Proxy recommendations?
Message
Proxy recommendations?
I want to use a proxy to better control network access on my system(s), as was once recommended to me by pietinger. I see no wiki page for this. Can I get some advice?
That's a tough one.
Security guys love complaining about services exposed directly to the internet and demand it to be hidden behind a proxy, so the service ends up hidden behind a proxy which does nothing beneficial but still obfuscates logs by having all clients connect from hte same IP address.
What does this proxy actually have to do, and why do you want the security separated from the service itself?
There are valid reasons to do that, but they may or may not apply to your use case, and overcomplicating things won't do you any good either.
Security guys love complaining about services exposed directly to the internet and demand it to be hidden behind a proxy, so the service ends up hidden behind a proxy which does nothing beneficial but still obfuscates logs by having all clients connect from hte same IP address.
What does this proxy actually have to do, and why do you want the security separated from the service itself?
There are valid reasons to do that, but they may or may not apply to your use case, and overcomplicating things won't do you any good either.
As szatox said, it depends on your use case.
If you just need a proxy and want to filter what can be accessed i can recommend net-proxy/tinyproxy, if you want to do more fancy things and don't mind the extra complexity net-proxy/squid is a popular option (wiki: https://wiki.gentoo.org/wiki/Squid)
If you just need a proxy and want to filter what can be accessed i can recommend net-proxy/tinyproxy, if you want to do more fancy things and don't mind the extra complexity net-proxy/squid is a popular option (wiki: https://wiki.gentoo.org/wiki/Squid)
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world
My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com
USE="-war" emerge --newuse @world
My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com
Re: Proxy recommendations?
It can be only privoxy (because I use it also) ... but there is a wiki page:leyvi wrote:I want to use a proxy [...] as was once recommended to me by pietinger. I see no wiki page for this.
https://wiki.gentoo.org/wiki/Privoxy
( I wrote about it also here: https://wiki.gentoo.org/wiki/User:Pieti ... e_FireWall
... and in this chapter:
https://wiki.gentoo.org/wiki/User:Pieti ... all#Basics
I linked in number 4 to:
https://wiki.gentoo.org/wiki/Security_H ... k_Security
containing a chapter about squid:
https://wiki.gentoo.org/wiki/Security_H ... rity#Squid
which has also a wiki page:
https://wiki.gentoo.org/wiki/Squid )
Tinyproxy has no own wiki page but is here described:
https://wiki.gentoo.org/wiki/Content_Filter
- flexibeast
- l33t
- Posts: 682
- Joined: Mon Apr 04, 2022 4:15 am
- Location: Naarm/Melbourne, Australia
- Contact:
As an aside: there's a wiki category "Proxy-Related", whose ambiguity has resulted in pages like that for Privoxy being included alongside information about being a 'proxy maintainer' in the Gentoo sense.
So i've just changed the category of the "Privoxy", "Squid" and "Content Filter" pages to "Proxy", such that they can be found via the relevant category page. i've also moved the "Tools for the work as proxied maintainer", "Package maintainer's responsibilities" and "Abbreviations, terminology, and jargon" pages to the "Proxy maintainers" category. However, there are still four pages in the "Proxy-Related" category which i can't change because i don't have the relevant permission bits; i've added a comment on the Talk page for the "Project:Proxy Maintainers" page suggesting that those four pages be moved into the "Proxy maintainers" category.
So i've just changed the category of the "Privoxy", "Squid" and "Content Filter" pages to "Proxy", such that they can be found via the relevant category page. i've also moved the "Tools for the work as proxied maintainer", "Package maintainer's responsibilities" and "Abbreviations, terminology, and jargon" pages to the "Proxy maintainers" category. However, there are still four pages in the "Proxy-Related" category which i can't change because i don't have the relevant permission bits; i've added a comment on the Talk page for the "Project:Proxy Maintainers" page suggesting that those four pages be moved into the "Proxy maintainers" category.
Good to know, thanks.flexibeast wrote:As an aside: there's a wiki category "Proxy-Related", whose ambiguity has resulted in pages like that for Privoxy being included alongside information about being a 'proxy maintainer' in the Gentoo sense.
So i've just changed the category of the "Privoxy", "Squid" and "Content Filter" pages to "Proxy", such that they can be found via the relevant category page. i've also moved the "Tools for the work as proxied maintainer", "Package maintainer's responsibilities" and "Abbreviations, terminology, and jargon" pages to the "Proxy maintainers" category. However, there are still four pages in the "Proxy-Related" category which i can't change because i don't have the relevant permission bits; i've added a comment on the Talk page for the "Project:Proxy Maintainers" page suggesting that those four pages be moved into the "Proxy maintainers" category.
