NFS(Network File System)

Server Configuration :
[root@ns1 ~]# mkdir /nfsserver
[root@ns1 ~]# vim /etc/exports
/nfsserver    192.168.50.18/24(rw,sync)
[root@ns1 ~]# /etc/init.d/portmap restart
Stopping portmap:                                          [  OK  ]
Starting portmap:                                           [  OK  ]
[root@ns1 ~]# /etc/init.d/nfs restart
Shutting down NFS mountd:                                  [  OK  ]
Shutting down NFS daemon:                                  [  OK  ]
Shutting down NFS quotas:                                   [  OK  ]
Shutting down NFS services:                                 [  OK  ]
Starting NFS services:                                          [  OK  ]
Starting NFS quotas:                                            [  OK  ]
Starting NFS daemon:                                          [  OK  ]
Starting NFS mountd:                                           [  OK  ] 

[root@localhost /]# chmod 777 nfsserver/

Client Configuration:
[root@ns2 ~]# mkdir /nfsclient
[root@ns2 ~]# mount -t nfs 192.168.50.18:/nfsserver /nfsclient
[root@mail nfsclient]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/hda6              15G  3.2G   11G  24% /
tmpfs                 124M     0  124M   0% /dev/shm
/dev/hda8             471M   11M  437M   3% /usertest
192.168.50.18:/nfsserver
                       26G  4.6G   20G  19% /nfsclient
 
[root@mail nfsclient]# showmount -e 192.168.50.18
Export list for 192.168.50.18:
/nfsserver 192.168.50.18/24

Linux Web Server

[root@ns1 /]# yum install httpd* -y
[root@ns1 /]# vim /var/www/html/index.html
This is my web server
[root@ns1 /]# /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                              [  OK  ]


[root@ns1 /]# vim /var/named/chroot/var/named/tsbd.fz 
 www             IN CNAME        ns1.tsbd.com.
[root@ns1 home]# /etc/init.d/named restart
Stopping named: .                                          [  OK  ]
Starting named:                                             [  OK  ]

[root@ns1 /]# /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                             [  OK  ]



[root@ns1 ~]# cd /var/www/html/
[root@ns1 html]# ls
index.html  squint
[root@ns1 html]# mkdir tsbd
[root@ns1 html]# ls
tsbd  index.html  squint
[root@ns1 html]# cd tsbd/
[root@ns1 cric]# vim index.html
Test Server
[root@ns1 cric]# vim /etc/httpd/conf/httpd.conf
NameVirtualHost 192.168.50.20:80 

# NOTE: NameVirtualHost cannot be used without a port specifier
# (e.g. :80) if mod_ssl is being used, due to the nature of the
# SSL protocol.

# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for requests without a known
# server name. 

<VirtualHost www.tsbd.com:80>
    ServerAdmin webmaster@www.tsbd.com
    DocumentRoot /var/www/html/tsbd
    ServerName www.tsbd.com
#    ErrorLog logs/dummy-host.example.com-error_log
#    CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
[root@ns1 html]# vim /var/named/chroot/var/named/tsbd.fz 

 www             IN CNAME        ns1.tsbd.com.


 
[root@ns1 ~]# vim /var/named/chroot/etc/named.conf
zone "chsaiful.com" IN {
        type master;
        file "chsaiful.fz";
        allow-update { none; };
};
[root@ns1 ~]# cp /var/named/chroot/var/named/abcd.fz chsaiful.fz

[root@ns1 html]# cd /var/www/html/
[root@ns1 html]# ls
index.html  squint  tsbd
[root@ns1 html]# mkdir chsaiful
[root@ns1 html]# ls
chsaiful  index.html  squint  tsbd
[root@ns1 html]# cd chsaiful/
[root@ns1 chsaiful]# vim index.html

HELLO THIS IS VIRTUAL HOSTING
[root@ns1 cric]# vim /etc/httpd/conf/httpd.conf
NameVirtualHost 192.168.50.20:80
<VirtualHost www.chsaiful.com:80>
    ServerAdmin webmaster@ns1.chsaiful.com
    DocumentRoot /var/www/html/chsaiful
    ServerName www.chsaiful.com
#    ErrorLog logs/dummy-host.example.com-error_log
#    CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>

[root@ns1 home]# /etc/init.d/named restart
Stopping named: .                                          [  OK  ]
Starting named:                                             [  OK  ]

[root@ns1 /]# /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                             [  OK  ]

  
webmail         IN CNAME      mail.abcd.com.
20        IN      PTR     mail.abcd.com.




