All posts by Eliezer Croitoru

Squid Nuggets Introduction

About me

My name is Eliezer Croitoru and I have been a Linux and database systems administrator for the past 14 years. I have been a member of the Squid-Cache Users and Developers community for many years.

My contributions to the Squid-Cache community include the StoreID feature, free user support on the mailing list and the unofficial public Enterprise Linux distributions (CentOS, Oracle, Fedora, Rocky and Alma) RPM repository.

I have also developed a bunch of Squid external ACL helpers and utilities over the years for many purposes and organizations. One of the most well known projects I have assisted with was mentoring BGU students for the IEEE publication “Website Fingerprinting Through the Cache Occupancy Channel and its Real World Practicality”.

local Mirror: RobustFingerprinting-TDSC

So what are these nuggets about?

Squid is a very complex piece of software and embedded in its code is a lot of wisdom and effort which has been there since 1985 and years back.

Over the years Squid was converted from C to C++ and a lot of helpers were written in many different programming and scripting languages. Each and every tiny piece of concept and idea, when written in C or C++, is somehow going to require digging and archeological stuff and work to understand and maybe re-design in the far future (if at all). In my research of the Squid project over the years I learned a lot of things which I believe can be summarized for programmers, admins and engineers. For IT specialists the project can be an art show in which they can observe and enjoy the beauty of Computer Science.

Specifically I wanted to take Squid ACLs and SquidGuard internals and drill into them, demonstrating with code (mainly using pseudocode and Ruby) how their algorithms and implementations can be re-written in modern languages.

I remember that a developer once told me the following sentence: “If you write it in perl it will work forever.” It’s something which can be said about many higher level languages compared to much lower level languages. Now, with the improvements in AI platforms in the last couple of years, there is a possibility that many tools can be re-written much more easily to achieve similar goals with less effort than in the past.

So the goal is to take pieces of Squid and SquidGuard and share them as tasteful nugget snacks.

What is a Proxy Server and specifically HTTP proxy server?

Technically speaking a proxy server is a server that does a task for the client which is either the actual user or an organizational unit.

It can be a home, office, ISP or, on much larger scales, governments. In this series I will focus on ACL enforcement using Squid and other programs to which Squid can delegate some aspects of the ACLs.

Prerequisites

To understand some of the content you are required to know some basics of “how the internet works” such as IP with its 7 layers and specific protocols such as DNS, HTTP and TLS. You also need to have basic knowledge of how to use basic tools such as telnet or netcat and openssl or any other UI based equivalent.

Apart from that you must know some basic concepts of programming CLI (STDIN/STDOUT) based tools. If you know network programming then I hope it will be fun for you.

There are also a couple of concepts in Databases and Data Structures which are required so that you will be able to appreciate the greatness of some of the simplest things which are embedded inside Squid and SquidGuard.

Some Additional resources

https://cs50.harvard.edu/x/2019/notes/5/

DellWorld’15: What is a Firewall Sandwich (FWS)?

PPTX: 120 G+ DPI and beyond, by Aravind Thangavelu, Executive Director, Software Engineering

What is a Firewall Sandwich (FWS)?


“A scale-out, highly resilient Layer 2 and 3 architecture providing transparent and/or NATed/Routed security services to enhance existing security solutions”

DOES:

  • Can replace traditional HA firewall architectures
  • Work with Dell Networking S4810, S5000, S6000 and Dell Network Security SuperMassive 9x00 and 10XXX series products
  • Can Provide Layer 3 services at the firewall
  • Scale to 320 Gbps of DPI (IPS + App Intelligence), 2.56 Million SSL-DPI sessions and 40m TCP connections
  • Provide N+1 redundancy (vs. 1+1) without reliance on complex HA or clustering protocols
  • Support 1, 10 or 40GE ingress/egress connections (today) and performance

The code itself speaks

The digits 0 and 1 down below are finding their way to the earth.

There is an old “argument” on how teaching should be done. Some believe that there is a specific order to things when teaching and learning. The biggest example I remember was that Python is prettier than other languages; some named it the “sexy” programming language. And indeed there are things that can be seen and can be read between the lines of code.

There is a fingerprint in the code!

But fingerprints and patterns or checksum algorithms are doomed to lose their place in the CS world due to a single reason:
Humans can create more than any and all of the computers on the planet together.

But still, like any text, there is wisdom in most of the pieces of code I had the pleasure to review or write. We as coders try to write in a functional or object oriented style while we are missing specific things from the picture.

We all do not know entirely what the “wisdom of the code” truly means. After years of IT support I can clearly say that there are something like 4 types of code reviewers:

  • The Code is what it is and since it is the code then either the coder should be ashamed of it.
  • The Code is there to contain more than just the code itself, it has another upper level or metadata which not all may see.
  • The Code is what it is and the coder should be proud of their work.
  • The code is code and has lots of layers, from the 0 and 1 layer below and above, and it contains some of the coder’s special spice.

I believe that the above 4 are only one way to look at this picture but I want to take it in another direction.

I have experience with open source (GPL\BSD\Others) for at least 10 years and I have seen pieces of code that haunted me for weeks.
I mean: seriously, why is the code not doing what it is supposed to do?
Why, when you read the code, does it make sense but eventually at run-time it does something unexpected? Are 20 developers and 5 QA testers not enough?

So the bottom line is that I believe that if the code was written based on a desired functionality or divided into objectives or it’s not “sexy” it is still a good way to tell a story.

Many of us are blessed with the words “genius” or “techie” or any other canonical name for our art and profession.

The bottom line

I believe that the sexiness of the code is not what’s attractive in it.
However I do believe that some “prettification” can help others to understand by themselves many things about the code itself and also about the author.

Squid-Cache and ME

I have published Squid-Cache RPM packages in the last couple of years but now I’m starting to do things at slow speed and in low gear.

The reason for that is that there are a couple of very nice alternatives out there which I used and found to be more suitable for the year 2018. If I can run a proxy that does the same thing but can utilize all of the CPU cores in a balanced way, I would make the effort to migrate from code that is based on 1985 style to one that is more advanced and also more reliable.

If you have found Squid-Cache as your choice for the task and it works for you then great but… I found that it might work for specific clients but not in a network that has a couple of smartphones or tablets in it.

Squid Version 4 on_unsupported feature brings something new to Squid-Cache and I believe that it might help many, like Skype, to somehow use Squid-Cache without suffering too much.

I have been waiting for the Squid 4 stable release for quite some time with hope that we will have a new era. The issue is that even with my basic testing I am pretty sure that there is some memory overhead somewhere and this is one of the last pieces before the next step.

All the best,
Eliezer

Windows 10 Default Group Policy Restore

Based on the article at the bottom I am adding to my Journal a nice way to restore Windows 10 Pro to My Default Group Policy rules.

Recipe:

  • Download the GroupPolicy.7z  file
  • Backup your current system group policy folder:
    %systemroot%\System32\GroupPolicy
    Into a zip\tar\7z\other.
  • Delete all files in your destination system Group Policy folder:
    %systemroot%\System32\GroupPolicy\
  • Then extract the GroupPolicy.7z file content into the Group Policy folder:
    %systemroot%\System32\GroupPolicy
  • Start a command line (cmd) in administrative mode and run the command:
    gpupdate /force
    or restart/reboot your PC.

This helps to resolve some issues related to the latest Microsoft Windows 10 Updates release.
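
The recipe above as a single PowerShell script, added here as an example and not part of the original post. It assumes 7-Zip's `7z.exe` at its default install path, a backup folder under the user profile, and an `-ExpectedSha256` value that you recorded yourself for a known-good copy of GroupPolicy.7z (the post publishes no hash); the script refuses to touch the policy folder if the archive does not match.

```powershell
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)] [string] $Archive,         # path to the downloaded GroupPolicy.7z
    [Parameter(Mandatory)] [string] $ExpectedSha256,  # assumption: hash you recorded for a known-good copy
    [string] $SevenZip  = "$env:ProgramFiles\7-Zip\7z.exe",      # assumed 7-Zip install path
    [string] $BackupDir = "$env:USERPROFILE\GroupPolicyBackups"  # assumed backup location
)
$ErrorActionPreference = 'Stop'
$gp = Join-Path $env:SystemRoot 'System32\GroupPolicy'

# Verify the archive before anything is deleted: whatever it contains
# becomes local machine and user policy once it is extracted.
$actual = (Get-FileHash -LiteralPath $Archive -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) { throw "Archive hash mismatch: $actual" }
if (-not (Test-Path -LiteralPath $SevenZip)) { throw "7z.exe not found at $SevenZip" }

# Back up the current policy folder. ZipFile is used instead of
# Compress-Archive because Compress-Archive skips hidden files.
Add-Type -AssemblyName System.IO.Compression.FileSystem
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backup = Join-Path $BackupDir ("GroupPolicy-{0:yyyyMMdd-HHmmss}.zip" -f (Get-Date))
[System.IO.Compression.ZipFile]::CreateFromDirectory($gp, $backup)

# Delete everything inside the folder (hidden items included), keeping the folder itself.
Get-ChildItem -LiteralPath $gp -Force | Remove-Item -Recurse -Force

# Extract the archive content into the policy folder, as the recipe describes.
& $SevenZip x $Archive "-o$gp" -y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "7z failed with exit code $LASTEXITCODE; restore from $backup" }

# Re-apply policy now instead of waiting for a reboot.
gpupdate /force
Write-Output "Policy restored from $Archive; previous policy saved to $backup"
```

To roll back, clear the folder again and extract the timestamped zip from the backup location into `%systemroot%\System32\GroupPolicy`, then run `gpupdate /force`.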