Miguel's questions

How can i add permissions for a specific group to read/write from an existent named pipe, using a powershell script?

This is as far as i went:

$AccessRule = New-Object System.IO.Pipes.PipeAccessRule( "Users", "FullControl", "Allow" )
$PipeSecurity = [System.IO.Directory]::GetAccessControl("\\.\pipe\docker_engine")
$PipeSecurity.AddAccessRule($AccessRule) 

throw error

Cannot convert argument "rule", with value: "System.IO.Pipes.PipeAccessRule", for "AddAccessRule" to type "System.Security.AccessControl.FileSystemAccessRule"

Following this guide for windows installation, i try the webroot method, from an elevated cmd shell:

C:\WINDOWS\system32> certbot certonly --webroot

The command fails with unauthorized error, because IIS is does not expose hidden folder .well-known created by certbot tool.

I am running IIS 8.5 on a windows server.

How can i enable hidden folders in IIS?

There are many posts how to do that, most for older versions.

According to this post, to setup squid as transparent server for port 80 it should be as simple as this:

//squid.config
http_port 3128 transparent
http_port 80 accel #vhost option is deprecated
http_port 443 accel #not forget https 

but can't put it to work. i can't figure out if is my ip tables configuration, or the squid configuration.

Squid runs on the same pc as the gateway and dhcp server.

The iptables configuration:

# Generated by xtables-save v1.8.2 on Sun Feb  2 14:05:24 2020
*mangle
:PREROUTING ACCEPT [512813:147258305]
:INPUT ACCEPT [505693:146550975]
:FORWARD ACCEPT [5559:319150]
:OUTPUT ACCEPT [485369:200427691]
:POSTROUTING ACCEPT [486362:200704832]
COMMIT
# Completed on Sun Feb  2 14:05:24 2020
# Generated by xtables-save v1.8.2 on Sun Feb  2 14:05:24 2020
*filter
:INPUT ACCEPT [505677:146546207]
:FORWARD DROP [5532:317382]
:OUTPUT ACCEPT [485351:200422918]
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 993 -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
COMMIT
# Completed on Sun Feb  2 14:05:24 2020
# Generated by xtables-save v1.8.2 on Sun Feb  2 14:05:24 2020
*nat
:PREROUTING ACCEPT [55608:3516287]
:INPUT ACCEPT [48615:2816337]
:POSTROUTING ACCEPT [4525:272304]
:OUTPUT ACCEPT [17086:1270605]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.1.1.0:3128
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT

The squid.config file:

acl LocalNet src 192.168.4.0/24 #my network . 
http_access allow LocalNet

acl localnet src 0.0.0.1-0.255.255.255
#acl localnet src 10.0.0.0/8
#acl localnet src 100.64.0.0/10
#acl localnet src 169.254.0.0/16
#acl localnet src 172.16.0.0/12
#acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10
acl SSL_ports port 443
acl Safe_ports port 80  #http
acl Safe_ports port 21  #ftp
acl Safe_ports port 443 #https
acl Safe_ports port 70  #gopher
acl Safe_ports port 210 #wais
acl Safe_ports port 1025-65535  #unregisted ports
acl Safe_ports port 280 #http-mgmt
acl Safe_ports port 488 #gss-http
acl Safe_ports port 591 #filemaker
acl Safe_ports port 777 #multilining http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
#include /etc/squid/conf.d/*
http_access allow localhost
http_access allow all

#for explicit proxy
#http_port 3128
#http_port 3129 tproxy

#for transparent proxy
http_port 3128 transparent
http_port 80 accel
http_port 443 accel

#cache
cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
cache_effective_user proxy
cache_effective_group proxy

#log file
logformat timeread %tl %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
access_log daemon:/var/log/squid/access.log timeread

The squid start log:

