I have no intention of talking about Squid and how to install/configure it, you can find plenty of resources online and on its main website. However I want to share some useful configuration options I like to use, such as user definition and prohibition of simultaneous user logins. Also I would share my automatic password generation script written in Perl, making your life easier if you ever wanted to have sets of users, with their passwords being automatically generated and emailed to them whenever you wanted!

User Definition in Squid

There are a myriad of ways to have user authentication in squid, the easiest is to have ncsa_auth program, which comes with Squid and you already have it if you got Squid, along with htpasswd program which gets installed by Apache web server. So, go get Apache if you want htpasswd. You can locate your ncsa_auth by entering your squid directory (usually in /usr/local/squid) and running:

Now you need to create the password file. Let’s name our password file ourPassFile and place it in the directory squid is installed, i.e. /usr/local/squid by default. Lots of folks might complain it’s much better we put it in /etc/squid, but I’d like to keep it in my own place, any problem?! Aha, don’t forget that you also need to make sure that it’s universally readable.

# touch /usr/local/squid/ourPassFile
# chmod o+r /usr/local/squid/ourPassFile

New password:
Re-type new password:
Adding password for user bijan

# Add this to the auth_param section of squid.conf
#
auth_param basic program /usr/local/squid/libexec/ncsa_auth /usr/local/squid/ourPassFile

#
# Add this to the bottom of the ACL section of squid.conf
#
acl ncsa_users proxy_auth REQUIRED

#
# Add this at the top of the http_access section of squid.conf
#
http_access allow ncsa_users
http_access deny all

That's pretty much it. By restarting squid, or better to say killing it (/usr/local/squid/sbin/squid -k shutdown) and starting it again (/usr/local/squid/sbin/squid -NCd1), you are forced to enter username/password to browse a web page.

Automatic User Generation

Let's say you want to add 10 more users and generate automatic passwords for them. Even more, you want to re-generate passwords for them periodically and send them their new username/password. I have patched up a Perl script which makes the job really easy.

At first you have to create a file, called users and enter your users' emails in there line by line. This file should be placed in the same directory ourPassFile is. It should contain something like:

Next you have to clear an empty file named clearFile.

Easy, hah?! Now you should create passGenerator.pl and put the following lines in it:

This file should be placed exactly in the same directory your ourPassFile is, or you have to edit it and give it appropriate addresses.

No need to mention you have to make this file executable by:

After running passGenerator.pl, it reads the users file line by line, for each username (which is the email address as well) an automatic password is generated and added to ourPassFile, also the unencrypted, clear-text password is saved in clearFile as well; should you need to remind a user of his/her password, you don't have any difficulty reading it! In the end the username/password is emailed to the user! As easy as apple pie.

This script is very simple, so, I don't think you'd have any difficulty should you want to change it based on your needs.

Banning Simultaneous User Login

What is good of username/password if even one single user decides to share his/her credentials with others?! You killed yourself prohibiting the whole savage zoo out there in your network accessing your precious proxy server, and one user feeling so terribly guilty of lack of equality and friendly with couple of other people (who happen to be friends with some more!) decides to share his credentials and end your reins of biased discrimination! Now you are left with your hands down in your pants, no control over anything!

No worries mate, you can ban simultaneous use! It took me couple of hours of googling & testing to find out, but it definitely works! As you know squid's credentials are carried out with each requested web page, better to say there is no user login in Squid, each time you try accessing squid, you send your username/password to it. So, we can't honestly define a user, it's only a variable carried in the HTTP Request. So, what is the work around? A simple trick!

