Hello.
I want to make a Wi-Fi hotspot with authorization by SMS. I found an article on the Internet which I am trying to follow, but which I do not understand in its finer details.
Available: an old computer as the server; the workstation from which I am writing; a TP-Link TL-WR720N router. I thought of also getting a modem to receive SMS, which MTS sells.
I installed the old computer in my home network and installed Ubuntu Server 16.04.6 LTS 32-bit on it. I also installed SSH by default, for access from my other computer.
I changed the file /etc/network/interfaces:
Code:
employee@wifi-server:/etc/squid$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
#auto lo
#iface lo inet loopback
# The primary network interface
#auto enp5s2
#iface enp5s2 inet dhcp
auto enp5s2
iface enp5s2 inet static
address 192.168.0.10
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
dns-nameservers 8.8.8.8
I installed the programs as in the article:
Code:
apt-get install git fakeroot build-essential devscripts
apt-cache policy squid3
apt-get build-dep squid3
apt-get build-dep libecap2
apt-get install libssl-dev libgnutls28-dev
Next, I installed Squid from the repository, version 3.6.12, because I did not want to suffer with building from source (I do not really understand this).
I did not correct the error as in the article (messages in the logs: SECURITY ALERT: Host header detected on local=...:443 remote=...:*).
Output of systemctl status -l squid:
Code:
employee@wifi-server:/etc/squid$ systemctl status -l squid
● squid.service - LSB: Squid HTTP Proxy version 3.x
Loaded: loaded (/etc/init.d/squid; bad; vendor preset: enabled)
Active: active (running) since Thu 2019-03-21 20:24:11 +05; 1h 22min ago
Docs: man:systemd-sysv-generator(8)
CGroup: /system.slice/squid.service
├─2938 /usr/sbin/squid -YC -f /etc/squid/squid.conf
├─2944 (squid-1) -YC -f /etc/squid/squid.conf
└─2945 (logfile-daemon) /var/log/squid/access.log
Mar 21 20:24:10 wifi-server systemd[1]: Starting LSB: Squid HTTP Proxy version 3.x...
Mar 21 20:24:10 wifi-server squid[2895]: * Starting Squid HTTP Proxy squid
Mar 21 20:24:11 wifi-server squid[2895]: ...done.
Mar 21 20:24:11 wifi-server systemd[1]: Started LSB: Squid HTTP Proxy version 3.x.
Mar 21 20:24:11 wifi-server squid[2938]: Squid Parent: will start 1 kids
Mar 21 20:24:11 wifi-server squid[2938]: Squid Parent: (squid-1) process 2944 started
Mar 21 20:24:34 wifi-server systemd[1]: Started LSB: Squid HTTP Proxy version 3.x.
Mar 21 20:43:11 wifi-server systemd[1]: Started LSB: Squid HTTP Proxy version 3.x.
Mar 21 21:21:33 wifi-server systemd[1]: Started LSB: Squid HTTP Proxy version 3.x.
I created the configuration file /etc/squid/squid.conf:
Code:
employee@wifi-server:/etc/squid$ cat squid.conf
acl localnet src 192.168.0.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# NB: this is still a 10.x address copied from the article; Squid will try to resolve names through it
dns_nameservers 10.66.66.1
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
#http_port 3128
# the transparent port is specified with the intercept option
http_port 192.168.0.10:3128 intercept options=NO_SSLv3:NO_SSLv2
# a non-transparent port is also needed: if you want to set the proxy address manually in the browser
# and you point it at the transparent port, you will get an access error, so the non-transparent port
# must be given in the browser, if you want that at all; besides, the logs fill up with errors
# saying that no non-transparent port is set =)
http_port 192.168.0.10:3130 options=NO_SSLv3:NO_SSLv2
# and finally, the HTTPS port with the needed options
# ssl-bump, cert= and sslcrtd_program need a Squid built with --with-openssl --enable-ssl-crtd (check `squid -v`)
https_port 192.168.0.10:3129 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off cert=/etc/squid/squidCA.pem
always_direct allow all
# the next two lines accept any origin-server certificate, i.e. they disable TLS verification toward upstream servers
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
# a rule with the list of blocked resources (the file contains domains of the form .domain.com)
acl blocked ssl::server_name "/etc/squid/blocked_https.txt"
acl step1 at_step SslBump1
ssl_bump peek step1
# terminate the connection if the client goes to a blocked resource
ssl_bump terminate blocked
ssl_bump splice all
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_dir aufs /var/spool/squid 2048 49 256
maximum_object_size 61440 KB
minimum_object_size 3 KB
cache_swap_low 90
cache_swap_high 95
maximum_object_size_in_memory 512 KB
memory_replacement_policy lru
#logfile_rotate 31
logfile_daemon /usr/lib/squid/log_db_daemon
access_log daemon:/127.0.0.1:3306/base/table/user/password squid
I only changed the addresses from 10.x.x.x to addresses in my subnet, 192.168.0.x. It is quite possible that I already made a mistake at this step, since I do not understand which addresses should be assigned here.
Then I checked the ports with sudo ss -lnptu | grep :3128
The terminal outputs nothing for the following commands:
Code:
sudo ss -lnptu | grep :3129
sudo ss -lnptu | grep :3130
Do I understand correctly that these ports are not open? Should they be open?
Dear forum users, I ask for your criticism of my mistakes and explanations of how to fix them, since I do not understand everything in this operating system.
Is this equipment enough? Have I assigned the correct ports? Why are some ports closed? Was it necessary to correct the SECURITY ALERT error?
Or please point me to another place to ask this question.
Thanks.
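A way to turn "grep :3129 prints nothing" into a definite answer, as an added example that is not part of the original post or of the article it follows: read every active http_port/https_port line from squid.conf, read the TCP listeners from `ss -lnptu`, and print the declared listeners that are not bound. The squid.conf excerpt and the ss output embedded below are constructed sample data mirroring the post (only sshd and the first http_port are bound); on a real host you would feed it /etc/squid/squid.conf and live ss output instead.

```shell
#!/bin/sh
# Added example: compare the listeners squid.conf declares with the sockets
# `ss -lnptu` actually shows. Sample data below is constructed, not captured
# from the poster's machine.

# Print one "addr:port" per active http_port/https_port directive.
# A bare port (e.g. "http_port 3128") means "all addresses" -> 0.0.0.0:port.
expected_listeners() {
  grep -E '^[[:space:]]*https?_port[[:space:]]+' "$1" | awk '{ print $2 }' |
  while IFS= read -r spec; do
    case "$spec" in
      *:*) printf '%s\n' "$spec" ;;
      *)   printf '0.0.0.0:%s\n' "$spec" ;;
    esac
  done
}

# Print "addr:port" for every TCP socket in LISTEN state from `ss -lnptu` output
# (field 5 is Local Address:Port; the header line and UDP sockets are skipped).
listening_sockets() {
  awk '$1 == "tcp" && $2 == "LISTEN" { print $5 }' "$1"
}

# Print the declared listeners that have no matching socket; empty output means
# every port in the config is bound.
missing_listeners() {
  conf=$1
  ssout=$2
  expected_listeners "$conf" | while IFS= read -r ep; do
    if ! listening_sockets "$ssout" | grep -qxF -- "$ep"; then
      printf '%s\n' "$ep"
    fi
  done
}

# --- constructed sample data (same port lines as the posted squid.conf) ---
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
#http_port 3128
http_port 192.168.0.10:3128 intercept options=NO_SSLv3:NO_SSLv2
http_port 192.168.0.10:3130 options=NO_SSLv3:NO_SSLv2
https_port 192.168.0.10:3129 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off cert=/etc/squid/squidCA.pem
EOF

# Constructed `ss -lnptu` output: only sshd and the 3128 listener are bound.
SAMPLE_SS=$(mktemp)
cat > "$SAMPLE_SS" <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*         users:(("dhclient",pid=800,fd=6))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=900,fd=3))
tcp   LISTEN 0      1024   192.168.0.10:3128  0.0.0.0:*         users:(("squid",pid=2944,fd=12))
EOF

# On a real host:  ss -lnptu > /tmp/ss.out; missing_listeners /etc/squid/squid.conf /tmp/ss.out
missing_listeners "$SAMPLE_CONF" "$SAMPLE_SS"
```

With the sample data the script prints 192.168.0.10:3130 and 192.168.0.10:3129, the two ports the post found closed. A port that is declared but not bound usually means Squid rejected that directive at startup (`squid -k parse` reports such errors), and a bound intercept port still receives no client traffic until a NAT redirect rule on the router or server sends it there.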