squid[23403]: Starting Squid Cache version 4.6 for arm-unknown-linux-gnueabihf...
squid[23403]: Service Name: squid
squid[23403]: Process ID 23403
squid[23403]: Process Roles: worker
squid[23403]: With 1024 file descriptors available
squid[23403]: Initializing IP Cache...
squid[23403]: DNS Socket created at [::], FD 5
squid[23403]: DNS Socket created at 0.0.0.0, FD 9
squid[23403]: Adding domain Home from /etc/resolv.conf
squid[23403]: Adding nameserver 192.168.1.254 from /etc/resolv.conf
squid[23403]: Logfile: opening log daemon:/var/log/squid/access.log
squid[23403]: Logfile Daemon: opening log /var/log/squid/access.log
squid[23403]: Unlinkd pipe opened on FD 15
squid[23403]: Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
squid[23403]: Store logging disabled
squid[23403]: Swap maxSize 102400 + 262144 KB, estimated 28041 objects
squid[23403]: Target number of buckets: 1402
squid[23403]: Using 8192 Store buckets
squid[23403]: Max Mem  size: 262144 KB
squid[23403]: Max Swap size: 102400 KB
squid[23403]: Rebuilding storage in /var/spool/squid (clean log)
squid[23403]: Using Least Load store dir selection
squid[23403]: Set Current Directory to /var/spool/squid
squid[23403]: Finished loading MIME types and icons.
squid[23403]: HTCP Disabled.
squid[23403]: Pinger socket opened on FD 22
squid[23403]: Squid plugin modules loaded: 0
squid[23403]: Adaptation support is off.
squid[23403]: Accepting NAT intercepted HTTP Socket connections at local=[::]:3128 remote=[::] FD 18 flags=41
squid[23403]: Accepting reverse-proxy HTTP Socket connections at local=[::]:80 remote=[::] FD 19 flags=9
squid[23403]: Accepting reverse-proxy HTTP Socket connections at local=[::]:443 remote=[::] FD 20 flags=9
squid[23403]: Done reading /var/spool/squid swaplog (0 entries)
squid[23403]: Store rebuilding is 0.00% complete
squid[23403]: Finished rebuilding storage from disk.
squid[23403]:         0 Entries scanned
squid[23403]:         0 Invalid entries.
squid[23403]:         0 With invalid flags.
squid[23403]:         0 Objects loaded.
squid[23403]:         0 Objects expired.
squid[23403]:         0 Objects cancelled.
squid[23403]:         0 Duplicate URLs purged.
squid[23403]:         0 Swapfile clashes avoided.
squid[23403]:   Took 0.05 seconds (  0.00 objects/sec).
squid[23403]: Beginning Validation Procedure
squid[23403]:   Completed Validation Procedure
squid[23403]:   Validated 0 Entries
squid[23403]:   store_swap_size = 0.00 KB
squid[23403]: storeLateRelease: released 0 objects

Update

iptables configuration update below, according to @Piotr P. Karwasz. Also i add log that can be see at /var/log/messages.

# Generated by xtables-save v1.8.2 on Wed Feb  5 18:05:20 2020
*mangle
:PREROUTING ACCEPT [26643:2488050]
:INPUT ACCEPT [26417:2421007]
:FORWARD ACCEPT [203:57945]
:OUTPUT ACCEPT [46685:14572738]
:POSTROUTING ACCEPT [47031:14661263]
COMMIT
# Completed on Wed Feb  5 18:05:20 2020
# Generated by xtables-save v1.8.2 on Wed Feb  5 18:05:20 2020
*filter
:INPUT ACCEPT [26404:2417368]
:FORWARD ACCEPT [7:448]
:OUTPUT ACCEPT [46671:14569146]
-A INPUT -j LOG
-A FORWARD -j LOG
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o eth0 -j ACCEPT
-A OUTPUT -j LOG
COMMIT
# Completed on Wed Feb  5 18:05:20 2020
# Generated by xtables-save v1.8.2 on Wed Feb  5 18:05:20 2020
*nat
:PREROUTING ACCEPT [612:69658]
:INPUT ACCEPT [577:59792]
:POSTROUTING ACCEPT [26:2979]
:OUTPUT ACCEPT [543:44473]
-A PREROUTING -j LOG
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -j LOG
-A POSTROUTING -o eth0 -j MASQUERADE
-A OUTPUT -j LOG
-A OUTPUT -o lo -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
# Completed on Wed Feb  5 18:05:20 2020
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them

For clarity, here the command i use to filter for dns query hits:

tail -f /var/log/messages |grep -wi --color  -w 'UDP.*DPT=53'

Update 2

Bind 9 was blocking the dns querys. even stoped. Guess is not a regular service. I changed bind9 settings to allow dns querys from anyplace.

Now i got hits like this on the log, for port 53:

Feb  5 18:36:43 MyLinuxBox kernel: [11771.211903] IN=wlan0 OUT= MAC=b8:27:eb:35:e4:5b:48:43:7c:04:7e:55:08:00 SRC=192.168.42.19 DST=192.168.42.1 LEN=59 TOS=0x00 PREC=0x00 TTL=255 ID=43761 PROTO=UDP SPT=63906 DPT=5

It seams the dns query pass through the linux-box, from wlan0 to eth0, as is supposed too, but the response doesn't reach the client, resulting in a dns query timeout.

It is possible bind9 is still messing with the query.

The standard squid log format writes time in seconds from epoch. How to add date and time in a human readable format?