By using the ACLs below, we can log the IP address of a user for the first time for a certain TTL (Time To Live). Within that TTL, if another IP address tries to use the same username, we simply block him! You need to modify your squid.conf in the following manner:

auth_param basic program /usr/local/squid/libexec/ncsa_auth /usr/local/squid/ourPassFile

auth_param basic credentialsttl 2 hours
authenticate_ttl 3 minutes
authenticate_ip_ttl 180 seconds

acl onlyonce max_user_ip -s 1
acl ncsa_users proxy_auth REQUIRED

http_access deny onlyonce
http_access allow ncsa_users
http_access deny all

Anyhow, tonight I was rushing back home, walking very fast in Africa, one of Tehrans’ busiest boulevards, that I suddenly noticed what once looked like a dream for me, i.e. living in this city and having a good job to make me feel proud, has just come to reality and I was too busy to even notice it. It wasn’t even a long time ago that I couldn’t stop dreaming about it, and now, I was living the life I wanted back then. Remembering that, made me smile and I started to wander freely, not just bolting back home. I started looking at cars, waiting in heavy traffic, and their drivers maybe wishing they were pedestrians for the time being, instead of having to move even slower than people in the side walk; I let other people pass me, looking at how fast they are walking for tomorrow, but for once in a long time, I was walking for that exact moment and enjoying looking at my surroundings and feeling victorious for what I could achieve and the life I currently have.

I just decided that I’m gonna slow walk home the nights that I can and enjoy feeling the moments passing by, noticing how it’s going, instead of just letting it go on its own

]]> http://hoomand.com/2010/11/14/walking-slow/feed/ 3 http://hoomand.com/2010/07/26/java-chat-serverclient/ http://hoomand.com/2010/07/26/java-chat-serverclient/#comments Mon, 26 Jul 2010 10:09:30 +0000 bijan http://hoomand.com/?p=86 After some days of coding, I could write my simple Java chat server and client! It’s still amazing when you write a simple but strong network program. The way you feel the communication and see the bits on wire makes me always stand in awe. Anyway, you can find the program in here. Basically you should run the server program first, I’d suggest you go for the graphical version. It’s a multi thread program, allowing you to start/stop server whenever you want, while waiting for active connections and at the same time sending all data it gets from a connected client to the others.

Chat Server, after creating a server (It only shows you your ethernet IP address, to easily let the clients know!)

Then you should run the chat client. In which you can connect to any started server. You can also choose a nickname and a color and everybody else in the chat room sees ya with your preferred name & color! Also when you write a new message and hit enter, you can see the window title marquee effect which makes it easy to notice a window among many other open windows in your task bar! This marquee effect almost took me a day to complete, but I like its look & feel.

The last but not the least, thanks to Java, you can run both the server or client in Windows, Linux and Mac!

The chat client, before connection

Two chat clients connected to one server:port, talking!

The server monitoring all connected clients!

If you disconnect the server, all the connected clients will be disconnected too!

The Challenge

Our call center unit has lots of personnel, and as the nature of the job dictates, they find themselves in quite unique pickles in a daily basis. Guess what happens when one of their computers doesn’t start (for a mere reason that the power cable was loose) or they SIP phone doesn’t get any IP from DHCP (again most probably coz their ethernet cable isn’t properly fixed into the network adaptor)? They know the IT personnels’ direct phone extensions and just call anyone they think is more knowledgeable. Most often they just call the chief IT person. What’s wrong with that? Some people get lots of support calls, some others don’t receive any!

IT department internal extensions have a pattern of 2XX, i.e. for example my phone number in 299. The call center’s internal numbers follow 5XX pattern. What I wanted to do was disallowing call center personnel calling IT department directly and defining a queue with a number like 3500, that they could only call that number. Everyday, some of the IT personnel would log themselves in the aforementiond queue, thus all call center calls dialing 3500 would be answered by them. This way you can define a chart that everyday only one or two IT people have the responsibility of answering call center calls and others do more useful stuff!

The Solution

At first you have to install Custom Context module. I found a good manual in here (It’s in Persian, if you can’t read Persian, search for it, they are other English manuals online). Now you have to go to your newly installed module and define a Custom Context containing the pattern of all extensions you don’t want to be dialled. How? Easy peasy japaneasy guys. Just make a new Custom Context, and inside it, in the Dial Rules, enter 2XX for your pattern. This is the pattern that we wana prohibit the Call Center personnel from calling. Now you have to scroll down, in the Internal Dial Plan section, should set ext-local equal to Deny Rules. Please notice that ext-local is a combo box with 4 options. If you choose Deny, means people that you’re gonna set this Custom Context for, won’t be able to call any other extension in the PBX! Yes, it doesn’t have to do anything with the Dial Plan box above anymore, if you choose Deny, means people under this Custom Context can not call any other internal number! So, we always set this to Allow, unless we wana deny some certain numbers, or allow some certain numbers (depending on your policy). In here, we choose Deny Rules, because we want the call center personnel to be able to call every other extension in the company, except those three digit numbers starting with 2.