Yeah, I suppose. You kinda mentioned that in the first post. Too vague.leyvi wrote:I want to have mandatory access control for the network.
Is http basic auth access control? Is a firewall access control?
Who should be allowed to access the service?
Why do access control at a proxy and not in the application itself?
Is it even a http service or maybe something else?
In fact I recently learned that with opensnitch it is possible to control network access on per UID or per process. However I must cautioning you that do not run multiple layers of firewall (iptables/nftables or ufw) together. it took me several weeks to debug to find where the problem be.leyvi wrote:I mean granular control for all layers. I would do this with my firewall, but short of containerizing everything, I can't think of a way to get total control over program access to the network.
Thanks, I'll check it out.pingtoo wrote:In fact I recently learned that with opensnitch it is possible to control network access on per UID or per process. However I must cautioning you that do not run multiple layers of firewall (iptables/nftables or ufw) together. it took me several weeks to debug to find where the problem be.leyvi wrote:I mean granular control for all layers. I would do this with my firewall, but short of containerizing everything, I can't think of a way to get total control over program access to the network.
With the new AppArmor version you are now able to restrict the network access at a very fine level: You can now allow even at IP-address- and port-level!leyvi wrote:[...] I can't think of a way to get total control over program access to the network.
Look into "man apparmor.d" in chapter "Network Rules" ->
Mediation of inet/inet6 family
AppArmor supports fine grained mediation of the inet and inet6 families by using the ip and port conditionals. The ip conditional accepts both IPv4 and IPv6 using the regular representation of four octets separated by ’.’ for IPv4 and eight
groups of four hexadecimal numbers separated by ’:’ for IPv6. Contiguous leading zeros can be replaced by ’::’ once. On a connected socket, the sender and receiver don’t need to be specified in the recvfrom and sendto system calls. In that
case, and with unbounded sockets, the IP address is none, or unknown. Unknown or Unbound IP addresses are represented in policy by the ’none’ keyword. When the ip conditional is omitted, then all IP addresses will be allowed: IPv4, IPv6 and
none. If INADDR_ANY or in6addr_any is used, then the ip conditional can be omitted or they can be represented by:
network ip=::, #allow in6addr_any
network ip=0.0.0.0; #allow INADDR_ANY
The network rules support the specification of local and remote IP addresses and ports.
network ip=127.0.0.1 port=8080,
network peer=(ip=10.139.15.23 port=8081),
network ip=fd74b03a:b361::cf32 peer=(ip=fd74
network port=8080 peer=(port=8081),
network ip=127.0.0.1 port=8080 peer=(ip=10.139.15.23 port=8081),
b03a:b361::cf32 peer=(ip=fd74Had no idea. Thanks pietinger! I'll check it out.pietinger wrote:With the new AppArmor version you are now able to restrict the network access at a very fine level: You can now allow even at IP-address- and port-level!leyvi wrote:[...] I can't think of a way to get total control over program access to the network.
Look into "man apparmor.d" in chapter "Network Rules" ->
Mediation of inet/inet6 family
AppArmor supports fine grained mediation of the inet and inet6 families by using the ip and port conditionals. The ip conditional accepts both IPv4 and IPv6 using the regular representation of four octets separated by ’.’ for IPv4 and eight
groups of four hexadecimal numbers separated by ’:’ for IPv6. Contiguous leading zeros can be replaced by ’::’ once. On a connected socket, the sender and receiver don’t need to be specified in the recvfrom and sendto system calls. In that
case, and with unbounded sockets, the IP address is none, or unknown. Unknown or Unbound IP addresses are represented in policy by the ’none’ keyword. When the ip conditional is omitted, then all IP addresses will be allowed: IPv4, IPv6 and
none. If INADDR_ANY or in6addr_any is used, then the ip conditional can be omitted or they can be represented by:
network ip=::, #allow in6addr_any
network ip=0.0.0.0; #allow INADDR_ANY
The network rules support the specification of local and remote IP addresses and ports.
network ip=127.0.0.1 port=8080,
network peer=(ip=10.139.15.23 port=8081),
network ip=fd74
network port=8080 peer=(port=8081),
network ip=127.0.0.1 port=8080 peer=(ip=10.139.15.23 port=8081),