A Guide to Proxy Services on Linux: Squid (Reprinted)

xiaoxiao 2021-03-06

A Guide to Proxy Services on Linux: Squid (2003-11-13)

A proxy provides two services. First, it lets users who cannot reach the Internet directly get access, because letting a large number of computers connect to the network directly is neither as secure nor as easy to manage. Second, it lets users who can already reach the Internet access it faster, because the proxy server caches the pages it fetches locally; when someone requests the same page again, the proxy serves the local copy without spending network bandwidth. Of course, one proxy can do both. We use Squid, the most widely used proxy, as the example for proxy servers under Linux. Only the server side is covered here; client configuration is not included. Squid's advantages are that it is powerful, simple to configure and richly documented; its disadvantages are that the range of protocols it supports is not yet wide enough and that it has had limited testing in very large deployments, but these shortcomings are slowly being remedied. Squid remains the best choice for beginners and for ordinary use.

In this article we configure a proxy server that provides proxy service to an internal network. Its users are divided into two groups, advanced users and ordinary users. Advanced users are identified by the physical (MAC) address of their network card; ordinary users must enter a username and password. Advanced users have no restrictions on access time or file type, while ordinary users may only access the Internet during working hours and are subject to some other restrictions.

The source installation package can be obtained from the Squid site, www.squid-cache.org, in both gz and bz2 compression. You can also use the package from your Linux distribution, such as the RPM provided by Red Hat. Installing the RPM is easy; the command is:

$ rpm -ivh squid-2.x.stablex.i386.rpm

But the author believes that even if Squid is already installed on the system, you should still obtain the latest source package.
Open-source software constantly corrects problems and adds features, so using the latest version gives the best performance and security, and the source can be fully customized. Note that the STABLE releases are the stable ones; the DEVEL releases are normally provided for developers to test. Assuming the latest stable release, squid-2.5.STABLE2.tar.gz, has been downloaded, unpack it with:

$ tar xvfz squid-2.5.STABLE2.tar.gz

The bz2 package may be smaller; the corresponding command is:

$ tar xvfj squid-2.5.STABLE2.tar.bz2

Then enter the corresponding directory to configure and compile the source:

$ cd squid-2.5.STABLE2

The configure script has many options; if you are unsure, look at "./configure --help" first. The options typically used are the following:

--prefix=/web/squid
Specifies where Squid is installed. When this option is given, the bin, sbin, man, conf and other directories are created under that directory, and the main configuration file is then in the conf subdirectory. For ease of management it is best to place that file in /etc with the parameter --sysconfdir=/etc.

--enable-storeio=ufs,null
The storage file systems to use. The default ufs is normally enough, but if you want a proxy server that does not cache any files, you also need the null file system.

--enable-arp-acl
Lets rules identify clients directly by MAC address, preventing clients from using IP spoofing.

--enable-err-languages="Simplify_Chinese" --enable-default-err-language="Simplify_Chinese"
These two options tell Squid to compile in and use the Simplified Chinese error messages.

--enable-linux-netfilter
Enables Linux transparent proxying.

--enable-underscore
Allows underscores in URLs. By default Squid treats a URL containing an underscore as illegal and refuses to access the address.

The complete configure line is:

./configure --prefix=/var/squid --sysconfdir=/etc --enable-arp-acl --enable-linux-netfilter --enable-pthreads --enable-err-languages="Simplify_Chinese" --enable-storeio=ufs,null --enable-default-err-language="Simplify_Chinese" --enable-auth="basic" --enable-basic-auth-helpers="ncsa" --enable-underscore

Some options have special effects, which are described below. Finally, run make and make install; they compile the source into executables and copy them to the specified location.

After installation, configure how Squid runs (not to be confused with the configure step above). Everything is done in squid.conf. The squid.conf that ships with Squid contains very detailed comments, equivalent to a user manual, and almost any question can be answered from it. In this example the proxy server is also the gateway: the internal network interface eth0 has the IP address 192.168.0.1 and the external interface eth1 has the IP address 202.103.x.x. The configuration options a basic proxy needs are given below.

http_port 192.168.0.1:3128

The default port is 3128; any other port will do, as long as it does not conflict with another service. For security, the IP address is given in front of the port so that Squid does not listen on the external interface. The next option is the server administrator's email.
When an error occurs this address is shown on the error page, so the user can contact the administrator easily:

cache_mgr netsnake@963.net

The following parameters tell Squid the cache file system, its location and the cache policy:

cache_dir ufs /var/squid
cache_mem 32MB
cache_swap_low 90
cache_swap_high 95

Here Squid uses /var/squid as the directory for saving cached data and 32 MB of memory for cached objects. When the cache space reaches 95% full, new content replaces old content instead of simply being added to the directory, until usage falls back to 90%, at which point this activity stops.

If you do not want Squid to cache any files at all, for example on a dedicated system with limited storage, use the null file system as the caching policy:

cache_dir null /tmp

The next few lines concern logging. The most important is the first one, the user access log: by analysing it you can obtain the detailed addresses visited by every user.

cache_access_log /var/squid/access.log
cache_log /var/squid/cache.log
cache_store_log /var/squid/store.log

The following parameter appears in newer versions and tells Squid the server name to display on error pages:

visible_hostname no1.proxy

This option tells Squid how to treat users; here the IP address of each request is taken as a separate address:

client_netmask 255.255.255.255

For a normal proxy server the configuration above is sufficient. But many Squid installations are used as transparent proxies. A transparent proxy is one whose clients do not know the proxy server exists and therefore need no proxy-related settings at all, which greatly eases the system administrator's job. The options related to it are:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

On Linux, iptables or ipchains can redirect Web requests for port 80 directly to Squid's port 3128, where Squid takes them over, while the user's browser still believes it is talking to port 80 of the remote host. For example, the following command redirects 192.168.0.200's accesses to port 80 to port 3128:

iptables -t nat -A PREROUTING -s 192.168.0.200/32 -p tcp --dport 80 -j REDIRECT --to-ports 3128

With all that set up, the key and important task is access control. Squid supports many kinds of control and they are very simple to use (this is also the reason to prefer Squid even when it does no caching, rather than using iptables alone).
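As an added check (example code, not from the article or from Squid), the following Python script parses the basic configuration above and flags an http_port line that would let Squid listen on the external interface, which is what turns a LAN proxy into an open proxy; it also checks that the transparent-proxy options are complete. The internal network 192.168.0.0/24 and the sample configuration text are assumptions constructed from the article's values.

```python
"""Sanity checks for the basic squid.conf fragment: listening address and
transparent-proxy options. Example code, not part of Squid."""
import ipaddress

# Constructed sample: the article's basic configuration as one string.
SAMPLE_CONF = """\
http_port 192.168.0.1:3128
cache_mgr netsnake@963.net
cache_dir ufs /var/squid
cache_mem 32MB
cache_swap_low 90
cache_swap_high 95
visible_hostname no1.proxy
client_netmask 255.255.255.255
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
"""


def parse_conf(text):
    """Return (directive, [args]) tuples, skipping blank lines and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0].lower(), parts[1:]))
    return entries


def check_http_port(entries, internal_networks):
    """Flag http_port values that make Squid reachable from outside the LAN.

    A bare port or 0.0.0.0 binds every interface, including the external one;
    an address outside the internal networks is equally exposed.
    """
    nets = [ipaddress.ip_network(n) for n in internal_networks]
    findings = []
    for directive, args in entries:
        if directive != "http_port":
            continue
        for arg in args:
            if ":" not in arg:  # bare port number such as "3128"
                findings.append(f"http_port {arg}: no address, listens on all interfaces")
                continue
            host, _, _port = arg.rpartition(":")
            try:
                addr = ipaddress.ip_address(host)
            except ValueError:
                findings.append(f"http_port {arg}: not an IP address")
                continue
            if addr.is_unspecified:
                findings.append(f"http_port {arg}: 0.0.0.0 listens on all interfaces")
            elif not any(addr in n for n in nets):
                findings.append(f"http_port {arg}: {addr} is not an internal address")
    return findings


def check_transparent(entries):
    """If any httpd_accel_* option is present, the whole set the article lists must be."""
    present = {d: a for d, a in entries if d.startswith("httpd_accel_")}
    if not present:
        return []
    required = {"httpd_accel_host", "httpd_accel_port",
                "httpd_accel_with_proxy", "httpd_accel_uses_host_header"}
    findings = [f"missing {d}" for d in sorted(required - present.keys())]
    if present.get("httpd_accel_with_proxy", ["off"])[0].lower() != "on":
        findings.append("httpd_accel_with_proxy is off: ordinary proxy requests would be refused")
    return findings


def lint(text, internal_networks=("192.168.0.0/24",)):
    """All findings for one squid.conf text; an empty list means nothing to report."""
    entries = parse_conf(text)
    return check_http_port(entries, internal_networks) + check_transparent(entries)


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF) or ["no findings"]:
        print(finding)
    # The same configuration with Squid bound to every interface: one finding.
    print(lint(SAMPLE_CONF.replace("192.168.0.1:3128", "3128")))
```

The check deliberately treats a bare port and 0.0.0.0 the same way, because on a gateway with two interfaces either one exposes the proxy on 202.103.x.x.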
Squid can identify users by IP address, hostname, MAC address, username/password authentication and so on; it can control access by destination domain name, domain suffix, file type, IP address, port, URL match and so on; and it can also manage users by time interval. Access control is therefore the focus of Squid configuration. Squid uses ACLs (Access Control Lists) to classify access, and controls it with http_access deny or allow.

According to the requirements, define two user groups, advance and normal, together with the group all of undefined users and the group baduser that is not allowed on the Internet. The configuration is:

acl advance src 192.168.0.2-192.168.0.10/32
acl normal src 192.168.0.11-192.168.0.200/32
acl baduser src 192.168.0.100/32
acl baddst dst www.somebadsite.com
acl all src 0.0.0.0/0
http_access deny baduser
http_access allow advance
http_access allow normal

As can be seen, the basic format of an acl is: acl <list name> <control type> <control target>. In acl all src 0.0.0.0/0, for example, the name is all, the control type is src (source IP address) and the control target is the IP address 0.0.0.0/0, that is, every user not otherwise defined. For security this list is always denied. The following list represents the advanced users, all computers from 192.168.0.2 to 192.168.0.10:

acl advance src 192.168.0.2-192.168.0.10/32

The baduser list contains only one computer, with IP address 192.168.0.100:

acl baduser src 192.168.0.100/32

Once the ACLs are written, each of them must be managed separately:

http_access deny baduser
http_access allow advance
http_access allow normal

These lines tell Squid not to let the baduser group access the Internet, while the advance and normal groups are allowed (without detailed permissions yet). Because Squid reads the rules in order, baduser is denied first and then normal is allowed. If the order of the two rules were reversed, since baduser lies inside the normal range, Squid would first allow all of normal, and denying baduser afterwards would have no effect. Note also that Squid uses an allow-deny-allow-deny... alternation: when a user accesses the proxy server, Squid tests the rule lists defined in squid.conf in order, and when none of the rules match, Squid applies the opposite of the last rule.
Continuing the example above, suppose a user with IP address 192.168.0.201 tries to access the Internet through this proxy server. What happens? We find that he can access it normally, because Squid has no definition covering 192.168.0.201; the last rule is a deny, so Squid's next processing rule is allow, and 192.168.0.201 is let through instead, which is obviously not what we want. So in every squid.conf the last rule is always http_access deny all, where all is the "src 0.0.0.0/0" list defined above.

As said before, Squid's control functions are very powerful, and as long as you understand how Squid behaves, basically every control requirement can be met. The following shows, step by step, how Squid implements these controls.

Using IP addresses to identify users is very unreliable; better than the IP address is the MAC (physical) address of the network card. To use MAC address identification in Squid you must add the --enable-arp-acl option when compiling; then users can be identified with statements such as:

acl advance arp 00:01:02:1F:2C:3E 00:01:02:3C:1A:8B ...

This uses the user's MAC address, and MAC addresses are generally not easy to change, so even if an ordinary user changes his IP address to an advanced user's, it does him no good. This method is much more reliable than the IP address.

What if you do not want users to visit a website? Two cases can be distinguished. One is that a single host of a site is not allowed while the site's other resources are: for example, the Sinapage host is sinapage4.sina.com.cn and the other Sina resources are allowed, so the acl can be written as:

acl sinapage dstdomain sinapage4.sina.com.cn
...
http_access deny sinapage
...

As can be seen, apart from sinapage4, other hosts such as www.sina.com.cn and news.sina.com.cn can still be accessed normally. The other case is that the entire website is not allowed, in which case you only need to write the domain name shared by the whole site:

acl qq dstdomain .tencent.com.cn

Note the "." in front of tencent: it means every host whose name ends with that domain is inaccessible; without it only the single host tencent.com.cn would be blocked. If you want to forbid access to an IP address, such as 202.108.0.182, use dst to control it:

acl badaddr dst 202.108.0.182

Of course this dst can also be a domain name, which Squid converts to an IP address by querying the DNS server. There is also a fairly broad control based on file type.
If you do not want ordinary users to download MP3, AVI and similar files through the proxy server, you can restrict them:

acl mmxfile urlpath_regex \.mp3$ \.avi$ \.exe$
http_access deny mmxfile

Seeing regex, many readers will understand at once: this statement uses a standard regular expression. It matches every URL request ending in .mp3, .avi or .exe. You can also use the -i parameter to ignore case, as in:

acl mmxfile urlpath_regex -i \.mp3$

With this, both .mp3 and .MP3 are refused. Of course the -i parameter applies anywhere case may matter, such as the domain name control above. If you want ordinary users to go online only during working hours on weekdays, how is that done with Squid? Look at the following acl definition:

acl worktime time MTWHF 8:30-12:00 14:00-18:00
http_access deny !worktime

It first defines the allowed time as fixed morning and afternoon periods on weekdays (Monday to Friday), then uses http_access to declare that every request outside those periods is denied.

Alternatively, to guarantee advanced users' bandwidth, you may want to limit the number of concurrent connections per user so that nobody affects the others. This too can be controlled through Squid:

acl conncount maxconn 3
http_access deny conncount normal
http_access allow normal

An ordinary user can then initiate only three connections at the same time; from the fourth on, the connection is refused. In short, Squid's ACL configuration is very flexible and powerful; more control methods can be found in squid.conf.default.

Username/password authentication makes Squid management more convenient. The most common authentication method is NCSA. Starting with Squid 2.5, NCSA authentication is included in basic, rather than being a separate authentication module as before. Let us look at the specific steps. First, configure must include the options:

--enable-auth="basic" --enable-basic-auth-helpers="ncsa"

After make install, copy helpers/basic_auth/NCSA/ncsa_auth to a directory users can execute from, such as /usr/bin (if the executable is not found in that directory, use make all instead of make, or run make directly inside that directory). Then generate the username/password file with Apache's password management program htpasswd, for example:

htpasswd -c /var/squid/etc/password guest

After entering the password for the guest user, a guest user is generated. To add a user later, run the command again without the -c parameter. Squid 2.5 changed authentication handling considerably; only the 2.5 method is covered here, and for 2.4 and below please refer to squid.conf.default.
In the squid.conf of version 2.5 the related options are:

# This option gives the authentication method (basic), the required program (ncsa_auth) and the corresponding password file (password)
auth_param basic program /usr/bin/ncsa_auth /var/squid/etc/password
# Number of authentication helper processes
auth_param basic children 5
# The realm shown in the browser's username/password dialog
auth_param basic realm My Proxy Caching Domain
# How long a basic authentication remains valid
auth_param basic credentialsttl 2 hours
# Ordinary users must authenticate to access the Internet
acl normal proxy_auth REQUIRED
http_access allow normal

The configuration above completes the authentication work. Some readers may ask: authentication is only for ordinary users, and advanced users go online directly, so how is that handled? In fact, these two kinds of users can coexist.
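To show what the helper named in auth_param basic program actually does, here is an added Python model of a Squid 2.5 basic-auth helper (example code, not ncsa_auth and not from the article). Squid writes one "username password" line to the helper's stdin per login and reads back OK or ERR; newer Squid versions URL-encode the two fields, which is not modelled. The password file is constructed inline in the {SHA} format that htpasswd -s writes; ncsa_auth of that era checked crypt() hashes, so the hash format is an assumption chosen so the example runs portably.

```python
"""Model of the Squid 2.5 basic-auth helper protocol ('user password' in, OK/ERR out)
checked against an htpasswd-style file. Example code, not ncsa_auth."""
import base64
import hashlib
import hmac
import io
import sys


def sha_entry(password):
    """The {SHA} field htpasswd -s produces: base64 of the raw SHA-1 of the password."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


# Constructed password file: two users, as htpasswd -s would have written them.
PASSWORD_FILE = "\n".join([
    f"guest:{sha_entry('guest-secret')}",
    f"alice:{sha_entry('correct horse')}",
])


def load_passwords(text):
    """Map user -> stored hash field, ignoring comments and malformed lines."""
    db = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            user, _, stored = line.partition(":")
            db[user] = stored
    return db


def verify(db, user, password):
    """True only for a known user whose {SHA} entry matches; unknown formats fail closed."""
    stored = db.get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    candidate = sha_entry(password)
    return hmac.compare_digest(stored.encode(), candidate.encode())


def helper_reply(db, line):
    """One protocol exchange: 'user password\\n' in, 'OK' or 'ERR' out."""
    parts = line.rstrip("\n").split(" ", 1)
    if len(parts) != 2:
        return "ERR"          # malformed query: never answer OK by accident
    user, password = parts
    return "OK" if verify(db, user, password) else "ERR"


def run_helper(db, stream_in, stream_out):
    """Serve queries until stdin closes, answering each before reading the next."""
    for line in stream_in:
        stream_out.write(helper_reply(db, line) + "\n")
        stream_out.flush()    # Squid waits for each reply before sending the next query


def run_helper_on_text(db, text):
    """Convenience wrapper: feed several queries at once and return the replies."""
    out = io.StringIO()
    run_helper(db, io.StringIO(text), out)
    return out.getvalue().split()


if __name__ == "__main__":
    run_helper(load_passwords(PASSWORD_FILE), sys.stdin, sys.stdout)
```

Two points carry over to the real ncsa_auth: the helper must fail closed on anything it cannot parse, and the password file must be readable by the helper only, since Basic authentication sends credentials base64-encoded rather than encrypted, so the file is the only secret the proxy holds.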

Please credit the original address when reprinting: https://www.9cbs.com/read-111268.html