A picture is worth a thousand words, so, here it goes:

Don’t forget to set ext-queues combo box to Allow, as it’s shown at the bottom of the picture above, or you won’t be able to call any queue. We’re almost done. You only have to edit every call center extension and join it in the Custom Context you defined above. They won’t be able to dial any 2XX extension! Now go and make your 3500 queue and put a password for it. Give this number as the IT Help Desk number to the call center personnel. Everyday some of you IT guys can log into your queue and wait for their beautiful calls

But what about at work place, among colleagues? Well, again there are different ideas. This lady thinks its totally inappropriate and just because she never uses bad language, it should be prohibited. But this research is trying to show that swearing at work might even boost productivity and reduces stress. You want my opinion? Well, I certainly don’t like all time polite people, plus I always try to keep the face, not getting close to those not worth or not worth the trouble! So, really depends on where you work. For me, I could always adopt. I’ve been in places really polite, which I had to watch my mouth so damn good not to utter a word that gets me kicked out, but after a while I could get used to their own language and ways of expressing myself without crashing others. I’ve also been in rude environments, which you either had to kill or get killed! But there are those who aren’t really good at this swearing thing, they either can’t respond well if they receive one or they’re very extreme. The reality might be that there’s a wilderness out there and you gotta know how to survive in different environments, but if you find yourself in an unsuitable position, just try to talk to the bad mouth or return the colorful words, or in long turn you might end up at your office in early morning with a huge shot gun!

If you found yourself faking a smile at someone who knocks you out in speaking with some naughty words in regular bases, it basically means you should get more involved defending yourself & not making a dumb figure around the office. In contrast, if you find someone not feeling easy with your language for a time, take it easy on them, you’re harassing the poor creature!

Imagine you have two seperate Local Area Networks, like one in your office and one at home. These 2 are behind a firewall and of course they have a private IP address, long story short: There’s no way for’em to see each other. Something like the following picture:

As you see we have 2 LANs, our Computer A is in the first LAN, with an IP address of 192.168.1.100 and Computer B, yes, the second LAN, with the address of 10.0.0.50; You’re sitting behind Computer A at home, and wana connect to Computer B at your work place. What can you do?!

Let’s say both these computers can SSH to a public server in the Internet, if they can do it, you’re done. You can connect to Computer B such a way like you’re exactly sitting in the 2nd LAN, doing whatever Computer B can do, at the comfort of resting behind Computer A. How?!

First you need to have a ssh user on the MiddleMan computer (the server) on the Internet. Let’s say your username on that server is BijanMid. You also need to create a ssh username in Computer B, if you’ve never been behind Computer B (It’s not your work place, it’s somewhere you don’t have access to, you should ask someone in there to create it for ya), let’s say your SSH username on Computer B is BijanCompB. Ok, here comes the magic:

From Computer B, issue the following command:

ssh -R 1040:localhost:22 BijanMid@MiddleMan

This is a reverse ssh connection. It basically says anyone who later on tries to connect to port 1040 of MiddleMan, should be redirected to localhost port 22, who is localhost? Well, you’re issuing the command from Computer B, so, localhost means that!

Note: You have to edit /etc/ssh/sshd_config and make sure you have the following configurations:

The first 3 lines make sure your ssh connection doesn’t get timed out, the last line, GatewayPorts is the important figure around here, it is the one allowing you ssh into one port of middle man and diverted to your computer B.

