Web Proxy Overview

As we build out our services, we're finding that there are things we're not clear on how best to provide and/or document. This is one of those things.

Proxy service

Purpose :

  • Secure external access to internet for HTTP/HTTPS, SMTP, SFTP
  • External vendor patch access

Configuration (Current):

  • 2 RHEL6 VMs without configuration management (uni00px.unity.ncsu.edu and uni01px.unity.ncsu.edu)
  • 16G disk, 1G RAM
  • Load balanced through LVS
  • VIP is proxy.oit.ncsu.edu.

Delivers 3 services

  • Squid - squid proxy server
  • HTTP - Apache web server to deliver proxy.pac files
  • Stunnel - Secure SMTP gateway for firewalled hosts to access SMTP services

Squid:

  • Includes different permission lists for clients based on source IP
  • Configuration files:
    • /etc/squid/squid.conf
    • /etc/squid/whitelist (unused)
    • /etc/squid/whitelist-duo
    • /etc/squid/whitelist-pci
    • /etc/squid/whitelist-physec
    • /etc/squid/whitelist-sos
  • Service port is 3128

Categories of whitelisted hosts

  • DC - Normal data center machines that cannot access the internet otherwise
  • SOS - Sensitive OS network for XP and other out-of-date OSes
  • PHYSEC - Physical security network
  • PCI - PCI CDE network (other connected systems can use the DC proxy servers if needed)
  • DUO - Access to DUO for machines that just need DUO and nothing else external

The firewall allows inbound from NCSU-nowirelessnoresnet, so most clients should not fail on the inbound side; however, some subnets have outbound rules that do not allow traffic to the proxy.

Logs are uploaded to Splunk at index=web, sourcetype=squid.

Log contents

The squid service is configured NOT to cache content, so every successful request appears as a TCP_MISS.

  • TCP_MISS is a success. The request was allowed; it is simply not in the cache because caching is turned off.
  • TCP_DENY is a failure. Most likely the client's network is not explicitly allowed in squid.conf and the whitelist files.

Currently all configuration files are hand maintained, except for the DC whitelist, which is downloaded from MySQL. The DC whitelist is currently broken due to bad duplication and a change in how squid works.

Changing configuration

  • Squid must be restarted after configuration file changes
  • Restart one server, verify it is back in service, then restart the second server
  • While one server is out of service, LVS will send all requests to the other system
  • Command line: /etc/init.d/squid restart

HTTP (Apache):

  • Apache web server delivering the proxy PAC files.
  • Config file is /etc/httpd/conf/httpd.conf
  • Port 80 is allowed
  • Document directory is /var/www/html/ for the proxy PAC files.
  • The PAC file "DUO.pac" only sends DUO traffic through the proxy.
  • All the others are identical: they send anything off campus through the proxy, but nothing on on-campus networks.

    DUO.pac, OffCampus.pac, proxy.pac, PROXY.pac, PROXY.PAC
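The two PAC policies described above, written as an added example that runs under Node (not the site's own .pac files). The campus address ranges, the DNS table and the duosecurity.com domain are constructed placeholders, not values taken from this page; the proxy VIP and port are.

```javascript
// Added example (not the site's own .pac files): the two PAC policies this page
// describes, written so they run under Node. Campus ranges, the DNS table and
// the Duo domain are constructed placeholders, not values taken from the page.
const PROXY = "PROXY proxy.oit.ncsu.edu:3128"; // VIP and Squid port from the page

// Minimal stand-ins for the helpers a browser supplies to PAC scripts.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }
function ipToInt(ip) { return ip.split(".").reduce((n, o) => (n << 8) + Number(o), 0) >>> 0; }
function isInNet(ip, net, mask) {
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}
// Constructed DNS table; a real browser resolves the name here.
const FAKE_DNS = { "intranet": "10.1.2.3", "example.com": "93.184.216.34" };
function dnsResolve(host) {
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) return host;   // literal IP address
  return FAKE_DNS[host] || null;                         // null = unresolved
}
// Placeholder campus ranges (assumption); NCSU's real address space is not on the page.
const CAMPUS_NETS = [["10.0.0.0", "255.0.0.0"], ["172.16.0.0", "255.240.0.0"]];

// DUO.pac: only Duo's service hosts are sent to the proxy; everything else is
// DIRECT. The PAC only routes; it is Squid's whitelist-duo (and the firewall)
// that actually stops a DUO-only host from reaching anything else.
function findProxyDuoOnly(url, host) {
  if (dnsDomainIs(host, ".duosecurity.com")) return PROXY; // assumed Duo domain
  return "DIRECT";
}

// proxy.pac / OffCampus.pac: plain names, *.ncsu.edu and campus addresses go
// DIRECT; anything off campus goes through the proxy VIP.
function findProxyOffCampus(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".ncsu.edu")) return "DIRECT";
  const ip = dnsResolve(host);
  if (ip !== null) {
    for (const [net, mask] of CAMPUS_NETS) {
      if (isInNet(ip, net, mask)) return "DIRECT";
    }
  }
  return PROXY;
}
```

In a deployed .pac file the chosen function must be named FindProxyForURL(url, host), since that is the entry point browsers call.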

STUNNEL: SMTP forwarder

  • Forwards email requests to Google's authenticated SMTP service (port 587)
  • Config is /etc/stunnel/stunnel.conf
  • Logs are in Splunk at index=os, sourcetype=stunnel-2
  • The session_id is extracted and lets you track each connection separately.

Proxy server future:

  • Need 2 pairs of RHEL7 machines
    • one pair for PCI (not needed until p2p PCI devices support a proxy)
    • one pair for everything else
  • The current machines are keeping up fairly well but could probably use more RAM (16+G disk, 2G RAM)
  • Must be in configuration management
  • The PCI pair must be in the PCI environment
  • Is the final PCI environment ready?

Need to test running:

  • squid (both packages are distributed with Red Hat)
  • May need to run a SOCKS proxy
  • Run stunnel for the SMTP proxy

The Sysnews squid configuration app will be modified to track all the permission lists.

Detailed configuration files (current): /etc/squid/squid.conf /etc/squid/whitelist /etc/squid/whitelist-duo /etc/squid/whitelist-pci /etc/squid/whitelist-physec /etc/squid/whitelist-sos

John created a nice Puppet configuration at https://github.ncsu.edu/pcipuppet/role_pci_proxy. It is about 90% correct. The whitelist file should really come out of a database, not a Puppet repo.

Tags: fullsupport