Romeo Mihalcea's questions

I have the following setup:

• a local DNS server (unbound) listening on 10.10.20.1
• a wireguard server on 10.10.0.1/24
• a wireguard client on 10.10.0.2/32 with DNS pointed to 10.10.20.1

I can connect to the server and I can see the peer:

peer: ..redacted
endpoint: 127.0.0.1:33218 
allowed ips: 10.10.0.2/32, 10.10.20.1/32 
latest handshake: 1 minute, 19 seconds ago 
transfer: 247.87 KiB received, 571.86 KiB sent 
persistent keepalive: every 25 seconds

Once connected, I can issue dig commands on my terminal and they return ok:

dig u/10.10.20.1 reddit.com
;; Warning: query response not set

; <<>> DiG 9.10.6 <<>> u/10.10.20.1 reddit.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27447
;; flags: rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;reddit.com.            IN  A

;; ANSWER SECTION:
reddit.com.     0   IN  A   151.101.129.140
reddit.com.     0   IN  A   151.101.193.140
reddit.com.     0   IN  A   151.101.65.140
reddit.com.     0   IN  A   151.101.1.140

;; Query time: 87 msec
;; SERVER: 10.10.20.1#53(10.10.20.1)
;; WHEN: Thu Aug 11 21:18:35 EEST 2022
;; MSG SIZE  rcvd: 103

Once connected, ifconfig shows my interface up:

utun7: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1420
    options=6463<RXCSUM,TXCSUM,TSO4,TSO6,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM>
    inet 10.10.0.2 --> 10.10.0.2 netmask 0xffffffff

But, my browser does not resolve anything, nor does any other software on my system. Funnily enough, I have a VM with a Windows machine and...the internet works once connected. Any help is much appreciated.

I am calling some iptables rules from a docker container that runs with NET_ADMIN which means iptables commands from the container are applied on the host (yes, I need them this way).

When checking the host with iptables-save I see no rules being added but I also see a Warning: iptables-legacy tables present, use iptables-legacy-save to see them and, when running iptables-legacy-save I can see my rules that are set by the container.

My question is as follows. Are these rules active even if present in the legacy table? Can I do something better?

Container is alpine 3.15, host is debian 10 Buster. Ideally I would want this container to be able to run on ubuntu and debian, regardless of versions.

I have this shaping script that is supposed to penalise downloads larger than 10mb by downgrading their connection speed.

If I test with one connection the penalty is in effect and the download speed is lowered to set value. If I open a new download in paralel, the penalty download rate is shared between the two penalised connections. My goal is to offer a guaranteed penalty rate, not a shared one. Any ideas what am I doing wrong?

dev=eth0

rate_full=100000mbit
conn_rate_limit=10mbit
conn_rate_ceil=20mbit
conn_rate_burst=30mbit

htb_class=10
max_byte=10485760


tc qdisc del dev $dev root > /dev/null 2>&1
tc qdisc add dev $dev root handle 1: htb

tc class add dev $dev parent 1: classid 1:1 htb rate $rate_full
tc class add dev $dev parent 1: classid 1:$htb_class htb rate $conn_rate_limit ceil $conn_rate_ceil burst $conn_rate_burst
tc filter add dev $dev parent 1: prio 0 protocol ip handle $htb_class fw flowid 1:$htb_class

#after 10 megabyte a connection is considered a download
iptables -t mangle -A OUTPUT -p tcp -m connbytes --connbytes $max_byte: --connbytes-dir both --connbytes-mode bytes -j MARK --set-mark $htb_class

I have a docker container running on my host as the server:

mode server
dev tun_udp_0
proto udp
port 1200
script-security 3
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radius/radius.cnf
keepalive 10 60
key-direction 0
tls-version-min 1.2
verify-client-cert none
reneg-sec 300