Setting up a proxy manually doesn't work on my enterprise network. When running the docker login it returns the following error message:

Error response from daemon: Get https://a/v2/: Proxy Authentication Required ( ... requires authorization to fulfill the request. Access to the Web Proxy filter is denied.  )

I am running the docker instance on Windows 10.

I have tried the following 2 things for debugging:

• Passing the credentials in the URL, but the proxy doesn't seem to allow basic authentication or if it does it will not accept the credentials in the parameters.

• Changing the docker service account, as posted here, but that breaks the docker installation. Commands sent from the PowerShell always return an error when accessing the pipe.

I am out of options. Is there another way to solve this?

If I understand the system correctly, I need some way to pass the credentials to the proxy, because the proxy is requiring it this way. Also, it can't get the credentials from a service running with a local service account.

How do I change the windows services account for docker?

The Windows services are Docker Desktop Service and docker.

When I set then to use an application account, it returns the following error:

Unable to launch process: 1314
   at Docker.Core.Pipe.NamedPipeClient.Send(String action, Object[] parameters) in C:\workspaces\stable-18.09.x\src\github.com\docker\pinata\win\src\Docker.Core\pipe\NamedPipeClient.cs:line 36
   at Docker.Actions.DoStart(SynchronizationContext syncCtx, Boolean showWelcomeWindow, Boolean executeAfterStartCleanup) in C:\workspaces\stable-18.09.x\src\github.com\docker\pinata\win\src\Docker.Windows\Actions.cs:line 92
   at Docker.Actions.<>c__DisplayClass19_0.<Start>b__0() in C:\workspaces\stable-18.09.x\src\github.com\docker\pinata\win\src\Docker.Windows\Actions.cs:line 74
   at Docker.WPF.TaskQueue.<>c__DisplayClass19_0.<.ctor>b__1() in C:\workspaces\stable-18.09.x\src\github.com\docker\pinata\win\src\Docker.WPF\TaskQueue.cs:line 59

I also tried to temporarily give administrative permissions to the account with no success.

Update Log file:

