Tag Archives: squid

Red Hat Certification – RHCE – Course Outline


In case you saw my previous posts I’ve been prepping for a RHCE course the last couple of weeks.

Here are the posts based on the objectives:

Odds are quite high that I’ve missed something or not gone deep enough into some subjects and for the record some subjects I decided to skip.

I’m taking the course over at Tieturi here in Helsinki and they have published the schedule for the course, with quite detailed outline.

This outline of the course can with benefit be used to see if you missed any terms or functions while going through the objectives.

I’ll go through the ones I find more interesting below:

Network Resource Access Controls

-Internet Protocol and Routing

OK, well this is quite obvious, some commands:

ip addr
ip route
route add
netstat -rn


-IPv6: Dynamic Interface Configuration
-IPv6: StaticInterface Configuration
-IPv6: Routing Configuration

You can add IPV6 specific lines in the ifcfg-device files in /etc/sysconfig/network-scripts/. See /usr/share/doc/initscripts*/sysconfig

Some settings can also go into /etc/sysconfig/network


Netfilter Overview
-Rules: General Considerations
Connection Tracking
-Network Address Translation (NAT)
-IPv6 and ip6tables


Web Services

-Squid Web Proxy Cache

On client check what IP you get:

curl --proxy squid-server.example.com:3128 www.guldmyr.com/ip.php

On server install and setup squid:

yum install squid
vi /etc/squid/squid.conf
#add this line in the right place:
acl localnet src
#allow port 3128 TCP in the firewall (use very strict access here)
service squid start

On client:

curl --proxy squid-server.example.com:3128 www.guldmyr.com/ip.php

Beware that this is unsecure. Very unsecure. You should at least set up a password for the proxy, change the default port and have as limited firewall rules as possible.

E-mail Services

-Simple Mail Transport Protocol
-Sendmail SMTP Restrictions
-Sendmail Operation


Securing Data

-The Need For Encryption

-Symmetric Encryption

Symmetric uses a secret/password to encrypt and decrypt a message.
You can use GnuPG (cli command is ‘gpg’) to encrypt and decrypt a file symmetrically. Arguments:

–symmetric/-c == symmetric cipher (CAST5 by default)
–force-mdc == if you don’t have this you’ll get “message was not integrity protected”

There are many more things you can specify.

echo "awesome secret message" > /tmp/file
gpg --symmetric --force-mdc /tmp/file
#(enter password)
#this creates a /tmp/file.gpg
#beware that /tmp/file still exists
#to decrypt:
gpg --decrypt /tmp/file.gpg
gpg: 3DES encrypted data
gpg: encrypted with 1 passphrase
awesome secret message


-Asymmetric Encryption

Uses a key-pair. A public key and a private key.
A message encrypted with the public key can only be decrypted with the private key.
A message encrypted with the private key can only be decrypted with the public key.

GnuPG can let you handle this.

Login with a user called ‘labber’:

gpg --gen-key
# in this interactive dialog enter username: labber, e-mail and password
# this doesn't always work, might take _long_time_, eventually I just tried on another machine
echo "secret message" > /tmp/file
gpg -e -r labber /tmp/file
# enter password
gpg --decrypt /tmp/file
# enter password

To export the public key in ASCII format you can:

gpg --armor --output "key.txt" --export "labber"

However, how to encrypt a file with somebody else’s public key?

-Public Key Infrastructures – PKI

Consists of:

  • CA – certificate authority – issues and verifies digital certiciates
  • RA – registration authoriy – verifies user identity requesting info from the CA
  • central directory – used to store and index keys

-Digital Certificates

A certificate has user details and the public key.

Account Management

-Account Management
-Account Information (Name Service)
Name Service Switch (NSS)
Pluggable Authentication Modules (PAM)
-PAM Operation
-Utilities and Authentication



Basically a way to authenticate users. You can put different types of authentication ways behind PAM. So that a software only needs to learn to authenticate to PAM and then PAM takes care of the behind-the-scenes-work.

For example you can have PAM connect to an ldap-server.

CLI: authconfig



HEPIX Spring 2011 – Day 5

What day it is can be told by all the suitcases around the room.

Version Control

An overview of the version control used in CERN. Quite cool, they’re not using Git yet but they are moving away from CVS to SVN (subversion) which is not updated anymore. Apparently hard to migrate.

They use DNS load balancing

  • Browse code / logging, revisions, branches: WEBSVN – on the fly tar creation.
  • TRAC – web SVN browsing tool plus: ticketing system, wiki, plug-ins.
  • SVNPlot – generate SVN statsw. No need to checkout source code (svnstats do ‘co’).

Mercurial was also suggested at the side of Git (which is founded by Linus Torvalds).

