ssabbath
April 15, 2021, 2:07am
1
NethServer Version: 7.9.2009Module: Proxy
Everytime i enable proxy in this Nethserver, clients cant access TSPlus(RDP) aplications.
Its wierd, i take off all the filters, and still blocks it…
The only thing i get from the squid\access.log is this, and its not even the IP i want to reach…
[Wed Apr 14 23:05:31 2021] 240169 192.168.4.250 TAG_NONE/200 0 CONNECT 172.217.172.195:443 - HIER_NONE/- -clientservices.googleapis.com:443 - ORIGINAL_DST/172.217.172.195 -http://104.209.240.56/cgi-bin/hb.exe ? - ORIGINAL_DST/104.209.240.56 text/html
i tried bypass also.
Never used that before… Well… will leave it without proxy for now…
edit, removed some static ip´s
m.traeumner
April 16, 2021, 12:32pm
2
Hi @ssabbath ,
# Safe ports
acl SSL_ports port 443
acl SSL_ports port 980 # httpd-admin (server-manager)
acl SSL_ports port 9090 # Cockpit Web UI
acl SSL_ports port 22 # SFTP
acl Safe_ports port 80 # http
acl safe_ports port 22 # SFTP
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 980 # httpd-admin (server-manager)
acl CONNECT method CONNECT
1 Like
ssabbath
April 16, 2021, 12:46pm
3
Cool! Where do i put this?!
I tried some rules on the firewall, but it doesn’t make sense, it doesn’t block outgoing connections.
oh, just found out, it is squid.conf, will try that later when people are not working!
Thanks a bunch…
m.traeumner
April 16, 2021, 12:54pm
4
You have to create a file 20acl_00_ports at
/etc/e-smith/templates-custom/etc/squid/squid.conf
Copy the template content from mine and change the SFTP-Port with your RDP-Port
expand-template /etc/squid/squid.conf
I would prefer to restart squid after this operation
systemctl restart squid
More informations about templates you can find at the developer manual:https://docs.nethserver.org/projects/nethserver-devel/en/latest/templates.html
2 Likes
ssabbath
April 16, 2021, 1:06pm
5
The answer is { 40 + 2 }
Lol! That developer manual is awesome!
I think i get why i need to use templates, since everytime i restart squid it will overwrite any changes i do to squid.conf myself… is that correct thinking?
I had that experience with other .conf files its nice to know there is a way! Thanks a bunch!
EDIT:
That template manual made my day, my nethserver experience just expanded a lot now…
if i edit
/etc/e-smith/templates/etc/squid/squid.conf/20acl_00_ports
will do the same effect right?
DUUUUUUUUUUUDEEE thats so mind opening! ahahah
4 Likes
ssabbath
April 16, 2021, 11:10pm
6
Still that wierd TCP_MISS/200 when i try to connect with proxy enabled :-/
192.168.4.21 is the station i am trying to connect… ganna figure this out.
m.traeumner
April 17, 2021, 6:36am
7
Yes this is right.
No, these templates could be overwritten by an update. Of course you can copy a template from there to templates-custom and customize it at templates-custom.
Did you add
acl SSL_ports port 22 # SFTPand
acl safe_ports port 22 # SFTPof course with your remote port?
What type of proxy do you use, transparent or manual?
1 Like
m.traeumner
April 19, 2021, 7:33am
8
Could you also post your config here? The ports and the connect method are important.
1 Like
ssabbath
April 19, 2021, 12:16pm
9
Hello! Thanks for the reply!
Yes i did add 3389 ports and for the sake of testing i added 1-65535 also in both, and it did not work either.
I do use transparent SSL, maybe i will have to use manual in this network if that is the case.
These company ERP uses TSPlus(Its some sort/variant of RDP)
Thats a oversimplified drawing, but i guess you can understand that… its wierd, i would surely made that more simple with OVPN, but i dont have those powers… yet
This is what i did:
and inside of it:
Safe ports
acl SSL_ports port 443
Oh Btw, i tried port 3389 (RDP), and i just read this:https://docs.terminalserviceplus.com/tsplus/server-management
In TS Plus you can change default port of RDP, will have to ask people what por is
Confirmed… they still use 3389 (RDP) port to give acess to it.
I was thinking of changing this in squid.conf just to test it out:
Deny requests to certain unsafe ports
http_access deny !Safe_ports
Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
I would comment in it
1 Like
ssabbath
April 19, 2021, 11:14pm
10
I got it working…
I Installed the “old server manager”, just becouse i was more familiar with it… then i saw samething that caught my eye…
I added both servers i needed to be accessible from my green network there… and voilá… it worked…
Btw, why not add them in the new interface… well i tried before and nada:
So… Why? I have no idea!
but @m.traeumner your tips made a huge diference in how i approach nethserver now. Thanks again!
1 Like
m.traeumner
April 20, 2021, 6:59am
11
You have to create a firewall object like you did at the old interface and work with the Proxy Bypass section.
Sorry I had forgotten, that I had to do this too.
1 Like
ssabbath
April 20, 2021, 11:11am
12
Oh, i had both IP´s in there “destination”… and still didnt work… its a wierd! I Agree. No need to be sorry, you tried to help and i learned a lot!
1 Like
m.traeumner
April 20, 2021, 11:48am
13
@dev_team
1 Like
giacomo
April 21, 2021, 7:01am
14
I really do not remember the whole flow.@davide_marini can help here.
2 Likes
ssabbath
April 22, 2021, 11:49am
15
I have no idea, but i tried to bypass it, i think that was my first move, since that i made some changes with templates and all, ganna study it harder to see why… maybe undo some steps and get the real reason why its working.
The behavior under cockpit or under the old server-manager is exactly the same, so it should work flawlessy on cockpit too.
1 Like
ssabbath
April 26, 2021, 11:43am
17
Still in study process, need sometime to get to this again… but i will
all that matters its fully working now! 