NameVirtualHost 192.168.50.20:80 
<VirtualHost 192.168.50.20:80>
    ServerAdmin webmaster@mail.abcd.com
    DocumentRoot /usr/share/squirrelmail
    ServerName 192.168.50.20
#    ErrorLog logs/dummy-host.example.com-error_log
#    CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>




Webserver PC :
 [root@mail chsaiful]# vim /etc/resolv.conf


 nameserver 192.168.50.20
[root@mail chsaiful]# cd /var/www/html/
[root@mail html]# ll
total 16
drwxr-xr-x 2 root root 4096 Dec  6 01:42 chsaiful
-rw-r--r-- 1 root root  189 Nov 21 12:27 robots.txt
drwxr-xr-x 2 root root 4096 Dec  6 00:42 tsmominul
drwxr-xr-x 2 root root 4096 Dec  6 00:44 tsrajan
[root@ns1 cric]# vim /etc/httpd/conf/httpd.conf
NameVirtualHost 192.168.50.30:80
<VirtualHost www.tsmominul.com:80>
    ServerAdmin webmaster@www.tsmominul.com
    DocumentRoot /var/www/html/tsmominul
    ServerName www.tsmominul.com
#    ErrorLog logs/dummy-host.example.com-error_log
#    CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>


<VirtualHost www.tsrajan.com:80>
    ServerAdmin webmaster@www.tsrajan.com
    DocumentRoot /var/www/html/tsrajan
    ServerName www.tsrajan.com
#    ErrorLog logs/dummy-host.example.com-error_log
#    CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
[root@mail chsaiful]# /etc/init.d/httpd restart

DNS Server Configuration for both webserver :
zone "tsmominul.com" IN {
        type master;
        file "tsmominul.fz";
        allow-update { none; };
};
zone "tsrajan.com" IN {
        type master;
        file "tsrajan.fz";
        allow-update { none; };
};
[root@ns1 named]# cp abcd.fz tsmominul.fz
[root@ns1 named]# cp abcd.fz tsrajan.fz
[root@ns1 named]# chgrp named tsmominul.fz
[root@ns1 named]# chgrp named tsrajan.fz
[root@ns1 named]# vim /var/named/chroot/var/named/abcd.fz
www                      IN A          192.168.50.30
www                      IN A          192.168.50.30
[root@ns1 named]# vim /var/named/chroot/var/named/abcd.rz
30        IN      PTR     www.tsmominul.com.
30        IN      PTR     www.tsrajan.com.
[root@ns1 named]# /etc/init.d/named restart







Mail Server Configuration(Sendmail+Dovecot+Squirrelmail)

Sendmail: On the Internet, sendmail is the most popular UNIX-based implementation of the Simple Mail Transfer Protocol (SMTP) for transmitting e-mail. Sendmail is a general-purpose internetwork email routing facility that supports many kinds of mail-transfer and -delivery methods, including the Simple Mail Transfer Protocol (SMTP) used for email transport over the Internet.

Dovecot : is an open source IMAP and POP3 server for Linux/UNIX-like systems, written primarily with security in mind. Developed by Timo Sirainen, Dovecot was first released in July 2002. Dovecot primarily aims to be a lightweight, fast and easy to set up open source mailserver.

SquirrelMail: is an Open Source project that provides both a web-based email application and an IMAP proxy server. It is a standards-based webmail package written in PHP. It includes built-in pure PHP support for the IMAP and SMTP protocols, and all pages render in pure HTML 4.0 (with no JavaScript required) for maximum compatibility across browsers. It has very few requirements and is very easy to configure and install. SquirrelMail has all the functionality you would want from an email client, including strong MIME support, address books, and folder manipulation.

Configuration :
First, check whether the sendmail package is already installed. Any other MTA that is installed also needs to be disabled.
[root@ns1 ~]# rpm -qa | grep postfix*
[root@ns1 ~]# rpm -qa | grep sendmail*

Sendmail Server Configuration:
[root@dns1 ~]# yum install sendmail* -y
[root@dns1 ~]# yum install m4* -y
[root@dns1 ~]# yum install dovecot* -y

[root@dns1 ~]# vim /etc/mail/sendmail.mc 
Edit /etc/mail/sendmail.mc, search for DAEMON_OPTIONS and comment the line out with dnl (this removes the Addr=127.0.0.1 restriction, so sendmail will accept SMTP connections on all interfaces rather than only on loopback):
dnl # DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
Search for LOCAL_DOMAIN and add the DNS name:
LOCAL_DOMAIN(`tsdatabd.com')dnl
To approve or reject mail relaying, find the blacklist line in sendmail.mc and un-comment it:
FEATURE(`blacklist_recipients')dnl  
 