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh.pem
tls-crypt /etc/openvpn/keys/ta.key 0

compress lz4-v2

client-cert-not-required
username-as-common-name

user nobody
group nogroup
client-config-dir ccd
server 10.20.0.0 255.255.240.0

persist-key
persist-tun

push "sndbuf 393216"
push "rcvbuf 393216"
push "compress lz4-v2"
push "block-outside-dns"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 1.1.1.1"
push "redirect-gateway def1 bypass-dhcp"

duplicate-cn

cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

txqueuelen 200
sndbuf 393216
rcvbuf 393216
fast-io
tun-mtu 1500

And I have another docker container running as the client ON the same machine to do some testing periodically:

dev tun 
proto udp 
remote 1.1.1.1 1200 udp 
client 
script-security 3 
down-pre 
auth-user-pass /tmp/vpn.auth 
resolv-retry infinite 
nobind 
persist-key 
persist-tun 
verb 3 
ping 5 
nobind 
cipher AES-256-CBC 
auth SHA512 
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 
remote-cert-tls server 
connect-retry 5 
connect-retry-max 6 
ping-exit 30 
ca [inline] 
tls-crypt [inline] 1 
<ca> 
-----BEGIN CERTIFICATE----- 
..
-----END CERTIFICATE----- 
</ca> 
<tls-crypt> 
# 
# 2048 bit OpenVPN static key 
# 
-----BEGIN OpenVPN Static key V1----- 
..
-----END OpenVPN Static key V1----- 
</tls-crypt>

When the connectio is attempted it stops at some point - always the same one:

2020/10/30 07:15:43.744 [I]  --  Fri Oct 30 07:15:43 2020 WARNING: file '/tmp/vpn.auth' is group or others accessible 
2020/10/30 07:15:43.744 [I]  --  Fri Oct 30 07:15:43 2020 OpenVPN 2.4.9 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 20 2020 
2020/10/30 07:15:43.744 [I]  --  Fri Oct 30 07:15:43 2020 library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.10 
2020/10/30 07:15:43.744 [I]  --  Fri Oct 30 07:15:43 2020 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key 
2020/10/30 07:15:43.744 [I]  --  Fri Oct 30 07:15:43 2020 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication 
2020/10/30 07:15:43.744 [I]  --  Fri Oct 30 07:15:43 2020 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key 
2020/10/30 07:15:43.744 [I]  --  Fri Oct 30 07:15:43 2020 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication 
2020/10/30 07:15:43.744 [I]  --  Fri Oct 30 07:15:43 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]1.1.1.1:1200 
2020/10/30 07:15:43.744 [I]  --  Fri Oct 30 07:15:43 2020 Socket Buffers: R=[212992->212992] S=[212992->212992] 
2020/10/30 07:15:43.744 [I]  --  Fri Oct 30 07:15:43 2020 UDP link local: (not bound) 
2020/10/30 07:15:43.744 [I]  --  Fri Oct 30 07:15:43 2020 UDP link remote: [AF_INET]1.1.1.1:1200 
2020/10/30 07:16:13.195 [I]  --  Fri Oct 30 07:16:13 2020 [UNDEF] Inactivity timeout (--ping-exit), exiting 
2020/10/30 07:16:13.196 [I]  --  Fri Oct 30 07:16:13 2020 SIGTERM[soft,ping-exit] received, process exiting

If I try to connect from outside using the same client config it works. I get this error only on UDP; TCP works without issues (I have 2 servers running: TCP and UDP).

Any ideas?

I followed a suggestion and bricked my server. I no longer have apt / apt-get after installing apt-transport-https and I regret it.

I tried installing apt via dpkg but it errors out with:

dpkg: regarding apt_1.8.2.1_amd64.deb containing apt:
 apt breaks apt-transport-https (<< 1.5~alpha4~)
  apt-transport-https (version 1.4.10) is present and installed.

dpkg: error processing archive apt_1.8.2.1_amd64.deb (--install):
 installing apt would break apt-transport-https, and
 deconfiguration is not permitted (--auto-deconfigure might help)
Errors were encountered while processing:
 apt_1.8.2.1_amd64.deb

how do I uninstall apt-transport-https and revert back?

The code used in my example is taken from a REDSOCKS tutorial but it doesn't do the job for me. I'm trying to redirect all my tcp traffic through a local proxy server.

