Proxy server Squid configuration and application

xiaoxiao  2021-03-06

Proxy server configuration and application

http://linuxaid.com.cn  Bye2000  This article is copyrighted by LinuxAID and the author.

5.2 User Authentication Settings

By default, Squid itself does not ship with any authentication program, but user authentication can be implemented through an external authentication program. Generally speaking, the following authentication programs are available:

1. LDAP authentication. More information can be found at the following resources:
   http://www.geocities.com/researchtriangle/thinktank/5292/projects/ldap/
   http://home.iae.nl/Users/devet/squid/proxy_auth/contrib/ldap_auth.tar.gz
2. SMB authentication, which implements NT- and Samba-based authentication. For more information, see:
   http://www.hacom.nl/~richard/software/smb_auth.html
3. User authentication based on MySQL:
   http://home.iae.nl/Users/devet/squid/proxy_auth/contrib/mysql_auth.c
4. Password-based user authentication via SOCKS5:
   http://nucleo.freeservers.com/
5. User authentication based on RADIUS:
   http://home.iae.nl/Users/devet/squid/proxy_auth/contrib/auth.pl

In practice, the two most commonly used methods are NCSA authentication and NT/Samba-based user authentication with smb_auth. Let us look at a concrete implementation of each.

5.2.1 NCSA User Authentication

NCSA is one of the authentication programs shipped in the Squid source package. The installation and configuration below use Squid-2.3.stable2 as the example.

1. Download the Squid source package squid-2.3.stable2-src.tar.gz from www.squid-cache.org and put it in the /tmp directory.
2. Unpack it with tar, then build and install:
   % tar xvzf squid-2.3.stable2-src.tar.gz
   % make
   % make install
3. Change to the /tmp/squid-2.3.stable2/auth_modules/NCSA directory and run
   % make
   % make install
   Once the build succeeds, the executable ncsa_auth is generated.
4. Copy the generated executable ncsa_auth to the /usr/bin directory:
   cp ncsa_auth /usr/bin
5. Modify the relevant option in squid.conf as follows:
   authenticate_program /usr/local/squid/bin/ncsa_auth /usr/bin/passwd
6. Define the related user class ACL:
   acl auth_user proxy_auth REQUIRED
   Note that the REQUIRED keyword grants access to every user who authenticates successfully.
7. Set http_access:
   http_access allow auth_user
   Note that if you list several user classes that are allowed access, the class that must be authenticated should be placed first, as shown below:
   Wrong configuration:   http_access allow auth_user all manager
   Correct configuration: http_access allow auth_user manager all
8. Use the htpasswd tool that comes with Apache to generate a password file under /usr/local/squid/etc and add the appropriate user information. In general, the password file holds one user per line, i.e. a user name and a password. Generate the password file passwd with htpasswd and add the user bye:
   htpasswd -c /usr/local/squid/etc/passwd bye
   Then restart Squid; password authentication now takes effect.
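The authenticate_program line above works because ncsa_auth speaks a very simple protocol: Squid writes one "user password" line per request on the helper's stdin and expects "OK" or "ERR" back. The following is an added example (not code from the page or from Squid) of a minimal helper in that style; it assumes the {SHA} hash form that htpasswd -s writes, a constructed password file with user bye, and the plain, un-encoded request line used by Squid 2.x.

```python
import base64
import hashlib
import hmac
import sys

# Constructed sample password file: one "user:hash" line per user, in the
# form htpasswd -s writes. User "bye" has the constructed password "secret".
SAMPLE_PASSWD = "bye:{SHA}%s\n" % base64.b64encode(hashlib.sha1(b"secret").digest()).decode()


def load_passwd(text):
    """Parse htpasswd-style text into {user: hash}, ignoring comments/bad lines."""
    users = {}
    for line in text.splitlines():
        if line.startswith("#") or ":" not in line:
            continue
        user, _, pw_hash = line.partition(":")
        users[user.strip()] = pw_hash.strip()
    return users


def verify(users, user, password):
    """True only if the stored {SHA} hash for user matches password."""
    stored = users.get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    # Constant-time comparison so a wrong guess leaks nothing through timing.
    return hmac.compare_digest(digest, stored[len("{SHA}"):])


def handle_line(users, line):
    """Answer one 'user password' request line the way Squid expects: OK or ERR."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2 or not parts[0]:
        return "ERR"
    return "OK" if verify(users, parts[0], parts[1]) else "ERR"


if __name__ == "__main__":
    # Squid feeds one "user password" line per request on stdin (newer Squid
    # percent-encodes the two fields; the plain form is assumed here) and
    # reads the OK/ERR reply on stdout; flush after every reply or Squid hangs.
    path = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/squid/etc/passwd"
    with open(path) as fh:
        table = load_passwd(fh.read())
    for request in sys.stdin:
        sys.stdout.write(handle_line(table, request) + "\n")
        sys.stdout.flush()
```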

5.2.2 SMB User Authentication

Domestic write-ups only introduce NCSA-based user authentication; I have not seen NT-based user authentication with smb_auth and Samba described, so let us take a look at Squid's NT-based user authentication. The current highest version of smb_auth is smb_auth-0.05, which can be downloaded from http://www.hacom.nl/~richard/software/smb_auth-0.05.tar.gz; the smb_auth home page is http://www.hacom.nl/~richard/software/smb_auth.html. smb_auth is also included in the Squid source package, but only as version 0.02.

1. System requirements: Squid 2.0 or higher, with Samba 2.0.4 or later installed. The Samba service does not need to be running, because smb_auth only uses the Samba client software.
2. Download smb_auth-0.05.tar.gz and copy it to /tmp.
3. tar xvzf smb_auth-0.05.tar.gz
4. Modify the SAMBAPREFIX and INSTALLBIN parameters in the Makefile to suit your system. SAMBAPREFIX is your Samba installation path and INSTALLBIN is the installation path for smb_auth. Here we use SAMBAPREFIX=/usr and INSTALLBIN=/usr/bin.
5. make
6. make install. On success, the executable smb_auth is placed in the path given by INSTALLBIN.
7. Set up the primary domain controller you want to use for authentication as follows: first create a file named "proxy" in the NETLOGON share that contains only the string "allow" (the NETLOGON directory is normally /WinNT/System32/Repl/Import/Scripts); then give every user and group that should be allowed to use Squid read permission on that file.
8. Modify the relevant option in squid.conf as follows:
   authenticate_program /usr/local/squid/bin/smb_auth your_domain_name
9. Define the related user class ACL:
   acl auth_user proxy_auth REQUIRED
   Note that the REQUIRED keyword grants access to every user who authenticates successfully.
10. Set http_access:
   http_access allow auth_user
   Note that if you list several user classes that are allowed access, the class that must be authenticated should be placed first, as shown below:
   Wrong configuration:   http_access allow auth_user all manager
   Correct configuration: http_access allow auth_user manager all
   If everything is correct, restart Squid; password authentication now takes effect.

Notes on how smb_auth is invoked:
1. smb_auth -W your_domain_name: specify your domain name with your_domain_name; smb_auth locates the primary domain controller by broadcast.
2. smb_auth -W your_domain_name -B: if you have several network interfaces, -B specifies the IP address of the interface used for the broadcast.
3. smb_auth -W your_domain_name -U: alternatively, -U gives the IP address of the primary domain controller directly.
4. smb_auth -W your_domain_name -S share: -S specifies a shared directory other than NETLOGON.

5.2.3 squid.conf options related to authentication

1. authenticate_children: sets the number of authentication child processes. The default is 5.

   If you are in a busy network environment, you can increase this value appropriately.
2. authenticate_ttl: sets how long one successful authentication remains valid. The default is 3,600 seconds.
3. proxy_auth_realm: sets the realm name shown to the user at login.

5.3 Transparent Proxy Settings

The transparent proxy concept was covered in the first section; here we look at how to implement a transparent proxy with Squid. Transparent proxying requires Linux 2.0.29 or above (although Linux 2.0.30 does not support this feature), so this is not something we need to worry about. Below we use ipchains together with Squid to implement it. One thing must be said before we begin: only HTTP can be transparently proxied this way. That is not a great concern, because the purpose of using the proxy is Squid's cache, to improve web access speed; giving hosts with internal, non-routable IP addresses access and improving network security can be handled with ipchains.

Implementation: RedHat 6.x, Squid 2.2.x, ipchains.

5.3.1 Linux configuration

Make sure your kernel has been configured with the following:
[*] Network firewalls
[ ] Socket filtering
[*] Unix domain sockets
[*] TCP/IP networking
[ ] IP: multicasting
[ ] IP: advanced router
[ ] IP: kernel level autoconfiguration
[*] IP: firewalling
[ ] IP: firewall packet netlink device
[*] IP: always defragment (required for masquerading)
[*] IP: Transparent proxy support
If not, recompile the kernel. In general these features are enabled by default on RedHat 6.x and later.

5.3.2 Squid configuration

The relevant options in squid.conf are as follows:
http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Description:
1. http_port 3128: in this example we assume Squid listens for HTTP on port 3128, which is Squid's default value. All packets carrying client web requests (i.e. with destination port 80) are then redirected to port 3128.
2. httpd_accel_host virtual and httpd_accel_port 80: these two options were originally used to define Squid's accelerator mode. Here, virtual selects virtual-host mode, and 80 is the request port to accelerate. In this mode Squid disables its cache and ICP functions; if you need them, you must also set the httpd_accel_with_proxy option.
3. httpd_accel_with_proxy on: this option must be on in transparent proxy mode. Squid then acts as both a web request accelerator and a caching proxy server.
4. httpd_accel_uses_host_header on: in transparent proxy mode, the proxy's cache only works correctly with this option on. When set to on, Squid indexes stored objects by host name instead of by IP address. This is especially important when you want to build an array of proxy servers.

5.3.3 ipchains configuration

The role of ipchains here is port redirection.

Please credit the original URL when reposting: https://www.9cbs.com/read-124908.html