[root@dns1 ~]# vim /etc/mail/access
Connect:192.168.50.0/24                 RELAY
Connect:mail.tsbd.com                   RELAY
Connect:tsbd.com                          RELAY
[root@dns1 ~]#makemap hash /etc/mail/access.db  <  /etc/mail/access 
Modify the sendmail macro configuration file /etc/mail/sendmail.mc and then generate sendmail.cf with the m4 macro processor:
m4 /etc/mail/sendmail.mc  > /etc/mail/sendmail.cf 
If an error like the following occurs: /etc/mail/sendmail.mc:10: m4: cannot open `/usr/share/sendmail-cf/m4/cf.m4': No such file or directory, install sendmail-cf and rerun m4:
[root@localhost named]# yum install sendmail-cf* -y
[root@localhost named]# m4 /etc/mail/sendmail.mc  > /etc/mail/sendmail.cf
Edit the file named “/etc/mail/local-host-names” and add the following (the machine IP address; for
example, my IP is 192.168.50.20):
 
[root@dns1 ~]# vim /etc/mail/local-host-names
192.168.50.19
mail.tsdatabd.com
tsdatabd.com 
[root@dns1 ~]# vim /etc/aliases 
support:        rajan,saiful,krahman,probal,support,mominul
[root@dns1 ~]# newaliases
/etc/aliases: 76 aliases, longest 43 bytes, 798 bytes total

[root@dns1 ~]#chkconfig sendmail on
[root@dns1 ~]# /etc/init.d/sendmail restart
Shutting down sm-client:                                    [  OK  ]
Shutting down sendmail:                                    [  OK  ]
Starting sendmail:                                              [  OK  ]
Starting sm-client:                                              [  OK  ]
[root@ns1 ~]# useradd -s /sbin/nologin krahman
[root@ns1 ~]# passwd krahman
Changing password for user krahman.
New UNIX password:
BAD PASSWORD: it is too simplistic/systematic
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@ns1 ~]# useradd -s /sbin/nologin rajan
[root@ns1 ~]# passwd rajan
Changing password for user rajan.
New UNIX password:
BAD PASSWORD: it is too simplistic/systematic
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
 

[root@dns1 ~]# telnet mail.tsbd.com 25
mail.tsbd.com/25: Name or service not known

[root@ns1 ~]# telnet 192.168.50.20 25
Trying 192.168.50.20...
Connected to ns1.tsbd.com (192.168.50.20).
Escape character is '^]'.
220 ns1.tsbd.com ESMTP Sendmail 8.13.8/8.13.8; Mon, 28 Nov 2011 20:12:59 +0600
mail from:krahman@tsbd.com
250 2.1.0 krahman@tsbd.com... Sender ok
rcpt to:rajan@tsbd.com
250 2.1.5 rajan@tsbd.com... Recipient ok
data
354 Enter mail, end with "." on a line by itself
subject:test mail
This is the test mail from krahman
hello rajan how r u ?
.
250 2.0.0 pASECxJb024741 Message accepted for delivery
quit
221 2.0.0 ns1.tsbd.com closing connection
Connection closed by foreign host.
 
[root@ns1 ~]# vim /etc/dovecot.conf

protocols = imap imaps pop3 pop3s
login_greeting = welcome to tsbd
[root@ns1 ~]# chkconfig dovecot on
[root@ns1 ~]# /etc/init.d/dovecot restart
Stopping Dovecot Imap:                                     [FAILED]
Starting Dovecot Imap:                                       [  OK  ]
[root@ns1 ~]# telnet 192.168.50.20 110
Trying 192.168.50.20...
Connected to ns1.tsbd.com (192.168.50.20).
Escape character is '^]'.
+OK welcome to tsbd
user rajan
+OK
pass 123456
+OK Logged in.
list
+OK 3 messages:
1 484
2 436
3 504
.

retr 3
+OK 504 octets
Return-Path: <krahman@tsbd.com>
Received: from ns1.tsbd.com (ns1.tsbd.com [192.168.50.20])
        by ns1.tsbd.com (8.13.8/8.13.8) with SMTP id pASECxJb024741
        for rajan@tsbd.com; Mon, 28 Nov 2011 20:14:01 +0600
Date: Mon, 28 Nov 2011 20:12:59 +0600
From: krahman@tsbd.com
Message-Id: <201111281414.pASECxJb024741@ns1.tsbd.com>
X-Authentication-Warning: ns1.tsbd.com: ns1.tsbd.com [192.168.50.20] didn't use HELO protocol
subject: test mail

This is the test mail from krahman
hello rajan how r u ?
.
retr 2
+OK 436 octets
Return-Path: <krahman@tsbd.com>
Received: from ns1.tsbd.com (ns1.tsbd.com [192.168.50.20])
        by ns1.tsbd.com (8.13.8/8.13.8) with SMTP id pASE8uw8024573
        for rajan@tsbd.com; Mon, 28 Nov 2011 20:09:57 +0600
Date: Mon, 28 Nov 2011 20:08:56 +0600
From: krahman@tsbd.com
Message-Id: <201111281409.pASE8uw8024573@ns1.tsbd.com>
X-Authentication-Warning: ns1.tsbd.com: ns1.tsbd.com [192.168.50.20] didn't use HELO protocol

test mail
.
retr 1
+OK 484 octets
Return-Path: <krahman@tsbd.com>
Received: from ns1.tsbd.com (ns1.tsbd.com [192.168.50.20])
        by ns1.tsbd.com (8.13.8/8.13.8) with SMTP id pASDl2F7023801
        for rajan@tsbd.com; Mon, 28 Nov 2011 19:48:59 +0600
Date: Mon, 28 Nov 2011 19:47:02 +0600
From: krahman@tsbd.com
Message-Id: <201111281348.pASDl2F7023801@ns1.tsbd.com>
X-Authentication-Warning: ns1.tsbd.com: ns1.tsbd.com [192.168.50.20] didn't use HELO protocol

