
Proxy Notes

Restart the service

systemctl restart squid

Where are the logs?

cat /var/log/squid/access.log | grep 10.20.0.81

Splunk Query on Moose

Where are the proxy logs?

index=web sourcetype="squid:access:json"

Is my traffic making it through the proxy?

index=web sourcetype="squid:access:json" client_ip="10.2.2.17" request="reports.office365.com:443"

Troubleshoot Proxy Issues

Remove the proxy environment variables and hit the destination directly with curl.

env -u http_proxy -u https_proxy -u HTTP_PROXY -u HTTPS_PROXY -u no_proxy -u NO_PROXY curl --verbose https://dynamodb.us-gov-east-1.amazonaws.com/

What variables are in the actual process environment? (2289 is the process ID.)

tr '\000' '\n' < /proc/2289/environ

cat /proc/2289/environ | tr '\000' '\n'

Check connections. See the TCP state diagram.

netstat -pant | egrep SYN_SENT

Alternate command?

ss -4 | egrep SYN

SYN_SENT is the state where the client has sent its SYN and is waiting for the destination to answer.

Look for the PID in the output and see if it matches your process.

ps -fp <pid from above>

See where the IPs are.

host <IP from previous SYN_SENT>
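The steps above (find SYN_SENT sockets, map them to a PID, read that PID's environment) can be chained into one check. This is an added example, not part of the original notes; the function names `syn_sent_owners`, `proxy_vars` and `report` are made up here, and it assumes the column layout of `netstat -pant` from net-tools.

```bash
#!/usr/bin/env bash
# Added example: tie each SYN_SENT socket to the proxy settings of its owner.

# Print "pid program remote" for each SYN_SENT row of `netstat -pant` output on
# stdin. Rows whose owner shows as "-" (not running as root) are skipped.
syn_sent_owners() {
  awk '$6 == "SYN_SENT" && $7 ~ /^[0-9]+\// {
         split($7, owner, "/"); print owner[1], owner[2], $5 }'
}

# Print the proxy variables from a NUL-separated environ file, masking any
# user:password embedded in a proxy URL so it does not land in tickets or chat.
proxy_vars() {
  tr '\000' '\n' < "$1" |
    grep -iE '^(http|https|ftp|all|no)_proxy=' |
    sed -E 's#(://)[^/@]+@#\1***@#'
}

# Read `netstat -pant` output on stdin and report, per stuck process, whether
# it has proxy settings. $1 is a /proc-style directory (default: /proc).
report() {
  root=${1:-/proc}
  syn_sent_owners | sort -u | while read -r pid prog remote; do
    if [ ! -r "$root/$pid/environ" ]; then
      echo "$prog ($pid) -> $remote: environ not readable, rerun as root"
    elif vars=$(proxy_vars "$root/$pid/environ"); [ -n "$vars" ]; then
      echo "$prog ($pid) -> $remote: proxy variables set"
      echo "$vars" | sed 's/^/    /'
    else
      echo "$prog ($pid) -> $remote: no proxy variables, connecting direct"
    fi
  done
}

# Live use: netstat -pant | report
```

A process that sits in SYN_SENT with no proxy variables is trying to reach the destination directly, which points at its launch environment rather than at Squid.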

Splunk App Proxy Troubleshooting

Is this a Splunk app? Does it support a proxy? Is this a modular input like DGI HF Duo_splunkapp?

In XDR, the splunk-launch.conf file SHOULD be wiping out the proxy settings for all Splunk apps. Each Splunk app should set the proxy within the app.

Check the version of Python.

splunk cmd /bin/which python3

Where are the OS proxy configurations?

cat /etc/profile.d/proxy.sh