#!/bin/bash

CHAIN="MYCHAIN"
PROTO="tcp"

iptables -t nat -N ${CHAIN}

# Ignore LANs and some other reserved addresses.
iptables -t nat -A ${CHAIN} -d 0.0.0.0/8 -j RETURN
iptables -t nat -A ${CHAIN} -d 10.0.0.0/8 -j RETURN
iptables -t nat -A ${CHAIN} -d 127.0.0.0/8 -j RETURN
iptables -t nat -A ${CHAIN} -d 169.254.0.0/16 -j RETURN
iptables -t nat -A ${CHAIN} -d 172.16.0.0/12 -j RETURN
iptables -t nat -A ${CHAIN} -d 192.168.0.0/16 -j RETURN
iptables -t nat -A ${CHAIN} -d 224.0.0.0/4 -j RETURN
iptables -t nat -A ${CHAIN} -d 240.0.0.0/4 -j RETURN

# Anything else should be redirected to port 12345
iptables -t nat -A ${CHAIN} -p ${PROTO} -j REDIRECT --to-ports 12345
iptables -A INPUT -p ${PROTO} -j ${CHAIN}

I receive this error when executing the script: iptables v1.8.4 (legacy): Couldn't load target 'MYCHAIN':No such file or directory.

I think I'm missing a rule but I can't figure out which one.

I have this setup where I'm using a droplet to resolve some DNS requests so it acts as a nameserver for a subdomain: check.farm.test.com

The server works ok and receives traffic so, somehow, the NS record seems to be effective. The problem is that I cannot query it in dig or any other tool.

Here's my setup:

test.com.           NS      ns-312.awsdns-43.com. 
check.test.com.     NS      ns.test.com
ns.test.com.        A       123.132.231.312

My custom DNS server is sitting at 123.132.231.312 and receives traffic when anything.check.test.com is accessed but dig check.test.com NS shows nothing. With +trace I get connection timed out; no servers could be reached. The G-suite toolbox dig tool shows:

opcode QUERY
rcode SERVFAIL
flags QR RD RA
;QUESTION
check.dnsleak.dnsadblock.com. IN NS
;ANSWER
;AUTHORITY
;ADDITIONAL```

I'm learning more about DNS systems and right now I'm studying a very nice project written in Go and I noticed in the code that it queries for some DNS records towards nowhere/?name=probe-test.dns.nextdns.io

Initially I thought that this can't be right, it looks more like an invalid url rather than a domain name but I fired up a console and hit dig nowhere/?name=probe-test.dns.nextdns.io and it returned an A record.

$ dig nowhere/?name=probe-test.dns.nextdns.io

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> nowhere/?name=probe-test.dns.nextdns.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53429
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;nowhere/?name=probe-test.dns.nextdns.io. IN A

;; ANSWER SECTION:
nowhere/?name=probe-test.dns.nextdns.io. 300 IN A 45.90.28.0

;; Query time: 26 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Mar 12 18:55:41 EET 2020
;; MSG SIZE  rcvd: 84

Can someone explain to me how is this a valid entry.

I have this app that is supposed to change the DNS servers of a Linux machine programatically but I can't seem to find a proper way to do it. Some versions are good with updating resolv.conf, others only work if you play with netplan etc. Is there a proper way of doing this thing that works on all instances?

So far I found these options:

resolv.com - works on some instances but it is ineffective on others

netplan - only used and present on newer versions of ubuntu (and possibly others) so I can't rely on it being effective either

changing dns-nameservers inside /etc/network/interfaces - I have to restart the network after that and I'm still not sure it's a solution that works

Which route do you guys suggest I should go or is there something that I'm missing? How does one programatically change the DNS servers of a box?

I have a list of docker containers running on a server. One of the containers is (will be) fail2ban running on privileged mode. My problem right now is with passing and sharing the same volume (log file) through these containers in order for it to be written by services and read by fail2ban.

I was wondering if there's a way with fail2ban to read from a stream of data like docker logs -f apache. This would take the pain away from managing that logfile, passing it through containers, dealing with read/write locks and also figuring out how to rotate it.