This is the test mail from krahman
hello rajan how r u ?
.
dele 2
+OK Marked to be deleted.
list
+OK 2 messages:
1 484
3 504

[root@ns1 ~]# yum install squirrelmail* -y
[root@ns1 ~]# yum install php* -y
[root@ns1 ~]# yum install httpd* -y
[root@ns1 ~]# chkconfig httpd on
[root@ns1 ~]# /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                              [  OK  ]
[root@ns1 ~]# cd /usr/share/squirrelmail/config/
[root@ns1 config]# ls
config_default.php  config_local.php  config.php  conf.pl  index.php
[root@ns1 config]# ./conf.pl
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  Themes
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Languages

D.  Set pre-defined settings for specific IMAP servers

C   Turn color off
S   Save data
Q   Quit

Command >> 1
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Organization Preferences
1.  Organization Name      : SquirrelMail
2.  Organization Logo      : ../images/sm_logo.png
3.  Org. Logo Width/Height : (308/111)
4.  Organization Title     : SquirrelMail $version
5.  Signout Page           :
6.  Top Frame              : _top
7.  Provider link          : http://www.squirrelmail.org/
8.  Provider name          : SquirrelMail
R   Return to Main Menu
C   Turn color off
S   Save data
Q   Quit
Command >> 1
X-Net Ltd

S
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Organization Preferences
1.  Organization Name      : X-Net Ltd
2.  Organization Logo      : ../images/sm_logo.png
3.  Org. Logo Width/Height : (308/111)
4.  Organization Title     : SquirrelMail $version
5.  Signout Page           :
6.  Top Frame              : _top
7.  Provider link          : http://www.squirrelmail.org/
8.  Provider name          : SquirrelMail
R   Return to Main Menu
C   Turn color off
S   Save data
Q   Quit
[root@ns1 ~]# cd /usr/share/squirrelmail/images/
Paste the logo file here.
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Organization Preferences
1.  Organization Name      : X-Net Ltd
2.  Organization Logo      : ../images/sm_logo.png
3.  Org. Logo Width/Height : (308/111)
4.  Organization Title     : SquirrelMail $version
5.  Signout Page           :
6.  Top Frame              : _top
7.  Provider link          : http://www.squirrelmail.org/
8.  Provider name          : SquirrelMail
R   Return to Main Menu
C   Turn color off
S   Save data
Q   Quit
Command >> 2
 

Your organization's logo is an image that will be displayed at
different times throughout SquirrelMail.
Please be aware of the following:
  - Relative URLs are relative to the config dir
    to use the default logo, use ../images/sm_logo.png
  - To specify a logo defined outside the SquirrelMail source tree
    use the absolute URL the webserver would use to include the file
    e.g. http://www.example.com/images/mylogo.gif or /images/mylogo.jpg

[../images/sm_logo.png]: ../images/xnet.jpg

S
Organization Preferences
1.  Organization Name      : X-Net Ltd
2.  Organization Logo      : ../images/xnet.jpg
3.  Org. Logo Width/Height : (308/111)
4.  Organization Title     : SquirrelMail $version
5.  Signout Page           :
6.  Top Frame              : _top
7.  Provider link          : http://www.squirrelmail.org/
8.  Provider name          : SquirrelMail
R   Return to Main Menu
C   Turn color off
S   Save data
Q   Quit   


SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  Themes
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Languages
D.  Set pre-defined settings for specific IMAP servers
C   Turn color off
S   Save data
Q   Quit



General
-------
1.  Domain                 : localhost
2.  Invert Time            : false
3.  Sendmail or SMTP       : Sendmail
A.  Update IMAP Settings   : localhost:143 (uw)
B.  Change Sendmail Config : /usr/sbin/sendmail
R   Return to Main Menu
C   Turn color off
S   Save data
Q   Quit
 

Server Settings

General
-------
1.  Domain                 : tsbd.com
2.  Invert Time            : false
3.  Sendmail or SMTP       : Sendmail
A.  Update IMAP Settings   : localhost:143 (uw)
B.  Change Sendmail Config : /usr/sbin/sendmail
R   Return to Main Menu
C   Turn color off
S   Save data
Q   Quit


SquirrelMail default aliasing:

[root@localhost etc]# vim /etc/httpd/conf.d/squirrelmail.conf 
Alias /webmail /usr/share/squirrelmail

In the browser: "http://192.168.50.20/webmail"



Here we add a host entry for our mail server: once the host record exists, the mail server can be reached by its domain name instead of its IP address.

