Squid: Configuring Whitelisted URLs

PROBLEM

To configure a proxy server that only allows whitelisted URLs through.

SOLUTION

Install Squid… in this case, on Ubuntu.

sudo apt install -y squid

Ensure the service is running.

my@shittycode:/etc/squid$ sudo systemctl status squid
● squid.service - Squid Web Proxy Server
Loaded: loaded (/lib/systemd/system/squid.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2021-04-21 17:20:54 CDT; 3min 3s ago
Docs: man:squid(8)
Process: 9008 ExecStartPre=/usr/sbin/squid --foreground -z (code=exited, status=0/SUCCESS)
Process: 9012 ExecStart=/usr/sbin/squid -sYC (code=exited, status=0/SUCCESS)
Main PID: 9013 (squid)
Tasks: 4 (limit: 44379)
Memory: 16.1M
CGroup: /system.slice/squid.service
├─9013 /usr/sbin/squid -sYC
├─9015 (squid-1) --kid squid-1 -sYC
├─9016 (logfile-daemon) /var/log/squid/access.log
└─9017 (pinger)

Apr 21 17:20:54 shittycode squid[9015]: Max Swap size: 0 KB
Apr 21 17:20:54 shittycode squid[9015]: Using Least Load store dir selection
Apr 21 17:20:54 shittycode squid[9015]: Set Current Directory to /var/spool/squid
Apr 21 17:20:54 shittycode squid[9015]: Finished loading MIME types and icons.
Apr 21 17:20:54 shittycode squid[9015]: HTCP Disabled.
Apr 21 17:20:54 shittycode squid[9015]: Pinger socket opened on FD 14
Apr 21 17:20:54 shittycode squid[9015]: Squid plugin modules loaded: 0
Apr 21 17:20:54 shittycode squid[9015]: Adaptation support is off.
Apr 21 17:20:54 shittycode squid[9015]: Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 12 flags=9
Apr 21 17:20:55 shittycode squid[9015]: storeLateRelease: released 0 objects

Create a file ( /etc/squid/whitelist.txt ) containing the whitelisted URLs. In this example, only one URL is whitelisted.

my@shittycode:/etc/squid$ cat whitelist.txt
www.google.com

To simplify the configuration, backup /etc/squid/squid.conf and create the same file with these minimal configurations.

my@shittycode:/etc/squid$ cat squid.conf

# An ACL named 'whitelist'
acl whitelist dstdomain '/etc/squid/whitelist.txt'

# Allow whitelisted URLs through
http_access allow whitelist

# Block the rest
http_access deny all

# Default port
http_port 3128

Restart the service to pick up the change.

sudo systemctl restart squid

To test the configuration, when hitting a non-whitelisted URL, it should return 403.

my@shittycode:/etc/squid$ curl -x localhost:3128 -I -L yahoo.com
HTTP/1.1 403 Forbidden
Server: squid/4.10
Mime-Version: 1.0
Date: Wed, 21 Apr 2021 22:22:02 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3507
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from shittycode
X-Cache-Lookup: NONE from shittycode:3128
Via: 1.1 shittycode (squid/4.10)
Connection: keep-alive

When hitting a whitelisted URL, it should return 200.

my@shittycode:/etc/squid$ curl -x localhost:3128 -I -L www.google.com
HTTP/1.1 200 OK
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Date: Wed, 21 Apr 2021 22:21:03 GMT
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Expires: Wed, 21 Apr 2021 22:21:03 GMT
Cache-Control: private
Set-Cookie: 1P_JAR=2021-04-21-22; expires=Fri, 21-May-2021 22:21:03 GMT; path=/; domain=.google.com; Secure
Set-Cookie: NID=214=AAK1Z6cV4cXlOGLIdHrKhiyzW2iBKpkN5-3OXvVrxEGrw-VekbvM1uFMMUAGubhAciT8NcyCVto2fpDPHJXRBECcqJRFTsUDNb3WBUNIgvK0zWpyxz8bl1aSqB22nQhf2fEwfDM9nAkVZyQG8rst054qOfAHO9kDvkrZRWn9HyM; expires=Thu, 21-Oct-2021 22:21:03 GMT; path=/; domain=.google.com; HttpOnly
X-Cache: MISS from shittycode
X-Cache-Lookup: MISS from shittycode:3128
Via: 1.1 shittycode (squid/4.10)
Connection: keep-alive

macOS Big Sur: Poor Screen Quality When Connecting to Old Monitor via HDMI

PROBLEM

You have a shiny Mac laptop running macOS Big Sur. This laptop is connected to an old external monitor via HDMI. The screen quality looks pixelated and fuzzy.