I have a Dante server on a host with multiple public ip addresses but it is unable to bind to the ips of the host. The ips are pingable, I have another service listening on each of them (different port) which works so I know the ips work. On my test server which has 10 public addresses it works with no issues but not on this one which has hundreds. The error:

debug: sockaddr2ifname(): address 138.xxx.93.2.51002 does not belong to interface

Here's my config:

logoutput: /dev/stdout
debug: 1

internal: 138.xxx.93.2 port = 51002
external 138.xxx.93.2

external.rotation: same-same

socksmethod: username none
clientmethod: none

user.privileged: root
user.notprivileged: nobody

client pass {
        from: 45.xxx.56.91/32 to: 138.xxx.93.2/32
        log: error
}

socks pass {
        from: 0/0 to: 0/0
        session.state.key: from
        session.state.max: 100
        session.state.throttle: 10/2
}

I want to be able to execute a custom script when pam does the authentication but I get an error out that I can't seem to pass:

Feb 20 17:39:47 DC03R07DS25-08 sockd[2874]: pam_exec(sockd:auth): send password to child
Feb 20 17:39:47 DC03R07DS25-08 sockd[2893]: pam_exec(sockd:auth): Calling /tmp/test.sh ...
Feb 20 17:39:47 DC03R07DS25-08 sockd[2874]: pam_exec(sockd:auth): waitpid returns with -1: No child processes

That's a very basic script that just prints out a 0 to allow everthing.

#!/bin/bash
# read the users password from stdin (pam_exec.so gives the provided password
# if invoked with expose_authtok)

read password
echo $password > /tmp/a.txt

exit 0

And here's my pam.d config:

auth required pam_exec.so debug expose_authtok /tmp/test.sh
account required    pam_permit.so

I really need expose_authtok so I can have access to the password in that script.

I am using Ubuntu 14.04.

Is there any way in Dante that I can create my own authentication script? Take this squid configuration for example:

auth_param basic program /usr/bin/python /etc/auth.py

I have a web server behind nginx and everything works well except for one thing. I'm trying to confirm an amazon SNS Subscription which needs to post some parameters (with a confirmation url) to my website before becoming active. All my attempts failed and I thought it's something with AWS taking longer than expected to post...until I opened up the nginx logs to see if any requests are being sent at all when I saw this critical error:

[crit] 6#6: *13 SSL_do_handshake() failed (SSL: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol) while SSL handshaking, client: 54.239.98.103, server: 0.0.0.0:443

With it being critical it won't let the request go to the web server and confirm my SNS.

Any ideas what could be the cause of this? Also, here's my nginx conf:

worker_processes auto;
error_log /dev/stderr info;

user nobody nogroup;
pid /tmp/nginx.pid;
error_log /tmp/nginx.error.log;

events {
    worker_connections 1024;
    accept_mutex off;
}

http {
    include mime.types;
    default_type application/octet-stream;
    access_log /dev/stdout;
    sendfile on;
    keepalive_timeout 65;
    gzip on;
    gzip_disable "MSIE [1-6].(?!.*SV1)";
    gzip_vary on;

    upstream app_server {
        server unix:/tmp/gunicorn.sock fail_timeout=0;
    }

    server {
        #   redirect all http requests to https
        listen 80;
        listen [::]:80 ipv6only=on;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl spdy;

        client_max_body_size 4G;
        server_name www.devcasts.io;
        keepalive_timeout 5;

        #   Use HTTP Strict Transport Security (HSTS)
        #   v. Django Doc: https://docs.djangoproject.com/en/1.7/topics/security/
        #   v. https://gist.github.com/plentz/6737338
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

        #   ssl_session_cache caches session parameters that create the SSL/TLS
        #   connection. This cache, shared among all worker_connections, will
        #   drastically improve later requests since the connection setup
        #   information is already known. As a reference, a 1MB shared cache
        #   can hold approximately 4,000 sessions. As the timeout length is
        #   increased you will need a larger cache to store the sessions. The
        #   default timeout value for ssl_session_timeout is 5 minutes so to
        #   improve performance it can be increased to a several hours.

