Tuesday, December 15, 2015

Trunking Elastix to Yeastar

Elastix server is at 76.79.56.227, and the customer’s PBX is at 10.1.132.7.  Connectivity between sites is managed via SmartRouter L2TP VPN connections.  On the customer side, there is a route saying 76.79.56.227 lives on the VPN, not across the public internet.  This allows full intercommunication between servers without any NAT, which is imperative.
That all said, here are my settings — On the Yeastar MyPBX side:

MyPBX Trunk

And then the Elastix side:
Elastix Trunk

Note this is all being done without any username or password.  This is because EACH SIDE trusts the IP address of the other.  This technique could not be used securely with a dynamic IP address on either side.
Now that the trunk is there, I need to set up routing.  I’m going to have each side have a prefix to route calls to extensions on the other side.  In my case, users of the Elastix public server can dial 132 + any 3-digit extension on the MyPBX.  Putting the “132” in the “prefix” box instructs Elastix to strip the 132 off the number before sending it to the trunk.  This makes MyPBX just see an extension number when it rings in, which is exactly what I want.

Elastix Route


And this wasn't really necessary, but I figured I'd let the users of the MyPBX system call users on the public server while I was at it. In this case, I'm going to have them dial 555 + any four-digit extension for users on the Elastix server:
MyPBX Route
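The same trunk and routing expressed as Asterisk chan_sip and dial plan text, added here as an example and not taken from the author's screenshots. Because the peer carries no secret, the permit/deny pair pins it to the single VPN address, and the 132 prefix is stripped with ${EXTEN:3}; the context names from-mypbx, from-internal-custom and ext-local are assumed (the latter two are FreePBX conventions).

```ini
; sip_custom.conf: trunk to the customer's MyPBX, trusted by source address only
[mypbx]
type=peer
host=10.1.132.7                   ; customer PBX, reached over the L2TP VPN (no NAT)
context=from-mypbx                ; inbound calls from the trunk land here (assumed name)
insecure=invite                   ; do not challenge INVITEs: there is no shared secret...
deny=0.0.0.0/0.0.0.0              ; ...so only packets from exactly this address may use the peer
permit=10.1.132.7/255.255.255.255
nat=no                            ; both sides talk directly across the VPN
qualify=yes                       ; OPTIONS pings mark the trunk unreachable when the VPN drops

; extensions_custom.conf: Elastix users dial 132 + a 3-digit extension; the 132 is stripped
[from-internal-custom]
exten => _132XXX,1,Dial(SIP/mypbx/${EXTEN:3})
 same => n,Hangup()

; calls arriving from MyPBX (the 555 prefix is already stripped on that side) may only
; reach local extensions, never this server's own outbound trunks
[from-mypbx]
exten => _XXXX,1,Goto(ext-local,${EXTEN},1)
```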

Sunday, December 13, 2015

Reset the root GUI password on Diladele

1. Copy the database file /var/opt/qlproxy/db/qlproxy.sqlite.
2. Edit qlproxy.sqlite with sqlexpresslite.

Change the value in the main.auth_user table to:

pbkdf2_sha256$12000$flbDn9Ag2hU7$r528LZySkEkzxBV1RQxc/SWlc5G4LMsQVwcmxBWlKgU=

This is the hash of the password P@ssw0rd.

Save and upload it back, then try to log in.
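Rather than pasting the shared hash above into the database, you can generate a fresh one for a password of your own in the same layout and confirm it verifies. Added example, not Diladele's code: it reproduces the Django pbkdf2_sha256 hasher format the string above uses (algorithm$iterations$salt$base64 digest); the hash from the post is included only as a sample to parse.

```python
import base64
import hashlib
import hmac
import secrets
import string

ALGORITHM = "pbkdf2_sha256"
# Hash string from the post above, used here only as a sample to parse and verify against.
POST_HASH = "pbkdf2_sha256$12000$flbDn9Ag2hU7$r528LZySkEkzxBV1RQxc/SWlc5G4LMsQVwcmxBWlKgU="


def parse_hash(encoded):
    """Split algorithm$iterations$salt$digest into (iterations, salt, raw digest bytes)."""
    algorithm, iterations, salt, b64digest = encoded.split("$", 3)
    if algorithm != ALGORITHM:
        raise ValueError("unsupported algorithm: %r" % algorithm)
    return int(iterations), salt, base64.b64decode(b64digest)


def make_hash(password, salt=None, iterations=12000):
    """Build a hash in the same layout; a fresh 12-character random salt is used unless given."""
    if salt is None:
        alphabet = string.ascii_letters + string.digits
        salt = "".join(secrets.choice(alphabet) for _ in range(12))
    if "$" in salt:
        raise ValueError("salt must not contain the '$' separator")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt.encode("utf-8"), iterations)
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt,
                            base64.b64encode(digest).decode("ascii"))


def verify_password(password, encoded):
    """Recompute PBKDF2 with the stored salt and iteration count; compare in constant time."""
    iterations, salt, expected = parse_hash(encoded)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt.encode("utf-8"), iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    print("post hash verifies P@ssw0rd:", verify_password("P@ssw0rd", POST_HASH))
    # paste a value like this into main.auth_user instead of the shared one above
    print("fresh hash:", make_hash("choose-your-own-password"))
```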

Tuesday, December 1, 2015

Install Plex server on OpenMediaVault

Just install OMV Extras; in OMV Extras there is a Plex repo that needs to be enabled.

How to install OMV Extras:
  1. wget http://omv-extras.org/openmediavault-omvextrasorg_latest_all.deb
  2. dpkg -i openmediavault-omvextrasorg_latest_all.deb
  3. apt-get update

openmediavault 2.1 error: Package apt-transport-https is not installed

root@openmediavault:/# dpkg -i openmediavault-omvextrasorg_latest_all.deb
Selecting previously unselected package openmediavault-omvextrasorg.
(Reading database ... 40854 files and directories currently installed.)
Unpacking openmediavault-omvextrasorg (from openmediavault-omvextrasorg_latest_all.deb) ...
dpkg: dependency problems prevent configuration of openmediavault-omvextrasorg:
openmediavault-omvextrasorg depends on apt-transport-https; however:
Package apt-transport-https is not installed.

dpkg: error processing openmediavault-omvextrasorg (--install):
dependency problems - leaving unconfigured
Processing triggers for openmediavault ...
Restarting engine daemon ...
Errors were encountered while processing:


Solution:
 apt-get -f install

Then continue installing the Plex server.

Sunday, November 8, 2015

"Default Server: UnKnown" error from NSLOOKUP on Windows

The reason for this is that your DNS server does not have a record for itself, or simply does not know its own name. Creating a static PTR entry fixes this and lets the DNS server learn its own name.


1. Open the DNS management console on Server 2008:
        Start > Administrative Tools > DNS

2. Go to your Reverse Lookup Zone icon, right-click it and select "New Pointer (PTR)".

3. In the New PTR window, enter the IP address of the DNS server and enter (or select) the host name of the server.

4. Click OK and restart the DNS Server service.

Thursday, October 8, 2015

Configure NAS4Free with HA

NAS4Free high-availability iSCSI failover for a VMware server.

This post shows how to install and set up a NAS4Free server as iSCSI storage for your ESXi/ESX VMware server.
NAS4Free is based on FreeBSD and has all the services required to act as a highly available storage server (HAST and CARP).
You can of course also use this solution on your network as highly available storage or as a Windows CIFS/Samba server, if you adjust the services on NAS4Free.
I'll stick to the iSCSI setup first; later we will show you how to set up NFS and Windows (Samba) shares.

The setup used here:
Node1 primary IP address for serving iSCSI and CARP services: 192.168.101.165
Node1 secondary IP address for HAST synchronisation: 172.16.100.1
Node2 primary IP address for serving iSCSI and CARP services: 192.168.101.166
Node2 secondary IP address for HAST synchronisation: 172.16.100.2
Virtual IP address (CARP address) for the iSCSI service: 192.168.101.167
Node1 host name: has1
Node2 host name: has2
Install both nodes with the latest NAS4Free edition.
– Change the node names according to your setup, for example: node1 and node2.

hostname

– Add the node names to the hosts file on both nodes.
hosts
– Set up the CARP service under Network/Interface management:

carp1
– Advertisement skew on has1 node: 0
– Advertisement skew on has2 node: 10
If the has1 node dies, the has2 node will take over all the services.

carp2
You must use the same link up and link down actions on both nodes, otherwise the switchover won't work properly!
So everything should be the same except the advertisement skew value.
Next step: set up the HAST service:

hast1
hast3

As you can see here, the second network interface card is used for HAST synchronisation, not the main interface.
After you set up the HAST service, reboot both nodes; for some reason Apply won't start the services.
– Switch on the SSH service and SSH into both nodes.
On the master issue these commands:
hastctl role init disk1
hastctl create disk1
hastctl role primary disk1
On the slave issue these commands:
hastctl role init disk1
hastctl create disk1
hastctl role secondary disk1
Check both nodes with: hastctl status
Then configure ZFS.
On the master:
Add disks (Disks->Management)
disk1: N/A (HAST device)
Advanced Power Management: Level 254
Acoustic level: Maximum performance
S.M.A.R.T.: Checked
Preformatted file system: ZFS storage pool device
Format as zfs (Disks->Format)
Add ZFS Virtual Disks (Disks->ZFS->Pools->Virtual Device)
Add Pools(Disks->ZFS->Pools->Management)
Add a PostInit script on both nodes under the System/Advanced/Command scripts tab:
/usr/local/sbin/carp-hast-switch slave
Shut down the master and on the slave import the pool through the GUI (tab: ZFS/Configuration/Detected).
Then synchronise the pool on the slave!
When finished on the slave, start the master and switch the VIP back to the master.
zpool status disk1
hastctl status

Troubleshooting commands from an SSH terminal:
zpool status
########

nast1: ~ # zpool status mvda0
  pool: mvda0
 state: UNAVAIL
status: One or more devices are faulted in response to IO failures.
action: Make sure the affected devices are connected, then run ‘zpool clear’.
   see: http://illumos.org/msg/ZFS-8000-HC
  scan: none requested
config:
        NAME                   STATE     READ WRITE CKSUM
        mvda0                  UNAVAIL      0     0     0
          2144332937472371213  REMOVED      0     0     0  was /dev/hast/hast
#########
If the status is UNAVAIL then you could try:

zpool clear <pool name>

This will scan and scrub the local disks.
#########
nast1: ~ # zpool status mvda0
  pool: mvda0
 state: ONLINE
status: One or more devices has experienced an error resulting in data
        corruption.  Applications may be affected.
action: Restore the file in question if possible.  Otherwise restore the
        entire pool from backup.
   see: http://illumos.org/msg/ZFS-8000-8A
  scan: scrub in progress since Mon Jun  2 15:26:25 2014
        1.19G scanned out of 1.43G at 28.3M/s, 0h0m to go
        0 repaired, 82.75% done
config:
        NAME         STATE     READ WRITE CKSUM
        mvda0        ONLINE       0     0     0
          hast/hast  ONLINE       0     0     0
#########
Then check the pool again:
zpool status

#########
nast1: ~ # zpool status
  pool: mvda0
 state: ONLINE
  scan: scrub repaired 0 in 0h0m with 0 errors on Mon Jun  2 15:27:17 2014
config:
        NAME         STATE     READ WRITE CKSUM
        mvda0        ONLINE       0     0     0
          hast/hast  ONLINE       0     0     0

#########
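A small check that parses the two zpool status captures above and reports what an operator would read off them (the UNAVAIL pool with its REMOVED HAST device, and the scrub still in progress). Added example, not part of the original post; the samples are copies of the outputs above with straight quotes.

```python
import re

# Sample outputs, reproduced from the two zpool status captures above (constructed
# copies with straight quotes so they sit inside a Python string).
SAMPLE_UNAVAIL = """\
  pool: mvda0
 state: UNAVAIL
status: One or more devices are faulted in response to IO failures.
action: Make sure the affected devices are connected, then run 'zpool clear'.
   see: http://illumos.org/msg/ZFS-8000-HC
  scan: none requested
config:
        NAME                   STATE     READ WRITE CKSUM
        mvda0                  UNAVAIL      0     0     0
          2144332937472371213  REMOVED      0     0     0  was /dev/hast/hast
"""

SAMPLE_SCRUB = """\
  pool: mvda0
 state: ONLINE
  scan: scrub in progress since Mon Jun  2 15:26:25 2014
        1.19G scanned out of 1.43G at 28.3M/s, 0h0m to go
        0 repaired, 82.75% done
config:
        NAME         STATE     READ WRITE CKSUM
        mvda0        ONLINE       0     0     0
          hast/hast  ONLINE       0     0     0
"""

DEV_STATES = "ONLINE|DEGRADED|FAULTED|UNAVAIL|REMOVED|OFFLINE"
# one vdev/device row inside the config: section, with an optional trailing note
DEV_RE = re.compile(r"^\s+(\S+)\s+(%s)\s+(\d+)\s+(\d+)\s+(\d+)(?:\s+(.*))?$" % DEV_STATES)
PCT_RE = re.compile(r"(\d+(?:\.\d+)?)% done")


def parse_zpool_status(text):
    """Turn the text of `zpool status <pool>` into pool state, scan info and device rows."""
    info = {"pool": None, "state": None, "scan": None, "scrub_pct": None, "devices": []}
    in_config = False
    for line in text.splitlines():
        stripped = line.strip()
        key, _, value = stripped.partition(":")
        if not in_config and key in ("pool", "state", "scan"):
            info[key] = value.strip()
        elif stripped.startswith("config:"):
            in_config = True
        elif in_config:
            m = DEV_RE.match(line)
            if m:
                info["devices"].append({
                    "name": m.group(1), "state": m.group(2),
                    "read": int(m.group(3)), "write": int(m.group(4)),
                    "cksum": int(m.group(5)), "note": (m.group(6) or "").strip(),
                })
        pct = PCT_RE.search(stripped)
        if pct:
            info["scrub_pct"] = float(pct.group(1))
    return info


def pool_findings(info):
    """Return (level, message) pairs: 'error' for faults, 'info' for a running scrub."""
    findings = []
    if info["state"] != "ONLINE":
        findings.append(("error", "pool %s is %s" % (info["pool"], info["state"])))
    for dev in info["devices"]:
        if dev["state"] != "ONLINE":
            note = " (%s)" % dev["note"] if dev["note"] else ""
            findings.append(("error", "device %s is %s%s" % (dev["name"], dev["state"], note)))
        if dev["read"] or dev["write"] or dev["cksum"]:
            findings.append(("error", "device %s has errors: read=%d write=%d cksum=%d"
                             % (dev["name"], dev["read"], dev["write"], dev["cksum"])))
    if info["scan"] and "in progress" in info["scan"]:
        findings.append(("info", "scrub still running (%s%% done)" % info["scrub_pct"]))
    return findings


def pool_healthy(info):
    """True when nothing at 'error' level was found (a running scrub is only informational)."""
    return not any(level == "error" for level, _ in pool_findings(info))


if __name__ == "__main__":
    for sample in (SAMPLE_UNAVAIL, SAMPLE_SCRUB):
        parsed = parse_zpool_status(sample)
        print(parsed["pool"], parsed["state"], pool_findings(parsed) or "healthy")
```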
Recreate the sync on the disks, or resolve a split brain:
On the master issue these commands:
hastctl role init disk1
hastctl create disk1
hastctl role primary disk1
On the slave issue these commands:
hastctl role init disk1
hastctl create disk1
hastctl role secondary disk1
If you lost sync because of a disk error or a network error, you can recreate the sync between the HAST disk(s).
Just recreate the roles and the nodes will start syncing the data (use the commands above). Be careful with the roles and the nodes; don't mix them up!
If you recreate the roles and the disks, you won't lose any data. It will only start syncing the disk(s); it won't overwrite data.
If it is a split-brain scenario, you should decide which node has the newer data and issue the above commands accordingly. So for example, if the secondary node has newer data than the primary, you should issue role primary on the secondary node and role secondary on the primary node, and vice versa.

Wednesday, October 7, 2015

Add an external HDD to Proxmox

Do these steps:

1. Add the physical hard disk to your machine.
2. # fdisk -l
The secondary hard disk will show up as /dev/sdb.

3. Create the physical volume:
pvcreate /dev/sdb

4. Create the volume group:
vgcreate backup1 /dev/sdb

* To remove it, use the command: vgreduce backup1 /dev/sdb

5. Create the LVM group via the web config.


Good luck

Monday, September 14, 2015

Zimbra dnscache error

Solution for the duplicate DNS port 53 conflict (remove dnscache from the server's enabled services and restart):

zmprov ms `zmhostname` -zimbraServiceEnabled dnscache
zmcontrol restart

Tuesday, June 16, 2015

Restart a Windows server from an admin console

Force-restart a Windows server from an admin console:

shutdown /r /f /t 0 /m \\<server IP address>

If I have a server at a colocation site, I need to reboot it remotely because Remote Desktop has failed.

I need to reboot TechieswebLAB1 with:
  1. Open the TechieswebLAB1 C drive using a UNC path:
  • Open Windows Run and enter
  • \\techieswebLAB1\c$
  • On the credential window supply the TechieswebLAB1 Administrator user name and password (a privileged user credential with permission to reboot/shut down).
  • This will store/cache the credential details on my computer.

  2. Open Windows Run and type the command "shutdown /i"; a window opens to enter the details of the remote computer that we need to reboot.

Monday, June 1, 2015

OMV failed iSCSI target


Failed to execute command 'export LANG=C; invoke-rc.d 'iscsitarget' start 2>&1': Starting iSCSI enterprise target service:FATAL: Module iscsi_trgt not found. failed!

Do the following:
  1. apt-get install module-assistant debhelper build-essential
  2. m-a a-i iscsitarget

Tuesday, May 26, 2015

OMV upgrade

    1. To make sure you're running the latest OMV 0.5 version, run this command:
       apt-get update && apt-get dist-upgrade && omv-update
    2. Type in the following command via the CLI:
       omv-release-upgrade
    3. Reboot.
    4. Done.

Thursday, April 23, 2015

Set up a MikroTik P2P link

Creating a Point to Point (P2P) link using MikroTik equipment

This tutorial/guide will walk you through setting up a point-to-point (P2P) link between two MikroTik RouterOS devices. Both devices must have a wireless interface, an Ethernet interface and sufficient antenna gain and directionality for whatever link distance you are trying to establish. The RBSXT devices are ideal for this type of setup as they have a high-gain directional antenna. Personally I have used these devices with good line of sight to achieve real-world throughput of about 20 Mbps of TCP traffic (one way) at a distance of 8 km. MikroTik do manufacture other devices which are capable of a lot more, but the devices I used were the SXT Lite2 and are only about AUD$55 each.
Let's get to it.
  1. We’ll start with the access point side of this setup, or rather the side that is going to set the SSID, security, channel etc. So start by plugging that in and connecting to it through Winbox or SSH. We’re going to be using Winbox screenshots throughout most of this as Winbox is usually easier to use to visualize what is happening and for those who haven’t done much work with MikroTik before.
  2. After you’re connected up via Winbox, create a new bridge interface by clicking on Bridge on the left hand menu, selecting the Bridge tab and then clicking the plus symbol. You’ll want to give it a name, in this case bridge1 is fine (default when there are no bridges)
    mikrotik create bridge interface
  3. After creating the bridge interface, we will want to create an Ethernet over IP interface. The EoIP interface tunnelling is a MikroTik RouterOS protocol that creates an ethernet tunnel between two routers on top of an IP connection. This is what allows us to bridge all traffic across the link just as if there were a physical Ethernet interface and cable between the two wireless devices. Go to Interfaces in the menu, select the Interface tab and click the blue plus symbol. Select EoIP Tunnel at the top and then fill out some details. You can leave the name as eoip-tunnel1 if you like.
    Set MTU to 1500
    Set Remote Address to 10.8.8.2
    Uncheck ‘Clamp TCP MSS’
    mikrotik create ethernet over ip eoip tunnel
  4. Once that is done, we will want to bridge together a physical ethernet port on our router/wireless MikroTik device and the EoIP tunnel interface for your point to point link. Click on Bridge, select the Ports tab and then click the blue plus symbol. Interface will be eoip-tunnel1 as created in the last step and bridge will be bridge1 as we set earlier. Click OK.
    bridge eoip tunnel mikrotik routeros
  5. Let’s do the exact same thing we did in Step 4, except choose ether1  (or whatever ethernet port you want to connect to the other end)  in the interface list, and bridge1 in the bridge list. Click OK.
  6. Next we will set a firewall rule. Click on IP -> Firewall in the menu and then select the Mangle tab. Click the blue plus symbol for a new rule and select ‘input’ as the Chain. Click on the Action tab and then set the following:
    Action = set priority
    New Priority = from dscp
    Click OK
    mikrotik routeros set priority dscp firewall
  7. Let’s add in some IP addresses now. Head to IP -> Addresses in the menu and click on the blue plus symbol. We’re going to set the IP address of this wlan interface to 10.8.8.1/30 (similarly how we set the remote address to 10.8.8.2 in Step 3 as that will be at the other end). Click OK and then click the blue plus symbol again and set the IP address of the bridge1 interface. This can be whatever you please and will be the address the router responds to when you are connected to either end of the network via LAN. An example address is below
    mikrotik routeros add ip addres wlan1 mikrotik routeros add ip address bridge1
  8. Now we will setup the wireless interface. Head to Interfaces in the menu and choose the Interface tab. Select the wireless interface you want to use to create the point to point link and double click on it. Click on Advanced Mode in the sidebar and set the following settings. Please note the following:
    Radio name will generally be the MAC address of your radio; you can leave this as is
    SSID can be set to whatever you like, we use gate-link in this example but please remember it for the other end
    Frequency can be set to whatever you like (subject to your country's laws); we use 2472 in this example but please remember it for the other end
    Mode must be bridge
    Choose a 20/40MHz HT Above Channel Width for good performance. You can tinker with these later.
    Country should be set to your country
    Please set the Antenna Gain to that of the antenna you are using, so you do not exceed your country's power limits
    Wireless protocol should be nv2
    mikrotik routeros set wlan1 settings wireless
  9. Click on the 'NV2' tab at the top so that we can set a password. Set the Preshared key to whatever you like (remember this for later) and click OK.
    mikrotik routeros set nv2 wireless security
  10. OK! Now we are all setup on the AP side for our point to point link. Let’s head over to the station side (the other end of the link) and fire up that router. Connect into it via Winbox and we will repeat a lot of the steps we have gone through here.
  11. After you’re connected up via Winbox, create a new bridge interface by clicking on Bridge on the left hand menu, selecting the Bridge tab and then clicking the plus symbol. You’ll want to give it a name, in this case bridge1 is fine (default when there are no bridges)
    mikrotik create bridge interface
  12. After creating the bridge interface, we will want to create an Ethernet over IP interface like we did earlier. Go to Interfaces in the menu, select the Interface tab and click the blue plus symbol. Select EoIP Tunnel at the top and then fill out some details. You can leave the name as eoip-tunnel1 if you like.
    Set MTU to 1500
    Set Remote Address to 10.8.8.1
    Uncheck ‘Clamp TCP MSS’
    mikrotik routeros setup eoip tunnel
  13. Once that is done, we will want to bridge together a physical ethernet port on our router/wireless MikroTik device and the EoIP tunnel interface. Click on Bridge, select the Ports tab and then click the blue plus symbol. Interface will be eoip-tunnel1 as created in the last step and bridge will be bridge1 as we set earlier. Click OK.
  14. Let’s do the exact same thing we did in Step 13, except choose ether1  (or whatever ethernet port you want to connect to the other end)  in the interface list, and bridge1 in the bridge list. Click OK.
  15. Next we will set a firewall rule for the point to point. Click on IP -> Firewall in the menu and then select the Mangle tab. Click the blue plus symbol for a new rule and select ‘input’ as the Chain. Click on the Action tab and then set the following:
    Action = set priority
    New Priority = from dscp
    Click OK
    mikrotik routeros set priority dscp firewall
  16. Let’s add in some IP addresses now. Head to IP -> Addresses in the menu and click on the blue plus symbol. We’re going to set the IP address of this wlan interface to 10.8.8.2/30 (similarly how we set the remote address to 10.8.8.1 in Step 12 as that will be at the other end). Click OK and then click the blue plus symbol again and set the IP address of the bridge1 interface. This can be whatever you please and will be the address the router responds to when you are connected to either end of the network via LAN. An example address is below
    mikrotik routeros set ip addresses
  17. Now we will setup the wireless interface for your point to point link. Head to Interfaces in the menu and choose the Interface tab. Select the wireless interface you want to use to receive the point to point link and double click on it. Click on Advanced Mode in the sidebar and set the following settings. Please note the following:
    Radio name will generally be the MAC address of your radio; you can leave this as is
    SSID must be the same as you set at the other end in Step 8.
    Frequency can be set to whatever you like (subject to your country's laws); we use 2472 in this example. This needs to be the same as you set in Step 8.
    Mode must be station
    Choose a 20/40MHz HT Above Channel Width for good performance. You can tinker with these later. This needs to be the same as you set in Step 8.
    Country should be set to your country
    Please set the Antenna Gain to that of the antenna you are using, so you do not exceed your country's power limits
    Wireless protocol should be nv2
    mikrotik routeros setup point to point station link
  18. Click on the 'NV2' tab at the top so that we can set the password we used before. Set the Preshared key to the same as in Step 9 and click OK.
    mikrotik routeros set nv2 wireless security
  19. OK! Now we are all setup on the client or station side. Everything should be good to go if you plugin both routers and point them at each other (depending on your antenna types).
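The same two-ended build as RouterOS console commands, added here as an example and not taken from the original post: the AP lines correspond to Steps 2 to 9 and the station lines to Steps 11 to 18. The tunnel-id (which must match on both ends), the bridge1 addresses, the country and the antenna gain are placeholders to adjust, and the NV2 preshared key must be replaced with your own on both ends.

```routeros
# ---- AP side (this end sets the SSID, frequency and NV2 key) ----
/interface bridge add name=bridge1
# tunnel-id is assumed here; it has to be identical on both ends of the EoIP tunnel
/interface eoip add name=eoip-tunnel1 remote-address=10.8.8.2 tunnel-id=1 mtu=1500 clamp-tcp-mss=no
/interface bridge port add bridge=bridge1 interface=eoip-tunnel1
/interface bridge port add bridge=bridge1 interface=ether1
/ip firewall mangle add chain=input action=set-priority new-priority=from-dscp
/ip address add address=10.8.8.1/30 interface=wlan1
# LAN-side management address for this end (placeholder)
/ip address add address=192.168.88.1/24 interface=bridge1
# country and antenna-gain are placeholders: use your own regulatory domain and antenna
/interface wireless set wlan1 mode=bridge ssid=gate-link frequency=2472 band=2ghz-b/g/n \
    channel-width=20/40mhz-ht-above wireless-protocol=nv2 country=australia antenna-gain=10 \
    nv2-security=enabled nv2-preshared-key="CHANGE-ME-to-a-long-random-key" disabled=no

# ---- station side: mirror image with mode=station and the same SSID, frequency, width, key ----
/interface bridge add name=bridge1
/interface eoip add name=eoip-tunnel1 remote-address=10.8.8.1 tunnel-id=1 mtu=1500 clamp-tcp-mss=no
/interface bridge port add bridge=bridge1 interface=eoip-tunnel1
/interface bridge port add bridge=bridge1 interface=ether1
/ip firewall mangle add chain=input action=set-priority new-priority=from-dscp
/ip address add address=10.8.8.2/30 interface=wlan1
/ip address add address=192.168.88.2/24 interface=bridge1
/interface wireless set wlan1 mode=station ssid=gate-link frequency=2472 band=2ghz-b/g/n \
    channel-width=20/40mhz-ht-above wireless-protocol=nv2 country=australia antenna-gain=10 \
    nv2-security=enabled nv2-preshared-key="CHANGE-ME-to-a-long-random-key" disabled=no
```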

Tuesday, April 21, 2015

Sample VLAN configuration on an HP ProCurve



ProCurve Switch 2810-48G# conf t
ProCurve Switch 2810-48G(config)# vlan  100
ProCurve Switch 2810-48G(vlan-100)# untagged 1-11
ProCurve Switch 2810-48G(vlan-100)# tagged 24
ProCurve Switch 2810-48G(vlan-100)# exit
ProCurve Switch 2810-48G(config)# conf  t
ProCurve Switch 2810-48G(config)# vlan 200 name "VLAN200"
ProCurve Switch 2810-48G(config)# vlan 200
ProCurve Switch 2810-48G(vlan-200)# untagged 13-16
ProCurve Switch 2810-48G(vlan-200)# tagged 24
ProCurve Switch 2810-48G(vlan-200)# exit
ProCurve Switch 2810-48G(config)# sh ru
ProCurve Switch 2810-48G# sh ru

Running configuration:
; J9022A Configuration Editor; Created on release #N.11.06
hostname "ProCurve Switch 2810-48G"
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 12,17-48
   ip address dhcp-bootp
   no untagged 1-11,13-16
   exit
vlan 100
   name "VLAN100"
   untagged 1-11
   no ip address
   tagged 24
   exit
vlan 200
   name "VLAN200"
   untagged 13-16
   no ip address
   tagged 24
   exit
ProCurve Switch 2810-48G# wr mem
ProCurve Switch 2810-48G# sh vlan
 Status and Counters - VLAN Information
  Maximum VLANs to support : 8
  Primary VLAN : DEFAULT_VLAN
  Management VLAN :
  802.1Q VLAN ID Name         Status       Voice Jumbo
  -------------- ------------ ------------ ----- -----
  1              DEFAULT_VLAN Port-based   No    No
  100            VLAN100      Port-based   No    No
  200            VLAN200      Port-based   No    No

To configure an IP address for VLANs 100 and 200, see below:
ProCurve Switch 2810-48G# conf t
ProCurve Switch 2810-48G(config)# vlan 100
ProCurve Switch 2810-48G(vlan-100)# ip address 10.15.15.200 255.255.255.0
ProCurve Switch 2810-48G(vlan-100)# exit
ProCurve Switch 2810-48G(config)# vlan 200
ProCurve Switch 2810-48G(vlan-200)# ip address 10.15.16.200 255.255.255.0
ProCurve Switch 2810-48G(vlan-200)# sh vlan
 Status and Counters - VLAN Information
  Maximum VLANs to support : 8
  Primary VLAN : DEFAULT_VLAN
  Management VLAN :
  802.1Q VLAN ID Name         Status       Voice Jumbo
  -------------- ------------ ------------ ----- -----
  1              DEFAULT_VLAN Port-based   No    No
  100            VLAN100      Port-based   No    No
  200            VLAN200      Port-based   No    No
ProCurve Switch 2810-48G(vlan-200)# sh ru
Running configuration:
; J9022A Configuration Editor; Created on release #N.11.06
hostname "ProCurve Switch 2810-48G"
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 12,17-48
   ip address dhcp-bootp
   no untagged 1-11,13-16
   exit
vlan 100
   name "VLAN100"
   untagged 1-11
   ip address 10.15.15.200 255.255.255.0
   tagged 24
   exit
vlan 200
   name "VLAN200"
   untagged 13-16
   ip address 10.15.16.200 255.255.255.0
   tagged 24
   exit
ProCurve Switch 2810-48G(vlan-200)#


ip route 192.168.5.0 255.255.255.0 10.254.254.1
ip route 192.168.6.0 255.255.255.0 10.254.254.1
ip route 0.0.0.0 0.0.0.0 192.168.4.1

Tuesday, March 24, 2015

One link for an FTP user

Create a single link for an FTP user:

ftp://username:password@<server IP>/<folder or filename>

Tuesday, March 17, 2015

Delay pools and file size limits

Setting up delay pools and limiting download file sizes:


acl admin src "/etc/squid/admin"
#acl management src "/etc/squid/management"
acl staff src 192.168.130.0/24
#
delay_pools 2
delay_class 1 1
delay_parameters 1 -1/-1
delay_access 1 allow admin
#delay_access 1 allow admin management
delay_access 1 deny all
delay_class 2 2
delay_parameters 2 -1/-1 256000/4000000
delay_access 2 allow staff
delay_access 2 deny all

reply_body_max_size 2 GB admin
reply_body_max_size 10 MB staff

Thursday, March 12, 2015

Limit download size in Squid

vi squid.conf

acl t1 src 192.168.254.200
acl t2 src 192.168.254.0/24

http_access allow t1
http_access allow t2

reply_body_max_size 0 allow t1
reply_body_max_size 10 MB allow t2

Monday, March 9, 2015

Squid configuration with SSL filtering

#
# Recommended minimum configuration:
#
via on
#pid filename /var/run/squid.pid
acl query urlpath_regex cgi \?
no_cache deny query
forwarded_for transparent
#forwarded_for truncate

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
acl localnet src 192.168.0.0/16    # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT
visible_hostname proxy-sunter1
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
#http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

dns_nameservers 202.145.0.1
dns_nameservers 202.145.0.2

# And finally deny all other access to this proxy
#http_access deny all

# Squid normally listens to port 3128
http_port 8001
http_port 8002 intercept
https_port 8003 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/certificate/ipeka.org.private cert=/certificate/ipeka.org.cert

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/log/squid/squid_ssldb -M 4MB
sslcrtd_children 20 startup=5 idle=1

#always_direct allow broken_sites
sslproxy_capath /etc/pki/tls/certs
#sslproxy_capath /certificate/
sslproxy_cafile /etc/pki/tls/certs/ca-bundle.crt
#sslproxy_cafile /certificate/ipeka.org.private
#acl broken_sites dstdomain "/etc/squid/broken_sites"
acl broken_sites dstdom_regex -i "/etc/squid/broken_sites"
acl open src "/etc/squid/open-ssl"
always_direct allow broken_sites
ssl_bump none localhost

sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_error allow all
ssl_bump server-first all

icap_enable on
icap_preview_enable on
icap_preview_size 4096
icap_persistent_connections on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Client-Username
icap_service_failure_limit -1
icap_service qlproxy1 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod
icap_service qlproxy2 respmod_precache bypass=0 icap://127.0.0.1:1344/respmod
acl qlproxy_icap_edomains dstdomain "/opt/qlproxy/etc/squid/icap_exclusions_domains.conf"
#acl qlproxy_icap_etypes rep_mime_type "/opt/qlproxy/etc/squid/icap_exclusions_contenttypes.conf"
adaptation_access qlproxy1 allow qlproxy_icap_edomains
#adaptation_access qlproxy2 deny qlproxy_icap_edomains
#adaptation_access qlproxy2 deny qlproxy_icap_etypes
adaptation_access qlproxy1 allow all
adaptation_access qlproxy2 allow all

ssl_bump none broken_sites qlproxy_icap_edomains
# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 1000 16 256
cache allow all
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log stdio:/var/log/squid/access.log
#max_filedesc 4096

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#cache_effective_user squid
#cache_effective_group squid

cache_mem 10 MB
memory_replacement_policy heap LRU
cache_replacement_policy heap LRU
minimum_object_size 0 KB
maximum_object_size_in_memory 4 KB
offline_mode off
cache_swap_low 90
cache_swap_high 95
#cache_dir ufs /var/spool/squid 1000 16 256

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320
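A small linter for the access and bump settings in the configuration above, added here as an example (not part of the original post or of Squid). It flags sslproxy_flags DONT_VERIFY_PEER and sslproxy_cert_error allow all, which together mean the proxy re-signs whatever certificate the origin side presents without checking it, and the commented-out http_access deny !Safe_ports and http_access deny all lines; a hardened copy of the same policy is included to show the linter passing it.

```python
# Excerpt of the directives from the configuration above (constructed copy; the
# commented-out lines are kept so the linter has to skip them).
POSTED_CONF = """\
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
#http_access deny !Safe_ports
http_access allow localnet
http_access allow localhost
#http_access deny all
https_port 8003 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/certificate/ipeka.org.private cert=/certificate/ipeka.org.cert
ssl_bump none localhost
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_error allow all
ssl_bump server-first all
"""

# The same access and bump policy with the weak settings removed.
HARDENED_CONF = """\
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
https_port 8003 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/certificate/ipeka.org.private cert=/certificate/ipeka.org.cert
ssl_bump none localhost
ssl_bump server-first all
"""


def parse_directives(text):
    """Return (directive, args) for every active line; '#' starts a comment anywhere."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        args = parts[1].split() if len(parts) > 1 else []
        directives.append((parts[0], args))
    return directives


def lint_squid_conf(text):
    """Return (severity, directive, explanation) tuples for the risky settings this post uses."""
    findings = []
    directives = parse_directives(text)
    for name, args in directives:
        if name == "sslproxy_flags" and "DONT_VERIFY_PEER" in args:
            findings.append(("high", "sslproxy_flags DONT_VERIFY_PEER",
                             "origin certificates are never verified; with ssl-bump a forged "
                             "upstream certificate is re-signed by the proxy CA and clients see it as valid"))
        if name == "sslproxy_cert_error" and args[:2] == ["allow", "all"]:
            findings.append(("high", "sslproxy_cert_error allow all",
                             "expired, mis-named and untrusted upstream certificates are all accepted"))
    http_access = [args for name, args in directives if name == "http_access"]
    if not http_access or http_access[-1] != ["deny", "all"]:
        findings.append(("medium", "http_access deny all",
                         "no explicit final deny; unmatched requests get the opposite of the last rule"))
    if ["deny", "!Safe_ports"] not in http_access:
        findings.append(("medium", "http_access deny !Safe_ports",
                         "the proxy will relay requests to any port, not just the Safe_ports list"))
    return findings


if __name__ == "__main__":
    for severity, directive, why in lint_squid_conf(POSTED_CONF):
        print("[%s] %s: %s" % (severity, directive, why))
    print("hardened copy findings:", lint_squid_conf(HARDENED_CONF))
```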

Linux Enable IP Forwarding

Open the /etc/sysctl.conf file in a text editor:
# vi /etc/sysctl.conf
Set net.ipv4.ip_forward to 1:
 
net.ipv4.ip_forward = 1
 
Save and close the file. Reload the changes by typing the following command:
# sysctl -p

Monday, February 16, 2015

Superblock last mount time is in the future (CentOS)

If you come across "Superblock last mount time is in the future" during the boot process on CentOS 6,
add the following to the configuration file /etc/e2fsck.conf:


# Superblock last mount time is in the future (PR_0_FUTURE_SB_LAST_MOUNT).
0x000031 = {
    preen_ok = true
    preen_nomessage = true
}

# Superblock last write time is in the future (PR_0_FUTURE_SB_LAST_WRITE).
0x000032 = {
    preen_ok = true
    preen_nomessage = true
}


 
Hope this helps.

Thursday, February 12, 2015

Set up HTTPS filtering on CentOS

1. Update CentOS

#!/bin/bash
set -e

# update should be done as root
if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi

# update and upgrade
yum -y update

# disable selinux
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config

# and reboot
reboot

2. Install Apache Web Server

#!/bin/bash
set -e

# all web packages are installed as root
if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi

# install python libs
yum -y install python-setuptools python-ldap

# install python django for web ui
easy_install django==1.6.8

# install apache web server to run web ui
yum -y install httpd mod_wsgi

# make apache autostart on reboot
systemctl enable httpd.service

# this fixes some apache errors when working with python-django wsgi
echo "WSGISocketPrefix /var/run/wsgi" >> /etc/httpd/conf.d/wsgi.conf


# and restart apache
service httpd restart

echo "Web requirements installed correctly!"

3. Install Diladele Web Safety

#!/bin/bash

# all packages are installed as root
if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi

# bail out on any error
set -e

# get latest qlproxy
curl http://packages.diladele.com/qlproxy/4.0.0.FD85/amd64/release/centos7/qlproxy-4.0.0-FD85.x86_64.rpm > qlproxy-4.0.0-FD85.x86_64.rpm

# install it
yum -y --nogpgcheck localinstall qlproxy-4.0.0-FD85.x86_64.rpm

# qlproxy installed everything needed for apache, so just restart
systemctl restart httpd.service

echo "Diladele Web Safety is installed!"

4. Install required build tool
#!/bin/bash

# install all build tools
if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi

# install development packages required
yum install -y gcc-c++ pam-devel db4-devel expat-devel libxml2-devel libcap-devel libtool redhat-rpm-config rpm-build openldap-devel openssl-devel krb5-devel

# squid needs perl and needs additional perl modules not present by default in CentOS 6
curl http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm > epel-release-6-8.noarch.rpm
rpm -Uvh epel-release-6*.rpm
yum install -y perl-Crypt-OpenSSL-X509


5. Install SQUID

#!/bin/bash

# stop on every error
set -e

# install RPMs as root
if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi

# install stock squid
yum -y install squid

# make squid autostart after reboot
systemctl enable squid.service

echo "Squid RPM is installed successfully"

6. Configure Firewall for transparent Proxy

#!/bin/bash

# firewall setup should be done as root
if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi

# check kernel forwarding is enabled
enabled=`cat /proc/sys/net/ipv4/ip_forward`
if [[ $enabled -ne 1 ]]; then
        echo "Kernel forwarding seems to be disabled, enable it in /etc/sysctl.conf, reboot and rerun this script" 1>&2
        exit 1
fi

# set the default policy to accept first (not to lock ourselves out from remote machine)
iptables -P INPUT ACCEPT

# flush all current rules from iptables
iptables -F

# allow pings from eth0 and eth1 for debugging purposes
iptables -A INPUT -p icmp -j ACCEPT

# allow access for localhost
iptables -A INPUT -i lo -j ACCEPT

# accept packets belonging to established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow ssh connections to tcp port 22 from eth0 and eth1
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# allow connection from LAN to ports 3126, 3127 and 3128 squid is running on
iptables -A INPUT -i eth0 -p tcp --dport 3126 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 3127 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 3128 -j ACCEPT

# redirect all HTTP(tcp:80) traffic coming in through eth0 to 3126
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3126

# redirect all HTTPS(tcp:443) traffic coming in through eth0 to 3127
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127

# configure forwarding rules
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p tcp --sport 22 -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p tcp --sport 80 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited

# enable NAT for clients within LAN
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# set default policies for INPUT, FORWARD (drop) and OUTPUT (accept) chains
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# list created rules
iptables -L -v

# save the rules so that after reboot they are automatically restored
/sbin/service iptables save

# enable the firewall
chkconfig iptables on

# and reboot machine
reboot
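A check for the rules the firewall script above creates, added here as an example and not part of the original post: it scans the text of `iptables-save` for the exact INPUT accepts, PREROUTING redirects and MASQUERADE rule of step 6, so it can be run after the reboot to confirm the saved ruleset was restored. A constructed sample ruleset is embedded so it also runs without root.

```shell
#!/bin/bash
# Added check, not part of the original post: verifies that the rules created by
# the step 6 firewall script are present in `iptables-save` output. The rule text
# below is what iptables-save prints for those rules.

# rule_present <ruleset-text> <rule-line>: exit 0 if the line is present verbatim
rule_present() {
    printf '%s\n' "$1" | grep -qxF -- "$2"
}

# check_proxy_rules <ruleset-text>: prints one status line per required rule and
# returns the number of missing rules (0 means the transparent-proxy rules are complete)
check_proxy_rules() {
    local rules="$1" missing=0 rule
    while IFS= read -r rule; do
        if rule_present "$rules" "$rule"; then
            echo "ok:      $rule"
        else
            echo "MISSING: $rule"
            missing=$((missing + 1))
        fi
    done <<'EOF'
-A INPUT -i eth0 -p tcp -m tcp --dport 3126 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3127 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3128 -j ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3126
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127
-A POSTROUTING -o eth1 -j MASQUERADE
EOF
    return "$missing"
}

# Constructed sample of `iptables-save` output after step 6 (only the relevant lines)
SAMPLE_RULES='*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3126
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
-A INPUT -i eth0 -p tcp -m tcp --dport 3126 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3127 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3128 -j ACCEPT
COMMIT'

# Use the live ruleset when run as root, otherwise the embedded sample
if [ "$(id -u)" -eq 0 ] && command -v iptables-save >/dev/null 2>&1; then
    check_proxy_rules "$(iptables-save)" || true
else
    check_proxy_rules "$SAMPLE_RULES" || true
fi
```

Run it as root on the proxy host to check the live ruleset; a non-zero exit status is the number of missing rules.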

7. Squid Configuration

# ssl-bump settings managed by Diladele Web Safety for Squid Proxy
include "/opt/qlproxy/etc/squid/squid.acl"

# port configuration
http_port  3126 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/qlproxy/etc/myca.pem
http_port  3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/qlproxy/etc/myca.pem

# certificate storage manager
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB

# ICAP integration with Diladele Web Safety (qlproxy)
icap_enable on
icap_preview_enable on
icap_preview_size 4096
icap_persistent_connections on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Client-Username
icap_service_failure_limit -1
icap_service qlproxy1 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod
icap_service qlproxy2 respmod_precache bypass=0 icap://127.0.0.1:1344/respmod
acl qlproxy_icap_edomains dstdomain "/opt/qlproxy/etc/squid/icap_exclusions_domains.conf"
acl qlproxy_icap_etypes rep_mime_type "/opt/qlproxy/etc/squid/icap_exclusions_contenttypes.conf"
adaptation_access qlproxy1 deny qlproxy_icap_edomains
adaptation_access qlproxy2 deny qlproxy_icap_edomains
adaptation_access qlproxy2 deny qlproxy_icap_etypes
adaptation_access qlproxy1 allow all
adaptation_access qlproxy2 allow all

8. Create the SSL certificate database used by ssl_crtd

/usr/lib64/squid/ssl_crtd -c -s /var/spool/squid_ssldb
chown -R squid:squid /var/spool/squid_ssldb

Install NTOP NG on CENTOS 6

1. download latest epel-release and install

yum -y install http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

2. Create a repository for NTOP.

vi /etc/yum.repos.d/ntop.repo

[ntop]
name=ntop packages
baseurl=http://packages.ntop.org/centos/$releasever/$basearch/
enabled=1
gpgcheck=1
gpgkey=http://packages.ntop.org/centos/RPM-GPG-KEY-deri
[ntop-noarch]
name=ntop packages
baseurl=http://packages.ntop.org/centos/$releasever/noarch/
enabled=1
gpgcheck=1
gpgkey=http://packages.ntop.org/centos/RPM-GPG-KEY-deri
 
3. Make sure the EPEL repository definition looks like this (replace X with the CentOS major version, 6 or 7):

[epel]
name=Extra Packages for Enterprise Linux X - $basearch
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-X&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-X

and

cd /etc/yum.repos.d/
wget https://copr.fedoraproject.org/coprs/saltstack/zeromq4/repo/epel-X/saltstack-zeromq4-epel-X.repo

Note: replace X with 6 (for CentOS 6) or 7 (for CentOS 7).

then do:

yum erase zeromq3   # do this once to make sure zeromq3 is not installed
yum install zeromq
yum clean all
yum update
yum install pfring n2disk nprobe ntopng ntopng-data nbox
 
 
Note: At this point I had a Transaction Check error because my kernel was newer than what the ntop compile expected, so I had to install an older kernel for the yum install to complete. If the above completes without an error you can skip this step, else grab the older kernel and try the package install again.

yum -y install kernel-2.6.32.431.20.3.el6
 
 
Edit the config files:

vi /etc/ntopng/ntopng.start
  --local-networks "192.168.0.0/24"
  --interface 0

vi /etc/ntopng/ntopng.conf
  -G=/var/run/ntopng.pid

Edit the firewall to allow the ntopng web port:

vi /etc/sysconfig/iptables
  -A INPUT -m state --state NEW -m tcp -p tcp --dport 3000 -j ACCEPT

Enable the services at boot:

chkconfig redis on
chkconfig ntopng on

Start the services:

service redis start
service ntopng start

Browse to the NTOP server address:

http://yourserveraddress:3000
username: admin
password: admin

Change this default admin password after the first login.