This post is meant to be the sequel of the one I wrote one month ago about CentOS as router, transparent proxy, and much more. A big chunk of the precedent article is on how configure squid and squidGuard to act as a transparent proxy with URLs filtering capabilities. But there’s a problem with that: nowadays many sites (f4c3b00k.c0m just to name the most annoying one) are HTTPS. With HTTP one can really easily intercept a packet and read the payload (which contains the URL) but with HTTPS this is not possible anymore since the payload is encrypted. The only way to be able to read the payload of an HTTPS packet is doing a man-in-the-middle attack with a fake certificate, but that’s not advisable and you really don’t wanna do it. If, like in my case, we are not interested in what the users are doing but we just want them to not be able to access some sites/services/whatever ipset (combined with iptables) are the right tools for the job. iptables is a pretty powerful tool, the only real issue is that it doesn’t scale pretty well if the number of the rules is very big, and this is not a good thing since we probably want to blacklist thousands of IPs. And here comes ipset: with it it’s possible to manage huge blacklists without iptables slowing down. …

As usual, long story short: I’ve to setup a firewall to log traffic, block some stuff and do some other things. – epel repo is required – The system is made of a single CentOS machine with 2 physical network adapters: eth0, connected to WAN, static IP address 192.168.0.3 eth1, connected to LAN, static IP address 10.0.0.1/24 .:. Network adapters configuration WAN network adapter: [root@CentOS ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0 DEVICE="eth0" BOOTPROTO="none" HWADDR="**:**:**:**:**:**" IPADDR=192.168.0.3 NETMASK=255.255.255.0 GATEWAY=192.168.0.1 DNS=192.168.0.1 IPV6INIT="yes" IPV6_AUTOCONF="yes" NM_CONTROLLED="yes" ONBOOT="yes" TYPE="Ethernet" UUID="***" LAN network adapter: …

Given that SSL and TLS, especially v1.0, suffer from serious security issues (e.g. https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS) I thought it would be a good idea to use the latest and more secure version of it: v1.2. On CentOS 6.4 the openssl version included is quite old and doesn’t support TLS v1.1 and 1.2. So, first of all we have to install the latest version 1.0.1e, it can be done compiling from sources or by adding a third party repository; I chose the latter. …

One of the things I was planning to do but never did is installing nginx as reverse proxy in front of Apache. nginx is present in the epel repos for CentOS, so the installation process is just a matter of: yum install nginx mysql mysql-server phpmyadmin httpd wget -q -O - http://www.atomicorp.com/installers/atomic | sh yum install mod_rpaf mkdir /etc/nginx/v.hosts vi /etc/nginx/nginx.con http { include v.hosts/*.conf; include /etc/nginx/mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; charset utf-8; keepalive_timeout 65; server_tokens off; sendfile on; tcp_nopush on; tcp_nodelay off; # Default Server Block to catch undefined host names # server { # listen 80; # server_name _; # root /usr/share/nginx/html; # index index.html index.htm; } } /usr/sbin/nginx -t server { listen 80; server_name uwot.eu; access_log off; error_log off; location / { proxy_pass http://127.0.0.1:8080; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_redirect off; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_connect_timeout 90; proxy_send_timeout 90; proxy_read_timeout 90; client_max_body_size 10m; client_body_buffer_size 128k; proxy_buffer_size 4k; proxy_buffers 4 32k; proxy_busy_buffers_size 64k; } } sudo /usr/sbin/nginx -t service nginx restart

Yesterday’s night I installed a test machine to play with KVM and some other stuff, obviously the OS of choice is the trusty CentOS. I did a pretty minimal net-install but decided to install gnome desktop environment anyway because why not, not that it will be of much use, but still. Anyway, since the machine is an headless server it’s mandatory to be able to control it remotely, like the past 2 or 3 times, I installed XRDP expecting everything will be fine and working without any problem. And here is when I was wrong. It’s been quite a long time since the last time I installed XRDP somewhere, but I clearly remember it working flawless without any kind of manual configuration. I did the usual yum install xrdp, confirm the installation, bla bla bla, service xrdp start and both sesman and xrdp started with no problem. Then, when I went back to my workstation (Fedora 18 x64) and tried to connect to the server using Remmina Remote Desktop Client at first it seems to be working but once I typed user ID, password and press OK I got prompted the following error: …