Set up a Squid proxy server


Installing Squid

Squid's RPM package is bundled with RedHat 7.1; if you select it under the Networks option when installing the system, it is installed automatically. You can check whether Squid is already installed on your system with the following command:

    rpm -q squid

The latest version of Squid can be obtained from the Squid home page or one of its mirror sites. Squid can then be installed on the system with the following command:

    rpm -ivh squid-2.3.STABLE4-10.i386.rpm

Configuring Squid

Squid is customized by editing its configuration file squid.conf, which is usually found in the /etc/squid directory. This file is long, but it contains a detailed description of each of its options.

The first thing to modify is http_port, which specifies the port on which Squid listens for client requests; the default value is 3128. To use the proxy function, this port value is combined with the IP address of the machine running Squid. You can modify it as follows:

    http_port 192.168.0.1:8080

The statement above binds Squid to IP address 192.168.0.1, port 8080. The port can be set to any value, but make sure that no other program uses the same port. The ports for other service requests can be configured in the same way.

Access control

Squid's access control features let you control caching and access based on a specific time interval, on access to a specific site or set of sites, and so on. Squid access control has two elements: ACL elements and access lists. An access list allows or denies certain users access to the service.

Some important ACL element types are listed below:

src: source address (i.e. client IP address)
dst: destination address (i.e. server IP address)
srcdomain: source domain name (i.e. client name)
dstdomain: destination domain name (i.e. server name)
time: time of day and day of the week
url_regex: regular expression match on the whole URL
urlpath_regex: regular expression match on the URL path only, skipping the protocol and hostname
proxy_auth: user authentication through an external program
maxconn: maximum number of connections from a single IP address

To use the access control function, you must first define ACL elements and then apply them in access lists. The format of an ACL declaration is as follows:

    acl ACL_ELEMENT_NAME TYPE_OF_ACL_ELEMENT VALUES_TO_ACL

Note:

ACL_ELEMENT_NAME can be any name you define for the ACL. No two ACL elements may share the same name. Each ACL consists of a list of values; when a match is checked, the values are combined with a logical OR, in other words, an ACL element matches if any one of its values matches. Not all ACL elements can be used with all types of access lists. Different ACL elements are written on different lines, and Squid combines them into one list.

Many different access list entries can be used. The ones we will use are listed below:

http_access: allows HTTP access. This is the main access control entry.
no_cache: defines which responses are not cached.

The rules of an access list are built from keywords such as 'allow' and 'deny', which grant or refuse service to a particular ACL element or set of ACL elements.

Note:

Rules are matched in the order in which they are written. As soon as a matching rule is found, matching stops. An access list can consist of multiple rules. If no rule matches the access request, the default action is the opposite of the last rule in the list, which is why the examples below end with an explicit deny rule. All elements in one access entry are combined with a logical AND:

    http_access action statement1 AND statement2 AND statement3 ...

while multiple http_access lines are combined with a logical OR. Remember that the rules in the list are always processed from top to bottom.

Back to configuring Squid: by default Squid does not allow any user access. To allow access, you must define your own rule. Enter the following lines before the http_access deny line in squid.conf:

    acl mynetwork src 192.168.0.1/255.255.255.0
    http_access allow mynetwork

mynetwork is the ACL name, and the next line is a rule for that specific ACL. 192.168.0.1/255.255.255.0 denotes the network with subnet mask 255.255.255.0, so mynetwork stands for the set of machines on that network, and the rule allows those machines to access the HTTP service. With these modifications Squid will work fine on the configured http_port. After the modifications are complete, Squid can be started with the following command:

    service squid start

Note:

Squid can also be started automatically at boot; to enable this, turn Squid on in ntsysv or setup (System Services menu). After any change to the configuration file, the running Squid process must be restarted. You can do this with the following command:

    service squid restart

or

    /etc/rc.d/init.d/squid restart

Configuring the client

Since client requests are sent to a specific port of the proxy server, the clients must be configured accordingly. Before going on to the next step, confirm that the clients that will use the proxy are connected to the LAN and have been assigned valid IP addresses, and that they can ping the Linux server running Squid.

Configuration under Internet Explorer:

Click Tools on the menu bar -> Internet Options, select the Connections tab and click LAN Settings. Select the proxy server option and enter the IP address and port of the proxy server configured above.

Configuration under Netscape Navigator:

Click Edit -> Preferences -> Advanced -> Proxies. Select Manual Proxy Configuration, click View and enter the IP address and port of the proxy server configured above.

Using access controls

Multiple access controls and their rules provide a flexible mechanism for controlling client access. Some examples are given below.

Allow only the machines in a list to access the Internet:

    acl allowed_clients src 192.168.0.10 192.168.0.20 192.168.0.30
    http_access allow allowed_clients
    http_access deny !allowed_clients

This rule allows only the machines with IP addresses 192.168.0.10, 192.168.0.20 and 192.168.0.30 to access the Internet; all other IP addresses are denied.

Limit the access period:

    acl allowed_clients src 192.168.0.1/255.255.255.0
    acl regular_days time MTWHF 10:00-16:00
    http_access allow allowed_clients regular_days
    http_access deny allowed_clients

These rules allow all clients in the subnet 192.168.0.1/255.255.255.0 to access the Internet from Monday to Friday between 10:00 am and 4:00 pm.

Assign different access hours to different clients:

    acl hosts1 src 192.168.0.10
    acl hosts2 src 192.168.0.20
    acl hosts3 src 192.168.0.30
    acl morning time 10:00-13:00
    acl lunch time 13:30-14:30
    acl evening time 15:00-18:00
    http_access allow hosts1 morning
    http_access allow hosts1 evening
    http_access allow hosts2 lunch
    http_access allow hosts3 evening
    http_access deny all

With these rules, host hosts1 can access the Internet during morning and evening, while hosts2 and hosts3 can only access the Internet during lunch and evening respectively. The ACL name used in an http_access line must match the name given in the acl line exactly.

Note: all elements in one access entry are combined with a logical AND (http_access action statement1 AND statement2 ...), while multiple http_access lines are combined with a logical OR. Consider the following:

    http_access allow hosts1 morning evening

Since a request cannot fall within the morning time range and the evening time range at the same time, this expression never evaluates to true, so the entry never causes any action.
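As an added example (not part of the original article), the following Python script models how Squid walks the http_access list described above: the values of one acl are OR'ed, the terms on one http_access line are AND'ed, the first matching line decides, and when nothing matches the result is the opposite of the last line's action. It covers only the src, time and url_regex types used in this article, and the squid.conf fragment inside it is constructed in the style of the examples above.

```python
import ipaddress
import re
from datetime import datetime
# Added example, not Squid's code: a small model of how Squid walks its http_access
# list, for the acl types the article uses (src, time, url_regex).
DAYS = "MTWHFAS"  # Squid day letters in datetime.weekday() order (Mon..Sun)

def parse_config(text):
    acls, rules = {}, []  # acl name -> (type, values); repeated names extend the values
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) > 3 and parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif len(parts) > 2 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acl_type, values, req):
    """An acl matches when any one of its values matches (the values are OR'ed)."""
    if acl_type == "src":  # bare IP or IP/netmask, as written in the article
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "url_regex":  # pattern found anywhere in the URL
        return any(re.search(v, req["url"]) for v in values)
    if acl_type == "time":  # "[days] [hh:mm-hh:mm]"; on one line both parts must hold
        now = datetime.strptime(req["when"], "%Y-%m-%d %H:%M")
        hhmm, day = now.strftime("%H:%M"), DAYS[now.weekday()]
        return all(v.split("-")[0] <= hhmm <= v.split("-")[1] if ":" in v else day in v
                   for v in values)
    raise ValueError("acl type not modelled: " + acl_type)

def http_access(acls, rules, req):
    """First line whose terms all match (AND; '!' negates) decides; otherwise the opposite of the last action."""
    for action, terms in rules:
        if all(acl_matches(*acls[t.lstrip("!")], req) != t.startswith("!") for t in terms):
            return action
    return "allow" if rules and rules[-1][0] == "deny" else "deny"

# Constructed squid.conf fragment in the style of the article's examples.
CONF = """
acl all src 0.0.0.0/0.0.0.0
acl hosts1 src 192.168.0.10
acl morning time MTWHF 10:00-13:00
acl banned_sites url_regex dummy fake
http_access deny banned_sites
http_access allow hosts1 morning
http_access deny all
"""
def decide(src, url, when):
    acls, rules = parse_config(CONF)
    return http_access(acls, rules, {"src": src, "url": url, "when": when})
```

Passing the "allow hosts1 morning evening" line from the note above to parse_config and http_access returns deny for every request, which shows in code why that line never grants access.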

Site blocking

Squid can block specific sites, or sites whose URL contains certain words. This can be done with rules like the following:

    acl allowed_clients src 192.168.0.1/255.255.255.0
    acl banned_sites url_regex abc.com
    http_access deny banned_sites
    http_access allow allowed_clients

Sites whose URL contains a particular word (for example, dummy, fake) can be blocked in the same way:

    acl allowed_clients src 192.168.0.1/255.255.255.0
    acl banned_sites url_regex dummy fake
    http_access deny banned_sites
    http_access allow allowed_clients

In practice there is no need to list every site or word to be blocked on the acl line itself; you can save them in a file, one pattern per line (see the banned.list file in the /etc directory in this example), and the ACL reads the patterns it needs from that file:

    acl allowed_clients src 192.168.0.1/255.255.255.0
    acl banned_sites url_regex "/etc/banned.list"
    http_access deny banned_sites
    http_access allow allowed_clients

Note that url_regex matches its pattern anywhere in the requested URL, so a bare pattern such as abc.com also matches a URL that merely contains that text in its path, and the deny rule must precede the allow rule, as above, because the first matching rule decides.

Optimization

Squid can limit the number of connections from a client by using the maxconn element. To use this option, client_db must first be set to on:

    acl mynetwork src 192.168.0.1/255.255.255.0
    acl numconn maxconn 5
    http_access deny mynetwork numconn

Note: the maxconn ACL uses a less-than comparison: the ACL matches when the number of connections from the client exceeds the set value. This is the main reason why this ACL should not be used in allow rules.

Caching data

For static pages, cached data can be returned immediately to the client that requests it. The output of CGI-BIN programs or servlets need not be cached, and caching of it can be disabled with the no_cache entry:

    acl cache_prevent1 url_regex cgi-bin \?
    acl cache_prevent2 url_regex servlet
    no_cache deny cache_prevent1
    no_cache deny cache_prevent2

(The backslash escapes the question mark, so the first ACL also matches URLs carrying a query string.)

Customizing error messages

The deny_info option lets a deny rule return a custom error message. Squid's default error messages are placed in the /etc/squid/errors directory; this directory can be changed with the error_directory option. You can also customize the existing error messages.

    acl allowed_clients src 192.168.0.1/255.255.255.0
    acl banned_sites url_regex abc.com
    http_access deny banned_sites
    deny_info ERR_BANNED_SITE banned_sites
    http_access allow allowed_clients

In the example above, when a user tries to access a banned site, the custom message is displayed. The file named in the deny_info option must be in the error message directory mentioned above and must be in HTML format.

Only some of the options have been covered above; see the FAQ document on the Squid home page for much more information on the use of ACLs.

Logs

All of Squid's log files are kept in the /var/log/squid directory: the cache log, the access log and the store.log file.

access.log records information about client requests: connection activity, each HTTP and ICP query, the client IP address, the request method, the requested URL and so on. These data can be used to analyze access. Many programs, such as SARG, Calamaris and Squid-Log-Analyzer, can analyze these data and generate an analysis report in HTML format. These reports can be generated per group of users, per group of IP addresses, per set of accessed sites, and so on.
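Added example, not from the article and not one of the tools it names: a small parser for Squid's native access.log format (the default format for the Squid version discussed here), with a summary of bytes per client, hits per site and denied requests per client, the kind of figures SARG or Calamaris report. The log lines embedded in it are constructed, not real traffic.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Added example, not from the article or the tools it names. Squid's native
# access.log line: time elapsed client code/status bytes method URL ident hierarchy/peer type
FIELDS = ("time", "elapsed", "client", "code", "bytes", "method", "url", "user", "hier", "type")

def parse_access_log(lines):
    """Parse native-format lines into dicts; blank or truncated lines are skipped."""
    records = []
    for line in lines:
        f = line.split()
        if len(f) < len(FIELDS):
            continue
        r = dict(zip(FIELDS, f))
        r["result"], _, status = r["code"].partition("/")  # e.g. TCP_DENIED/403
        r["status"], r["bytes"], r["elapsed"] = int(status), int(r["bytes"]), int(r["elapsed"])
        records.append(r)
    return records

def site_of(url):
    """Hostname of an http(s) URL; CONNECT requests log only host:port."""
    return (urlsplit(url).hostname if "://" in url else url.split(":")[0]) or url

def summarize(records):
    """Bytes per client, hits per site, and URLs denied per client (result TCP_DENIED)."""
    bytes_per_client, hits_per_site, denied = Counter(), Counter(), defaultdict(list)
    for r in records:
        bytes_per_client[r["client"]] += r["bytes"]
        hits_per_site[site_of(r["url"])] += 1
        if r["result"] == "TCP_DENIED":
            denied[r["client"]].append(r["url"])
    return bytes_per_client, hits_per_site, dict(denied)

# Constructed sample lines (not real traffic); the ident field carries the
# proxy_auth username when authentication is enabled, "-" otherwise.
SAMPLE = """\
1041234567.123    245 192.168.0.10 TCP_MISS/200 1024 GET http://www.example.test/index.html - DIRECT/203.0.113.5 text/html
1041234568.456     12 192.168.0.10 TCP_HIT/200 512 GET http://www.example.test/logo.gif - NONE/- image/gif
1041234570.001      3 192.168.0.20 TCP_DENIED/403 1300 GET http://dummysite.test/ - NONE/- text/html
1041234571.789    980 192.168.0.30 TCP_MISS/200 20480 CONNECT secure.example.test:443 alice DIRECT/203.0.113.9 -
1041234572.000      2 192.168.0.20 TCP_DENIED/403 1300 GET http://fakenews.test/page - NONE/- text/html
"""
```

A run of denied entries from one client is the first thing to look at when checking whether the banned_sites rules above behave as intended.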

The locations of these log files can also be changed with the following options:

cache_access_log: location of access.log
cache_log: location of cache.log
cache_store_log: location of store.log (the store manager log)
pid_filename: name of the Squid process ID file

Authentication

The default configuration of Squid allows any user access without authentication. Squid provides user authentication through an external program (for example, so that only valid users can access the Internet), which requires a valid username and password. The proxy_auth ACL together with authenticate_program can be used to require a username and password before access is allowed. Some of the authentication programs Squid can use are listed below:

LDAP: uses the Lightweight Directory Access Protocol
NCSA: uses an NCSA-style username and password file
SMB: uses the SMB protocol, as in Samba or Windows NT
MSNT: uses Windows NT authentication
PAM: uses Linux Pluggable Authentication Modules
getpwnam: uses the Linux password file

You must specify the authentication program to use; this is done with the authenticate_program option. Make sure that the chosen program is installed and working properly.

Modify squid.conf to select the authentication program:

    authenticate_program /usr/local/bin/pam_auth
    acl pass proxy_auth REQUIRED
    acl mynetwork src 192.168.0.1/255.255.255.0
    http_access deny !mynetwork
    http_access allow pass
    http_access deny all

The "allow pass" rule means that, using the PAM authentication program, every user must authenticate before being granted access.

Options such as authenticate_ttl and authenticate_ip_ttl can be used to change the behaviour of the authentication program, for example how often a user must re-enter the username and password.
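Added example, not part of the article or of Squid's own helpers: a minimal authenticate_program helper in Python, standing in for pam_auth, to show the protocol behind the configuration above. Squid 2.x writes one "username password" line per request to the helper's stdin and expects OK or ERR on stdout. The credential table and its PBKDF2 hashes are constructed for the example, and the script path in the usage note is an assumption.

```python
import hashlib
import hmac
import sys

# Added example, not from the article or Squid: a basic-auth helper for
# authenticate_program. Squid 2.x sends raw "username password" lines (newer
# releases URL-escape both fields); the helper answers one OK/ERR line each.

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed credential table (username -> (salt, hash)), standing in for the
# store a real helper would consult (PAM, an NCSA file, LDAP, ...).
USERS = {
    "alice": (b"salt-a", _hash("correct horse", b"salt-a")),
    "bob": (b"salt-b", _hash("battery staple", b"salt-b")),
}

def check_line(line, users=USERS):
    """Return 'OK' for a valid 'username password' line, 'ERR' otherwise.
    Passwords may contain spaces, so split only on the first space."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2 or not parts[0]:
        return "ERR"
    user, password = parts
    entry = users.get(user)
    if entry is None:
        _hash(password, b"dummy-salt")  # unknown user costs as much as a bad password
        return "ERR"
    salt, expected = entry
    return "OK" if hmac.compare_digest(_hash(password, salt), expected) else "ERR"

def main():
    # Squid keeps the helper running and expects exactly one reply line per
    # request, so flush after every answer.
    for line in sys.stdin:
        sys.stdout.write(check_line(line) + "\n")
        sys.stdout.flush()

if __name__ == "__main__":
    main()
```

To try it, point authenticate_program at the script (for example authenticate_program /usr/local/bin/my_auth.py, a hypothetical path) and keep the acl pass and http_access lines above unchanged.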

References

This article only scratches the surface of Squid; more information can be found at the following sites:

Squid home page: www.squid-cache.org
Squid documentation project: squid-docs.sourceforge.net
visolve.com
Proxy authentication: home.iae.nl/users/devet/squid/proxy_auth

(Reposted from www.linuxfocus.org, author: D.S. Oberoi, translation: Free Neil)
