This document provides instructions for configuring SQUID 3.3 to act as an SSL bumping proxy on a Debian system. It describes how to generate a self-signed SSL certificate, edit the squid.conf file to enable SSL bumping and specify the certificate files, configure iptables rules to redirect HTTP and HTTPS traffic to the proxy ports, and provides an example configuration for filtering access to specific banking sites over HTTPS.
AEONMike Guide – SQUID 3.3 SSLBUMP under Debian
#Michael Cabalin http://www.PH-LWUG.org
Pinoy Linux : http://www.facebook.com/groups/117595725078450/
#Install Debian OS
#apt-get install build-essential gcc make
#wget https://launchpad.net/squid/3.3/3.3.0.3/+download/squid-3.3.0.3.tar.gz
#tar xvf squid-3.3.0.3.tar.gz
#cd squid-3.3.0.3
./configure --enable-icap-client --enable-ssl
make
make install
Note: --enable-ssl needs the OpenSSL development headers (libssl-dev on Debian) installed before ./configure is run, otherwise the SSL support is silently left out.
Generate Self-Signed Certificate
• self-signed certificate (pem format) generation (key and certificate are written to the same file):
openssl req -new -newkey rsa:1024 -days 3650 -nodes -x509 -keyout your.company.com.pem -out your.company.com.pem
• if needed, you can also convert the certificate to DER format to import it into browsers (to avoid the warnings about the untrusted certificate):
openssl x509 -in www.yourcompany.com.pem -outform DER -out www.yourcompany.com.der
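As an added example (not from the slides), this script does the certificate step above end to end: it generates the self-signed certificate with the key and the certificate in separate files, matching the cert=/key= split used in the squid.conf later in this guide, exports the DER copy for browser import, and checks that key and certificate actually belong together. It assumes openssl is installed; the output directory and CN are constructed values, and it uses a 2048-bit key instead of the 1024-bit one in the slides.

```shell
#!/bin/sh
# Added example, not part of the original slides.
# Assumes: openssl on PATH; OUTDIR/CN are constructed values.
set -eu

# Generate key + certificate in PEM and a DER copy of the certificate.
# Arguments: output directory, common name (CN) for the subject.
gen_bump_cert() {
    dir="$1"; cn="$2"
    mkdir -p "$dir/private"
    chmod 700 "$dir/private"
    # The slides use rsa:1024; 2048 bits is the minimum browsers accept today.
    openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
        -subj "/CN=$cn" \
        -keyout "$dir/private/$cn.pem" -out "$dir/$cn.pem" 2>/dev/null
    chmod 600 "$dir/private/$cn.pem"
    # DER copy for importing into browsers so they stop warning.
    openssl x509 -in "$dir/$cn.pem" -outform DER -out "$dir/$cn.der"
}

# Return 0 if the public key inside the certificate is the one derived
# from the private key (catches a cert= / key= mix-up in squid.conf).
key_matches_cert() {
    dir="$1"; cn="$2"
    c=$(openssl x509 -in "$dir/$cn.pem" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$dir/private/$cn.pem" -pubout 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ]
}

# Print subject and validity so you can see what clients will be shown.
show_cert() {
    openssl x509 -in "$1" -noout -subject -dates
}
```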
Onto the actual SQUID configuration. Edit the /etc/squid.conf file to show the following:
always_direct allow all
ssl_bump allow all
http_port 192.9.200.32:3128 transparent
https_port 192.9.200.32:3129 transparent ssl-bump cert=/etc/squid/ssl_cert/your.company.com.pem key=/etc/squid/ssl_cert/private/your.company.com.pem
(the https_port directive must be written on a single line)
Note you may need to change the “cert=” and the “key=” to point to the correct files in your environment. Also, of course, you will need to change the IP address.
The first directive (always_direct) is needed because of SslBump. By default ssl_bump is set to accelerator mode; in cache.log you’d see “failed to select source for”. In accelerator mode the proxy does not know which backend server to retrieve the file from, so this directive instructs the proxy to ignore the accelerator mode. More details on this here:
http://www.squid-cache.org/Doc/config/always_direct/
The second directive (ssl_bump) instructs the proxy to allow all SSL connections, but this can be modified to restrict access. You can also use “sslproxy_cert_error” to deny access to sites with invalid certificates. More details on this here:
http://wiki.squid-cache.org/Features/SslBump
Start squid and check for any errors. If no errors are reported, run:
netstat -nap | grep 3129
to make sure the proxy is up and listening. Next, configure iptables to perform destination NAT, basically to redirect the traffic to the proxy:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.9.200.32:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 192.9.200.32:3129
The last thing to be done was to either place the proxy physically in line with the traffic or to redirect the traffic to the proxy using a router. Keep in mind that the proxy will change the source IP address of the requests to its own IP. In other words, by default it does not reflect the client IP.
That was it in my case. I also tried to implement something similar to the above using explicit mode. This was my squid.conf file; note that only one port is needed for both HTTP and HTTPS, since HTTPS is tunneled over HTTP using the CONNECT method:
always_direct allow all
ssl_bump allow all
http_port 8080 ssl-bump cert=/etc/squid/ssl_cert/proxy.testdomain.deCert.pem key=/etc/squid/ssl_cert/private/proxy.testdomain.deKey_without_Pp.pem
(the http_port directive must be written on a single line)
SSL Filtering example SQUID.Conf
• Squid configuration (squid.conf):
I post here only the important parts.
acl …
acl …
# you must have a CONNECT acl
acl CONNECT method CONNECT
acl metrobank dstdomain www.metrobank.com.ph
acl securitybank dstdomain www.securitybank.com.ph
# maybe not in the future, but we need this :
always_direct allow all
# permissions sections (allow / deny)
http_access allow…
http_access allow…
http_access allow…
http_access deny …
http_access deny …
http_access deny …
# some sites need this (it makes Squid accept an invalid server certificate for that site) :
sslproxy_cert_error allow metrobank
#sslproxy_flags DONT_VERIFY_PEER
# ssl_bump means that you want to intercept (MITM) this SSL connection
ssl_bump allow metrobank
ssl_bump allow securitybank
# and we don’t want to intercept other SSL sites :
ssl_bump deny all
# now, you can tell Squid you want to forbid these HTTPS urls :
…
http_access allow localnet
http_access allow localhost
http_access deny all
# tell Squid you want to intercept SSL
# /!\ SSL interception is not compatible with transparent proxy
# so DON’T write here ‘intercept’ (new name for ‘transparent’)
http_port 3128 ssl-bump cert=/path/to/your/self-signed/cert/www.yourcompany.com.pem
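To see how the ssl_bump lines above are evaluated, here is an added example (not from the slides) that replays Squid’s first-match rule over a constructed fragment of this config with a small awk evaluator: a dstdomain value without a leading dot matches only that exact host, a value written as .securitybank.com.ph (assumed here to show the difference) matches the domain and all its subdomains, and ssl_bump deny all leaves every other site untouched.

```shell
#!/bin/sh
# Added example, not part of the original slides. The config text is a
# constructed fragment of slide 4; securitybank uses the leading-dot form.
set -eu

BUMP_CONF='
acl CONNECT method CONNECT
acl metrobank dstdomain www.metrobank.com.ph
acl securitybank dstdomain .securitybank.com.ph
always_direct allow all
# bump only the two banks, tunnel everything else untouched
ssl_bump allow metrobank
ssl_bump allow securitybank
ssl_bump deny all
'

# ssl_bump_decision HOST -> prints "allow" (bumped) or "deny" (not bumped)
ssl_bump_decision() {
    printf '%s\n' "$BUMP_CONF" | awk -v host="$1" '
        # skip comment and blank lines
        /^[ \t]*#/ || NF == 0 { next }
        # collect every dstdomain acl: name -> space-separated values
        $1 == "acl" && $3 == "dstdomain" {
            for (i = 4; i <= NF; i++) dom[$2] = dom[$2] " " $i
            next
        }
        # the first ssl_bump line whose acl matches the host decides
        $1 == "ssl_bump" && !done {
            if ($3 == "all" || matches($3)) { print $2; done = 1 }
        }
        # Squid does not bump when no ssl_bump line matches
        END { if (!done) print "deny" }
        function matches(name,    n, v, i, d) {
            n = split(dom[name], v, " ")
            for (i = 1; i <= n; i++) {
                d = v[i]
                if (substr(d, 1, 1) == ".") {
                    # ".example.com" matches example.com and every subdomain
                    if (host == substr(d, 2)) return 1
                    if (length(host) > length(d) &&
                        substr(host, length(host) - length(d) + 1) == d) return 1
                } else if (host == d) return 1
            }
            return 0
        }'
}
```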