        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;

        #   Session tickets store information about specific SSL/TLS sessions.
        #   When a client resumes interaction with an application the session
        #   ticket is used to resume the session without re negotiation. As an
        #   alternative to session tickets, session id's can be used. Session
        #   id's map to a specific session stored in the ssl_session_cache via
        #   a MD5 hash. Both mechanisms can be used to shortcut the SSL handshake.

        ssl_session_tickets on;

        ssl_dhparam /etc/nginx/ssl/dhparam.pem;

        location / {
            try_files $uri @proxy_to_app;
        }

        location @proxy_to_app {
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_redirect off;

            proxy_pass   http://app_server;
        }

        ssl_certificate /etc/nginx/ssl/devcasts.pem;
        ssl_certificate_key /etc/nginx/ssl/devcasts.key;

        ssl_protocols SSLv3 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
        ssl_prefer_server_ciphers on;

        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/ssl/trustchain.crt;
        resolver 8.8.8.8 8.8.4.4;
    }
}

I have this server (the host) which has 1000 external ip addresses. I created a docker container running squid3 and I need to use those ip addresses. I can enable forwarding from the host but that just forwards the request to the local docker ip which screws up my squid ACLs since squid sees the internal ip instead of the external one.

My question is as follows, how do I play with docker or lxc (docker has lxc directives via -lxc-conf=) so that I can see my host's external ip addresses in my container (running ifconfig for example). Right now docker starts with it's own isolated network so it's unusable to me.

The host external ip addresses are assigned to interface p1p1.

I tried running it with -lxc-conf="lxc.network.type = phys" -lxc-conf="lxc.network.link = p1p1" but that completely messes my hosts interface and even kicks me out of ssh.

Any idea what I'm doing wrong?

I have this box I'm trying to setup squid on. I've got it working up to 99% so far because I have an error somewhere that I can't find.

Consider the following ACL part:

acl inbound_myip_1 myip 192.xxx.175.2
tcp_outgoing_address 192.xxx.175.2 inbound_myip_1

acl user_1 proxy_auth johnny
acl user_2 proxy_auth eugene

http_access allow user_1 inbound_myip_1
http_access allow user_2 inbound_myip_1

http_access deny user_1 !inbound_myip_1
http_access deny user_2 !inbound_myip_1

http_access deny all

I have 2 users (johnnyand eugene) who should have access to 192.xxx.175.2. Authentication is done via a python script helper which is tested and works. If I put the proxy in my browser, it first asks for the user/password, I enter my credentials and then replies with an error from squid: Access Denied. If I refresh again the password prompt is not shown any more which means the auth is still in place. I also checked that helper in the console and it replies ok to credentials.

I enabled the debugging to see in my cache log what's happening and here's the relevant part:

2013/12/09 14:10:19.285| authenticateAuthUserAddIp: user 'john' has been seen at a new IP address (109.xxx.147.127:51161)
2013/12/09 14:10:19.285| The request GET http://yahoo.com/ is DENIED, because it matched 'inbound_myip_1'
2013/12/09 14:10:19.286| storeGetMemSpace: Starting, need 1 pages
2013/12/09 14:10:19.286| ZPH: Preserving TOS on miss, TOS=0
2013/12/09 14:10:19.286| The reply for GET http://yahoo.com/ is ALLOWED, because it matched 'inbound_myip_1'
2013/12/09 14:10:19.503| The request GET http://www.squid-cache.org/Artwork/SN.png is DENIED, because it matched 'inbound_myip_1'
2013/12/09 14:10:19.503| ZPH: Preserving TOS on miss, TOS=0
2013/12/09 14:10:19.503| The reply for GET http://www.squid-cache.org/Artwork/SN.png is ALLOWED, because it matched 'inbound_myip_1'
2013/12/09 14:10:25.285| ConnStateData::swanSong: FD 10
2013/12/09 14:12:20.875| ConnStateData::swanSong: FD 8

Any ideas why do my requests get denied?