Cern – VM – FS

Cern-VM-FS (CVMFS) looked very promising. The last one is not intended at the moment for images but more for sending applications around. It uses Squid proxy server and looked really excellent. Gives you a mount point like /cvmfs/ and under there you have the softwares.


Requirements needed to set it up:

  • Rpms: cvmfs, -init-scripts, -keys, -auto-setup (for tier-3 sites does some system configs), fuse, fuse-libs, autofs
  • squid cache – you need to have one. Ideally two or more for resilience. Configured (at least) to accept traffic from your site to one or more cvmfs repository servers. You could use existing frontier-squids.


National Grid Service Cloud

A Brittish cloud.

Good for teaching with a VM – if a machine is messed up it can be reinstalled.

Scalability – ‘cloudbursting‘ – users make use of their local systems/clusters – until they are full – and then if they need to they can do extra work in the cloud. Scalability/cloudbursting is the key feature that users are looking for.

Easy way to test an application on a number of operating systems/platforms.

Two cases were not suitable. Intensive – with a lot of number crunching.

Good: you don’t have to worry about physical assembly or housing. They do have to install the servers and networking etc. Usually this is done by somebody else. Images are key to making this easier.

Bad: Eucalyptus stability – not so good. Bottlenecks: networking is important. More is required to the whole physical server when it’s running vms.

To put a 5GB vm on a machine you would need 10GB. 5 for the image and 5 for the actual machine.
Some were intending to develop the images locally on this cloud and then move it on to Amazon.

Previous Days:
Day 4
Day 3
Day 2
Day 1

Installing Squid 3.2 on CentOS 5.3

Giving this one a shot :) I will be compiling it myself as well.

Squid for those who do not know is a proxy server.
Proxys can be used for many things, but one great thing if you have a thinner connection to the Internet, you can use this to speed things up a bit. What it does is when you surf the web, the things you download are actually first downloaded to the proxy, and then your browser downloads it automagically from the proxy. If you afterwards browse to the same page the proxy should provide you with a cached copy and not re-download the whole page again.


It’s a good idea to not run any service as root.

  1. Download it from http://www.squid-cache.org/ there are many options to chose from. Stable, unstable, 3.2, 3.1 etc. I just took a recent developer build from the 3.2 chain – squid-
  2. Untar this somewhere, doesn’t matter where. Move directory and:

To get the program to install itself in a location where you have access, you need to specify that while running the configure check.

You do this with:

./configure –prefix=/home/user/bin/squid-install

or wherever you want to put it. I just put it directly in /home/user/squid-inst.

If that completes without errors next step is to: make; make install. This will compile and then install it in the directory you specified above. After that completes sucessfully you can delete/hide the directory. I hide it just in case I want to change something in the configure or whatever.

Then it’s time to configure!

Now proxy servers you need to put some kind of authentication on. Unless you want a hoard of unwanted visitors.

There are a gazillion of different settings in the squid.conf.documented.

Configuration is done via ~/squid-inst/etc/squid.conf

cache_dir ufs /usr/local/squid/cache 100 16 256
The value 100 denotes 100MB cache size. This can be adjusted to the required size.
http_port 3128
This is the port you will be connecting to. Make sure you do not set one that other services on the machine uses. Might be a good idea to use a non-standard as well, to prevent some from “stumbling” onto it and trying to brute-force it.

Starting squid

  1. create cache directories with ~/squid-inst/sbin/squid -z
  2. run it in debug ~/squid-inst/sbin/squid -NCd1

If everything is working fine, then your console displays: “Ready to serve requests”.

You can now surf to your http://host:port

However, you cannot use it as a cache yet.

You need to set up the http_access part. The ACL – access list.

This can be complicated.

See here for some examples of that: http://wiki.squid-cache.org/SquidFaq/SquidAcl

However, all you “need” is as below. First, find out your IP-address. Let’s say it’s for the fun of it. You can see what it is by surfing to www.ripe.net

add this somewhere on top near the other “acl” entries:

acl me src

Then a bit further down

http_access allow me

Now if you want to you can be more tight with the security, and you probably should.
The setting above means that everybody on that subnet can use your proxy server.
For example you might want to change it to only your IP – if you have a static one.

acl me src

If you change something in the configuration, you can do this to stop squid:

~/squid-inst/sbin/squid -k kill

~/squid-inst/sbin/squid &

is used to start it in a daemon mode (keeps running after you log off your shell).

There are other ways to set up password checks (used to be with .htpasswd) but I have no need for this today. I’ll have a look into it some other day :)
Also this proxy is transparent – meaning if you connect somewhere, people can see that you are indeed connecting through a proxy.

But first you need to set your browser to use the proxy, you do this under network settings.

Happy proxying!