Migrating the users and groups
Copied my groups from /etc/group:
dmitriano:x:1000:
slogpost:x:1001:www-data,bak
beauty:x:1009:www-data,bak
test1:x:1012:www-data,beauty,dmitriano,devnote,bak
test2:x:1013:www-data,bak
devnote:x:1018:www-data,bak
exchange:x:1025:
git:x:1026:www-data,bak
game:x:1027:www-data,bak
shar:x:1029:www-data,bak
bak:x:1032:
and copied my users from /etc/passwd:
dmitriano:x:1000:1000:Dmitry Efimov,,,:/home/dmitriano:/bin/bash
slogpost:x:1001:1001:,,,,:/home/slogpost:/bin/bash
beauty:x:1009:1009::/home/beauty:/bin/bash
test1:x:1012:1012::/home/test1:/bin/bash
test2:x:1013:1013::/home/test2:/bin/bash
devnote:x:1018:1018::/home/devnote:/bin/bash
exchange:x:1025:1025::/home/exchange:/bin/sh
game:x:1027:1027::/home/game:/bin/bash
git:x:1026:1026::/home/git:/bin/bash
shar:x:1029:1029::/home/shar:/bin/bash
bak:x:1032:1032::/home/bak:/bin/bash
and copied the corresponding lines from /etc/shadow.
Created home directories for all the users:
mkhomedir_helper dmitriano
mkhomedir_helper slogpost
mkhomedir_helper beauty
mkhomedir_helper test1
mkhomedir_helper test2
mkhomedir_helper devnote
mkhomedir_helper exchange
mkhomedir_helper game
mkhomedir_helper git
mkhomedir_helper shar
mkhomedir_helper bak
Made my user a sudoer:
adduser dmitriano sudo
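Copying passwd, group and shadow lines by hand is easy to get subtly wrong (a user whose primary GID was not copied, a group member that has no user, two users sharing a UID), and mkhomedir_helper will happily create directories owned by a non-existent group. The following check is an added example, not part of the original notes: it takes a passwd file and a group file and reports those three inconsistencies. The sample lines are constructed from a subset of the entries above plus two deliberate errors.

```shell
#!/bin/sh
# Constructed sample: a subset of the copied entries above, plus a user whose
# primary group was not copied ("orphan") and a group member with no user ("ghost").
PASSWD_SAMPLE='dmitriano:x:1000:1000:Dmitry Efimov,,,:/home/dmitriano:/bin/bash
slogpost:x:1001:1001:,,,,:/home/slogpost:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
bak:x:1032:1032::/home/bak:/bin/bash
orphan:x:1099:1099::/home/orphan:/bin/bash'
GROUP_SAMPLE='dmitriano:x:1000:
slogpost:x:1001:www-data,bak,ghost
www-data:x:33:
bak:x:1032:'

# check_users_groups PASSWD_FILE GROUP_FILE
# Prints one problem per line; returns 1 if any problem was found, else 0.
check_users_groups() {
    awk -F: -v group_file="$2" '
        BEGIN {
            # Index the group file: gid -> group name, plus every (group, member) pair.
            while ((getline line < group_file) > 0) {
                split(line, g, ":")
                gid_name[g[3]] = g[1]
                n = split(g[4], m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") member[g[1] SUBSEP m[i]] = 1
            }
            close(group_file)
        }
        {
            user[$1] = 1
            if (!($3 in uid_owner)) uid_owner[$3] = $1
            else { print "duplicate uid " $3 ": " uid_owner[$3] " and " $1; bad = 1 }
            if (!($4 in gid_name)) { print "user " $1 ": primary gid " $4 " not in group file"; bad = 1 }
        }
        END {
            for (k in member) {
                split(k, p, SUBSEP)
                if (!(p[2] in user)) { print "group " p[1] ": member " p[2] " not in passwd"; bad = 1 }
            }
            exit (bad ? 1 : 0)
        }' "$1"
}

# Writes the constructed samples to DIR/passwd and DIR/group.
write_samples() {
    printf '%s\n' "$PASSWD_SAMPLE" > "$1/passwd"
    printf '%s\n' "$GROUP_SAMPLE" > "$1/group"
}

dir=$(mktemp -d); write_samples "$dir"
check_users_groups "$dir/passwd" "$dir/group" || echo "fix the copied files before creating home directories"
```

Members that are system users (www-data here) must also exist on the new machine's own /etc/passwd, so run it against the merged files there, not only against the copied lines.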
Enabling the Firewall
sudo ufw allow ssh
sudo ufw enable
Running OpenVPN
git clone https://github.com/dmitriano/dockovpn.git
sudo docker build -t alekslitvinenk/openvpn dockovpn
export MY_IP=$(curl -s https://api.ipify.org)
sudo docker run -it --rm --cap-add=NET_ADMIN -p 1194:1194/udp -e HOST_ADDR=$MY_IP --name dockovpn alekslitvinenk/openvpn
sudo docker inspect dockovpn | grep IPAddress
wget -O client.ovpn http://172.17.0.2:8080
sudo ufw allow 1194/udp
Copying the certificates
Archived the certificates on the old machine and copied them to the new machine:
cd /etc/
sudo tar czf ~/work/bak/letsencrypt.tar.gz letsencrypt/
scp ~/work/bak/letsencrypt.tar.gz dmitriano@$NEW_IP:/home/dmitriano/work/bak/
Extracted them on the new machine:
cd /etc/
sudo tar xzf ~/work/bak/letsencrypt.tar.gz
Installing Squid
sudo apt install squid-openssl
sudo ufw allow 3128/tcp
telnet $NEW_IP 3128
Filtered comments and empty lines out of the Squid config:
grep -Ev "^[[:blank:]]*(#|$)" squid.conf.bak > squid.conf
And tested that it works over HTTP with the following config:
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny to_localhost
http_access deny to_linklocal
include /etc/squid/conf.d/*.conf
#http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern . 0 20% 4320
From my Windows 10 machine:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --proxy-server=172.236.29.157:3128
And with curl:
curl -x developernote.com:3128 --proxy-user guest:<password> -L http://api.ipify.org/
Enabled HTTPS:
sudo apt install apache2-utils
sudo htpasswd -Bc /etc/squid/squid-password guest
sudo ufw delete allow 3128/tcp
sudo ufw allow 3129/tcp
Updated the config as follows:
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid-password
acl guests proxy_auth REQUIRED
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny to_localhost
http_access deny to_linklocal
http_access allow guests
include /etc/squid/conf.d/*.conf
#http_access deny all
http_port 3128
#https_port 3129 tls-cert=/etc/letsencrypt/live/developernote.com/fullchain.pem tls-key=/etc/letsencrypt/live/developernote.com/privkey.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
#sslcrtd_program /lib/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB
https_port 3129 connection-auth=off tls-cert=/etc/letsencrypt/live/developernote.com/fullchain.pem tls-key=/etc/letsencrypt/live/developernote.com/privkey.pem
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern . 0 20% 4320
and tested it with curl:
curl -x https://developernote.com:3129 --proxy-user guest:<password> -L https://api.ipify.org/
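Both configs above leave "http_access deny all" commented out. Squid applies the opposite of the last http_access rule to any request that matches no rule, so the HTTP-only config (last rule "deny to_linklocal") lets anyone through on 3128, while the authenticated config (last rule "allow guests") denies unauthenticated clients. The following checker is an added example, not part of the original notes: it applies the same comment filter used above and reports the implicit default. The sample config is constructed from the HTTP-only rules.

```shell
#!/bin/sh
# Constructed sample: the http_access rules of the HTTP-only config above, with
# "http_access deny all" left commented out exactly as on this page.
SQUID_CONF_SAMPLE='acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl SSL_ports port 443
acl Safe_ports port 80 # http
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny to_localhost
http_access deny to_linklocal
include /etc/squid/conf.d/*.conf
#http_access deny all
http_port 3128'

# squid_check_access SQUID_CONF
# Squid applies the opposite of the LAST http_access rule to a request that
# matches no rule, so a list ending in a deny other than "deny all" allows
# everyone else. Prints the implicit default; returns 1 when it is "allow".
# Caveat: rules pulled in by "include" lines are not followed here.
squid_check_access() {
    # Same filter as used on this page: drop comments and blank lines first,
    # so a commented-out "deny all" does not count.
    last=$(grep -Ev '^[[:blank:]]*(#|$)' "$1" |
        awk '$1 == "http_access" { rule = $2 " " $3 } END { print rule }')
    case "$last" in
        "deny all")
            echo "unmatched requests: deny (explicit deny all)"; return 0 ;;
        allow\ *)
            echo "unmatched requests: deny (last rule: $last)"; return 0 ;;
        deny\ *)
            echo "unmatched requests: allow (last rule: $last), proxy is open"; return 1 ;;
        *)
            echo "no http_access rules found"; return 1 ;;
    esac
}

# Stand-alone run: the sample as-is, then with the missing terminator appended.
dir=$(mktemp -d)
printf '%s\n' "$SQUID_CONF_SAMPLE" > "$dir/squid.conf"
squid_check_access "$dir/squid.conf"
printf '%s\nhttp_access deny all\n' "$SQUID_CONF_SAMPLE" > "$dir/fixed.conf"
squid_check_access "$dir/fixed.conf"
```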
https://github.com/diladele/squid-ubuntu
The default version of Ubuntu 24.04 noble comes with both squid and squid-openssl packages. If you already installed the squid package, uninstall it first and then install the squid-openssl package.
sudo apt-get install squid-openssl
Enable TLS caching with squid using the https_port directive
https://stackoverflow.com/questions/78235077/enable-tls-caching-with-squid-using-the-https-port-directive
https_port 3129 tls-cert=/etc/squid/squid-ca-cert.pem tls-key=/etc/squid/squid-ca-key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /lib/squid/security_file_certgen -c -s /usr/local/squid/var/cache/squid/ssl_db -M 4MB
https://stackoverflow.com/a/19671392/2394762
grep -Ev "^[[:blank:]]*(#|$)" should filter out both comments and empty lines, as is frequently useful.
https://www.server-world.info/en/note?os=Ubuntu_24.04&p=squid&f=3
htpasswd -Bc /etc/squid/.htpasswd ubuntu
https://wiki.squid-cache.org/Features/Authentication
auth_param basic program /usr/local/squid/bin/ncsa_auth /usr/local/squid/etc/passwd
squid error:transaction-end-before-headers – HIER_NONE
https://serverfault.com/questions/1059944/configuring-squid-to-not-log-tcp-connections-lots-of-errortransaction-end-bef
https://community.ipfire.org/t/lots-of-none-none-000-0-error-transaction-end-before-headers-hier-none-error-messages-in-the-squid-log/9548
https://stackoverflow.com/questions/9445489/performing-http-requests-with-curl-using-proxy
curl -x http://proxy_server:proxy_port --proxy-user username:password -L http://url
How to persist data with docker compose
https://dev.to/darkmavis1980/how-to-persist-data-with-docker-compose-ik8
Bind mounts vs Volumes