How to set up staff and student proxies at Macquarie University
---------------------------------------------------------------
[terrence@bugger terrence]$ uname -a
OSF1 bugger.its.unimacq.edu.au V4.0 1530 alpha
[terrence@bugger terrence]$ nslookup bugger.its.unimacq.edu.au
Server: ns.unimacq.edu.au
Address: 137.111.66.5
Name: bugger.its.unimacq.edu.au
Address: 137.111.6.177
[terrence@bugger terrence]$ sudo -l
terrence's password:
User terrence may run the following commands on this host:
(%webusers, !#0, !%system) /bin/sh
(siwc) /usr/local/bin/sushi
(siwcsql) /usr/local/bin/sushi
(siwcnbdy) /usr/local/bin/sushi
[terrence@bugger terrence]$ alias
alias siwc='/usr/local/bin/sudo -u siwc /usr/local/bin/sushi - -c /usr/local/bin/bash'
siwc@bugger ~ > whoami
siwc
siwc@bugger ~ > cat .bash_profile
...
# CVS information
export CVSROOT=:ext:readcvs@xxxxxxxxxxxxxxxxxxxxxx:/servers/CVSROOT/
export CVS_RSH=/usr/local/bin/ssh
export CVS_SERVER=/usr/bin/cvs
# Functions
# Publish file to live web servers (shortcut to avoid typing scp lots...)
function publish() {
if [ -z "$1" ]
then
echo "Usage: publish <filename>"
elif [ -f "$1" ]
then
echo "PUBLISHING FILE TO LIVE WEBSERVERS"
echo "-----------------------------------"
echo "> scp -p $1 parody:$PWD/"
scp -p $1 parody:$PWD/
echo "> scp -p $1 gelat:$PWD/"
scp -p $1 gelat:$PWD/
echo "DONE..."
else
echo "ERROR: File [$1] is not a regular file"
fi
}
...
siwc@bugger ~ > ps axuw |grep apache
apache 2363 0.0 0.4 15.0M 4.0M ?? I Jan 22 0:01.59 /usr/local/apache/bin/httpd -DSSL -f /etc/apache/httpd.conf
siwc@bugger ~ > less /etc/apache/httpd.conf
...
# Apache presents the first virtual host found if you don't have the
# right Host: header to specify one. This is a bit naff. This 000
# host is to try to get around that. Note that 000.unimacq.edu.au
# is not actually in the DNS or anything stupid like that.
<VirtualHost *:80>
DocumentRoot /servers/http/DEFAULT/docs
ServerName DEFAULT
ErrorLog /dev/null
TransferLog /dev/null
ScriptAlias /cgi-bin/ /servers/http/DEFAULT/cgi-bin/
</VirtualHost>
# The web farm is largely configured via this include directive.
# Each file in this dir is a config for one virtual host
Include /etc/apache/Domains
...
siwc@bugger ~ > less /etc/apache/Domains/www.unimacq.edu.au.conf
...
ScriptAlias /cgi-bin/ /servers/http/www.unimacq.edu.au/cgi-bin/
...
siwc@bugger /servers/http/www.unimacq.edu.au/cgi-bin >
Two subnets are involved: 137.111.172.0/24 (staff) and 137.111.174.0/24 (student lab). proxy.pac picks the proxy from the client address in REMOTE_ADDR:
siwc@bugger /servers/http/www.unimacq.edu.au/cgi-bin > less proxy.pac
...
NetAddr::IP->new("137.111.174.0/24"),
...
siwc@bugger /servers/http/www.unimacq.edu.au/cgi-bin > export REMOTE_ADDR=137.111.172.168; ./proxy.pac
Content-type: application/x-ns-proxy-autoconfig
function FindProxyForURL(url, host)
{
if (
dnsDomainIs(host, ".unimacq.edu.au") ||
dnsDomainIs(host, ".mq.oz.au") ||
isInNet(host, "137.111.0.0", "255.255.0.0") ||
isInNet(host, "192.43.207.0", "255.255.255.0") ||
isInNet(host, "202.0.67.0", "255.255.255.0") ||
isInNet(host, "203.0.40.0", "255.255.255.0") ||
isInNet(host, "210.8.192.0", "255.255.252.0") ||
isInNet(host, "172.16.1.0", "255.255.252.0") ||
isInNet(host, "137.111.215.70", "255.255.255.255") ||
isInNet(host, "127.0.0.1", "255.255.255.255") ||
isInNet(host, "10.0.0.0", "255.0.0.0") ||
isInNet(host, "172.16.0.0", "255.240.0.0") ||
isInNet(host, "192.168.0.0", "255.255.0.0") ||
isPlainHostName(host)
)
return "DIRECT";
else
return "PROXY wwwproxy.unimacq.edu.au:8000; DIRECT";
}
A client on the staff subnet is sent to the staff proxy, wwwproxy.unimacq.edu.au:8000 (hurry.its and dud.its, running the Microbits Intelli-App iMimic engine).
siwc@bugger /servers/http/www.unimacq.edu.au/cgi-bin > export REMOTE_ADDR=137.111.174.168; ./proxy.pac
Content-type: application/x-ns-proxy-autoconfig
function FindProxyForURL(url, host)
{
if (
dnsDomainIs(host, ".unimacq.edu.au") ||
dnsDomainIs(host, ".mq.oz.au") ||
isInNet(host, "137.111.0.0", "255.255.0.0") ||
isInNet(host, "192.43.207.0", "255.255.255.0") ||
isInNet(host, "202.0.67.0", "255.255.255.0") ||
isInNet(host, "203.0.40.0", "255.255.255.0") ||
isInNet(host, "210.8.192.0", "255.255.252.0") ||
isInNet(host, "172.16.1.0", "255.255.252.0") ||
isInNet(host, "137.111.215.70", "255.255.255.255") ||
isInNet(host, "127.0.0.1", "255.255.255.255") ||
isInNet(host, "10.0.0.0", "255.0.0.0") ||
isInNet(host, "172.16.0.0", "255.240.0.0") ||
isInNet(host, "192.168.0.0", "255.255.0.0") ||
isPlainHostName(host)
)
return "DIRECT";
else
return "PROXY wwwproxy.student.unimacq.edu.au:8000; DIRECT";
}
A client on the student lab subnet is sent to the student proxy, wwwproxy.student.unimacq.edu.au:8000 (sleazy.its and snotty.its, running Squid).
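A way to check the generated PAC before running publish, as an added example that is not part of the original notes: it evaluates the CGI output with stand-ins for the browser's PAC built-ins and reports where each test host would be routed. The sample output is abridged from the listing above; the helper implementations, the `routeTable` name and the DNS table are assumptions made for the example.

```javascript
// Constructed sample: CGI output for a staff-subnet client, abridged from the
// listing above (header line, then the PAC function with fewer isInNet tests).
const CGI_OUTPUT = `Content-type: application/x-ns-proxy-autoconfig

function FindProxyForURL(url, host)
{
if (
dnsDomainIs(host, ".unimacq.edu.au") ||
isInNet(host, "137.111.0.0", "255.255.0.0") ||
isInNet(host, "172.16.0.0", "255.240.0.0") ||
isPlainHostName(host)
)
return "DIRECT";
else
return "PROXY wwwproxy.unimacq.edu.au:8000; DIRECT";
}
`;

// Dotted quad -> unsigned 32-bit integer, or null if not an IPv4 literal.
function ipToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m || m.slice(1).some(o => Number(o) > 255)) return null;
  return m.slice(1).reduce((acc, o) => acc * 256 + Number(o), 0);
}

// Stand-ins for the browser's PAC built-ins (assumed behaviour). `dns` is a
// constructed name -> address table so the check never touches the network.
function pacHelpers(dns) {
  const isInNet = (host, pattern, mask) => {
    const addr = ipToInt(host) ?? ipToInt(dns[host] || '');
    if (addr === null) return false; // unresolvable: no subnet matches
    const m = ipToInt(mask);
    return ((addr & m) >>> 0) === ((ipToInt(pattern) & m) >>> 0);
  };
  const dnsDomainIs = (host, dom) => host.toLowerCase().endsWith(dom);
  const isPlainHostName = host => !host.includes('.');
  return [dnsDomainIs, isInNet, isPlainHostName];
}

// Evaluate the emitted PAC (your own CGI's output only) and return
// an object mapping each test host to its routing decision.
function routeTable(cgiOutput, hosts, dns = {}) {
  const start = cgiOutput.indexOf('function FindProxyForURL');
  if (start < 0) throw new Error('no FindProxyForURL in CGI output');
  const find = new Function('dnsDomainIs', 'isInNet', 'isPlainHostName',
    cgiOutput.slice(start) + '\nreturn FindProxyForURL;')(...pacHelpers(dns));
  return Object.fromEntries(hosts.map(h => [h, find(`http://${h}/`, h)]));
}
```

Feed it the output captured for each REMOTE_ADDR of interest and compare the external-host row against the proxy that subnet is supposed to use.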
After any change to proxy.pac, publish it to the live web servers:
siwc@bugger /servers/http/www.unimacq.edu.au/cgi-bin > publish proxy.pac
PUBLISHING FILE TO LIVE WEBSERVERS
-----------------------------------
> scp -p proxy.pac parody:/servers/http/www.unimacq.edu.au/cgi-bin/
proxy.pac 100% 10KB 0.0KB/s 00:00
> scp -p proxy.pac gelat:/servers/http/www.unimacq.edu.au/cgi-bin/
proxy.pac 100% 10KB 0.0KB/s 00:00
DONE...
To change the student proxy configuration on sleazy and snotty:
bash-2.05b# uname -a
FreeBSD sleazy.its.unimacq.edu.au 5.2.1-RELEASE-p13 FreeBSD 5.2.1-RELEASE-p13 #1: Wed Feb 23 14:43:12 EST 2005 root@xxxxxxxxxxxxxxxxxxxxxxxxx:/usr/obj/usr/src/sys/GENERIC i386
bash-2.05b# pwd
/root/files/cvs/cvs.its.unimacq.edu.au/proxies/student
bash-2.05b# env |grep CVS
CVSROOT=:ext:readcvs@xxxxxxxxxxxxxxxxxxxxxx:/servers/CVSROOT
CVS_RSH=/usr/bin/ssh
bash-2.05b# cvs up
bash-2.05b# ./install.sh
All the Squid configuration files are under the "/usr/local/etc/squid" directory:
bash-2.05b# ls /usr/local/etc/squid
errors
icons
mib.txt
mime.conf
mime.conf.default
msntauth.conf
msntauth.conf.default
other_student_proxies_list.conf
quota.conf
quota.conf-backup
quota.conf-backup.INSTALLBACKUP-20040607-22:59:51
quota.conf-primary
quota.conf-primary.INSTALLBACKUP-20040607-22:59:51
quota.conf-test
quota.conf-test.INSTALLBACKUP-20040608-12:15:54
squid.conf
squid.conf.default
student-proxy-squid.conf
student-proxy-squid.conf.INSTALLBACKUP-20040607-12:04:48
bash-2.05b# diff student-proxy-squid.conf student-proxy-squid.conf.INSTALLBACKUP-20060123-15:57:47
233d232
< acl spin174 src 137.111.174.0/24
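Review bot: the acl at line 233 is added under an opaque name and without a comment. A one-line comment above it saying that 137.111.174.0/24 is the student lab subnet would tell the next editor what spin174 stands for and why the rules that use it exist.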
435,445d433
< http_access allow spin174 acu
< http_access allow spin174 ballarat
< http_access allow spin174 deakin
< http_access allow spin174 latrobe
< http_access allow spin174 melbourne
< http_access allow spin174 mu
< http_access allow spin174 monash
< http_access allow spin174 rmit
< http_access allow spin174 swin
< http_access allow spin174 vut
< http_access allow spin174 usercheck quotacheck
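Review bot: the ten allow rules at lines 435-444 combine spin174 with one other ACL each (acu through vut) and omit the usercheck and quotacheck conditions that line 445 requires, so a request from 137.111.174.0/24 that matches any of those ACLs is allowed before the user and quota checks are reached. If that exemption is intended, state it in a comment above the block; if not, add usercheck quotacheck to each line. None of the ten ACL names is defined in this diff, so confirm they already exist in student-proxy-squid.conf before the proxy is restarted.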
bash-2.05b# /usr/local/etc/rc.d/student-proxy.sh
Usage: squid {parse|start|stop|status|reconfigure|rotate|restart|status|restoreallquotas|buildquotadirs|init}
The staff proxies are dud.its.unimacq.edu.au and hurry.its.unimacq.edu.au. Access them only via the admin interface:
https://dud.its.unimacq.edu.au:8443/
https://hurry.its.unimacq.edu.au:8443/
Log in as user "dcmadmin", then under
Configuration Files -> Open -> select Shared_ACLs
Then go to:
Configuration -> Content -> Cache Control Policy -> Profile -> select "denied_clients"
then click the Change Profile button and add 137.111.174.0/24 to the profile. This denies PCs on that subnet
access to the staff proxy.
Apply Changes -> Save and Close Configuration file.
Administration -> Cache Reset -> Restart the Cache
The primary configurations on the two servers are called hurry.its.unimacq.edu.au_baseconfig
and dud.its.unimacq.edu.au_baseconfig. Both use Shared_ACLs to define access control.