ./add_ips_to_squid_conf.sh "$ip" "$squid_port" >> $squid_conf_dir
+ done < "$ip_file"
+
+ # restart squid after
+ sudo systemctl restart squid
diff --git a/bin/ifcfg-eth0-template.sh b/bin/ifcfg-eth0-template.sh
new file mode 100755
index 0000000..b42c9cf
--- /dev/null
+++ b/bin/ifcfg-eth0-template.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+# this script will build a network config file on a CentOS 7 system.
+# it is expected to already have a /etc/sysconfig/network-scripts/ifcfg-eth0 file created
+# this is additional ip creation for 1 nic.
+
+IP=$1
+ID=$2
+
+cat << EOF
+BOOTPROTO=static
+DEVICE=eth0:$ID
+IPADDR=$IP
+NETMASK=255.255.255.255
+BROADCAST=$IP
+ONBOOT=yes
+EOF
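Review bot: The ACL referenced on the `tcp_outgoing_address $IP tasty:$PORT` line is named `tasty:$PORT`, but the ACL defined two lines above is `tasty$PORT`, so every appended block references an ACL that does not exist; in my reading of Squid's ACL parser an unknown ACL name in an access directive is treated as a fatal configuration error, which would stop Squid restarting after the first IP is added. The `acl tasty$PORT myportname $PORT src 0.0.0.0/0` line also mixes two ACL types on one line: `myportname` takes port names only, so `src` and `0.0.0.0/0` are parsed as two extra port names rather than as a source restriction. Suggested lines: `acl tasty$PORT myportname $PORT` and `tcp_outgoing_address $IP tasty$PORT`, plus a guard `: "${IP:?ip required}" "${PORT:?port required}"` before the heredoc so an empty line in ips.txt does not emit a listener with no address.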
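Review bot: The loop calls `./add_ips_to_squid_conf.sh`, but the script this commit adds is `bin/add_ip_to_squid_conf.sh` (singular), so every iteration fails and nothing is appended to squid.conf; the call should be `./add_ip_to_squid_conf.sh "$ip" "$squid_port" >> "$squid_conf_dir"`. The missing-file check on the `[[ -f $ip_file ]]` line only echoes and then falls through to `done < "$ip_file"`, which fails on the redirect instead; make it `[[ -f $ip_file ]] || { echo "IP address file: $ip_file does not exist." >&2; exit 1; }`. The redirects into `/etc/sysconfig/network-scripts` and `/etc/squid/squid.conf` run without the `sudo` the surrounding commands use, so unless the whole script is already root those writes fail as well; either document that the script must run as root and drop the `sudo` calls, or route the writes through `sudo tee -a`.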
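Review bot: `IP=$1` and `ID=$2` are interpolated straight into a file that bootstrap.sh writes under /etc/sysconfig/network-scripts with no check that they are set or well-formed, so a blank or malformed line in ips.txt yields an ifcfg-eth0:N file with an empty `IPADDR=` that the network service will try to bring up. A shape check before the heredoc, e.g. `[[ $IP =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ && $ID =~ ^[0-9]+$ ]] || { echo "bad ip/id: $IP $ID" >&2; exit 1; }`, keeps bad input out of the system configuration. The header comment would also help a reader by stating why `NETMASK=255.255.255.255` with `BROADCAST=$IP` is used; this looks like the failover-IP layout for the OVH setup the README mentions, but that should be confirmed and written down rather than inferred.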
diff --git a/bin/install_squid.sh b/bin/install_squid.sh new file mode 100644 index 0000000..9083a93 --- /dev/null +++ b/bin/install_squid.sh @@ -0,0 +1,46 @@ +#!/usr/bin/env bash + +# update yum +sudo yum update -y + +# install and enable squid proxy +# install httpd-tools so we can use htpasswd when setting up authentication +sudo yum -y install squid +sudo yum -y install httpd-tools + +# copy the proxy auth config file +cp ./configs/squid-proxy-basic-auth.conf /etc/squid/squid.conf + +proxy_username="admin" +proxy_password="ballsofsteel" + +# create htpasswd user +htpasswd -b -c /etc/squid/passwd $proxy_username $proxy_password + +sudo systemctl start squid +sudo systemctl enable squid +sudo systemctl status squid + +# give us ifconfig and vim +sudo yum install net-tools vim -y + +ip_address=$(ip address show | grep 'inet ' | sed -e 's/^.*inet //' -e 's/\/.*$//' | tail -1) +port='3128' + +cat << SQUID + ^ Proxy Info: + / \ --------------------------------- + \ / http info: http://$ip_address:$port + | | --------------------------------- + | | Username: $proxy_username + | 0 | Password: $proxy_password + // ||\\ --------------------------------- + (( // || + \\)) \\ +//|| )) +( )) // + // (( + + +SQUID + diff --git a/conf/squid-proxy-basic-auth.conf b/conf/squid-proxy-basic-auth.conf new file mode 100644 index 0000000..77d5e82 --- /dev/null +++ b/conf/squid-proxy-basic-auth.conf 
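Review bot: The proxy credentials are hard-coded on the `proxy_password="ballsofsteel"` line, written to /etc/squid/passwd with `htpasswd -b` (which exposes the password in the process list), and then printed in the banner, so every host built from this repository shares a password that lives in version control and in whatever log captured the install output. Take the password from the environment or generate it at install time, e.g. `proxy_password=${PROXY_PASSWORD:-$(openssl rand -base64 18)}`, and feed it on stdin with `htpasswd -c -i /etc/squid/passwd "$proxy_username" <<<"$proxy_password"` (the `-i` flag is in the httpd-tools build CentOS 7 ships, but worth confirming); the banner should then either be dropped or written to a root-only file. Separately, `cp ./configs/squid-proxy-basic-auth.conf /etc/squid/squid.conf` does not match this commit, which creates the file at `conf/squid-proxy-basic-auth.conf` and runs this script from `bin/`, so the copy fails and Squid starts with the distribution default config; `cp "$(dirname "$0")/../conf/squid-proxy-basic-auth.conf" /etc/squid/squid.conf` resolves both. The `cp` and `htpasswd` writes into /etc also lack the `sudo` that the yum and systemctl lines use.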
@@ -0,0 +1,113 @@
+#
+# Recommended minimum configuration:
+#
+
+# Example rule allowing access from your local networks.
+# Adapt to list your (internal) IP networks from where browsing
+# should be allowed
+#
+# THIS ALLOWS INTERNET LISTENING
+acl localnet src 0.0.0.0/0 # the entire internet
+acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
+acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
+acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
+acl localnet src fc00::/7 # RFC 4193 local private network range
+acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
+
+acl SSL_ports port 443
+acl Safe_ports port 80 # http
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 # https
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 1025-65535 # unregistered ports
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+acl CONNECT method CONNECT
+
+#
+# Recommended minimum Access Permission configuration:
+#
+# Deny requests to certain unsafe ports
+http_access deny !Safe_ports
+
+# Deny CONNECT to other than secure SSL ports
+http_access deny CONNECT !SSL_ports
+
+# Only allow cachemgr access from localhost
+http_access allow localhost manager
+http_access deny manager
+
+# We strongly recommend the following be uncommented to protect innocent
+# web applications running on the proxy server who think the only
+# one who can access services on "localhost" is a local user
+#http_access deny to_localhost
+
+#
+# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
+#
+
+# Example rule allowing access from your local networks.
+# Adapt localnet in the ACL section to list your (internal) IP networks
+# from where browsing should be allowed
+http_access allow localnet
+http_access allow localhost
+
+# And finally deny all other access to this proxy
+http_access deny all
+
+# Squid normally listens to port 3128
+http_port 3128
+
+# Uncomment and adjust the following to add a disk cache directory.
+#cache_dir ufs /var/spool/squid 100 16 256
+
+# Leave coredumps in the first cache dir
+coredump_dir /var/spool/squid
+
+#
+# Add any of your own refresh_pattern entries above these.
+#
+refresh_pattern ^ftp: 1440 20% 10080
+refresh_pattern ^gopher: 1440 0% 1440
+refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
+refresh_pattern . 0 20% 4320
+
+# for auth
+
+auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
+auth_param basic children 5
+auth_param basic realm Squid proxy-caching web server
+auth_param basic credentialsttl 2 hours
+auth_param basic casesensitive off
+
+# acl for auth
+acl ncsa_users proxy_auth REQUIRED
+http_access allow ncsa_users
+
+###### ADD NEW IP INFO BELOW HERE #######
+# LOOK AT THE EXAMPLES
+#
+## Add new ips and ports here. increment each port by 1 per ip.
+## http_port ip1:3129 name=3129
+## http_port ip2:3130 name=3130
+## http_port ip3:3131 name=3131
+## http_port ip4:3132 name=3132
+## http_port ip5:3133 name=3133
+## http_port ip6:3134 name=3134
+## http_port ip7:3135 name=3135
+## http_port ip8:3138 name=3138
+## http_port ip9:3139 name=3139
+## http_port ip10:3140 name=3140
+## http_port ip11:3141 name=3141
+#
+# SETUP ACL AND TCP_OUTGOING_CONNECTION TO CORRECT IPS:
+# EXAMPLE BELOW:
+# NOTE: 0.0.0.0/0 listens to the entire internet. toggle this to control which ips can access.
+# you can also control the http_access allow/deny to do this if you want to quickly deny access fast.
+#
+# acl tasty3129 myportname 3129 src 0.0.0.0/0
+# http_access allow tasty3129
+# tcp_outgoing_address ip_address tasty3129
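Review bot: With `acl localnet src 0.0.0.0/0` in the ACL section, the `http_access allow localnet` line matches every client before `http_access allow ncsa_users` is ever evaluated, so the basic-auth setup further down is never enforced and this configuration is an open proxy reachable from the whole internet (Squid walks http_access rules top-down and stops at the first match). Remove the 0.0.0.0/0 entry and move `acl ncsa_users proxy_auth REQUIRED` and `http_access allow ncsa_users` above `http_access deny all`; as written the auth rule sits after `deny all` and is unreachable regardless of the localnet change. The per-port `http_access allow tastyNNNN` lines that the bootstrap appends to the end of this file land after `deny all` for the same reason and never match either, so the example block at the bottom should state that those lines must be inserted above the final deny. The example `acl tasty3129 myportname 3129 src 0.0.0.0/0` also mixes two ACL types on one line; if a source restriction is intended it needs its own `acl ... src` entry combined with the port ACL on the http_access line.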