Now from Computer A, execute this:

ssh -p 1040 BijanCompB@MiddleMan

What does it mean? It means ssh to port 1040 of MiddleMan, with the user we have at Computer B! Is it possible? Yes, If anyone ssh to port 1040 of MiddleMan, it’s redirected to ComputerB, so, we have to use Computer B’s username in here, there’s literally no middle man here!

Caveat: If high ports like 1040 are filtered in middle man, again there’s no problem. Instead of directly sshing to port 1040 of MiddleMan, you have to first ssh to MiddleMan normally (port 22), with a user you already have in MiddleMan (Like BijanMid), and once you’re inside, you then issue:

ssh -p 1040 BijanCompB@localhost

Crazy, huh?! It’s like we’re trying to ssh to ourselves, but we are not, port 1040 forwards ya to Computer B.

There are other options as how can we restrict it to listen to certain IPs or even IP classes or how can we make it go silent without asking for a password, which I don’t wana talk about in here. I just wanted to share with ya the great hack I learned and you can dig more dirt up if you need.

One more thing, you can even get inside their intranet! You only need to add a -D switch to the command executed at Computer A:

ssh -p 1040 -D 1010 BijanCompB@MiddleMan

and then setting your browser’s proxy to use 127.0.0.1 as the proxy server listening on port 1010, using SOCKS protocol! Now you’re in their intranet as well!

Resources

There are many tutorials talking about this great technique, but those I found most valuable are as follows:

Hacktivate, reversing an SSH connection

toic, reverse ssh port forwarding

Just imagine how hard it’d get for a call center operator to go through this myriad of times during a day! I only wrote a small patch which adds a quick search phone box prior to any search option and automatically searches for the phone number entered through all the phone fields.

Yup, that’s it. If you like it, you can get the patch, put it in your vTiger 5.1.0 root directory and just extract it. It’ll overwrite the necessary files

Edit: My Super Quick Telephone Search patch was approved by the vTiger team. You can download it from the official vTiger Extensions now.

]]> http://hoomand.com/2010/05/08/vtiger-quick-telephone-search/feed/ 1 http://hoomand.com/2010/05/07/ielts-vs-toelf-and-the-blue-footed-b00bies/ http://hoomand.com/2010/05/07/ielts-vs-toelf-and-the-blue-footed-b00bies/#comments Fri, 07 May 2010 00:39:33 +0000 bijan http://hoomand.com/?p=13 After 2 month of waiting, I finally had my IELTS test taken here in Tehran. Studying for IELTS and having IELTS is kind of a fashion around here, not to mention that most people need it as well. So, I thought let’s try killing the beast and see what happens. I had my TOEFL iBT exam around 2 years ago and I was curious to see the differences between these 2 exams, I mean IELTS vs. TOEFL iBT. After all each side is blowing in its horn and there are countries who accept only IELTS, even if you have a high score in TOEFL iBT!

Long story short, I don’t consider IELTS a real English test! I don’t think it’s standard and I do believe the ielts.org thinks more about money than the most boasted about scientific part of the equation. Why? Well, there are couple of reasons:

