Monday 25 March 2019, 04:41:11 am

 91 
 on: Thursday 19 July 2018, 06:36:47 pm 
Started by sagipael - Last post by sagipael
Hi,

I have a VM of Endian 2.4.1 (I know it's an old version, but I have a lot of VMs in this version.)


I tried to run a curl command to a specific website (from the EFW shell), but I received a security error:
"Verify return code: 20 (unable to get local issuer certificate)"

I tried to add the crt of the trusted root CA to /etc/ssl/certs/ca-bundle.crt,
but it's the same error.
I tried to force it to use the CA file with curl -CAfile XXXX.crt;
same error.


I also found that I have the same issue with all websites I tried to reach with curl.

(I do not have this issue with newer versions of EFW.)


Maybe someone can advise?

Maybe someone knows how to update the OpenSSL version?

Thanks.
Sagi
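
Verify error 20 means OpenSSL could not find the issuer of some certificate in the presented chain among the certificates it trusts, so appending only a root CA to the bundle does not help when the intermediate is missing from the server's chain and from the bundle. The following is an added example, not code from the post or from Endian: it builds a constructed root/intermediate/leaf chain with the `openssl` CLI (assumed to be on PATH) and shows which bundle contents make the error appear and disappear, which is the check to run before anyone is tempted to turn verification off.

```python
import re
import subprocess
import tempfile
from pathlib import Path

def _openssl(*args, cwd):  # run the openssl CLI (assumed on PATH) and return the result
    return subprocess.run(["openssl", *args], cwd=str(cwd), capture_output=True, text=True)

def build_chain(workdir):
    """Create a constructed root -> intermediate -> leaf chain in workdir."""
    d = Path(workdir)
    (d / "ca.ext").write_text("basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n")
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "2",
             "-subj", "/CN=Constructed Root CA", "-keyout", "root.key", "-out", "root.crt", cwd=d)
    for name, issuer, subj, ext in (
        ("int", "root", "/CN=Constructed Intermediate CA", ["-extfile", "ca.ext"]),
        ("leaf", "int", "/CN=www.example.test", []),
    ):
        _openssl("req", "-newkey", "rsa:2048", "-nodes", "-subj", subj,
                 "-keyout", f"{name}.key", "-out", f"{name}.csr", cwd=d)
        _openssl("x509", "-req", "-days", "2", "-in", f"{name}.csr", "-CA", f"{issuer}.crt",
                 "-CAkey", f"{issuer}.key", "-CAcreateserial", "-out", f"{name}.crt", *ext, cwd=d)
    return d

def verify_code(d, cafile, untrusted=None):
    """Verify leaf.crt as curl's OpenSSL backend would; return OpenSSL's verify error (0 = OK)."""
    args = ["verify", "-CAfile", cafile]
    if untrusted:                      # certs the server *would* send along with its leaf
        args += ["-untrusted", untrusted]
    proc = _openssl(*args, "leaf.crt", cwd=d)
    text = proc.stdout + proc.stderr   # OpenSSL 1.0 prints errors to stdout and exits 0
    m = re.search(r"error (\d+) at \d+ depth", text)
    if m:
        return int(m.group(1))
    return 0 if ": OK" in text else -1

def demo():
    """Return {scenario: verify error} for three ways the trust bundle can be assembled."""
    with tempfile.TemporaryDirectory() as tmp:
        d = build_chain(tmp)
        results = {
            "root only": verify_code(d, "root.crt"),                         # 20
            "root + intermediate in chain": verify_code(d, "root.crt", "int.crt"),  # 0
        }
        # A bundle carrying both root and intermediate also lets the chain build.
        (d / "bundle.crt").write_text((d / "root.crt").read_text() + (d / "int.crt").read_text())
        results["bundle with root and intermediate"] = verify_code(d, "bundle.crt")  # 0
    return results
```

Running `demo()` reproduces code 20 for the root-only bundle and 0 once the intermediate is available, either from the server or from the bundle.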

 92 
 on: Tuesday 17 July 2018, 07:37:55 pm 
Started by wart101 - Last post by wart101
If you have an RJ-11 on the wall, most probably your internet connection is an xDSL connection and you need an xDSL router

Yup, I think they are just two different technologies. I thought maybe there was a chance that you could somehow connect directly to the Endian firewall; I'll have to run it through a router first and then the Endian, it seems.

Thanks for the reply

 93 
 on: Monday 16 July 2018, 06:40:36 pm 
Started by wart101 - Last post by Dark-Vex
If you have an RJ-11 on the wall, most probably your internet connection is an xDSL connection and you need an xDSL router

 94 
 on: Monday 16 July 2018, 06:37:58 pm 
Started by wgd - Last post by Dark-Vex
In the POP3 Proxy settings, is the option "Intercept SSL/TLS encrypted connections" enabled or disabled?

 95 
 on: Monday 16 July 2018, 06:34:29 pm 
Started by beto2p - Last post by Dark-Vex
Hi, how many users do you have behind this system?

 96 
 on: Sunday 15 July 2018, 02:15:08 pm 
Started by wart101 - Last post by wart101
Having trouble getting a connection to my RED zone: the outlet from my wall is RJ11 and obviously the network card is RJ45. I have an RJ11-to-RJ45 cable but it doesn't register the connection. Please help.

 97 
 on: Friday 13 July 2018, 12:01:10 am 
Started by beto2p - Last post by beto2p
I am using Endian 3.2.5 with the transparent HTTP proxy + web filter.
Everything had been running normally for several months.
Recently I enabled the HTTPS proxy, and after enabling it Squid's memory consumption became very high, to the point of hanging the service about twice a day. When I restart Squid the consumption returns to normal, but it keeps growing until it reaches the server's limit.
I am using an Itautec server with an Intel Xeon and 4GB of memory.
Even outside the company's business hours, when only a few servers are on, memory consumption keeps growing.
I have already changed the Squid cache settings to very low values and disabled the proxy logs and ClamAV, but it did not solve it.

Note that the problem only occurred after enabling the HTTPS proxy.

Here are the settings from squid.conf

Code:
shutdown_lifetime 1 seconds
icp_port 0

workers 1

# direct access - acls
acl to_proxy_port           port 8080 18080 18081
# proxy interfaces - acls
acl to_green_interface    dst 10.1.1.1

acl from_green          src "/etc/squid/acls/green_subnets.acl"
acl to_green            dst "/etc/squid/acls/green_subnets.acl"

tcp_outgoing_mark 0x20000000
tcp_preserve_outgoing_mark_mask 0x3fff8

#=== GREEN zone setting ===
#=== GREEN IP 10.1.1.1 ===
http_port 10.1.1.1:8080 ssl-bump cert=/var/efw/proxy/https_cert generate-host-certificates=on cipher=ALL:!ADH:!EXP:!eNULL:!aNULL:!SSLv2:!RC4:!LOW:!MD5:!DES options=NO_SSLv2,NO_SSLv3
http_port 10.1.1.1:18080 intercept
https_port 10.1.1.1:18081 intercept ssl-bump cert=/var/efw/proxy/https_cert generate-host-certificates=on cipher=ALL:!ADH:!EXP:!eNULL:!aNULL:!SSLv2:!RC4:!LOW:!MD5:!DES options=NO_SSLv2,NO_SSLv3


acl bypass_host_strict_check_acl ssl::server_name_regex .*
bypass_host_strict_check allow bypass_host_strict_check_acl
ssl_bump splice localhost
ssl_bump splice to_proxy_port
acl bypass_windows ssl::server_name "/etc/squid/acls/https_bypass_rules.acl"
ssl_bump splice bypass_windows
acl BrokenButTrustedServers dstdomain "/etc/squid/acls/https_bypass_dstdom_broken.acl"
acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
ssl_bump peek ssl_step1
ssl_bump bump all
acl https_proto proto https
always_direct allow https_proto
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_sign_hash sha256


dns_v4_first on

cache_effective_user squid

pid_filename /var/run/squid.pid

cache_mem 100 MB

cache_dir rock /var/spool/squid 2000 max-size=1048576

error_directory /usr/share/squid/errors/en

icon_directory /usr/share/squid/icons

max_filedesc 100415

server_persistent_connections off
half_closed_clients off
buffered_logs on

# START LOG
cache_log /dev/null
cache_access_log /dev/null
cache_store_log none

log_mime_hdrs off
# END LOG

# FORWARD IP ADDRESS
forwarded_for delete

# START AUTHENTICATION
# METHOD is NCSA
auth_param basic program /usr/lib/squid/basic_ncsa_auth /var/efw/proxy/ncsausers
auth_param basic children 20
auth_param basic realm Proxy Server
auth_param basic credentialsttl 60 minutes
   
acl for_auth_users proxy_auth REQUIRED
# END AUTHENTICATION

# network - acls
acl from_all                src all
acl to_all                  dst all

acl from_localhost          src 127.0.0.1/32
acl to_localhost            dst 127.0.0.1/32
acl CONNECT                 method CONNECT

acl to_http_port            port 80
acl to_https_port           port 10443

# allowed ports - acls
acl allowed_ports       port "/etc/squid/acls/ports.acl"
acl allowed_sslports    port "/etc/squid/acls/sslports.acl"


acl from_rule0 arp "/etc/squid/acls/src_rule0.acl"
acl within_timeframe_rule0 time MTWHFAS 00:00-24:00
acl from_rule1 arp "/etc/squid/acls/src_rule1.acl"
acl within_timeframe_rule1 time MTWHFAS 00:00-24:00
acl within_timeframe_rule2 time MTWHFAS 00:00-24:00

# caching settings
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern .            0 20% 4320

cache deny      from_localhost
cache deny      CONNECT
cache allow     from_all

# http access to cachemanager
acl cachemanageracl proto cache_object
http_access allow cachemanageracl from_localhost
http_access deny cachemanageracl

# snmp access settings
snmp_port 3401
acl snmppublic snmp_community public
snmp_access allow snmppublic from_localhost
snmp_access deny from_all

# http access to squid
http_access deny    to_localhost
http_access allow   from_localhost
http_access allow   from_green to_green_interface to_http_port
http_access allow   from_green to_green_interface to_https_port
http_access allow   CONNECT from_green to_green_interface to_https_port
http_access deny    to_green_interface to_https_port
http_access deny    to_green_interface to_proxy_port

http_access deny    !allowed_ports !allowed_sslports
http_access deny    CONNECT !allowed_sslports

http_access allow from_rule0  within_timeframe_rule0   
http_access allow from_rule1  within_timeframe_rule1   
http_access allow   within_timeframe_rule2   
http_access deny    from_all

# http reply access rules
http_reply_access allow from_localhost
http_reply_access allow from_rule0  within_timeframe_rule0   
http_reply_access allow from_rule1  within_timeframe_rule1   
http_reply_access allow   within_timeframe_rule2   
http_reply_access deny from_all

# max/min object size
maximum_object_size 1024 KB
minimum_object_size 0 KB

visible_hostname efw01.copal.local

# begin custom.tmpl
# end custom.tmpl

icap_enable on
icap_service_revival_delay 30
icap_service_failure_limit -1
icap_preview_enable on
icap_preview_size    128
icap_send_client_ip  on
icap_send_client_username  on

include /etc/squid/squid.conf.d/*.conf

adaptation_access service_cf_req deny cachemanageracl

# icap contentfilter access control
# rule 0 - none
adaptation_access service_cf_req deny from_rule0  within_timeframe_rule0   
# rule 1 - bloqueio_parcial
adaptation_access service_cf_req allow !CONNECT from_rule1  within_timeframe_rule1   
adaptation_access service_cf_req allow CONNECT ssl_step2 from_rule1  within_timeframe_rule1   
adaptation_meta X-Profile profilebloqueio_parcial from_rule1  within_timeframe_rule1   
# rule 2 - bloqueio_paginas
adaptation_access service_cf_req allow !CONNECT   within_timeframe_rule2   
adaptation_access service_cf_req allow CONNECT ssl_step2   within_timeframe_rule2   
adaptation_meta X-Profile profilebloqueio_paginas   within_timeframe_rule2   
# default deny - only allow defined traffic
adaptation_access service_cf_req deny all
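
The configuration above accepts every upstream certificate error (`sslproxy_cert_error allow all`), turns off peer verification (`sslproxy_flags DONT_VERIFY_PEER`) while bumping all non-spliced sessions, and sends cache_log and cache_access_log to /dev/null, which also removes the evidence needed to trace the memory growth. As an added example, not part of the post or of Endian, here is a small audit over a shortened copy of those lines that flags exactly these settings:

```python
# Lines copied (the https_port line shortened) from the squid.conf in the post above.
SAMPLE_CONF = """\
https_port 10.1.1.1:18081 intercept ssl-bump cert=/var/efw/proxy/https_cert generate-host-certificates=on
ssl_bump peek ssl_step1
ssl_bump bump all
sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
cache_log /dev/null
cache_access_log /dev/null
"""

def parse_directives(text):
    """Yield (directive, args) for every non-empty, non-comment squid.conf line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            yield name, args

def audit(text):
    """Return (severity, directive, message) findings for a Squid SSL-Bump config."""
    findings, bumping = [], False
    for name, args in parse_directives(text):
        if name in ("http_port", "https_port") and "ssl-bump" in args:
            bumping = True
        elif name == "ssl_bump" and args[:2] == ["bump", "all"]:
            findings.append(("info", name, "every session not spliced by an earlier rule is decrypted"))
        elif name == "sslproxy_cert_error" and args == ["allow", "all"]:
            findings.append(("high", name, "all upstream certificate errors are accepted"))
        elif name == "sslproxy_flags" and "DONT_VERIFY_PEER" in args:
            findings.append(("high", name, "upstream server certificates are never verified"))
        elif name in ("cache_log", "cache_access_log", "access_log") and args[:1] == ["/dev/null"]:
            findings.append(("medium", name, "discarded; nothing left to diagnose leaks, hangs or abuse"))
    if bumping and any(sev == "high" for sev, _, _ in findings):
        # Clients only ever see the proxy's generated certificate, so with upstream
        # verification off nobody in the path detects a forged or expired origin cert.
        findings.append(("high", "ssl-bump", "bumping with verification disabled blinds clients too"))
    return findings

if __name__ == "__main__":
    for sev, directive, msg in audit(SAMPLE_CONF):
        print(f"{sev:6} {directive:22} {msg}")
```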



 98 
 on: Tuesday 10 July 2018, 02:12:58 am 
Started by albert_herts - Last post by albert_herts
Good morning, a question: how can one associate an IP with the MAC address of the clients' network cards (other than via DHCP), so that only REGISTERED MACs are allowed to browse? And so that when the client changes the IP manually they cannot browse?

 99 
 on: Thursday 28 June 2018, 01:52:00 am 
Started by alme5 - Last post by Dark-Vex
Hi,

you need a reverse proxy, which Endian doesn't have. You can set up a reverse proxy with nginx, for example, and then you should modify the DNAT/port forward to point to the reverse proxy system

 100 
 on: Monday 25 June 2018, 06:21:15 pm 
Started by alme5 - Last post by alme5
Hello, this is my scenario:

The DMZ has two servers: the www server hosted at 10.10.1.5 and the mail server hosted at 10.10.1.10.
I would like to be forwarded to the proper server when, from outside (RED), I go to www.domain and mail.domain.
Both servers are behind one public IP configured as RED on the Endian firewall and I cannot add another IP. This is easy to do when the ports are different (port forwarding / destination NAT); however, in my case both ports are the same on both servers (80 and 443). Is there a way to do NAT forwarding based on the requested subdomain?

I hope you will be able to understand my scenario and help me with a solution.

Br