  
[root@ns1 home]# vim /var/named/chroot/var/named/gix.fz
                   IN NS           ns1.gix.com.
                   IN NS           ns2.gix.com.
                   IN A            192.168.50.18
ns1             IN A            192.168.50.18
ns2             IN A            192.168.50.21
mail            IN A            192.168.50.18


[root@ns1 home]# vim /var/named/chroot/var/named/gix.rz


           IN      NS        ns1.gix.com.
           IN      NS        ns2.gix.com.
18       IN      PTR      ns1.gix.com.
21       IN      PTR     ns2.gix.com. 
100      IN      PTR     mail.gix.com.


[root@ns1 home]# /etc/init.d/named restart
Stopping named: .                                          [  OK  ]
Starting named:                                              [  OK  ]
[root@ns1 home]# /etc/init.d/httpd restart
Stopping httpd:                                             [  OK  ]
Starting httpd:                                               [  OK  ]


In the browser: "http://mail.tsbd.com/webmail"




Here we add an MX record for our mail server: with an MX record published, other mail servers on the Internet can find ours, so mail can be exchanged with them.

[root@ns1 home]# vim /var/named/chroot/var/named/gix.fz


                IN NS           ns1.gix.com.
                IN MX 10        mail.gix.com.
                IN NS           ns2.gix.com.
                IN A            192.168.50.18
ns1             IN A            192.168.50.18
ns2             IN A            192.168.50.21
mail            IN A            192.168.50.18

[root@ns1 home]# vim /var/named/chroot/var/named/gix.rz


          IN      NS         ns1.gix.com.
          IN      MX 10   mail.gix.com.
          IN      NS        ns2.gix.com.
18     IN      PTR      ns1.gix.com.
21     IN      PTR      ns2.gix.com.
100   IN      PTR      mail.gix.com.

iptables for mail port 25 & 110 

Then we edit the /etc/sysconfig/iptables file; since we are using SMTP, only port 25 needs to be opened (SMTP runs over TCP, so the tcp rule is the one that matters; the udp rule is harmless but unnecessary):
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT 
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 25 -j ACCEPT 
Restart iptables 

Then we edit the firewall in the same way for POP3, which only needs port 110 opened (POP3 also runs over TCP, so again only the tcp rule is required):
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT 
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 110 -j ACCEPT 
Restart iptables
 

Linux Domain Hosting Configuration

[root@localhost named]# vim /var/named/chroot/etc/named.conf
options{ directory "/var/named"; };
zone "." IN {
        type hint;
        file "named.ca";
};

zone "localdomain" IN {
        type master;
        file "localdomain.zone";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
file "localhost.zone";
        allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.ip6.local";
        allow-update { none; };
};

zone "255.in-addr.arpa" IN {
        type master;
        file "named.broadcast";
        allow-update { none; };
};
zone "0.in-addr.arpa" IN {
        type master;
        file "named.zero";
        allow-update { none; };
};

zone "gix.com" IN {
        type master;
        file "tsbd.fz";
        allow-update { none; };
};

zone "50.168.192.in-addr.arpa" IN {
        type master;
        file "tsbd.rz";
        allow-update { none; };
};

zone "chsaiful.com" IN {
        type master;
        file "chsaiful.fz";
        allow-update { none; };
};

[root@dns1 ~]# cp /var/named/chroot/var/named/tsbd.fz chsaiful.fz
[root@dns1 ~]# chgrp named /var/named/chroot/var/named/chsaiful.fz

[root@ns1 html]# cd /var/www/html/
[root@ns1 html]# ls
index.html  squint  tsbd
[root@ns1 html]# mkdir chsaiful
[root@ns1 html]# ls
chsaiful  index.html  squint  tsbd
[root@ns1 html]# cd chsaiful/
[root@ns1 chsaiful]# vim index.html

HELLO THIS IS VIRTUAL HOSTING
[root@ns1 cric]# vim /etc/httpd/conf/httpd.conf 
NameVirtualHost 192.168.50.20:80
<VirtualHost www.chsaiful.com:80>
    ServerAdmin webmaster@ns1.chsaiful.com
    DocumentRoot /var/www/html/chsaiful
    ServerName www.chsaiful.com
#    ErrorLog logs/dummy-host.example.com-error_log
#    CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>

[root@ns1 home]# /etc/init.d/named restart
Stopping named: .                                           [  OK  ]
Starting named:                                                [  OK  ]

[root@ns1 /]# /etc/init.d/httpd restart
Stopping httpd:                                                 [  OK  ]
Starting httpd:                                                    [  OK  ]