I'm trying to create an external acl helper for squid3 to (hopefully) cut down some config lines from my squid3 server and I wrote a simple python script for it:

#!/usr/bin/python

import sys
import logging
import time


logger = logging.getLogger( 'squid_auth' )
logger.setLevel( logging.DEBUG )
fh = logging.FileHandler( 'spam.log' )
fh.setLevel( logging.DEBUG )
formatter = logging.Formatter( '%(asctime)s - %(name)s - %(levelname)s - %(message)s' )
fh.setFormatter( formatter )
logger.addHandler( fh )


def grant ():
      sys.stdout.write( 'OK\n' )
      sys.stdout.flush()


def deny ():
      sys.stdout.write( 'ERR\n' )
      sys.stdout.flush()


while True:
      line = sys.stdin.readline().strip()
      if line:
              logger.info( line )
              grant()
      else:
              time.sleep( 1 )

and added it into my squid.conf:

external_acl_type custom_acl %SRC %LOGIN %DST /etc/changemyip/squid/config/acl.py
acl CustomAcl external custom_acl
http_access allow CustomAcl

The path to the script is right (I can execute it in shell), the program has execute rights and everything but, when I reload squid I get this error about 5-6 times then squid crashes:

Aug 17 14:08:52 server7 (squid): The custom_acl helpers are crashing too rapidly, need help!
Aug 17 14:08:52 server7 squid[28233]: Squid Parent: child process 28290 exited with status 1
Aug 17 14:08:52 server7 squid[28233]: Exiting due to repeated, frequent failures

As you can see the script is just printing OK\n to the stdout to grant everyone. I haven't even started implementing any logic to it.

Tested with squid version: 3.1.19

I have this directive in the server.cfg which assigns a range of ips for connecting users:

server 10.8.0.0 255.255.255.0

Each time I connect a client it always (if he's the first in line) gets 10.8.0.4 or .5 (since the server reserves 10.8.0.1 for itself).

What I want to do is to assign a random ip to my clients from the range I have created via the server config not just next ip for next client the way openvpn does it right now. Is there something I can do to achieve this?

Allright so I'm about to upgrade my box (with 2k external ips) to the latest squid (3.3.x) since my old version do not take any advantage of the multi-core processors.

While researching on the workers I found a discussion where someone says:

Use cpu_affinity_map in squid.conf. Leave Cpu0 "for the OS". Be careful not to put two busy workers on sibling hyper-cores. This is just a sketch of an optimization algorithm. There are many details that depend on your setup.

I also understand that it's best to use as many workers as you have CPUs:

FWIW, we usually see best performance results when using cpu_affinity_map with 1:1 mapping between workers and cores (which effectively disables those complex algorithms as far as Squid workers are concerned).

My question is...it's that physical CPUs? My box reports 8 cpus but only 2 physical shown when I run cat /proc/cpuinfo | grep "physical id" | sort | uniq | wc -l so that means 2 workers?

If I put 2 workers on 2 physical CPUs how does Leave Cpu0 "for the OS" fits? This means I set only 1 worker for cpu1 while OS uses cpu0?

P.S. I know about cpu afinity. I just need a clarification about how to find out exactly how many workers I can use before I lose poerformance.

I successfully managed to deploy a freeradius server and created a python script which does an additional check on the user (incoming request). I checked the internet (resources for freeradius are pretty horrible) and only found a thread which explains some basics about adding a python script to the process.

Right now I have it inside /etc/freeradius/sites-enabled/default under the authorize section:

update control {
       Auth-Type := `/usr/bin/python /etc/test.py '%{User-Name}' '%{User-Password}'`
}

My test.py file spits Reject or Accept. I also have sql authentication setup with freeradius and the problem is that, if my script returns Accept any other authorization request under is ignored; response will still be an Accept even if sql check rejects the user.

From what I understand I should pass a noop instead of Accept to allow freeradius to continue and only pass Reject if I need to reject the user but If I respond with noop the server complains.

Any ideas? Maybe I need to add my code to the Authentication. section? How?