--- /dev/null
+//The SETUID wrapper.
+
+#include <unistd.h>
+#include <stdio.h>
+
+###ACCESS_PL;
+###ACCESS_PL_ERRLOG;
+
+int main(int argc, char *argv[], char *envp[])
+{
+ freopen(ACCESS_PL_ERRLOG,"at",stderr);
+ return execve(ACCESS_PL,argv,envp);
+}
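Review bot: `return execve(ACCESS_PL,argv,envp);` on the last line only returns when the exec fails, so a failure (script missing, exec bit lost, wrong interpreter path) exits with status 255 and no diagnostic, and because stderr was just redirected to the log file the caller sees nothing. Replace it with `execve(ACCESS_PL, argv, envp); perror("execve " ACCESS_PL); return 127;` so the errno lands in the log and Squid/Apache get a distinct status. The `freopen` result is also unchecked; if the log directory is not writable stderr stays closed, which deserves at least a comment like `/* ACCESS_PL_ERRLOG must be writable by the proxy user, otherwise the script's stderr is lost */`. `argc` is unused and can be marked `(void)argc;` to keep `-Wall` builds quiet. The proxy wrapper at L290–L302 has the same three points.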
-#!/usr/bin/perl
+###PERL;
-use constant ACCESS_PATH => '/yplom/data/proxy/access/';
-use constant TIMEOUT_UNLOCK => 90;
-use constant TIMEOUT_INACT => 15;
+###ACCESS_PATH;
+###TIMEOUT_UNLOCK;
+###TIMEOUT_INACT;
$|=1;
$timeout_unlock = TIMEOUT_UNLOCK*60;
+++ /dev/null
-//The SETUID wrapper.
-
-#include <unistd.h>
-#include <stdio.h>
-
-#define ACCESS_PATH "/yplom/bin/proxy/access.pl"
-#define ACCESS_LOG "/yplom/log/proxy/access-stderr.log"
-
-int main(int argc, char *argv[], char *envp[])
-{
- freopen(ACCESS_LOG,"at",stderr);
- return execve(ACCESS_PATH,argv,envp);
-}
--- /dev/null
+################################################################################
+#copy this to your Apache2 configuration,
+#remember to make the server listen on these ports:
+###LISTEN_HTTP;
+####LISTEN_HTTPS;
+
+###VIRTUAL_HOST_HTTP;
+###SERVER_ADMIN;
+###SERVER_NAME_HTTP;
+###DOCUMENT_ROOT;
+###CGI_ALIAS;
+
+ ErrorLog ${APACHE_LOG_DIR}/err-proxy.log
+ LogLevel warn
+ CustomLog ${APACHE_LOG_DIR}/proxy.log combined
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+###VIRTUAL_HOST_HTTPS;
+###SERVER_ADMIN;
+###SERVER_NAME_HTTPS;
+###DOCUMENT_ROOT;
+###CGI_ALIAS;
+
+ SSLEngine on
+ SSLCertificateFile /etc/apache2/ssl/botm.crt
+ SSLCertificateKeyFile /etc/apache2/ssl/botm.key
+
+ #SSLOptions +StdEnvVars
+
+ ErrorLog ${APACHE_LOG_DIR}/err-proxyssl.log
+ LogLevel warn
+ CustomLog ${APACHE_LOG_DIR}/proxyssl.log combined
+</VirtualHost>
+</IfModule>
+
+################################################################################
+#copy this to your Squid configuration.
+
+###HTTP_PORT_SSL;
+
+acl allowed_ports port 80
+acl allowed_ports port 443
+
+###EXTERNAL_ACL;
+
+acl CONNECT method CONNECT
+acl unlocked external unlocked-check
+###UNLOCK_DOMAIN_ACL;
+
+http_access deny !allowed_ports
+http_access allow unlockdomain
+http_access deny !unlocked
+http_access allow CONNECT
+http_access deny all
+
+coredump_dir /var/spool/squid
+
+###EXTERNAL_REWRITE;
+
+################################################################################
+#Copy this to your crontab:
+###RM_ACCESS_CRONTAB;
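Review bot: The HTTPS vhost hard-codes `SSLCertificateFile /etc/apache2/ssl/botm.crt` and `SSLCertificateKeyFile /etc/apache2/ssl/botm.key` (L65–L66) even though configure.pl defines `SSL_CERT`/`SSL_KEY` placeholders from the `ssl_cert`/`ssl_key` settings, so editing those settings has no effect on the generated config; the two lines should be `###SSL_CERT;` and `###SSL_KEY;`. The `ErrorLog`/`CustomLog` lines in both vhosts likewise ignore the `ERROR_LOG_*`/`CUSTOM_LOG_*` placeholders and the `log_path` setting. `####LISTEN_HTTPS;` (L44) has four `#`, which only works because the substitution regex is unanchored and then yields `## Listen …`; write it as `###LISTEN_HTTPS;` like the line above it.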
--- /dev/null
+#!/usr/bin/perl
+
+unless ($ARGV[0]) {
+ print STDERR "Configfile missing.\n";
+ exit 1;
+}
+
+unless (open $configfile, "<", $ARGV[0]) {
+ print STDERR "Cannot open configfile\n";
+ exit 2;
+}
+
+while ($line = <$configfile>) {
+ $line =~ s/[\r\n]//g;
+ $line =~ s/#.*$//;
+ if ($line =~ /^ *([a-zA-Z0-9_]+) *= *(.*)$/){
+ $name=$1;
+ $value=$2;
+ $value =~ s/ *$//;
+ $set{$name}=$value;
+ }
+}
+close ($configfile);
+
+$def{'UNLOCK_LOG'} = "use constant UNLOCK_LOG => '".$set{'log_path'}."unlock.log';";
+$def{'DATA_PATH'} = "use constant DATA_PATH => '".$set{'data_path'}."';";
+$def{'PASS_PATH'} = "use constant PASS_PATH => '".$set{'data_path'}."pass/';";
+$def{'ACCESS_PATH'} = "use constant ACCESS_PATH => '".$set{'data_path'}."access/';";
+$def{'UNLOCK_PROXY_URL'} = "use constant UNLOCK_PROXY_URL => 'http://".$set{'unlock_domain'}.$set{'unlock_path'}."';";
+$def{'UNLOCK_PROXY_URL_S'}= "use constant UNLOCK_PROXY_URL_S => 'https://".$set{'unlock_domain'}.$set{'unlock_path'}."';";
+$def{'UNLOCK_PROXY_HOST'} = "use constant UNLOCK_PROXY_HOST => qr/".$set{'unlock_domain_regex'}."/;";
+$def{'UNLOCK_PROXY_PATH'} = "use constant UNLOCK_PROXY_PATH => qr/".$set{'unlock_path_regex'}."/;";
+$def{'TIMEOUT_UNLOCK'} = "use constant TIMEOUT_UNLOCK => ".$set{'timeout_unlock'}.";";
+$def{'TIMEOUT_INACT'} = "use constant TIMEOUT_INACT => ".$set{'timeout_inact'}.";";
+$def{'REWRITE_URL'} = "use constant REWRITE_URL => '".$set{'https_proxy_domain'}.":".$set{'https_proxy_port'}."';";
+
+$def{'PATH'} = "\$ENV{'PATH'} = '".$set{'path'}."';";
+
+$def{'PERL'} = "#!".$set{'perl'};
+
+$def{'PROXY_PL'} = '#define PROXY_PL "'.$set{'bin_path'}.'proxy.pl"';
+$def{'PROXY_PL_ERRLOG'} = '#define PROXY_PL_ERRLOG "'.$set{'log_path'}.'proxy-stderr.log"';
+$def{'ACCESS_PL'} = '#define ACCESS_PL "'.$set{'bin_path'}.'access.pl"';
+$def{'ACCESS_PL_ERRLOG'} = '#define ACCESS_PL_ERRLOG "'.$set{'log_path'}.'access-stderr.log"';
+
+$def{'VIRTUAL_HOST_HTTP'} = '<VirtualHost _default_:'.$set{'http_proxy_port'}.'>';
+$def{'VIRTUAL_HOST_HTTPS'}= '<VirtualHost _default_:'.$set{'https_proxy_port'}.'>';
+$def{'SERVER_ADMIN'} = "\tServerAdmin ".$set{'server_admin'};
+$def{'SERVER_NAME_HTTP'} = "\tServerName ".$set{'http_proxy_domain'};
+$def{'SERVER_NAME_HTTPS'} = "\tServerName ".$set{'https_proxy_domain'};
+$def{'DOCUMENT_ROOT'} = "\tDocumentRoot ".$set{'www_path'};
+$def{'CGI_ALIAS'} = "\tScriptAliasMatch (.*) ".$set{'bin_path'}.'proxy$1';
+$def{'SSL_CERT'} = "\tSSLCertificateFile ".$set{'ssl_cert'};
+$def{'SSL_KEY'} = "\tSSLCertificateKEYFile ".$set{'ssl_key'};
+$def{'CUSTOM_LOG_HTTP'} = "\tCustomLog ".$set{'log_path'}.'http.log combined';
+$def{'ERROR_LOG_HTTP'} = "\tErrorLog ".$set{'log_path'}.'http-err.log';
+$def{'CUSTOM_LOG_HTTPS'} = "\tCustomLog ".$set{'log_path'}.'https.log combined';
+$def{'ERROR_LOG_HTTPS'} = "\tErrorLog ".$set{'log_path'}.'https-err.log';
+$def{'LISTEN_HTTP'} = '# Listen '.$set{'http_proxy_port'};
+$def{'LISTEN_HTTPS'} = '# Listen '.$set{'https_proxy_port'};
+
+$def{'HTTP_PORT_SSL'} = 'http_port '.$set{'ssl_proxy_port'};
+$def{'EXTERNAL_ACL'} = 'external_acl_type unlocked-check ttl=15 negative_ttl=0 %SRC '.$set{'bin_path'}.'access';
+$def{'EXTERNAL_REWRITE'} = 'url_rewrite_program '.$set{'bin_path'}.'rewrite';
+$def{'UNLOCK_DOMAIN_ACL'} = 'acl unlockdomain dstdomain '.$set{'unlock_domain'};
+$def{'RM_ACCESS_CRONTAB'} = $set{'rm_access_crontab'}.' '.$set{'rm'}.' '.$set{'data_path'}.'access/*';
+
+$def{'CC'} = 'CC='.$set{'gcc'};
+$def{'CF'} = 'CF='.$set{'c_flags'};
+$def{'PL'} = 'PL='.$set{'perl'};
+$def{'MV'} = 'MV='.$set{'mv'};
+$def{'CP'} = 'CM='.$set{'cp'};
+$def{'RM'} = 'RM='.$set{'rm'};
+$def{'OD'} = 'OD='.$set{'bin_path'};
+$def{'CM'} = 'CM='.$set{'chmod'};
+
+
+
+
+while ($line = <STDIN>) {
+ $line =~ s/[\r\n]//g;
+ if ($line =~ /###([a-zA-Z0-9_]+);/) {
+ print "$def{$1}\n";
+ }
+ else {
+ print "$line\n";
+ }
+}
+
+
+
+
\ No newline at end of file
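Review bot: The substitution loop at L185–L186 prints `$def{$1}` without checking that the placeholder exists, so a typo in a template (or a placeholder used in a template but never added to `%def`) silently emits an empty line and the missing `use constant`/`#define` only surfaces when the generated program fails later; add `die "unknown placeholder $1\n" unless exists $def{$1};` before the print. L175 assigns `$def{'CP'} = 'CM='.$set{'cp'};`, which should read `'CP='` — as written `$(CP)` in the generated makefile is empty and `CM` is assigned twice. Settings values are spliced verbatim into single-quoted Perl strings and `qr//` (L128–L138), so a value containing `'`, `\` or `/` produces a syntactically broken program; the settings file is admin-controlled, but escaping with `s/(['\\])/\\$1/g` before interpolation turns a confusing failure into an impossible one. Note also that `s/#.*$//` at L118 strips everything after the first `#`, so no setting value can contain that character.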
--- /dev/null
+#!/bin/sh
+
+set -x
+perl configure.pl settings <makefile.1.mak >makefile
+make
+rm makefile
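Review bot: `set -x` traces the commands but nothing stops on failure: if `perl configure.pl settings <makefile.1.mak >makefile` exits non-zero (missing or unreadable `settings`), `make` still runs against an empty makefile, and the trailing `rm makefile` then deletes the only evidence of what was generated. Use `set -ex` on the first line so the script stops at the first failing step, and consider leaving the makefile in place when `make` fails. The script also assumes it is started from the source directory; `cd "$(dirname "$0")"` would make that explicit.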
+++ /dev/null
-CC=gcc
-#CC2=g++
-CF=-g -Wall
-#LF=-lIL
-LF2=-lcgi
-
-OD=/yplom/bin/proxy
-
-all: moveout copyout
-
-moveout: proxy rewrite access setuid exec
- mv proxy access rewrite $(OD)
-
-copyout: proxy.pl access.pl setuid exec
- cp proxy.pl access.pl $(OD)
-
-setuid: proxy access
- chmod u+s proxy access
-
-exec: rewrite access.pl proxy.pl proxy
- chmod +x rewrite access.pl proxy.pl proxy
-
-proxy: proxy.c
- $(CC) $(CF) -o proxy proxy.c
-
-rewrite: rewrite.pl
- cp rewrite.pl rewrite
-
-access: access.c
- $(CC) $(CF) -o access access.c
--- /dev/null
+###CC;
+###CF;
+###PL;
+###CP;
+###MV;
+###RM;
+###CM;
+###OD;
+
+all: moveout copyout remove config.txt
+
+
+moveout: proxy proxy.pl rewrite access access.pl setuid exec
+ $(MV) proxy proxy.pl access access.pl rewrite $(OD)
+
+copyout: setuid exec
+# $(CP) access.pl $(OD)
+
+setuid: proxy access
+ $(CM) u+s proxy access
+
+exec: rewrite access.pl proxy.pl
+ $(CM) +x rewrite access.pl proxy.pl
+
+remove: proxy proxy.c access access.c copyout moveout setuid exec
+ $(RM) proxy.c access.c
+
+
+
+proxy.pl: proxy.1.pl configure.pl settings
+ $(PL) configure.pl settings <proxy.1.pl >proxy.pl
+
+proxy.c: proxy.1.c configure.pl settings
+ $(PL) configure.pl settings <proxy.1.c >proxy.c
+
+proxy: proxy.c
+ $(CC) $(CF) -o proxy proxy.c
+
+rewrite: rewrite.1.pl configure.pl settings
+ $(PL) configure.pl settings <rewrite.1.pl >rewrite
+
+access.pl: access.1.pl configure.pl settings
+ $(PL) configure.pl settings <access.1.pl >access.pl
+
+access.c: access.1.c configure.pl settings
+ $(PL) configure.pl settings <access.1.c >access.c
+
+access: access.c
+ $(CC) $(CF) -o access access.c
+
+
+config.txt: config.1.txt configure.pl settings
+ $(PL) configure.pl settings <config.1.txt >config.txt
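Review bot: `all`, `moveout`, `copyout`, `setuid`, `exec` and `remove` never produce a file of that name, so a stray file called e.g. `remove` or `exec` in the source directory would make them look up to date; declare `.PHONY: all moveout copyout setuid exec remove`. `copyout` (L251–L252) has its only recipe line commented out, so it is now just an alias for `setuid exec` and its name misleads; either drop it from `all` or add a comment saying why it is kept. `remove` (L260–L261) lists `proxy` and `access` as prerequisites after `moveout` has already moved them away, which appears to work only because make has already considered those targets in the same run; a stale timestamp would recompile them into the source directory. The fact that `moveout`'s prerequisite order is what guarantees `$(CM) u+s` runs before the binaries are moved deserves a comment on the `moveout` rule.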
--- /dev/null
+//The SETUID wrapper.
+
+#include <unistd.h>
+#include <stdio.h>
+
+###PROXY_PL;
+###PROXY_PL_ERRLOG;
+
+int main(int argc, char *argv[], char *envp[])
+{
+ freopen(PROXY_PL_ERRLOG,"at",stderr);
+ return execve(PROXY_PL,argv,envp);
+}
-#!/usr/bin/perl
+###PERL;
use POSIX qw(strftime);
-use constant ACCESS_LOG => '/yplom/log/proxy/access.log';
-use constant DATA_PATH => '/yplom/data/proxy/';
-use constant PASS_PATH => '/yplom/data/proxy/pass/';
-use constant ACCESS_PATH => '/yplom/data/proxy/access/';
-use constant UNLOCK_PROXY_URL => 'http://yplom.bicyclesonthemoon.info/proxy/unlock';
-use constant UNLOCK_PROXY_URL_S => 'https://yplom.bicyclesonthemoon.info/proxy/unlock';
-use constant UNLOCK_PROXY_HOST => qr/^yplom\.bicyclesonthemoon\.info(:[0-9]*)?$/;
-use constant UNLOCK_PROXY_PATH => qr/^\/proxy\/unlock\/?$/;
-use constant TIMEOUT_UNLOCK => 90;
-use constant TIMEOUT_INACT => 15;
+###UNLOCK_LOG;
+###DATA_PATH;
+###PASS_PATH;
+###ACCESS_PATH;
+###UNLOCK_PROXY_URL;
+###UNLOCK_PROXY_URL_S;
+###UNLOCK_PROXY_HOST;
+###UNLOCK_PROXY_PATH;
+###TIMEOUT_UNLOCK;
+###TIMEOUT_INACT;
$accesstime = time();
$timeout_unlock = TIMEOUT_UNLOCK*60;
$timeout_inact = TIMEOUT_INACT*60;
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
-$ENV{'PATH'}='/usr/local/bin:/usr/bin:/bin';
+###PATH;
if (($ENV{'HTTP_HOST'} =~ UNLOCK_PROXY_HOST) and ($ENV{'PATH_INFO'} =~ UNLOCK_PROXY_PATH)){
unlock();
return unlockpage('Wrong username or password.',"Status: 403 Forbidden\n");
}
- open ($logfile, ">>", ACCESS_LOG) or return unlockpage("Couldn't log your action.","Status: 500 Internal Server Error\n");
- print $logfile strftime("%d.%m.%Y %H:%M:%S", gmtime($accesstime))." $ENV{'REMOTE_ADDR'} $CGI{'username'}\n";
+ open ($logfile, ">>", UNLOCK_LOG) or return unlockpage("Couldn't log your action.","Status: 500 Internal Server Error\n");
+ print $logfile strftime("%d.%m.%Y %H:%M:%S", gmtime($accesstime))." $IP $CGI{'username'}\n";
close($logfile);
$accesspath=ACCESS_PATH.$IP;
print 'action from your IP will be assumed to be your action. By submitting ';
print 'this form you agree to this.<br><br>';
print 'The proxy will be locked again: <ul>';
- print '<li>$timeout_unlock minutes after unlocking</li>';
- print '<li>after $timeoout_inact minutes of inactivity</li>';
+ print '<li>'.TIMEOUT_UNLOCK.' minutes after unlocking</li>';
+ print '<li>after '.TIMEOUT_INACT.' minutes of inactivity</li>';
+ print '<li>when the proxy removes its temporary files</li>';
print "</ul></body></html>\n";
}
print '<h1>Unlocked</h1>';
print "The proxy is now unlocked for IP $IP.<br><br>";
print 'The proxy will be locked again: <ul>';
- print '<li>$timeout_unlock minutes after unlocking</li>';
- print '<li>after $timeoout_inact minutes of inactivity</li>';
+ print '<li>'.TIMEOUT_UNLOCK.' minutes after unlocking</li>';
+ print '<li>after '.TIMEOUT_INACT.' minutes of inactivity</li>';
+ print '<li>when the proxy removes its temporary files</li>';
print "</ul></body></html>\n";
}
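Review bot: The three lock-notice `print` lines and the closing `</ul></body></html>` now appear twice (L344–L350 and L354–L360); the fix for the un-interpolated `$timeout_unlock` text had to be applied in both places, which is exactly how the two copies will drift apart again. Move the list into one helper such as `sub print_lock_notice` and call it from both the form page and the 'Unlocked' page. Both enclosing subroutines start outside the hunk.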
+++ /dev/null
-//The SETUID wrapper.
-
-#include <unistd.h>
-#include <stdio.h>
-
-#define PROXY_PATH "/yplom/bin/proxy/proxy.pl"
-#define PROXY_LOG "/yplom/log/proxy/proxy-stderr.log"
-
-int main(int argc, char *argv[], char *envp[])
-{
- freopen(PROXY_LOG,"at",stderr);
- return execve(PROXY_PATH,argv,envp);
-}
--- /dev/null
+There will be more information later.
+
+Recommended situation is when the software and data directories belong to a
+dedicatad user account.
+
+data_path, tmp_path, log_path should only be accessible by this user.
+bin_path should be publicly accessible - the programs will be called from the
+server. Some will have the SETUID bit set.
+
+To compile/install:
+
+Log in to the user account that will own the proxy.
+(If not, you will have to change file ownerships later.)
+Edit the file 'settings' to have values relevant to your server.
+Create the directories defined there and set correct permissions and ownership.
+Run 'make.sh'. It will generate the programs and copy them to the correct
+location.
+It will also generate config.txt.
+Open this file and copy its fragments to your Apache2 config, Squid config and
+crontab.
+Restart Apache2 and Squid.
+
+To set an username/password:
+Create a file in data_path/pass. Username is filename.
+Inside the file should be one line with URL-encoded password.
-#!/usr/bin/perl
+###PERL;
-use constant REWRITE_URL => 'bicyclesonthemoon.info:59443';
+###REWRITE_URL;
$|=1;
--- /dev/null
+#all directory paths must end with '/' and must already exist.
+
+bin_path = /yplom/bin/proxy/ #Where the software will be located
+data_path = /yplom/data/proxy/ #where the proxy will remember data; subdir:
+ #access, pass, archive
+log_path = /yplom/log/proxy/ #where the proxy will remember data
+tmp_path = /yplom/tmp/proxy/ #for temporary fies
+www_path = /yplom/www/proxy/ #for the www server (unused)
+
+#the server must recognise these domains as itself (127.0.0.1)
+#http and ssl proxy ports must be accessible from outside
+http_proxy_domain = bicyclesonthemoon.info
+https_proxy_domain = bicyclesonthemoon.info
+ssl_proxy_domain = bicyclesonthemoon.info
+http_proxy_port = 59080
+https_proxy_port = 59443
+ssl_proxy_port = 59557
+server_admin = bicyclesonthemoon@chirpingmustard.info
+
+# No matter what key you use there will be ALWAYS an unavoidable certifficate
+# mismatch warning. Because the proxy does an equivalent to a MITM attack.
+ssl_key = /etc/apache2/ssl/botm.key
+ssl_cert = /etc/apache2/ssl/botm.crt
+
+#doesn't have to be a real domain
+unlock_domain = yplom.bicyclesonthemoon.info
+unlock_path = /proxy/unlock
+unlock_domain_regex = ^yplom\.bicyclesonthemoon\.info(:[0-9]*)?$
+unlock_path_regex = ^\/proxy\/unlock\/?$
+
+#Time in minutes
+timeout_unlock = 90
+timeout_inact = 15
+
+path = /usr/local/bin:/usr/bin:/bin
+perl = /usr/bin/perl
+chmod = /bin/chmod
+cp = /bin/cp
+mv = /bin/mv
+rm = /bin/rm
+gcc = /usr/bin/gcc
+c_flags = -g -Wall
+
+rm_access_crontab = 0 0 * * * #How often to remove leftover unlock info.