Proxy Server Configuration Linux

[root@localhost ~]# yum install squid* -y

To start, stop, and restart squid after booting use the service command:
[root@bigboy tmp]# service squid start
[root@bigboy tmp]# service squid stop
[root@bigboy tmp]# service squid restart


[root@localhost ~]# vim /etc/squid/squid.conf
 
The http_port is the port number on the local server that Squid binds to and listens on for incoming requests. Its default is 3128, but it can be changed if needed (8080 is also a common cache port). Whichever port is used here must also be set on all the workstations that will connect to and use the proxy.

http_port 8080 
When cache swap usage exceeds 95% of the total, Squid automatically removes objects until usage is back down to 90%; this replacement continues automatically.
cache_swap_low 90
cache_swap_high 95
Objects larger than this size will NOT be saved on disk. The value is specified in kilobytes, and the default is 4 MB. If you wish to get a high BYTES hit ratio, you should probably increase this (one 32 MB object hit counts for 3200 10 KB hits). If you wish to increase speed more than you want to save bandwidth, you should leave this low. During the initial download of a file the download time is normal, but if you download the same file again the time it takes will be much shorter; this indicates that the file is being served from the cache.
 maximum_object_size 2000 KB
Objects smaller than this size will NOT be saved on disk.  The value is specified in kilobytes, and the default is 0 KB,  which means there is no minimum.
minimum_object_size 0 KB

 
 cache_mem 256 MB
Objects greater than the size specified in this tag will not be kept in the memory cache. This should be set high enough to keep frequently accessed objects in memory to improve performance, and at the same time low enough to keep larger objects from hoarding the memory cache.
 maximum_object_size_in_memory 16 KB
The cache_dir tag specifies the location where the cache will reside in the filesystem. ufs identifies the storage format for the cache. The "256" specifies the maximum allowable size of the cache (in MB), and should be adjusted to suit your needs. The 32 and 1024 specify the number of directories contained inside the first and second level cache store.
cache_dir ufs /var/spool/squid/cache 250 32 1024
The following tags specify the standard log file locations.
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log

 cache_effective_user squid

cache_effective_group squid


[root@mail ~]# vim /etc/squid/squid.conf
acl support src 192.168.100.0/24 192.168.50.0/24

http_access allow support

Password Authentication Using NCSA :

You can configure Squid to prompt users for a username and password. Squid comes with a program called ncsa_auth that reads any NCSA-compliant encrypted password file. You can use the htpasswd program that comes installed with Apache to create your passwords. Here is how it's done:

1) Create the password file. The name of the password file should be /etc/squid/squid_passwd, and you need to make sure that it is readable by the user Squid runs as. (The commands below use /etc/squid/squid_users and make it world-readable with `chmod o+r`; that also lets every local account read the password hashes, and read access for the squid user or group is sufficient.)
[root@bigboy tmp]# touch /etc/squid/squid_users
[root@bigboy tmp]# chmod o+r /etc/squid/squid_users
2) Use the htpasswd program to add users to the password file.
 [root@mail ~]# htpasswd /etc/squid/squid_users saiful
New password:
Re-type new password:
Adding password for user saiful
[root@mail ~]# htpasswd /etc/squid/squid_users rajan
New password:
Re-type new password:
Adding password for user rajan 
3) Find your ncsa_auth binary using find (or locate):
[root@mail ~]# find / -name ncsa_auth
/usr/lib/squid/ncsa_auth
 
4) Edit squid.conf; specifically, you need to define the authentication 
program in squid.conf, which is in this case ncsa_auth. Next, create an 
ACL named ncsa_users with the REQUIRED keyword that forces Squid to use 
the NCSA auth_param method you defined previously. Finally, create an 
http_access entry that allows traffic that matches the ncsa_users ACL 
entry. Here's a simple user authentication example; the order of the 
statements is important:
[root@mail ~]# vim /etc/squid/squid.conf
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_users
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users 
 

Specifying Organisational Policies (Restricted web Sites) : 

Procedure 1: Block a single website using an ACL

[root@localhost ~]# vim /etc/squid/squid.conf  

acl bad dstdomain .yahoo.com 

http_access deny bad

Procedure 2: Block multiple websites by domain name

[root@localhost bin]# touch /etc/squid/blocksites.txt

[root@localhost bin]# vim /etc/squid/blocksites.txt
facebook.com
google.com
youtube.com
gmail.com

[root@localhost ~]# vim /etc/squid/squid.conf  

acl block dstdomain "/etc/squid/blocksites.txt"

http_access deny block

Procedure 3: Block websites by string matching in Squid

[root@localhost ~]# touch /etc/squid/block.txt

[root@localhost ~]# vim /etc/squid/block.txt

facebook
google 
 

[root@localhost ~]# vim /etc/squid/squid.conf 

acl block url_regex -i "/etc/squid/block.txt"
http_access deny block


Some examples of string-matching site blocks:

