Differences

This shows you the differences between two versions of the page.

--- gateway_centos_7 [2015/03/28 11:55] – herwarth
+++ gateway_centos_7 [2016/01/01 14:05] (current) – herwarth
@@ Line 166: / Line 166: @@
 #
 # option definitions common to all supported networks...
-# specify domain name
 option domain-name "lz.zorgnet";
-# specify name server's hostname or IP address
 option domain-name-servers 10.108.108.15;
-# default lease time
+option local-proxy-config code 252 = text;
 default-lease-time 86400;
-# max lease time
 max-lease-time 172800;
-# this DHCP server to be declared valid
 authoritative;
-# specify network address and subnet mask
 subnet 10.108.108.0 netmask 255.255.255.0 {
-# specify the range of lease IP address
+  range dynamic-bootp 10.108.108.151 10.108.108.200;
-range dynamic-bootp 10.108.108.151 10.108.108.200;
+  option broadcast-address 10.108.108.255;
-# specify broadcast address
+  option routers 10.108.108.254;
-option broadcast-address 10.108.108.255;
+  option local-proxy-config "http://10.108.108.5/proxy.pac";
-# specify default gateway
+}
-option routers 10.108.108.254;
+host admin1 {
+  hardware ethernet 00:0c:29:c9:ee:dc;
+  fixed-address 10.108.108.151;
 }
 </code>
@@ Line 195: / Line 195: @@
 .
 visible_hostname gateway.lz.local
-http_port 3128
+http_port 0.0.0.0:3128
 .
 #enable only (adapt to zorgnet subnet)
@@ Line 202: / Line 202: @@
 #enable 1024MB cache-size
 cache_dir ufs /var/spool/squid 1024 16 256
+.
+# Diable IPv6
+dns_v4_first on
 .
 </code>
@@ Line 209: / Line 212: @@
 On the Windows client set the proxy server as the Administrator user in IE. After that run command-box with the following command:
   netsh winhttp import proxy source=ie
+Or use a proxy.pac file:
+<code - /var/www/html/proxy.pac>
+function FindProxyForURL(url, host) {
+// If the requested website is hosted within the internal network, send direct.
+    if (isPlainHostName(host) ||
+	shExpMatch(host, "10.*") ||
+	shExpMatch(host, "127.*") ||
+	shExpMatch(host, "0.0.0.0"))
+        return "DIRECT";
+    else
+        return "PROXY 10.108.108.5:3128";
+}
+</code>
+  cd /var/www/html
+  ln -s proxy.pac wpad.dat
 =====Guacamole=====
 This is the HTML5 RDP/SSH/VNC gateway application using Tomcat and Apache as reverse-proxy.
@@ Line 250: / Line 271: @@
   setsebool -P httpd_can_network_connect 1
 ====Configuration====
-<code - /etc/httpd/conf.d/guacamolo.conf>
+<code - /etc/httpd/conf.d/default.conf>
 <VirtualHost *:80>
     ServerAdmin webmaster@helux.nl
-    RewriteEngine On
+    <Directory "/var/www/html">
-    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
+        AllowOverride All
+        Options MultiViews FollowSymlinks SymLinksIfOwnerMatch IncludesNoExec
+        Options -Indexes
+        Order allow,deny
+        Allow from all
+    </Directory>
-    ErrorLog /var/log/httpd/guacd-error.log
+    <Files "proxy.pac">
-    CustomLog /var/log/httpd/guacd-access.log common
+        AddType application/x-ns-proxy-autoconfig pac
-</VirtualHost>
+    </Files>
+    <Files "wpad.dat">
+        AddType application/x-ns-proxy-autoconfig dat
+    </Files>
+    ErrorLog /var/log/httpd/default-error.log
+    CustomLog /var/log/httpd/default-access.log common
+</VirtualHost>
+</code>
+<code - /etc/httpd/conf.d/guacamolo.conf>
 <VirtualHost *:443>
     ServerAdmin webmaster@helux.nl
@@ Line 345: / Line 379: @@
 ====Create new zones====
-  firewall-cmd --permanent --new-zone=local
   firewall-cmd --permanent --new-zone=zorgnet
@@ Line 352: / Line 385: @@
   firewall-cmd --permanent --zone=public --add-source=0.0.0.0/0
   firewall-cmd --permanent --zone=public --add-source=::/0
-  firewall-cmd --permanent --zone=local --add-source=172.16.3.0/24
   firewall-cmd --permanent --zone=zorgnet --add-source=10.108.108.0/24
@@ Line 370: / Line 401: @@
   firewall-cmd --permanent --zone=public --add-service=http
   firewall-cmd --permanent --zone=public --add-service=https
+  firewall-cmd --permanent --zone=public --add-service=ssh
-  firewall-cmd --permanent --zone=local --add-service=ssh
-  firewall-cmd --permanent --zone=local --add-service=http
-  firewall-cmd --permanent --zone=local --add-service=https
   firewall-cmd --permanent --zone=zorgnet --add-service=ssh
@@ Line 384: / Line 412: @@
 ====Set default zone====
-  firewall-cmd --set-default-zone=local
+  firewall-cmd --set-default-zone=public
   systemctl enable firewalld
+=====Fail2ban=====
+  yum install -y fail2ban fail2ban-systemd
+  yum update -y selinux-policy*
+Configure fail2ban, we decide to use FirewallD which is implemented by default in CentOS 7.
+Put the following lines in /etc/fail2ban/jail.d/sshd.local
+<code - /etc/fail2ban/jail.d/sshd.local>
+[sshd]
+enabled = true
+port = ssh
+logpath = %(sshd_log)s
+maxretry = 5
+bantime = 86400
+</code>
+  systemctl enable fail2ban
+  systemctl start fail2ban
 {{tag>centos}}

User Tools

Site Tools

Differences

Page Tools