SSL encryption between parent and child squid proxy

February 22, 2011 · Posted in Linux, Projects · 1 Comment 

I have used the squid proxy server for a long time. Recently, I had to forward several requests to a child proxy, but these requests had to be sent encrypted. Using a VPN connection between the two proxies was my first thought. However, adding one more tunnel to that server would make the whole network configuration really nasty, so I had to think of an alternative solution. That was SSL.

First a little background info

How does SSL work:

In SSL client-server authentication we use X.509 certificates. OK, but what is that? Think of an actual certificate. It is pretty much the same thing, except it is digital and includes information related to the specific host. For example, an X.509 certificate includes the signature algorithm, the version, the validity period, the subject name, the subject’s public key and some other information as well. Why do we need it? Simple. Take a look at the following illustration.

So what is going on here?

The client sends a “hello” message to the server containing some preferences, such as supported ciphers, and a random value A. The server replies with a “hello” message containing the chosen cipher, its certificate and another random value B. The server also requests the client’s certificate. The client verifies the certificate of the server (we won’t) and generates a master key based on its private key and the random value B. Then it uses the server’s public key (embedded in the server’s certificate that it received before) to encrypt the master key, which it forwards to the server. At this point a shared secret key has been established between the server and the client. They will use this key plus the A and B randoms respectively to compute the MAC and encryption keys. Finally, the client will use the chosen cipher (as selected by the server in the first step) to encrypt the upcoming packets.

How does this apply to our case:

Imagine that the parent squid proxy is the client and the child is the server. This is because the parent (client) contacts the child (server) to send the packets in the first place. I assume you have a working squid configuration on both ends.

Generate certificates:

This applies to both hosts

Create the private key:

openssl genrsa  -out server.key 4096

Create certificate:

openssl req -new -x509 -key server.key -out server.crt -days 365

Now you should have two working certificates (let's assume parent.crt and child.crt) for your squid hosts.

Child configuration:

The child proxy must be configured to listen on an HTTPS port using its new certificate and key:

https_port 4443 cert=/etc/squid/child.crt key=/etc/squid/child.key \
 sslflags=NO_DEFAULT_CA

Parent Configuration

The parent proxy should be configured as follows:

cache_peer remote.proxy.example.com parent 4443 4443 ssl \
sslcert=/etc/squid/parent.crt \
sslkey=/etc/squid/parent.key sslflags=DONT_VERIFY_PEER

You are done :)
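The configuration above encrypts the link but, with DONT_VERIFY_PEER on the parent and no client CA on the child, neither side checks who it is talking to. The following is an added example, not part of the original post, showing the same two directives with verification enabled in both directions. It follows the Squid 3.x option syntax the post uses and assumes that each host holds a copy of the other's self-signed certificate at the paths shown, and that child.crt was created with the Common Name remote.proxy.example.com.

```conf
# Added example (not from the original post). File locations of the *peer's*
# certificate on each host are assumptions; everything else matches the post.

# ---- Child (TLS server) ----------------------------------------------------
# As posted: no clientca=, so no client certificate is requested and any
# host that can reach port 4443 may use the proxy over TLS.
#   https_port 4443 cert=/etc/squid/child.crt key=/etc/squid/child.key sslflags=NO_DEFAULT_CA
#
# With client authentication: clientca= makes Squid request a client
# certificate during the handshake and accept only one that verifies against
# parent.crt. NO_DEFAULT_CA keeps the system CA bundle out of that decision.
https_port 4443 cert=/etc/squid/child.crt key=/etc/squid/child.key \
 clientca=/etc/squid/parent.crt sslflags=NO_DEFAULT_CA

# ---- Parent (TLS client) ---------------------------------------------------
# As posted: DONT_VERIFY_PEER accepts whatever certificate the remote end
# presents, so the traffic is encrypted but the child is not authenticated.
#   cache_peer remote.proxy.example.com parent 4443 4443 ssl sslcert=/etc/squid/parent.crt sslkey=/etc/squid/parent.key sslflags=DONT_VERIFY_PEER
#
# With server verification: sslcafile= pins the child's self-signed
# certificate as the only trusted issuer. Squid also compares the
# certificate's Common Name with the cache_peer host name, which is why
# child.crt must be issued for remote.proxy.example.com.
cache_peer remote.proxy.example.com parent 4443 4443 ssl \
 sslcert=/etc/squid/parent.crt sslkey=/etc/squid/parent.key \
 sslcafile=/etc/squid/child.crt sslflags=NO_DEFAULT_CA
```

Only the certificates are copied between hosts; each .key file stays on the machine that generated it. Running squid -k parse on each host checks the syntax before the change is applied.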


Moodle: Open-source e-learning platform

September 24, 2009 · Posted in Projects · 3 Comments 

And yes, I am still here :)

Military service is really cool so far :). Let's hope it will stay this way. Photos can be found here.

Anyway, recently I was assigned to a new project. I am supposed to set up an e-learning platform on a Windows XP system.

Because I am really short of time I needed a quick and reliable solution.

So the first step was to download wampserver in order to have a fully operating hosting service on the current machine.

The most crucial issue was to choose the correct e-learning platform. Having done my research for three days, I ended up using moodle. It is really cool, with an extremely handy administration panel and many, many misc options about courses, categories, users etc. Plus there is a huge users’ community all over the Internet.
I strongly suggest it if you need to set up a similar platform in the future.

If you think that there is a better solution for my problem, please feel free to write it down :)

See you again soon!!

Pysmssend-1.40 is out!

February 17, 2009 · Posted in Projects · Comment 

Due to limited free time it took me a while to release a new version of pysmssend. This is a critical bugfix version since it solves many connectivity issues. Furthermore, due to betamax site changes, the previous version is not so cooperative with them anymore. So I would strongly suggest updating to version 1.40. Gentoo users should be able to install this package directly from the portage tree (app-misc/pysmssend).

Pysmssend homepage

Pysmssend-1.38

November 1, 2008 · Posted in Programming, Projects · 2 Comments 

It's out. Many, many bug fixes. I hope you will enjoy it as much as the previous version.

1) Improved control for message report
2) Tray icon has been re-written
3) Added voipcheap support
4) Added -v option when running Gui. Verbose output
5) Fix feedback when sending a message.
6) Remember Me checkbox is now by default checked.
7) Check for updates when the program starts.
8) Compatibility fixed for both kde3+kde4 kaddressbook. Needs more testing though

http://pysmssend.sourceforge.net

Pysmssend 1.37 released

August 29, 2008 · Posted in Programming, Projects · Comment 

Pysmssend is out

I've made several changes so you might notice several bugs (I haven't though :P)

CHANGELOG

**1.37

1) Added JustVoip support
2) Small bugfixes
3) Updated for python2.5 support

**1.36
Major fixes in this version

Since betamax changed the way users log in to their site, I had to re-write most of the code, so you should expect some problems.

So the changes are

1) Betamax accounts do not need to log in anymore. You just fill in all the info (username, password, number, text) and then click the Send button
2) Because of that, the credits left module won't be available (for now) for betamax sites
3) Some code cleanup
4) Fixed install script
5) Donate tab on About menu