[root@localhost ~]# touch /etc/squid/block_advertisers.txt

[root@localhost ~]# touch /etc/squid/block_entertainment.txt

[root@localhost ~]# touch /etc/squid/block_porn.txt

[root@localhost ~]# touch /etc/squid/block_webmail.txt

[root@localhost ~]# vim /etc/squid/squid.conf 

acl block_advertisers   url_regex -i "/etc/squid/block_advertisers.txt"
acl block_entertainment url_regex -i "/etc/squid/block_entertainment.txt"
acl block_webmail       url_regex -i "/etc/squid/block_webmail.txt"
acl block_porn          url_regex -i "/etc/squid/block_porn.txt"

http_access deny block_advertisers
http_access deny block_entertainment
http_access deny block_porn
http_access deny block_webmail

 

Restricting Web Access By Time :

Squid TIME acls cannot wrap from one day to the next, so to get from 4:30 in the afternoon until 8:00 the next morning, we have to actually specify one acl for 4:30 to midnight and another acl for midnight to 8 in the morning.
 
Time of day, and day of week
            
Usage acl aclname time [day-abbreviations] [h1:m1-h2:m2]
day-abbreviations:
S - Sunday
M - Monday
T - Tuesday
W - Wednesday
H - Thursday
F - Friday
A - Saturday
h1:m1 must be less than h2:m2
Example
acl ACLTIME time M 9:00-17:00
ACLTIME refers to Monday from 9:00 to 17:00.

[root@localhost ~]# vim /etc/squid/squid.conf

acl deployment src 192.168.50.1-192.168.50.10
acl sales           src 192.168.50.11-192.168.50.19
acl noc             src 192.168.50.21-192.168.50.30
acl deployment_workhours time SMTWH    08:00-14:00
acl sales_workhours           time TWH         10:00-16:00
acl noc_workhours             time SMTWHFA 08:00-19:00
 
http_access allow deployment deployment_workhours
http_access deny deployment
http_access allow sales sales_workhours
http_access deny sales
http_access allow noc noc_workhours
http_access deny noc

Example 1 : To restrict access to work hours (9am - 5pm, Monday to Friday) from IP 192.168.2/24

acl ip_acl  src 192.168.2.0/24
acl time_acl  time MTWHF 9:00-17:00
http_access allow ip_acl time_acl
http_access deny all

To apply multiple time-based access control lists to different users with different schedules:

acl abc src 172.161.163.85
acl xyz src 172.161.163.86
acl asd src 172.161.163.87
acl morning time 06:00-11:00
acl lunch time 14:00-14:30
acl evening time 16:25-23:59

Access Controls
http_access allow abc morning
http_access allow xyz morning lunch
http_access allow asd lunch
 

Example 2 : To restrict access to websites

Specifying which network IPs we will support in squid 

acl subnet_lab1     src ip-address_lab1/netmask
acl subnet_lab2     src ip-address_lab2/netmask
acl subnet_pub      src ip-address_pub/netmask
 
Specifying Time intervals we will support
acl TIMEafterhoursMORN time MTWHF 00:00-08:00
acl TIMEafterhoursAFT     time MTWHF 16:30-24:00
acl TIMEsatMORN             time  A 00:00-07:00
acl TIMEsatAFT                 time  A 17:00-24:00
acl TIMEsundALLDAY        time  S 00:00-24:00 
  
Restricting internal access - relevant to organisational policies
http_access deny subnet_pub TIMEafterhoursMORN
http_access deny subnet_pub TIMEafterhoursAFT
http_access deny subnet_pub TIMEsatMORN
http_access deny subnet_pub TIMEsatAFT
http_access deny subnet_pub TIMEsundALLDAY 
 
How To Bind MAC with IP in SQUID:
[root@localhost ~]# ping 192.168.50.24
PING 192.168.50.24 (192.168.50.24) 56(84) bytes of data.
64 bytes from 192.168.50.24: icmp_seq=1 ttl=128 time=2.64 ms
64 bytes from 192.168.50.24: icmp_seq=2 ttl=128 time=0.727 ms

--- 192.168.50.24 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1003ms
rtt min/avg/max/mdev = 0.727/1.685/2.643/0.958 ms
[root@localhost ~]# arp 192.168.50.24
Address                    HWtype     HWaddress            Flags Mask            Iface
192.168.50.24            ether      00:0D:56:C5:13:B7      C                         eth0
 
[root@mail ~]# vim /etc/squid/squid.conf
acl pc1_mac arp 00:0D:56:C5:13:B7
acl pc1_ip src 192.168.50.24
http_access deny pc1_mac pc1_ip
 