• If you want to register for TOEFL, no matter where you are in the world, you should go to one main address: www.ets.org; that’s it, no more hassle. What about IELTS? Well, just in Iran, we have 2 different registrars, IELTS Iran and IELTS Tehran. The funny thing is, they have their own different procedures! You don’t see any centralized system, for gods sake, even their website interfaces are different. In one website the picture you have to upload of yourself can not be more than 10KBs (yeah! Just 10KBs), in the other one, well, it’s ok to go couple of more kbs! It all reminds me of some Food chained stores reseller programs, the guys who wanted to be the resellers (Test sub-centers if I don’t wana insult anyone) just paid the money to the main IELTS.org and got their permission. As long as they obey to some rules of taking the test, the rest is not important!
• Sending your TOEFL iBT results to any university in the world only costs ya $17, yes, nothing more. Not only they send a copy to that university from ets.org headquarters itself, they’d also send one recite to you wherever you are (for me, Iran). What about IELTS? Well, only issuing a certificate costs ya $50, sending it via international post is another story, it can cost ya anything between $30 to $50, so, the best case: you should pay at least $80 for one of your certificates to be sent to a university.
• In TOEFL iBT you’re placed inside a cubicle with a computer which you interact and answer all the 4 skill questions, i.e. reading, writing, listening and speaking. It could be hard for those who are not that much comfortable with a computer, specially those who are afraid of machines taking the time or are not touch typists. In the other hand, in IELTS, you’re placed inside a big hall with almost 1000 other participants! At the beginning they read ya the instructions that are mostly about DOs and Don’ts for about 10 minutes. Instructions like “If you look left, it’s cheating, If you look right, it’s cheating, if you look at anywhere but your paper, it’s cheating!”, damn, you feel like a kindergartner! And there is this Doctor at the session, whom whenever raise his hand and says “Stop the test”, everybody should put their pencil down and stop the test! They deliberately try to make ya more anxious, from reading you the rules, to the cameras that show you your picture on the wall to show off that they can see ya whenever they want and not forgetting to mention, how many times they repeat: “We know this test is important to you, we know how important it is to you!”.
• It happens 2 or 3 times at least during the test that the doctor just finds something suspicious and starts jabbering out loud and you have to listen to all of that. If he’s disciplining a girl about how she should keep her head straight to her paper, the others have to listen to him clear and loud, it might be a good lesson for all of them!
• The listening section is not a standard test in my humble opinion, because first of all, you hear something, but then in the answer sheet, the phrase you see is paraphrased, it’s not exactly what you heard, but you have to enter the 2 or 3 words missing exactly as you heard them in the listening! Considering the fact that what is put in the answer sheet is itself paraphrased, you should be allowed to write a paraphrased version of the answer, not the exact verbatim words. In some questions, the answers are dependent on each other, i.e. if you don’t hear one phrase, you won’t be able to answer several questions! For example in a question that asks for directions, if you don’t hear the first answer which says for instance you have to go up and then turn left to reach Point A, then you won’t be able to answer the next part, because you simply don’t know from where you should start or where in the map you are.
• TOEFL iBT has only multiple choice questions, it means if you understand something, you’d most probably choose the right answer in the choices you got. IELTS in the other hand almost has no multiple choice question, you have to fill in the blanks with your own beautiful handwriting!
• The speaking test is on a different day, it means it’s another hassle! Some people have their speaking test prior to their main (listening, reading & writing) test and they should check the website to find out whether their speaking is after the main test (most people are), or it’s before that. Lots of people forget, and I can see the good doctor’s face hearing this argument: “Forget? they should NOT, they are not ALLOWED to forget!”. No dear doctor, human is fallible, you could simply use their damn emails or cell phones to send them an email or a text message as a reminder. It’s 21st century and such technology isn’t considered so novel no longer! After all you’re charging us damn good, so, we might expect a little more than a bottle of mineral water and a pencil and eraser for the session!
• You’re supposed to talk in English with the invigilators, except 2 or 3 of them who are actually the test takers themselves and are mostly British, the other invigilators can’t speak English at all! I could only see one guy who could speak English whose accent was far worse than Mulla Mohammed Omar, if he’s ever captured!

On in all it’s real fun! The instructions they kept repeating only made it funnier to me. My first reading title was “Blue footed b00bies”, which was great! It took all the stress away and I thought the test is merely customized for me! Blue footed b00bies are kind of birds somewhere in the world (I really don’t care) who were so tamed and dumb at the time Spanish people entered their island, so, you could easily approach them, pick’em up and eat them! So, they’re called bubu I guess which means “stupid” in Spanish, later on it’s changed to b00bies by English people!

I do believe these 2 tests are money scams in the best case, coz I see no reason why some countries shouldn’t accept TOEFL and only go for IELTS or vice versa. But if I want to vote for one of them, as it’s apparent in my previous paragraphs, I’d definitely vote for TOEFL iBT, even though it might be a lot harder for the computer illiterate or those who are more willing to see a human face in the speaking test rather than a monitor. I also believe you shouldn’t put 1000 people in a huge hall and scare’em so much that they don’t even utter a hiss!