Running font smoothing (as below) doesn’t fix the problem:

defaults -currentHost write -g AppleFontSmoothing -int 3

You are poor enough to buy a new 4K monitor.

SOLUTION

The usage of HDMI seems to fool macOS Big Sur, thinking your old monitor is a glorious new TV. This causes macOS to use YPbPr instead of RGB mode.

The fix is to perform Extended Display Identification Data (EDID) override to force macOS to use RGB mode.

Some instructions on the web are inaccurate. There’s no need to reboot into Recovery Mode to disable System Integrity Protection (SIP) via csrutil first.

Instead, run the following command:

sudo mkdir -p /Library/Displays/Contents/Resources/Overrides
cd /Library/Displays/Contents/Resources/Overrides
sudo curl -O https://gist.githubusercontent.com/ejdyksen/8302862/raw/patch-edid.rb
sudo ruby patch-edid.rb

Reboot the laptop.

Docker: Executing Startup Script When Running Container Interactively

PROBLEM

When running the Docker container interactively (ex: docker run --rm -it myimage), you want to run a startup script every time.

SOLUTION

For Ubuntu, Debian and Centos images, write the startup script to /root/.bashrc:

# UBUNTU
FROM ubuntu:latest
RUN echo "echo 'Welcome!'" >> /root/.bashrc
WORKDIR /home

# DEBIAN
FROM debian:latest
RUN echo "echo 'Welcome!'" >> /root/.bashrc
WORKDIR /home

# CENTOS
FROM centos:latest
RUN echo "echo 'Welcome!'" >> /root/.bashrc
WORKDIR /home

For Alpine image, it’s a little different because it uses Ash shell. Besides writing the startup script to /root/.profile, you also need to set that path to an environment variable called ENV:

FROM alpine:latest
ENV ENV=/root/.profile
RUN echo "echo 'Welcome!'" > $ENV
WORKDIR /home

Gone From Our Sight…

Gone from our sight, but never from our hearts.

– Unknown

Git: Querying Tags Without Cloning the Repository

PROBLEM

A typical way to get a list of tags from a repository is to clone it before running git tag:-

git clone git@ssh.dev.azure.com:v3/test/my-shitty-repo
cd my-shitty-repo
git -c 'versionsort.suffix=-' tag --sort='v:refname'

# output
1.0.0-b20200317174203
1.0.0
1.0.1-b20200318174753
1.0.1-b20200318174841
1.0.1-b20200407185909
1.0.1
1.0.2-b20200413205910
1.0.2

versionsort.suffix=- ensures 1.0.0-XXXXXX comes after 1.0.0.

To retrieve the latest tag:-

git clone git@ssh.dev.azure.com:v3/test/my-shitty-repo
cd my-shitty-repo
git -c 'versionsort.suffix=-' tag --sort='v:refname' |
tail -n1

# output
1.0.2

While it works, it requires us to clone the repository first, and if we want to retrieve tags from multiple repositories, we are quickly filling our hard drive space.

SOLUTION

Git has a way to perform a remote query through git ls-remote.

To perform the same task without cloning the repository, we can run this:-

git -c 'versionsort.suffix=-' ls-remote \
--tags \
--sort='v:refname' \
git@ssh.dev.azure.com:v3/test/my-shitty-repo

# output
b90df3d12413db22d051db1f7c7286cdd2f00b66	refs/tags/1.0.0-b20200317174203
e355a58829a2d2895ab2d7610fad1ab26dc0c1e7	refs/tags/1.0.0
345153c39a588a6ab2782772ee9dcf9f9123efa9	refs/tags/1.0.1-b20200318174753
efc40f0bd68bb8c7920be7700cab81db0e6bdf83	refs/tags/1.0.1-b20200318174841
efc40f0bd68bb8c7920be7700cab81db0e6bdf83	refs/tags/1.0.1-b20200407185909
c5ed5fe30cba621f40daa542c0613fa2c1c1a47d	refs/tags/1.0.1
7205ada5d8bd4318f82e58e8752ba651211f9d82	refs/tags/1.0.2-b20200413205910
6ba62a0f06f831812cbb13a6d1e83602ffe9e8d3	refs/tags/1.0.2

To retrieve the latest tag:-

git -c 'versionsort.suffix=-' ls-remote \
--tags \
--sort='v:refname' \
git@ssh.dev.azure.com:v3/test/my-shitty-repo |
tail -n1 |
sed -E 's|.*refs/tags/(.+)|\1|'

# output
1.0.2