Examples:
(1) To allow http_access for only one machine, identified by its MAC address 00:08:c7:9f:34:41
To use MAC addresses in ACL rules, Squid must be built with the --enable-arp-acl configure option.
acl all src 0.0.0.0/0.0.0.0
acl pl800_arp arp 00:08:c7:9f:34:41
http_access allow pl800_arp
http_access deny all
This rule defines an ACL called BADPC with a single source IP address
of 192.168.1.25. It then denies access to clients matching that ACL.

acl BADPC src 192.168.1.25
http_access deny BADPC 

The following two rules block all files whose names end in the extensions ".mp3" and ".exe"
respectively. The "-i" flag makes the match case insensitive, so both upper-case
and lower-case extensions match.
acl FILE_MP3 urlpath_regex -i \.mp3$
http_access deny FILE_MP3
 
acl FILE_EXE urlpath_regex -i \.exe$
http_access deny FILE_EXE 
Proxy Error Webpage Configuration :
 
[root@mail ~]# vim /etc/squid/errors/ERR_ACCESS_DENIED
<P>Your cache administrator is : Md Saiful Islam Chowdhury <br>
Mobile : 01190115978
<A HREF="mailto:%w">%w</A>.
 
Transparent proxy :
 
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -j SNAT --to-source 192.168.50.30

iptables -t nat -A PREROUTING -s 192.168.100.0/24  -p tcp --dport 80 -j REDIRECT --to-port 8080

OR

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080


Install and configure squid log analyzer Squint :
wget http://www.linux-bd.com/app/squint.tar.gz
https://www.linux-bd.com/app/
[root@localhost ~]# cd Desktop/
[root@localhost Desktop]# ls
squint.tar.gz
[root@localhost Desktop]# tar -zxvf squint.tar.gz
[root@localhost Desktop]# ls
squint-0.3.18  squint.tar.gz
[root@localhost Desktop]# cd squint-0.3.18/
[root@localhost squint-0.3.18]# cp squint.pl squint.cron.sh /usr/local/bin/
[root@localhost squint-0.3.18]# squint.cron.sh init
[root@localhost squint-0.3.18]# squint.cron.sh all






Squint's entry in /etc/crontab is wrong, so its reports do not run as intended until it is fixed. Open the crontab file and look at the squint section: the "Daily at 3am" line uses */1 in the minute field, which runs the daily report every minute between 03:00 and 03:59 instead of once, so change that field to 00 as in the weekly and monthly lines. If your cron also rejects the spelled-out "Monday" in the weekly line's day-of-week field, use the three-letter form "mon" instead.

[root@localhost squint-0.3.18]# vim /etc/crontab
# squint squid reports
# Weekly, on Mondays
00    01    *    *    Monday    root   /usr/local/bin/squint.cron.sh weekly
# Monthly, on the first day of the month
00    02    1    *    *    root   /usr/local/bin/squint.cron.sh monthly
# Daily at 3am
*/1    03    *    *    *    root   /usr/local/bin/squint.cron.sh daily

[root@localhost squint-0.3.18]# /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                              [  OK  ]
[root@localhost squint-0.3.18]# /etc/init.d/squid restart
Stopping squid: ................                           [  OK  ]
Starting squid: ..                                           [  OK  ]

http://192.168.50.20/squint/ 




Acl Type: port
Description
Access can be controlled by destination (server) port address
Usage acl aclname port port-no
Example
This example allows http_access only to the destination 172.16.1.115:80 from network 172.16.1.0
acl acceleratedhost dst 172.16.1.115/255.255.255.255
acl acceleratedport port 80
acl mynet src 172.16.1.0/255.255.255.0
http_access allow acceleratedhost acceleratedport mynet
http_access deny all

Acl Type: arp
Usage acl aclname arp ARP-ADDRESS
Description
Ethernet (MAC) address matching. This ACL type is supported on Linux, Solaris, and probably BSD variants.
To use ARP (MAC) access controls, you first need to compile in the optional code.
Do this with the --enable-arp-acl configure option:
% ./configure --enable-arp-acl ...
% make clean
% make
If everything compiles, then you can add some ARP ACL lines to your squid.conf
Default ACLs:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
Example
acl ACLARP arp 11:12:13:14:15:16
ACLARP refers to the MAC address 11:12:13:14:15:16 of the client's Ethernet interface.
Note
Squid can only determine the MAC address for clients that are on the same subnet. If the client is on a different subnet, then Squid cannot find out its MAC address.

1. Edit your squid.conf and add these ACLs (the IP match must use the src type; the arp type only accepts a MAC address):
acl mac1 arp 00:14:85:99:3B:8D
acl ip1 src 192.168.0.1

2. Add this before "http_access deny all"
http_access allow mac1 ip1
 

URL Port (port)

Matches the destination port number of the request.
acl aclname port number
acl aclname port range
Example
acl web_port  port 80
acl voip_port port 10000-11000