Installing Squid (Caching / Proxy) on CentOS 7

Squid is a caching and forwarding web proxy. It is most often used in conjunction with a traditional LAMP stack (Linux, Apache, MySQL, PHP), and can be used to filter traffic on HTTP, FTP, and HTTPS, and increase the speed (thus lower the response time) for a web server via caching.


Pre-Flight Check
  • These instructions are intended specifically for installing Squid on a single CentOS 7 node.
  • I’ll be working from a Liquid Web Core Managed CentOS 7 server, and I’ll be logged in as root.
  • Squid Server IP address => 192.168.4.8
Step 1: Install Squid

First, clean-up yum:

# yum clean all

As a matter of best practice we’ll update our packages:

# yum -y update

Installing Squid and related packages is now as simple as running just one command:

# yum -y install squid


Step 2: Configure Squid to Start on Boot

Start Squid:

# systemctl start squid

Make sure Squid starts at boot:

# systemctl enable squid

To check the status of Squid:

# systemctl status squid

You will see output similar to this.

[root@ip-172-31-23-60 ~]# systemctl status squid
 ● squid.service - Squid caching proxy
 Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; vendor preset: disabled)
 Active: active (running) since Sun 2016-10-16 04:36:10 UTC; 4min 36s ago
 Main PID: 7416 (squid)
 CGroup: /system.slice/squid.service
 ├─7416 /usr/sbin/squid -f /etc/squid/squid.conf
 ├─7418 (squid-1) -f /etc/squid/squid.conf
 └─7419 (logfile-daemon) /var/log/squid/access.log
Oct 16 04:36:10 ip-172-31-23-60 systemd[1]: Starting Squid caching proxy...
Oct 16 04:36:10 ip-172-31-23-60 systemd[1]: Started Squid caching proxy.
Oct 16 04:36:10 ip-172-31-23-60 squid[7416]: Squid Parent: will start 1 kids
Oct 16 04:36:10 ip-172-31-23-60 squid[7416]: Squid Parent: (squid-1) process...d
Hint: Some lines were ellipsized, use -l to show in full.


Step 3: Verify the Installation and Check the Squid Version

Squid should start immediately after the installation. Use the following command to view its command-line help:

# squid -h

Use the following command to check the Squid version number and the configure options it was built with:

# squid -v

Your results should appear similar to:

Squid Cache: Version 3.3.8
configure options: ‘–build=x86_64-redhat-linux-gnu’ ‘–host=x86_64-redhat-linux-gnu’ ‘–program-prefix=’ ‘–prefix=/usr’ ‘–exec-prefix=/usr’ ‘–bindir=/usr/bin’ ‘–sbindir=/usr/sbin’ ‘–sysconfdir=/etc’ ‘–datadir=/usr/share’ ‘–includedir=/usr/include’ ‘–libdir=/usr/lib64’ ‘–libexecdir=/usr/libexec’ ‘–sharedstatedir=/var/lib’ ‘–mandir=/usr/share/man’ ‘–infodir=/usr/share/info’ ‘–disable-strict-error-checking’ ‘–exec_prefix=/usr’ ‘–libexecdir=/usr/lib64/squid’ ‘–localstatedir=/var’ ‘–datadir=/usr/share/squid’ ‘–sysconfdir=/etc/squid’ ‘–with-logdir=$(localstatedir)/log/squid’ ‘–with-pidfile=$(localstatedir)/run/squid.pid’ ‘–disable-dependency-tracking’ ‘–enable-eui’ ‘–enable-follow-x-forwarded-for’ ‘–enable-auth’ ‘–enable-auth-basic=DB,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam’ ‘–enable-auth-ntlm=smb_lm,fake’ ‘–enable-auth-digest=file,LDAP,eDirectory’ ‘–enable-auth-negotiate=kerberos’ ‘–enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group’ ‘–enable-cache-digests’ ‘–enable-cachemgr-hostname=localhost’ ‘–enable-delay-pools’ ‘–enable-epoll’ ‘–enable-icap-client’ ‘–enable-ident-lookups’ ‘–enable-linux-netfilter’ ‘–enable-removal-policies=heap,lru’ ‘–enable-snmp’ ‘–enable-ssl’ ‘–enable-ssl-crtd’ ‘–enable-storeio=aufs,diskd,ufs’ ‘–enable-wccpv2’ ‘–enable-esi’ ‘–enable-ecap’ ‘–with-aio’ ‘–with-default-user=squid’ ‘–with-filedescriptors=16384’ ‘–with-dl’ ‘–with-openssl’ ‘–with-pthreads’ ‘build_alias=x86_64-redhat-linux-gnu’ ‘host_alias=x86_64-redhat-linux-gnu’ ‘CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong –param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie’ ‘LDFLAGS=-Wl,-z,relro -pie -Wl,-z,relro -Wl,-z,now’ ‘CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong –param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie’ ‘PKG_CONFIG_PATH=%{_PKG_CONFIG_PATH}:/usr/lib64/pkgconfig:/usr/share/pkgconfig’

The main configuration file for the Squid proxy is /etc/squid/squid.conf. You can now set up your browser to use the proxy server you just created. For Internet Explorer and Google Chrome, go to Control Panel > Internet Options. In the Connections tab, click LAN settings and enter your proxy server IP address and port 3128. You are now browsing the Internet through the proxy server.

By default the Squid proxy server only accepts connections from the local network. If you are not on the local network of the proxy server, you will see an error saying "The proxy server is refusing connections". If you get this kind of error, you will need to configure Access Control Lists (ACLs) in the Squid configuration file.

You can follow the Squid access log with the following command.

# tail -f /var/log/squid/access.log

You will see output similar to the one shown below.

 [root@ip-172-31-23-60 ~]# tail -f /var/log/squid/access.log
    1476596170.987  61641 61.14.229.246 TCP_MISS/200 3460 CONNECT aus5.mozilla.org:443 - HIER_DIRECT/52.42.158.162 -
    1476596470.531 121781 61.14.229.246 TCP_MISS/200 129 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
    1476596574.995 101350 61.14.229.246 TCP_MISS/200 129 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
    1476596867.906 290539 61.14.229.246 TCP_MISS/200 129 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
    1476596875.984   4939 61.14.229.246 TCP_MISS/200 129 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
    1476597519.292 1561080 61.14.229.246 TCP_MISS/200 3828 CONNECT qa.sockets.stackexchange.com:443 - HIER_DIRECT/198.252.206.25 -
    1476597857.853 979174 61.14.229.246 TCP_MISS/200 216 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
    1476598063.413   4459 61.14.229.246 TCP_MISS/200 129 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
    1476598213.392 351400 61.14.229.246 TCP_MISS/200 158 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
    1476598576.745 511218 61.14.229.246 TCP_MISS/200 158 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
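Parsing this native log format is the first step to spotting policy gaps. The following is an added example (not code from the tutorial): it splits native-format lines into fields, totals requests per client and bytes per destination, and lists successful CONNECT tunnels to ports other than 443, which the minimum squid.conf's "deny CONNECT !SSL_ports" rule is meant to refuse. The sample lines are constructed to match the shape of the output above.

```python
"""Parse Squid's native access.log and pick out tunnels worth a second look.

Added example, not code from the tutorial. Each native-format line is:
timestamp elapsed-ms client result/status bytes method URL user peer/host type.
"""
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native log format.
SAMPLE_LOG = """\
1476596170.987  61641 61.14.229.246 TCP_MISS/200 3460 CONNECT aus5.mozilla.org:443 - HIER_DIRECT/52.42.158.162 -
1476596470.531 121781 61.14.229.246 TCP_MISS/200 129 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
1476598600.001    120 192.168.4.23 TCP_DENIED/403 3900 GET http://liptanbiswas.com/ - HIER_NONE/- text/html
1476598601.250     95 192.168.4.23 TCP_MISS/200 5120 GET http://example.org/index.html pxuser HIER_DIRECT/93.184.216.34 text/html
"""


def parse_line(line):
    """Return a dict for one native-format line, or None if it is malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    result, _, status = f[3].partition("/")
    method, url = f[5], f[6]
    if method == "CONNECT":                  # CONNECT logs "host:port", not a URL
        host, _, port = url.rpartition(":")
    else:
        parts = urlsplit(url)
        host = parts.hostname or ""
        port = parts.port or (443 if parts.scheme == "https" else 80)
    _, _, peer = f[8].partition("/")         # HIER_DIRECT/1.2.3.4 -> 1.2.3.4
    return {
        "time": datetime.fromtimestamp(float(f[0]), tz=timezone.utc),
        "elapsed_ms": int(f[1]),
        "client": f[2],
        "result": result,
        "status": int(status),
        "bytes": int(f[4]),
        "method": method,
        "host": host,
        "port": int(port),
        "user": None if f[7] == "-" else f[7],   # proxy_auth user, "-" if none
        "peer": None if peer == "-" else peer,
    }


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def tunnels_outside(records, allowed_ports=(443,)):
    """Successful CONNECT tunnels to ports outside allowed_ports.

    Under the tutorial's minimum config these should show up as TCP_DENIED;
    a 200 here means the CONNECT rule is missing or sits after an allow rule.
    """
    return [r for r in records
            if r["method"] == "CONNECT" and r["status"] == 200
            and r["port"] not in allowed_ports]


def summarize(records):
    """Requests and denials per client, plus bytes per destination host."""
    by_host = Counter()
    for r in records:
        by_host[r["host"]] += r["bytes"]
    return {
        "requests": Counter(r["client"] for r in records),
        "denied": Counter(r["client"] for r in records if r["result"] == "TCP_DENIED"),
        "bytes_by_host": by_host,
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for t in tunnels_outside(recs):
        print(f"{t['time']:%Y-%m-%d %H:%M:%S} {t['client']} CONNECT {t['host']}:{t['port']} allowed")
    print(summarize(recs))
```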

Configuring Squid

Squid can be easily configured by editing the global configuration file /etc/squid/squid.conf. To edit the configuration file run the following command.

# vi /etc/squid/squid.conf

A minimum sample configuration file will look like this.

    #
    # Recommended minimum configuration:
    #

    # Example rule allowing access from your local networks.
    # Adapt to list your (internal) IP networks from where browsing
    # should be allowed
    acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
    acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
    acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
    acl localnet src fc00::/7       # RFC 4193 local private network range
    acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

    acl SSL_ports port 443
    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443         # https
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http
    acl CONNECT method CONNECT

    #
    # Recommended minimum Access Permission configuration:
    #
    # Deny requests to certain unsafe ports
    http_access deny !Safe_ports

    # Deny CONNECT to other than secure SSL ports
    http_access deny CONNECT !SSL_ports

    # Only allow cachemgr access from localhost
    http_access allow localhost manager
    http_access deny manager

    # We strongly recommend the following be uncommented to protect innocent
    # web applications running on the proxy server who think the only
    # one who can access services on "localhost" is a local user
    #http_access deny to_localhost

    #
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    #

    # Example rule allowing access from your local networks.
    # Adapt localnet in the ACL section to list your (internal) IP networks
    # from where browsing should be allowed
    http_access allow localnet
    http_access allow localhost

    # And finally deny all other access to this proxy
    http_access deny all

    # Squid normally listens to port 3128
    http_port 3128

    # Uncomment and adjust the following to add a disk cache directory.
    #cache_dir ufs /var/spool/squid 100 16 256

    # Leave coredumps in the first cache dir
    coredump_dir /var/spool/squid

    #
    # Add any of your own refresh_pattern entries above these.
    #
    refresh_pattern ^ftp:           1440    20%     10080
    refresh_pattern ^gopher:        1440    0%      1440
    refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
    refresh_pattern .               0       20%     4320

Allow IP Address to Use the Internet Through Your Proxy Server

To allow a range of IP addresses to use the Internet through your proxy server, add a new ACL entry. Squid accepts CIDR notation. For example, if you want to allow the range 192.168.4.1 to 192.168.4.255, add the following entry to the Squid configuration file in the list of ACLs.

    acl localnet src 192.168.4.0/24

Your list of ACLs will finally look like this.

    acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
    acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
    acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
    acl localnet src fc00::/7       # RFC 4193 local private network range
    acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
    acl localnet src 192.168.4.0/24 # Your newly added ACL

For the changes to take effect you will need to restart your Squid server; use the following command to do so.

# systemctl restart squid

Allow a Specific Port for HTTP Connections

By default Squid considers only a few ports safe and allows connections through them. The ports allowed by default are:

    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443         # https
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http

Ports not listed above cannot be reached through the proxy. You can add a port to the Safe_ports list by extending the port ACLs. For example, if you want to allow port 168 to be reached through the proxy server, add the following ACL entry.

    acl Safe_ports port 168

For the changes to take effect you will need to restart your Squid server; use the following command to do so.

# systemctl restart squid

Using Basic Authentication with Squid

If you want users to authenticate before they can use your proxy server, you can do it with the basic authentication feature available in Squid. Although Squid supports many kinds of authentication, basic authentication is the easiest to set up.

First of all you will need to install httpd-tools, which provides the htpasswd tool we will use to create the password file. Run the following command to install httpd-tools.

# yum -y install httpd-tools

Now create a new, empty file and give ownership to the squid daemon user so that it can read it. Run the following command to do so.

# touch /etc/squid/passwd && chown squid /etc/squid/passwd

Now you can add a new user to the password file using the htpasswd tool. In this tutorial we will create an example user pxuser; you can replace pxuser with any name you like. Run the following command to create the user.

# htpasswd /etc/squid/passwd pxuser

It will ask for the new password twice. Provide the password and you will see the following output.

    [root@ip-172-31-23-60 ~]# htpasswd /etc/squid/passwd pxuser
    New password:
    Re-type new password:
    Adding password for user pxuser

By default htpasswd hashes the password with its MD5-based algorithm, so the file stores an MD5 hash rather than the password itself.

With the password file ready, edit the Squid configuration file using the following command.

# vi /etc/squid/squid.conf

Add the following lines to the configuration file below the port ACLs. Squid evaluates http_access rules in order and stops at the first match, so the http_access allow auth_users line must come before the final http_access deny all line.

    auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
    auth_param basic children 5
    auth_param basic realm Squid Basic Authentication
    auth_param basic credentialsttl 2 hours
    acl auth_users proxy_auth REQUIRED
    http_access allow auth_users

Write the changes to the file and exit the editor. Restart the Squid daemon using the following command.

# systemctl restart squid

Now when you try to use the proxy server, it will ask for authentication. Provide your username and password and you will be able to use the proxy server. Unauthenticated users are shown an error page.

Blocking Websites

You can easily block a single website or a list of websites. Keeping the list in a separate file is a good way to manage the blocked websites. Create a new file to hold the list of websites to be blocked using your favorite editor.

# vi /etc/squid/blocked_sites

Now enter the sites you want to block, one website per line.

    liptanbiswas.com
    liptan.com

Save the file and exit the editor. The names above are only examples; put in the list of websites you actually wish to block. Now open the Squid configuration file again using the following command.

# vi /etc/squid/squid.conf

Enter the following lines, the acl line in the ACL list and the http_access line in the http_access list. Place the deny rule before the http_access allow rules (allow localnet, allow auth_users), because Squid stops at the first matching http_access line.

    acl blocked_sites dstdomain "/etc/squid/blocked_sites"
    http_access deny blocked_sites

Write the changes to the file and exit the editor. Restart the Squid daemon using the following command.

# systemctl restart squid

Now if you try to access one of the blocked sites, you will get an access denied message from Squid.
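The Safe_ports, basic authentication and blocked-sites sections above all depend on where their lines land in the http_access list. The following added example (not code from the tutorial or from Squid) models Squid's first-match evaluation over the ACL types used on this page (src, port, method, dstdomain, proxy_auth) so you can see which rule decides a request. The blocked_sites file contents and the request fields are constructed stand-ins.

```python
"""Model Squid's first-match evaluation of http_access rules.

Added example, not code from the tutorial. Squid walks http_access lines top
to bottom and stops at the first line whose ACLs all match; if no line
matches, the result is the opposite of the last line's action.
"""
from ipaddress import ip_address, ip_network

# Constructed stand-in for the contents of /etc/squid/blocked_sites.
ACL_FILES = {"/etc/squid/blocked_sites": ["liptanbiswas.com", "liptan.com"]}

# Constructed excerpt in the order the tutorial's sections produce.
CONF_OK = """\
acl localnet src 192.168.4.0/24
acl SSL_ports port 443
acl Safe_ports port 80 21 443 1025-65535
acl Safe_ports port 168
acl CONNECT method CONNECT
acl auth_users proxy_auth REQUIRED
acl blocked_sites dstdomain "/etc/squid/blocked_sites"
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny blocked_sites
http_access allow localnet
http_access allow auth_users
http_access deny all
"""

# Same ACLs, but "allow auth_users" pasted after "deny all": it is never reached.
CONF_BAD = CONF_OK.replace(
    "http_access allow auth_users\nhttp_access deny all",
    "http_access deny all\nhttp_access allow auth_users")


def parse_conf(text):
    """Collect acl definitions (name -> (type, values)) and http_access rules."""
    acls, rules = {"all": ("all", [])}, []          # "all" is built in to Squid
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            name, kind, values = words[1], words[2], words[3:]
            if kind == "dstdomain" and values and values[0].startswith('"'):
                values = ACL_FILES[values[0].strip('"')]   # "file" form of the acl
            acls.setdefault(name, (kind, []))[1].extend(values)
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def acl_matches(acls, name, req):
    kind, values = acls[name]
    if kind == "all":
        return True
    if kind == "src":
        return any(ip_address(req["src"]) in ip_network(v, strict=False) for v in values)
    if kind == "port":
        for v in values:                               # single port or lo-hi range
            lo, _, hi = v.partition("-")
            if int(lo) <= req["port"] <= int(hi or lo):
                return True
        return False
    if kind == "method":
        return req["method"] in values
    if kind == "dstdomain":
        host = req["host"].lower()
        return any(host == d or host.endswith("." + d) for d in values)
    if kind == "proxy_auth":
        return req.get("user") is not None             # REQUIRED: any authenticated user
    raise ValueError("unsupported acl type " + kind)


def decide(conf, req):
    """Return (action, index of the http_access line that decided it)."""
    acls, rules = parse_conf(conf)
    for i, (action, terms) in enumerate(rules):
        # every term on the line must match; a leading "!" negates that term
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action, i
    last = rules[-1][0] if rules else "deny"
    return ("deny" if last == "allow" else "allow"), None


if __name__ == "__main__":
    outsider = {"src": "203.0.113.5", "method": "GET", "host": "example.org", "port": 80, "user": "pxuser"}
    print("tutorial order:", decide(CONF_OK, outsider))
    print("allow after deny all:", decide(CONF_BAD, outsider))
```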

Changing Squid Port

You can easily change the port on which Squid listens. Edit the configuration file using the following command.

# vi /etc/squid/squid.conf

Scroll down to find the following lines in the file.

    # Squid normally listens to port 3128
    http_port 3128

Now change http_port from 3128 to the port you want. Make sure that no other service is using the port you choose for Squid. Restart the Squid daemon and the change takes effect.

That's it. You have successfully installed Squid Server on CentOS 7.
Thank you.

Installation of CentOS 7.3

CentOS 7, a Linux platform built from the sources of Red Hat Enterprise Linux, has been released with stable updates such as bug fixes and new package versions (Samba, Squid, LibreOffice, SELinux, systemd and others) and support for the 7th generation of Intel Core i3, i5 and i7 processors.

This guide will show you how to install CentOS 7.3 using the DVD ISO image on a UEFI based machine.

Requirements:

Download CentOS 7.3 ISO Image

After you have downloaded the image from the link above, burn it to a DVD or use the ISO directly and boot from it. After a while you will see a menu. From the menu select Install CentOS 7 and press Enter to continue.

The welcome screen will appear. Choose the language you want to use for the installation process and click the Continue button.

On the next screen you will see the Installation Summary.

In the Localization section, set Date and Time (choose your geographical location on the map and correct the date and time), the keyboard layout and language support as required.

1. Date and Time
2. Keyboard Setting
3. Language Support

In the Software section, choose the installation source (DVD/CD or the path to an ISO file) and select the software installation mode.

1. Installation Source
2. Software Selection

Then scroll down the Installation Summary page.

In the System section, define automatic or manual partitioning of the hard drive in the Installation Destination menu, enable kdump, configure network connectivity and the host name in the Network & Host Name menu, and select the default security policy profile.

1. Installation Destination
2. KDUMP
3. Network & Hostname
4. Security Policy

Now click "Begin Installation" to proceed. The configuration page appears.

Here, set the root password and create users as required. The installation takes some time to complete depending on your machine's hardware. After the installation has completed, reboot your machine.

1. Set ROOT Password
2. Create New User
3. Finished Configuration

That's it. You have successfully installed CentOS 7 on the virtual machine.

~ Thank you ~

DHCP Install and Configure


DHCP stands for Dynamic Host Configuration Protocol. It handles the automatic assignment of IP addresses and other configuration settings for devices on your network.

Detailed configuration steps (CentOS 6.8):

  1. Make sure the server has Internet access for this first-time setup.
  2. Make sure SELinux is disabled.
  3. Make sure iptables (the firewall) has the right entries, or simply disable the firewall:

# service iptables stop        => firewall is disabled for now
# chkconfig iptables off       => iptables stays off on every startup

  4. Update the yum repositories and packages with the command below:

[root@localhost ~]# yum update

  5. Install the DHCP server and client with the command below:

[root@localhost ~]# yum install dhcp

  6. Assign a static IP (e.g. 192.168.1.11) from the same subnet as the DHCP range to the listening interface (e.g. eth0). Open the /etc/sysconfig/network-scripts/ifcfg-eth0 file and adjust it to your requirements:

DEVICE="eth0"
HWADDR="00:0C:29:F1:01:4B"
NM_CONTROLLED="yes"
ONBOOT="yes"
BOOTPROTO="none"
IPADDR=192.168.1.11
NETMASK=255.255.255.0
GATEWAY=192.168.1.1

  7. Open the /etc/sysconfig/dhcpd file and add the preferred interface name to the DHCPDARGS variable:

# Command line options here
DHCPDARGS=eth0

  8. Open the /etc/dhcp/dhcpd.conf file, paste the lines below and save it:

# specify domain name
option domain-name "samajik.edu.np";

# specify DNS server IP and additional DNS server IP
option domain-name-servers 192.168.1.10, 208.67.222.222;

# specify default lease time
default-lease-time 600;

# specify max lease time
max-lease-time 7200;

# specify log method
log-facility local7;

# configure subnet and IP range
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.50 192.168.1.254;
    option broadcast-address 192.168.1.255;

    # default gateway IP
    option routers 192.168.1.1;
}

# fixed IP address based on MAC address
host Printer01 {
    hardware ethernet 02:34:37:24:c0:a5;
    fixed-address 192.168.1.55;
}

  9. Check the configuration:

# dhcpd -t -cf /etc/dhcp/dhcpd.conf

The command above reports any error in the configuration file together with its line number. If it reports nothing, the file is valid and the dhcpd service can be started.

  10. Start the dhcpd service:

# service dhcpd start          => starts the dhcpd service now
# chkconfig dhcpd on           => starts the dhcpd service on every boot

The DHCP server should now be working.
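dhcpd -t only validates syntax; it will happily accept a fixed-address that sits inside the dynamic range, as the Printer01 reservation above does. The following added example (not part of the tutorial or of ISC dhcpd) parses the subnet and host declarations used above and checks the addressing plan: server address, router, dynamic range and every reservation must be inside the subnet, and reservations should stay out of the pool. The parser handles only these declarations; nested pool blocks are outside what it understands.

```python
"""Check the addressing plan in dhcpd.conf before starting dhcpd.

Added example, not part of the original tutorial. Keeping reservations
outside the dynamic pool is the usual recommendation so the pool can never
hand the same address to a second client (stated here as practice, not as
a dhcpd guarantee).
"""
import re
from ipaddress import ip_address, ip_network

# Constructed copy of the tutorial's subnet and host declarations.
DHCPD_CONF = """
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.50 192.168.1.254;
  option broadcast-address 192.168.1.255;
  option routers 192.168.1.1;     # default gateway
}
host Printer01 {
  hardware ethernet 02:34:37:24:c0:a5;
  fixed-address 192.168.1.55;
}
"""
SERVER_IP = "192.168.1.11"   # static address given to eth0 in step 6

HOST_RE = re.compile(r"\bhost\s+(\S+)\s*\{([^}]*)\}")
MAC_RE = re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}")


def parse_dhcpd(text):
    """Extract the single subnet, its range/routers, and all host reservations."""
    text = re.sub(r"#.*", "", text)                       # strip comments
    m = re.search(r"\bsubnet\s+(\S+)\s+netmask\s+(\S+)\s*\{([^}]*)\}", text)
    if not m:
        raise ValueError("no subnet declaration found")
    body = m.group(3)
    rng = re.search(r"\brange\s+(\S+)\s+(\S+)\s*;", body)
    routers = re.search(r"option\s+routers\s+([^;]+);", body)
    hosts = []
    for name, hbody in HOST_RE.findall(text):
        mac = re.search(r"hardware\s+ethernet\s+([^;]+);", hbody)
        ip = re.search(r"fixed-address\s+([^;]+);", hbody)
        hosts.append((name, mac.group(1).strip() if mac else None,
                      ip.group(1).strip() if ip else None))
    return {
        "subnet": ip_network(f"{m.group(1)}/{m.group(2)}"),
        "range": (ip_address(rng.group(1)), ip_address(rng.group(2))) if rng else None,
        "routers": ip_address(routers.group(1).strip()) if routers else None,
        "hosts": hosts,
    }


def check_plan(conf, server_ip):
    """Return a list of problems; an empty list means the plan is consistent."""
    plan = parse_dhcpd(conf)
    net, problems = plan["subnet"], []
    server = ip_address(server_ip)
    if server not in net:
        problems.append(f"server {server} is outside {net}")
    if plan["routers"] is not None and plan["routers"] not in net:
        problems.append(f"router {plan['routers']} is outside {net}")
    lo, hi = plan["range"] or (None, None)
    if lo is None:
        problems.append("subnet declares no dynamic range")
    elif lo not in net or hi not in net or lo > hi:
        problems.append(f"range {lo}-{hi} is not inside {net}")
    elif lo <= server <= hi:
        problems.append(f"server {server} lies inside the dynamic range")
    for name, mac, ip in plan["hosts"]:
        if mac is None or not MAC_RE.fullmatch(mac.lower()):
            problems.append(f"host {name}: missing or malformed hardware ethernet")
        if ip is None:
            continue
        addr = ip_address(ip)
        if addr not in net:
            problems.append(f"host {name}: fixed-address {addr} is outside {net}")
        elif lo is not None and lo <= addr <= hi:
            problems.append(f"host {name}: fixed-address {addr} lies inside "
                            f"the dynamic range {lo}-{hi}")
    return problems


if __name__ == "__main__":
    for p in check_plan(DHCPD_CONF, SERVER_IP) or ["plan is consistent"]:
        print(p)
```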

Now we can watch the DHCP server at work. By default dhcpd writes its log to /var/log/messages, so follow that file continuously for the latest entries:

#tail -f /var/log/messages

Lease activity from clients (DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK) appears there as new entries.

Thank you.


Setup DNS Server using Bind 9 on CentOS 7


BIND is open source software that implements the Domain Name System (DNS) protocols for the Internet which provides ability to perform name to ip conversion. The name BIND stands for “Berkeley Internet Name Domain”, because the software originated in the early 1980s at the University of California at Berkeley. BIND is by far the most widely used DNS software on the Internet, providing a robust and stable platform on top of which organizations can build distributed computing systems with the knowledge that those systems are fully compliant with published DNS standards.


Prerequisites

  1. Updated minimal working CentOS 7 Server with root credentials,
  2. Setup its FQDN,
  3. Configure required Basic Networking Setup that connects to the Internet.

DNS Server Details:

Operating System     : CentOS 7 minimal server
Hostname             : test.com
IP Address           : 192.168.4.9/24

Installing BIND9 on CentOS 7

BIND package can directly be installed using the ‘yum’ command.

# yum install bind bind-utils -y

1. Configure DNS Server

Edit ‘/etc/named.conf’ file.

# vi /etc/named.conf

Add or adjust the lines marked with ### comments (listen-on, allow-query, allow-transfer and forwarders in the options block, plus the test.com zone further down):

 //
 // named.conf
 //
 // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
 // server as a caching only nameserver (as a localhost DNS resolver only).
 //
 // See /usr/share/doc/bind*/sample/ for example named configuration files.
 //
 // See the BIND Administrator's Reference Manual (ARM) for details about the
 // configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
listen-on port 53 { 127.0.0.1; 192.168.4.9; };    ### Master DNS IP ###
#  listen-on-v6 port 53 { ::1; };
directory     "/var/named";
dump-file     "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query     { localhost; 192.168.4.0/27; };    ### Define IP Range ###
allow-transfer  { 8.8.8.8; localhost; 192.168.1.102; };    ### Slave DNS IP ###
forwarders { 8.8.8.8; 8.8.4.4; };       # Forwards DNS queries to Google DNS servers #
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;

dnssec-enable yes;
dnssec-validation yes;

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";

managed-keys-directory "/var/named/dynamic";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

zone "." IN {
type hint;
file "named.ca";
};

zone "test.com" IN {
        type master;
        file "test.com.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

2. Create Zone files

# vi /var/named/test.com.ca

Add the following lines:

$TTL    86400
 @               IN SOA  @       root (
                                42              ; serial (d. adams)
                                3H              ; refresh
                                15M             ; retry
                                1W              ; expiry
                                1D )            ; minimum
                            IN NS           @
                            IN A            192.168.4.9
 www1                       IN A            192.168.4.9
 www                        IN A            192.168.4.9
 test                       IN A            192.168.4.9
 nepalisupport              IN A            192.168.4.9

3. Start the DNS service

Enable and start DNS service:

# systemctl enable named
# systemctl start named

4. Firewall Configuration

We must allow the DNS service's default port 53 through the firewall.

# firewall-cmd --permanent --add-port=53/tcp
# firewall-cmd --permanent --add-port=53/udp

5. Restart Firewall

# firewall-cmd --reload

6. Configuring Permissions, Ownership, and SELinux

Run the following commands one by one:

# chgrp named -R /var/named
# chown -v root:named /etc/named.conf
# restorecon -rv /var/named
# restorecon /etc/named.conf

7. Test DNS configuration and zone files for any syntax errors

Check DNS default configuration file:

# named-checkconf /etc/named.conf

If it returns nothing, your configuration file is valid.

Check Forward zone:

# named-checkzone test.com /var/named/test.com.ca

Sample output:

zone test.com/IN: loaded serial 42
OK
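named-checkconf confirms syntax, not exposure. The options block above sets recursion yes while restricting allow-query, which is exactly the combination its own comment says you must get right. The following added example (not code from the tutorial or from BIND) parses that options block and reports the risky combinations: recursion reachable from any client, zone transfers open to any host, and public addresses in allow-transfer. The defaults it assumes are those of the BIND 9.9 shipped with CentOS 7 (allow-query any, allow-transfer any, allow-recursion falling back to allow-query-cache, then allow-query, then localnets/localhost); the parser is a simplified pass sufficient for the block shown above.

```python
"""Flag open-resolver and zone-transfer exposure in a named.conf options block.

Added example, not code from the tutorial. Parsing is deliberately minimal:
it strips comments, isolates the options { ... } block by brace matching,
and reads "name { a; b; };" lists and "name value;" scalars.
"""
import re
from ipaddress import ip_address

# Constructed excerpt of the tutorial's options block.
NAMED_CONF = """
options {
  listen-on port 53 { 127.0.0.1;192.168.4.9; }; ### Master DNS IP ###
  #  listen-on-v6 port 53 { ::1; };
  directory       "/var/named";
  allow-query     { localhost;192.168.4.0/27; };           ### Define IP Range ###
  allow-transfer{ 8.8.8.8; localhost; 192.168.1.102; };       ### Slave DNS IP ###
  forwarders { 8.8.8.8; 8.8.4.4; };       # Forwards DNS queries to Google DNS Server #
  /* recursive for our LAN only */
  recursion yes;
  dnssec-validation yes;
};
"""


def strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(#|//).*", "", text)


def options_block(text):
    """Return the text between the braces of the options { ... } statement."""
    start = text.index("{", text.index("options"))
    depth = 0
    for i in range(start, len(text)):
        depth += (text[i] == "{") - (text[i] == "}")
        if depth == 0:
            return text[start + 1:i]
    raise ValueError("unbalanced braces in options block")


def parse_options(text):
    """Map option name -> list (for { a; b; } values) or string (scalar)."""
    opts = {}
    pattern = r"([\w-]+)(?:\s+port\s+\d+)?\s*(?:\{([^}]*)\}|([^;{}]+))\s*;"
    for name, items, scalar in re.findall(pattern, options_block(strip_comments(text))):
        if items or not scalar:
            opts[name] = [v.strip() for v in items.split(";") if v.strip()]
        else:
            opts[name] = scalar.strip().strip('"')
    return opts


def resolver_findings(opts):
    """Return human-readable findings for the exposure cases named above."""
    findings = []
    recursion = opts.get("recursion", "yes") == "yes"          # BIND default: yes
    recurse_acl = (opts.get("allow-recursion") or opts.get("allow-query-cache")
                   or opts.get("allow-query") or ["localnets", "localhost"])
    if recursion and any(a in ("any", "0.0.0.0/0", "::/0") for a in recurse_acl):
        findings.append("recursion is reachable from any client (open resolver)")
    transfer = opts.get("allow-transfer") or ["any"]           # assumed 9.9 default
    if "any" in transfer:
        findings.append("zone transfers are allowed to any host")
    for entry in transfer:
        try:
            addr = ip_address(entry)
        except ValueError:
            continue                       # localhost, localnets, named acls
        if addr.is_global:
            findings.append(f"allow-transfer lists public address {addr}; "
                            "only your own secondaries belong here")
    return findings


if __name__ == "__main__":
    for f in resolver_findings(parse_options(NAMED_CONF)) or ["no findings"]:
        print(f)
```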

Now add the DNS Server details in your network interface config file.

# vi /etc/sysconfig/network-scripts/ifcfg-enp0s3
TYPE="Ethernet"
BOOTPROTO="none"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
NAME="enp0s3"
UUID="5d0428b3-6af2-4f6b-9fe3-4250cd839efa"
ONBOOT="yes"
HWADDR="08:00:27:19:68:73"
IPADDR0="192.168.4.9"
PREFIX0="24"
GATEWAY0="192.168.4.1"
DNS="192.168.4.9"
IPV6_PEERDNS="yes"
IPV6_PEERROUTES="yes"

Edit file /etc/resolv.conf,

# vi /etc/resolv.conf

Add the name server ip address:

nameserver      192.168.4.9

Save and close the file.

Restart network service:

# systemctl restart network

8. Test DNS Server

# dig www.test.com

Sample Output:

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> www.test.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<

# nslookup www.test.com

Sample Output:

Server:        192.168.4.9
Address:    192.168.4.9#53

Name:    www.test.com
Address: 192.168.4.9

Client Side Configuration

If Client has a Linux Operating System,

Add the DNS server details in ‘/etc/resolv.conf’ file in all client systems

# vi /etc/resolv.conf
nameserver 192.168.4.9

Restart network service or reboot the system.

Test DNS Server

Now, you can test the DNS server using any one of the following commands:

# dig www.test.com

If Client has a Windows Operating System,

Add DNS server details in ipv4 Network settings and browse in the address bar.

That’s it. Now you have successfully configured a DNS Server on your CentOS 7 Machine.

Thank you.


Install & Configure Samba Server In CentOS 7


Samba is an open source, and free software suite that provides file and print services to the SMB/CIFS clients. It allows us to share files, folders, and printers between Linux server and Windows clients. Using Samba, we can setup a domain controller on Unix/Linux server, and integrate the Windows clients to the Domain controller.

This tutorial describes how to set up a basic Samba server on a CentOS 7 system.

Scenario

In this tutorial, I will be using two systems as described below.

Samba server:

Operating system : CentOS 7 minimal server
IP Address : 192.168.4.9/24

Samba client:

Operating system : Windows 7 Professional
IP Address : 192.168.4.23/24

Install Samba

Check for existing samba package if any using the following commands.

# rpm -qa | grep samba
# yum list installed | grep samba

If samba is installed, remove it using the below command:

# yum remove samba*

Now, install samba using the following command.

# yum install samba* -y

1. Configure a fully accessed anonymous share

Now, let us create a fully accessible anonymous share for the users. Anyone can read and write in this share.

Create a directory called ‘/samba/anonymous_share’ and set full permission. You can name this share as per your liking.

# mkdir -p /samba/anonymous_share
# chmod -R 0777 /samba/anonymous_share

Edit the Samba configuration file:

# vi /etc/samba/smb.conf

Find the following directives, and make the changes as shown below.

[...]

## Add the following lines under [global] section ##
unix charset = UTF-8
dos charset = CP932

## Change to the Windows default workgroup ##
workgroup = WORKGROUP

## Uncomment and set the IP range of your clients (192.168.4.0/24 in this scenario) ##
hosts allow = 127. 192.168.4.

## Uncomment ##
max protocol = SMB2

## Uncomment, and change the value of 'security' to 'user' ##
security = user

## Add the following line ##
map to guest = Bad User

## Add the following lines at the bottom ##
[Anonymous share]
path = /samba/anonymous_share
writable = yes
browsable = yes
guest ok = yes
guest only = yes
create mode = 0777
directory mode = 0777

Start samba services, and enable them to start automatically on every reboot.

# systemctl start smb
# systemctl start nmb
# systemctl enable smb
# systemctl enable nmb

Test the Samba server configuration

We can check the Samba server configuration for syntax errors using the 'testparm' command.

# testparm

Sample Output:

Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Processing section "[Anonymous share]"
Loaded services file OK.
WARNING: You have some share names that are longer than 12 characters.
These may not be accessible to some older clients.
(Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
    dos charset = CP932
    netbios name = SAMBA SERVER
    server string = Samba Server Version %v
    map to guest = Bad User
    log file = /var/log/samba/log.%m
    max log size = 50
    server max protocol = SMB2
    idmap config * : backend = tdb
    hosts allow = 127., 192.168.4.
    cups options = raw

[homes]
    comment = Home Directories
    read only = No
    browseable = No

[printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    print ok = Yes
    browseable = No

[Anonymous share]
    path = /samba/anonymous_share
    read only = No
    create mask = 0777
    directory mask = 0777
    guest only = Yes
    guest ok = Yes

If no errors are reported, you are good to go.
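testparm reports syntax, not whether the policy matches your scenario. The following added example (not code from the tutorial or from the Samba project) loads the smb.conf directives set above, checks that hosts allow actually admits the Windows client (192.168.4.23 here), and lists every share that is both guest accessible and writable, which is what "fully accessible anonymous share" means in practice. hosts allow matching covers only the forms used here (dotted prefixes such as 192.168.4., CIDR blocks, single addresses, ALL); writable/read only handling is simplified to the keys shown.

```python
"""Audit an smb.conf excerpt against the tutorial's own client scenario.

Added example, not code from the tutorial or from Samba.
"""
import configparser
from ipaddress import ip_address, ip_network

# Constructed copy of the smb.conf directives set above.
SMB_CONF = """\
[global]
unix charset = UTF-8
workgroup = WORKGROUP
hosts allow = 127. 192.168.4.
max protocol = SMB2
security = user
map to guest = Bad User

[Anonymous share]
path = /samba/anonymous_share
writable = yes
browsable = yes
guest ok = yes
guest only = yes
create mode = 0777
directory mode = 0777
"""

CLIENT_IP = "192.168.4.23"   # the Windows 7 client from the scenario


def load_smb_conf(text):
    # smb.conf is INI-like; keys contain spaces, so only "=" is a delimiter
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    return cp


def host_allowed(hosts_allow, client_ip):
    """Mimic Samba's hosts allow matching for prefix, CIDR, exact and ALL entries."""
    ip = ip_address(client_ip)
    for entry in hosts_allow.replace(",", " ").split():
        if entry.lower() == "all":
            return True
        if "/" in entry and ip in ip_network(entry, strict=False):
            return True
        if entry.endswith(".") and client_ip.startswith(entry):   # e.g. "192.168.4."
            return True
        if entry == client_ip:
            return True
    return False


def _yes(section, key, default="no"):
    return section.get(key, default).strip().lower() in ("yes", "true", "1")


def guest_writable_shares(cp):
    """Shares anyone can write to without credentials (simplified key handling)."""
    shares = []
    for name in cp.sections():
        if name == "global":
            continue
        s = cp[name]
        guest = _yes(s, "guest ok") or _yes(s, "public")
        writable = (_yes(s, "writable") or _yes(s, "writeable")
                    or not _yes(s, "read only", default="yes"))
        if guest and writable:
            shares.append(name)
    return shares


def audit(text, client_ip=CLIENT_IP):
    cp = load_smb_conf(text)
    allow = cp["global"].get("hosts allow", "")
    return {
        "client_allowed": host_allowed(allow, client_ip) if allow else True,
        "guest_writable": guest_writable_shares(cp),
    }


if __name__ == "__main__":
    print(audit(SMB_CONF))
```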

Firewall configuration

Allow the Samba server's default ports through the firewall.

# firewall-cmd --permanent --add-port=137/udp
# firewall-cmd --permanent --add-port=138/udp
# firewall-cmd --permanent --add-port=139/tcp
# firewall-cmd --permanent --add-port=445/tcp
# firewall-cmd --permanent --add-port=901/tcp

Restart firewall to apply the changes.

# firewall-cmd --reload

SELinux Configuration

Turn the samba_enable_home_dirs Boolean on if you want to share home directories via Samba.

# setsebool -P samba_enable_home_dirs on

If you create a new directory, such as a new top-level directory, label it with samba_share_t so that SELinux allows Samba to read and write to it. Do not label system directories, such as /etc/ and /home/, with samba_share_t, as such directories should already have an SELinux label.

In our case, we have already created an anonymous share directory, so let us label it as shown below.

# chcon -t samba_share_t /samba/anonymous_share/

Note: If you do not want to deal with SELinux, you can disable it as shown below and continue.

To disable SELinux, edit the file /etc/sysconfig/selinux:

# vi /etc/sysconfig/selinux

Set the SELINUX value to disabled:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

Reboot the server for the changes to take effect.

Test Samba Shares

Now, go to any Windows client system. In this example, I am using a Windows 7 system.

Click Start -> Run and enter the Samba server's IP address as shown below.

Windows 7, 1 nic, bridge, internet [Running] - Oracle VM VirtualBox_001

Now you'll be able to see the fully open (anonymous) Samba share.

Windows 7, 1 nic, bridge, internet [Running] - Oracle VM VirtualBox_002

You can create, modify or delete files and folders inside the share. For example, let's create a sample folder called 'nepalisupport' inside the Samba share folder.

samba.jpg

Check that the newly created folder is present on the Samba server:

# ls -l /samba/anonymous_share/

Sample Output:

total 0
drwxrwxrwx. 2 nobody nobody 6 Sep 26 17:55 unixmen

As you can see in the output, the folder has been created in the /samba/anonymous_share/ directory.

2. Create a password-protected share on the Samba server

What we have seen so far is a fully open Samba share: anyone can access that share and create or delete files and folders in it.

Now, let us create a password-protected Samba share, so that users must enter a valid username and password to access the share folder.

Create a user called “nepalisupport” and a group called “smbgroup”.

# useradd -s /sbin/nologin nepalisupport
# groupadd smbgroup

Add the user nepalisupport to smbgroup and set a Samba password for the user:

# usermod -a -G smbgroup nepalisupport
# smbpasswd -a nepalisupport

Create a new share directory, /samba/secure_share, and set its ownership and permissions:

# mkdir /samba/secure_share
# chmod -R 0755 /samba/secure_share
# chown -R nepalisupport:smbgroup /samba/secure_share

Edit the Samba config file:

# vi /etc/samba/smb.conf

Add the lines below at the bottom of the Samba config file:

[secure_share]
path = /samba/secure_share
writable = yes
browsable = yes
guest ok = no
valid users = @smbgroup

Test the Samba configuration for errors:

# testparm

Sample output:

Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Processing section "[Anonymous share]"
Processing section "[secure_share]"
Loaded services file OK.
WARNING: You have some share names that are longer than 12 characters.
These may not be accessible to some older clients.
(Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
    dos charset = CP932
    netbios name = UNIXMEN SAMBA SERVER
    server string = Samba Server Version %v
    map to guest = Bad User
    log file = /var/log/samba/log.%m
    max log size = 50
    server max protocol = SMB2
    idmap config * : backend = tdb
    hosts allow = 127., 192.168.1.
    cups options = raw

[homes]
    comment = Home Directories
    read only = No
    browseable = No

[printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    print ok = Yes
    browseable = No

[Anonymous share]
    path = /samba/anonymous_share
    read only = No
    create mask = 0777
    directory mask = 0777
    guest only = Yes
    guest ok = Yes

[secure_share]
    path = /samba/secure_share
    valid users = @smbgroup
    read only = No

Label /samba/secure_share/ with samba_share_t so that SELinux allows Samba to read and write to it:

# chcon -t samba_share_t /samba/secure_share/

Restart the Samba services:

# systemctl restart smb
# systemctl restart nmb
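Before reconnecting clients it is worth confirming that only the share you intend to be anonymous is both guest-accessible and writable. The script below is an added example, not part of the tutorial: it parses an smb.conf with awk (a constructed sample mirroring the two shares above is embedded, and the function names are my own) and lists the shares that match that profile; run audit_shares /etc/samba/smb.conf against the real file.

```shell
#!/usr/bin/env bash
# Added example (not from the tutorial): flag smb.conf shares that are guest-reachable
# AND writable, the profile of [Anonymous share]. Pure parsing, no Samba needed.
set -eu

# audit_shares FILE: one tab-separated line per share: name, guest=yes|no, writable=yes|no.
# Samba defaults (guest ok = no, read only = yes) apply unless [global] overrides them.
audit_shares() {
  awk -F'=' '
    function yes(v)  { return v == "yes" || v == "true" || v == "1" }
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function flush() { if (sec != "" && sec != "global") printf "%s\tguest=%s\twritable=%s\n", sec, g, w }
    BEGIN { sec = ""; gg = "no"; gw = "no" }
    /^[ \t]*[#;]/ { next }                                  # comment line
    /^[ \t]*\[/ { flush(); sec = trim($0)                   # new [section]
                  gsub(/^\[|\]$/, "", sec); g = gg; w = gw; next }
    NF >= 2 { key = tolower(trim($1)); val = tolower(trim($2))
              if (key == "guest ok") g = yes(val) ? "yes" : "no"
              if (key == "read only") w = yes(val) ? "no" : "yes"
              if (key == "writable" || key == "writeable") w = yes(val) ? "yes" : "no"
              if (sec == "global") { gg = g; gw = w } }     # globals become per-share defaults
    END { flush() }
  ' "$1"
}
# open_writable_shares FILE: names of shares that are both guest-accessible and writable
open_writable_shares() {
  audit_shares "$1" | awk 'BEGIN { FS = "\t" } $2 == "guest=yes" && $3 == "writable=yes" { print $1 }'
}
# write_sample_conf: a constructed smb.conf mirroring the tutorial's two shares (not a live file)
write_sample_conf() {
  cat <<'EOF'
[global]
    map to guest = Bad User
[Anonymous share]
    path = /samba/anonymous_share
    read only = No
    guest ok = Yes
[secure_share]
    path = /samba/secure_share
    writable = yes
    guest ok = no
    valid users = @smbgroup
EOF
}
conf=$(mktemp); write_sample_conf > "$conf"
echo "share / guest access / writable:"; audit_shares "$conf"
echo "guest-writable shares (only an intended drop box belongs here):"; open_writable_shares "$conf"
rm -f "$conf"
```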

Test Samba shares

Now, go to the Windows client and look for the secured share folder.

Windows 7, 1 nic, bridge, internet [Running] - Oracle VM VirtualBox_004

Double-click to open the secured share. You'll be asked to enter a username and password to access it.

1.png

That’s it. Now, you can access the secured samba share folder.

Windows 7, 1 nic, bridge, internet [Running] - Oracle VM VirtualBox_006

That’s it. Samba Server is ready to use.

Thank you.


Set Up Apache Web Server on CentOS 7

The Apache web server is one of the most popular and powerful web servers in the world. It is also one of the most secure web servers available. This tutorial will explain how to install and configure a basic and secure Apache web server in CentOS 7.

Requirements

  • A server running CentOS v. 7
  • A static IP Address for your server

Set up the Apache HTTP server

Update the package repository

Before installing Apache, it is a good idea to update the installed packages. Run the update and then install httpd with the following commands:

# yum update -y
# yum install httpd -y

Disable SELinux

By default SELinux is enabled in CentOS 7. It is recommended that you disable it first.

You can disable SELinux by editing the /etc/selinux/config file:

# nano /etc/selinux/config

Change the line from SELINUX=enforcing to SELINUX=disabled

SELINUX=disabled

Save and close the file, then restart your machine for the changes to take effect.

Allow Apache through the firewall

You will need to allow the default Apache ports 80 (HTTP) and 443 (HTTPS) through FirewallD.

You can do this by running the following commands:

 # firewall-cmd --permanent --add-port=80/tcp
 # firewall-cmd --permanent --add-port=443/tcp

Reload the firewall service for the changes to take effect.

 # firewall-cmd --reload

Create a test page

In CentOS 7 the default Apache DocumentRoot is /var/www/html/. However, there is no index.html file in this directory, so you will need to create one.

# vi /var/www/html/index.html

Add the following content:

Apache index page

Start the Apache service:

# systemctl start httpd

You can configure the Apache service to start on boot by running the following command:

# systemctl enable httpd

Test the Apache HTTP server

To verify that the Apache web server is up and running, open your web browser and go to your server’s IP Address with the url http://your.server.ip.address.

You should see a default page like the one in the image below.

Apache test page

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To Set up a secure Apache HTTPS server with SSL

Install SSL

In order to secure Apache with TLS, you need to install mod_ssl and OpenSSL first.

You can install them using the following command:

# yum install mod_ssl openssl

Generate a self-signed certificate

First, generate a 2048-bit RSA private key, ca.key.

# openssl genrsa -out ca.key 2048

Then generate the certificate signing request ca.csr using the following command.

# openssl req -new -key ca.key -out ca.csr

You will be prompted for information about the certificate.

SSL certificate

Finally, generate a self-signed X.509 certificate ca.crt valid for 365 days.

# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

After creating the certificate, copy the key and certificate files into the directories Apache will read them from.

You can do this by running the following commands:

# cp ca.crt /etc/pki/tls/certs/
# cp ca.key /etc/pki/tls/private/
# cp ca.csr /etc/pki/tls/private/
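Before pointing Apache at the files, it pays to confirm that ca.crt really carries the public half of ca.key, that the validity period is what you asked for, and that the private key is not group- or world-readable. The script below is an added example, not part of the tutorial: it repeats the three openssl steps above non-interactively in a temporary directory (the subject, validity and function names are my own constructed values) and runs those checks.

```shell
#!/usr/bin/env bash
# Added example (not from the tutorial): create ca.key / ca.csr / ca.crt the way the
# steps above do, then verify the pair before copying it under /etc/pki/tls.
set -eu

# make_selfsigned DIR DAYS SUBJECT: writes ca.key, ca.csr and ca.crt into DIR
make_selfsigned() {
  local dir=$1 days=$2 subject=$3
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -key "$dir/ca.key" -out "$dir/ca.csr" -subj "$subject" 2>/dev/null
  openssl x509 -req -days "$days" -in "$dir/ca.csr" -signkey "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  chmod 600 "$dir/ca.key"        # the private key must stay readable by root only
}

# key_matches_cert KEY CRT: succeeds only if CRT carries the public half of KEY
key_matches_cert() {
  local k c
  k=$(openssl rsa -in "$1" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_valid_for_days CRT N: succeeds if CRT does not expire within the next N days
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# key_is_private KEY: succeeds if no group/other permission bits are set on KEY
key_is_private() {
  case $(ls -l "$1" | cut -c5-10) in ------) return 0 ;; *) return 1 ;; esac
}

work=$(mktemp -d)
make_selfsigned "$work" 365 "/CN=192.168.1.42"   # constructed: the tutorial's server address as CN
key_matches_cert "$work/ca.key" "$work/ca.crt" && echo "ca.key and ca.crt match"
cert_valid_for_days "$work/ca.crt" 30 && echo "ca.crt is good for at least 30 more days"
key_is_private "$work/ca.key" && echo "ca.key is not group/world readable"
openssl x509 -in "$work/ca.crt" -noout -subject -dates
rm -rf "$work"
```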

Set up the certificates

All the certificates are ready. Next, set up Apache to use the new certificate.

You can do this by editing the SSL config file:

# vi /etc/httpd/conf.d/ssl.conf

Find the section that begins with <VirtualHost _default_:443>. Uncomment the DocumentRoot and ServerName lines and replace example.com with your server's IP address.

DocumentRoot "/var/www/html"
ServerName 192.168.1.42:443

Next, find the SSLCertificateFile and SSLCertificateKeyFile lines and update them with the new locations of the certificate and key.

SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key

After making these changes, restart the Apache service for them to take effect.

# sudo systemctl restart httpd

Test the secure Apache HTTPS server

To verify that the secure Apache HTTPS web server is working, open your web browser and go to your server’s IP Address with the url https://your.server.ip.address.

Because the certificate is self-signed, your browser will show a warning and you must manually accept the certificate.

Apache warning page

Once you add an exception to the browser’s identity verification, you should see a test page for your newly-secure site.

Apache secure test page

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Now, Lets Configure Apache Virtual Hosts

In Apache, you can use virtual hosts to direct http traffic for a given domain name to a particular directory (i.e. the root directory of the website for the domain in the request). This feature is commonly used to host multiple websites, but we recommend using it for every website on your server including the first.

Set up the virtual host

1. Create the virtual directories for your domain:

# mkdir -p /var/www/html/test

2. Change the ownership to the Apache user and group (the page originally repeated the mkdir command here; chown is the command the step describes):

# chown -R apache:apache /var/www/html/test

3. Change the directory’s permission:

# chmod -R 755 /var/www/html

Create content for the website

If you have the content for the website prepared, you can upload it to the /var/www/html/test folder you created in the last section.

If you don't have content ready to upload, you can create a sample home page as an index file, which is the first page that loads when visitors come to your domain.

1. Create the index file:

# vi /var/www/html/test/index.html

2. Add some content to the file and save it using :wq!. The minimal page below carries the two strings the original tutorial's screenshot showed, wrapped in the HTML structure the extraction dropped:

<html>
  <head>
    <title>Welcome to my site!</title>
  </head>
  <body>
    <h1>Hooray! test.com virtual host is working!</h1>
  </body>
</html>

Configure your virtual host directories

We’re going to create two directories: one to store the virtual host files (sites-available) and another to hold symbolic links to virtual hosts that will be published (sites-enabled).

Create sites-available and sites-enabled directories

  • Create the directories:
    # mkdir /etc/httpd/sites-available
    # mkdir /etc/httpd/sites-enabled

Edit your Apache configuration file

Edit the main configuration file (httpd.conf) so that Apache will look for virtual hosts in the sites-enabled directory.

Open your config file:

# vi /etc/httpd/conf/httpd.conf

Add this line at the very end of the file:

IncludeOptional sites-enabled/*.conf

This way, we’re telling Apache to look for additional config files in the sites-enabled directory.

Save and close the file:

:wq!

Create virtual host file

We’re going to build it from a new file in your sites-available directory.

1. Create a new config file:

# vi /etc/httpd/sites-available/test.conf

Paste this configuration in, replacing test with your own domain, and save it. The DocumentRoot points at the /var/www/html/test directory that holds the index.html created above, and the logs live outside DocumentRoot so that they are never served to clients.

<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    ServerName www.test.com
    ServerAlias test.com
    DocumentRoot /var/www/html/test
    ErrorLog /var/log/httpd/test_error.log
    CustomLog /var/log/httpd/test_requests.log combined
</VirtualHost>

The ErrorLog and CustomLog lines are not required to set up your virtual host, but we've included them in case you want to tell Apache where to keep the error and request logs for your site.

Enable your virtual host file with a symlink into the sites-enabled directory:

# ln -s /etc/httpd/sites-available/test.conf /etc/httpd/sites-enabled/test.conf

  • Restart Apache:

sudo service httpd restart

Adding additional virtual hosts

To create additional sites, repeat the following sections:

  1. Set up the virtual host,
  2. Create content for the website,
  3. Create virtual host file — but for additional virtual hosts, you will need to create new config files in /etc/httpd/sites-available/,

For example:

/etc/httpd/sites-available/<your-second-domain>.conf

Note: Don't forget to point your domain name at your server, i.e. configure the DNS records for your domains on your DNS server.

That's it. You have successfully configured an Apache web server and its virtual hosts. This article was tested on a CentOS 7.3 machine.

Thank you.