[17:26:35.527][GUI            ][Info   ] Starting...
[17:26:35.786][ComponentVersions][Info   ] Edition community
[17:26:35.792][GUI            ][Error  ] An instance is already running. Exiting.
[17:26:38.921][HyperV         ][Info   ] Shutdown VM ...
[17:26:38.945][HyperV         ][Info   ] VM MobyLinuxVM is stopped
[17:26:38.945][HyperV         ][Debug  ] [stop] took 00:00:20.4717348 to run
[17:26:38.945][OptimizeDisk   ][Info   ] Optimize
[17:26:38.945][PowerShell     ][Info   ] Run script...
[17:26:40.565][Moby           ][Info   ] Stop
[17:26:40.576][HyperV         ][Info   ] Create
[17:26:40.576][PowerMode      ][Info   ] Start
[17:26:40.576][HyperVGuids    ][Info   ] Installing GUIDs...
[17:26:40.576][PowerShell     ][Info   ] Run script with parameters: -Create True -VhdPathOverride  -VhdSize 64000000000 -SwitchSubnetAddress 10.0.75.0 -SwitchSubnetMaskSize 24 -CPUs 2 -Memory 2048 -IsoFile C:\Program Files\Docker\Docker\Resources\docker-for-win.iso
[17:26:40.576][Firewall       ][Info   ] Removing all existing rules...
[17:26:40.577][HyperVGuids    ][Info   ] GUIDs installed
[17:26:40.628][HyperV         ][Info   ] Script started at 17:26:40.628
[17:26:40.921][Firewall       ][Info   ] All existing rules are removed.
[17:26:40.921][Firewall       ][Info   ] Opening ports for C:\Program Files\Docker\Docker\Resources\com.docker.proxy.exe...
[17:26:40.934][Firewall       ][Info   ] Opening ports for SMB...
[17:26:40.945][HyperV         ][Info   ] Modules loaded at 17:26:40.945
[17:26:40.947][Firewall       ][Info   ] Ports are opened
[17:26:41.572][HyperV         ][Info   ] Using existing Switch: DockerNAT
[17:26:45.905][HyperV         ][Info   ] Using existing Switch IP address
[17:26:45.934][HyperV         ][Info   ] Setting CPUs to 2 and Memory to 2048 MB
[17:26:47.543][HyperV         ][Info   ] Connect Internal Switch DockerNAT
[17:26:47.875][HyperV         ][Info   ] Remove existing DVDs
[17:26:50.030][HyperV         ][Info   ] Attach DVD C:\Program Files\Docker\Docker\Resources\docker-for-win.iso
[17:26:50.933][HyperV         ][Info   ] Disabled Guest Service Interface
[17:26:50.955][HyperV         ][Info   ] Enabled Heartbeat
[17:26:50.972][HyperV         ][Info   ] Disabled Key-Value Pair Exchange
[17:26:50.993][HyperV         ][Info   ] Enabled Shutdown
[17:26:51.009][HyperV         ][Info   ] Enabled Time Synchronization
[17:26:51.024][HyperV         ][Info   ] Disabled VSS
[17:26:51.136][HyperV         ][Info   ] VM created.
[17:26:51.136][HyperV         ][Debug  ] [create] took 00:00:10.5592691 to run
[17:26:51.136][PowerShell     ][Info   ] Run script '(Hyper-V\Get-VM MobyLinuxVM).Id.Guid'...
[17:26:51.150][IsoConfig      ][Info   ] Generating CA Cert Bundle
[17:26:51.176][IsoConfig      ][Info   ] CA Cert Bundle Generated
[17:26:51.796][Moby           ][Info   ] Connecting...
[17:26:51.797][Moby           ][Error  ] Failed to read Moby's logs: The operation has timed out.
[17:26:51.797][HyperV         ][Info   ] Start
[17:26:51.797][PowerShell     ][Info   ] Run script with parameters: -Start True -IsoFile C:\Program Files\Docker\Docker\Resources\docker-for-win.iso -confIsoFile C:\ProgramData\DockerDesktop\tmp-d4w\config.iso -DockerIsoFile C:\Program Files\Docker\Docker\Resources\docker.iso -VhdPathOverride 
[17:26:51.857][HyperV         ][Info   ] Script started at 17:26:51.857
[17:26:51.975][HyperV         ][Info   ] Modules loaded at 17:26:51.975
[17:26:51.979][HyperV         ][Info   ] Starting VM MobyLinuxVM...
[17:26:52.070][HyperV         ][Info   ] Remove existing DVDs
[17:26:52.447][NamedPipeServer][Error  ] Unable to execute Start: Unable to launch process: 1314    at Docker.Win32Helpers.NativeImpersonatedProcess.Start(NativeImpersonatedProcess* , basic_string<wchar_t\,std::char_traits<wchar_t>\,std::allocator<wchar_t> >* watchguardPath) in c:\program files (x86)\microsoft visual studio\2017\buildtools\vc\tools\msvc\14.16.27023\include\xstring:line 1825
   at Docker.Win32Helpers.ImpersonatedProcess.Start(String watchguardPath) in c:\workspaces\stable-18.09.x\src\github.com\docker\pinata\win\src\docker.win32helpers\impersonatedprocess.cpp:line 250
   at Docker.Backend.Processes.ExternalProcess.StartImpersonatedProcess(String fileName, String arguments, String currentDirectory, IDictionary`2 envVariables, WindowsIdentityRecorder identity, CancellationToken stopToken) in C:\workspaces\stable-18.09.x\src\github.com\docker\pinata\win\src\Docker.Backend\Processes\ExternalProcess.cs:line 66
   at Docker.Backend.Processes.ExternalProcess.Start(String arguments, String currentDirectory, IDictionary`2 envVariables, WindowsIdentityRecorder identity) in C:\workspaces\stable-18.09.x\src\github.com\docker\pinata\win\src\Docker.Backend\Processes\ExternalProcess.cs:line 52
   at Docker.Backend.Processes.VpnKit.Start(Settings settings, String vmId) in C:\workspaces\stable-18.09.x\src\github.com\docker\pinata\win\src\Docker.Backend\Processes\VpnKit.cs:line 45
   at Docker.Backend.ContainerEngine.Linux.DoStart(Settings settings, String daemonOptions) in C:\workspaces\stable-18.09.x\src\github.com\docker\pinata\win\src\Docker.Backend\ContainerEngine\Linux.cs:line 248
   at Docker.Backend.ContainerEngine.Linux.Start(Settings settings, String daemonOptions) in C:\workspaces\stable-18.09.x\src\github.com\docker\pinata\win\src\Docker.Backend\ContainerEngine\Linux.cs:line 117
[17:26:52.593][NamedPipeClient][Error  ] Unable to send Start: Unable to launch process: 1314
[17:26:52.594][Notifications  ][Error  ] Unable to launch process: 1314

I try to run the following script but dockerd is not recognized in my workstation.

My OS is windows 10. Just installed the latest version of docker that is 18.09.2

It is my first time with docker.

My client is trying to access the Web Service from the web but it is getting http error Forbidden. I don't know if the problem is on my service or if it is on the client proxy service. How can i set IIS to log failure attempts too?