Efficient Configuration of a Linux Proxy Server - Squid
2001-05-21 12:43
Publisher: Crystal
As a free network operating system, Linux is becoming more and more popular with network enthusiasts. A considerable share of the hosts on the Internet run Linux, and China has designated Linux as a network operating system for government use. All signs show that Linux is maturing. To ease the conflict between the growth of the Internet and the scarcity of IP addresses, proxy servers are being used more and more widely. Squid is one of the better proxy server packages available for Linux.
Proxy service
A proxy service runs on a machine that has a standard (public) IP address and is connected to other hosts on the Internet; that machine provides the proxy service. When a host with an internal address wants to connect to the Internet, it sends its request to the proxy server, which forwards the request from its own public address to the requested destination. The destination server sends its reply back to the proxy server, and the proxy relays it to the internal host. The machines with internal addresses form an internal network; the proxy server's role is to connect that network to the Internet and so solve the problem of internal hosts reaching the Internet. The proxy is one-directional: hosts on the Internet cannot open connections to any machine with an internal address, which shields the internal hosts and their data from inbound traffic.
One advantage of proxy software is that it can check far more than a packet filter can. A packet-filtering firewall decides on the basis of the packet header alone (the IP part of the packet); Squid also inspects the payload, the application data carried in the TCP (or UDP) segment. From the header and the payload, a proxy firewall can determine where a packet is going and what the request is asking for, and decide what action to take accordingly.
For web users, Squid is a high-performance caching proxy server that speeds up the intranet's browsing of the Internet and improves the clients' cache hit rate. Squid supports not only HTTP but also FTP, Gopher, SSL and WAIS. Unlike most proxy cache software, Squid handles all client requests in a single, non-blocking, I/O-driven process.
Squid keeps object metadata in memory and caches the results of DNS lookups. It also supports non-blocking DNS lookups and negative caching of failed requests. Squid supports SSL and access control. Using ICP (the Internet Cache Protocol), Squid can be arranged in hierarchies or arrays of cooperating caches to make the best use of bandwidth.
Squid consists of the main server program squid, the DNS lookup program dnsserver, a number of optional request-rewriting and authentication programs, and several management tools. When squid starts it spawns a configurable number of dnsserver processes, each of which performs lookups independently, which greatly reduces the time the server spends waiting for DNS replies.
Another strength of Squid is its access control lists (ACLs) and access rules (such as http_access). By blocking specific network connections they reduce the potential for unauthorized Internet connections; you can use them to make sure intranet hosts cannot reach threatening or inappropriate sites.
Compiling and installing Squid
Squid comes in two forms: the RPM package used by Red Hat, and the source package.
Installing the RPM package:
1. Change to /mnt/cdrom/RedHat/RPMS.
2. Run rpm -ivh squid-2.2.stable4-8.i386.rpm.
Installing from source:
1. Download squid-2.2.stable4-src.tar.gz from http://www.squid-cache.org, and verify its checksum or signature against the values the project publishes before unpacking it.
2. Copy the file to the /usr/local directory.
3. Unpack it with tar xvzf squid-2.2.stable4-src.tar.gz, which creates a new directory squid-2.2.stable4 under /usr/local, and rename that directory with mv squid-2.2.stable4 squid.
4. Change into the squid directory.
5. Run ./configure; use ./configure --prefix=/directory/you/want to choose an installation directory. The default installation directory is /usr/local/squid.
6. Run make all.
7. Run make install.
8. After installation the squid executable is in the bin subdirectory of the installation directory, and the configuration file is in the etc subdirectory.
Configuring Squid
The configuration file squid.conf
Squid has a single main configuration file, squid.conf, located in /etc/squid for the RPM package (or in the etc subdirectory of the installation directory for a source build); users only need to edit this one file.
The squid.conf configuration file is divided into 13 sections:
1. Network Options
2. Options Which Affect the Neighbor Selection Algorithm
3. Options Which Affect the Cache Size
4. Logfile Pathnames and Cache Directories
5. Options for External Support Programs
6. Options for Tuning the Cache
7. Timeouts
8. Access Controls
9. Administrative Parameters
10. Options for the Cache Registration Service
11. HTTPD-Accelerator Options
12. Miscellaneous
13. Delay Pool Parameters
Although Squid's configuration file is very long, users only need to modify the options relevant to their own situation, not all of them. Several common options are described below.
1. http_port
Defines the port on which Squid listens for HTTP client connections. The default is 3128; in httpd acceleration mode, 80 is used. Several ports may be specified, but all of them must be on a single line.
2. cache_mem
Specifies the ideal amount of memory Squid should use for in-transit and frequently requested objects; a common recommendation is about one third of physical memory. Note that this is not a limit on the process's total memory use: the in-memory index of the disk cache comes on top of it.
3. cache_dir directory-name Mbytes Level1 Level2
Specifies the size of the disk swap space in which Squid stores objects, and its directory structure. You can estimate the number of subdirectories required with the following formula.
Known:
DS = available swap space (in KB)
OS = average object size = 20 KB
NO = number of objects stored per second-level subdirectory = 256
Unknown:
L1 = number of first-level subdirectories
L2 = number of second-level subdirectories under each first-level directory
Formula:
L1 x L2 = DS / OS / NO
This is one equation in two unknowns, so it has many solutions. For the 100 MB cache_dir in the example below, DS = 102400 KB and L1 x L2 = 102400 / 20 / 256 = 20, so the conventional 16 256 creates far more directories than that space can ever fill.
4. maximum_object_size
Objects larger than this value are not stored. To maximise access speed, lower this value; to save as much bandwidth as possible and reduce costs, raise it.
5. dns_nameservers
Defines the DNS servers Squid uses to resolve host names.
6. acl
Defines an access control list. Syntax:
acl aclname acltype string ...
acl aclname acltype "file" ...
7. http_access
Allows or denies a class of client access according to the access control lists; the rules are checked in order and the first matching line wins.
Running Squid
After editing and saving squid.conf you can start, stop and restart Squid with:
/etc/rc.d/init.d/squid start
/etc/rc.d/init.d/squid stop
/etc/rc.d/init.d/squid restart
Before the first start, create the cache directories with squid -z if they do not exist yet. You can check with ps that the Squid service started normally:
ps -A | grep squid
If output like the following appears (the parent squid process and the child that serves requests):
6573 ?        00:00:00 squid
6574 ?        00:00:00 squid
then Squid has started normally.
Client configuration
Give the client an internal address, point its DNS server setting at the DNS service on the proxy server, and make sure there is a route between the internal addresses and the proxy's standard address. Then set the proxy server address in the browser to the Squid proxy, and the client can use it.
An example
Suppose the environment is as follows: a dial-up server on the network provides dial-up access for users and also runs Squid as a proxy server; its IP address is 192.168.2.32. Dial-up users receive an internal IP address in the range 192.168.2.1-192.168.2.30.
1. Configure squid.conf
http_port 80
cache_mem 32 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
cache_dir /var/spool/squid 100 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
cache_dns_program /usr/lib/squid/dnsserver
dns_nameservers 192.168.2.32
unlinkd_program /usr/lib/squid/unlinkd
acl all src 0.0.0.0/0.0.0.0
acl allow_ip src 192.168.2.1/255.255.255.0
acl manager proto cache_object
acl localhost src 192.168.2.32/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow allow_ip
cache_effective_user squid
cache_effective_group squid
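The http_access rules above are evaluated top to bottom: every ACL named on a line must match (a leading ! negates one), the first matching line decides, and a request that matches no line gets the opposite of the last line's action. The Python script below is an added example, not part of the original article and not Squid's own code: it re-implements that evaluation for the four ACL types used in this configuration (src, port, proto, method) and runs a few constructed requests through the example ACLs. The request fields (src, port, method, proto) and the sample client addresses are assumptions made for the demonstration.

```python
"""Evaluate Squid-style http_access rules against sample requests.

Added example (not Squid's own code): a small re-implementation of the
first-match semantics of http_access, using the ACL definitions from the
example squid.conf. Only the ACL types used there (src, port, proto,
method) are supported; the request fields are an assumption of this demo.
"""
import ipaddress

# The access-control part of the example configuration, reproduced here so
# that the script runs stand-alone.
EXAMPLE_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl allow_ip src 192.168.2.1/255.255.255.0
acl manager proto cache_object
acl localhost src 192.168.2.32/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow allow_ip
"""


def parse_config(text):
    """Return ({acl_name: (type, [values])}, [(action, [terms])]) from squid.conf text."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4:
            name, acl_type, values = parts[1], parts[2], parts[3:]
            # Repeating an 'acl' line with the same name appends to it, as in Squid.
            acls.setdefault(name, (acl_type, []))[1].extend(values)
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1], parts[2:]))
    return acls, rules


def _port_matches(port, spec):
    """Port specs are either a single port ('443') or a range ('1025-65535')."""
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def acl_matches(acls, name, request):
    """Does ACL `name` match `request`? request keys: src, port, method, proto."""
    acl_type, values = acls[name]
    if acl_type == "src":
        src = ipaddress.ip_address(request["src"])
        # ip_network accepts both prefix-length and dotted-netmask notation.
        return any(src in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "port":
        return any(_port_matches(request["port"], v) for v in values)
    if acl_type == "method":
        return request["method"].upper() in {v.upper() for v in values}
    if acl_type == "proto":
        return request["proto"].lower() in {v.lower() for v in values}
    raise ValueError(f"ACL type {acl_type!r} is not supported by this demo")


def http_access(acls, rules, request):
    """First-match evaluation: all terms on a line must match ('!' negates a term).

    If no line matches, Squid applies the opposite of the last line's action,
    which is why configurations normally end with an explicit 'http_access deny all'.
    """
    for action, terms in rules:
        line_matches = True
        for term in terms:
            negate = term.startswith("!")
            if acl_matches(acls, term.lstrip("!"), request) == negate:
                line_matches = False
                break
        if line_matches:
            return action
    last_action = rules[-1][0] if rules else "deny"
    return "deny" if last_action == "allow" else "allow"


def decide(request, conf=EXAMPLE_CONF):
    """Convenience wrapper: parse the config and evaluate one request."""
    acls, rules = parse_config(conf)
    return http_access(acls, rules, request)


if __name__ == "__main__":
    # Constructed sample requests (not real traffic).
    samples = [
        {"src": "192.168.2.5", "port": 80, "method": "GET", "proto": "http"},
        {"src": "192.168.2.5", "port": 22, "method": "GET", "proto": "http"},
        {"src": "192.168.2.5", "port": 8080, "method": "CONNECT", "proto": "http"},
        {"src": "192.168.2.5", "port": 443, "method": "CONNECT", "proto": "http"},
        {"src": "10.0.0.7", "port": 80, "method": "GET", "proto": "http"},
        {"src": "192.168.2.5", "port": 3128, "method": "GET", "proto": "cache_object"},
    ]
    for req in samples:
        print(f"{req['src']:>13} {req['method']:<7} port {req['port']:<5} "
              f"{req['proto']:<12} -> {decide(req)}")
```

Two things the run makes visible: acl all is defined but never referenced, so the policy relies on the implicit default after the final allow line; adding http_access deny all as the last rule makes the deny explicit. And allow_ip uses a 255.255.255.0 mask, so it admits the whole of 192.168.2.0/24, not only the dial-up range 192.168.2.1-192.168.2.30.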
The following two options define Squid's httpd-accelerator mode. virtual selects virtual-host mode, and 80 is the port of the web server being accelerated. In this mode Squid stops acting as a normal caching proxy and disables ICP; if you need those features, you must also set httpd_accel_with_proxy on.
httpd_accel_host virtual
httpd_accel_port 80
The following two options must both be on for transparent proxy mode, in which Squid acts as both a web accelerator and a caching proxy server. Note that with httpd_accel_uses_host_header on Squid rebuilds the request URL from the client's Host header without verifying it, so a malicious client can make Squid fetch and cache content under an arbitrary host name; use this only on a trusted internal network.
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
For a transparent proxy you must also enable IP forwarding in the kernel and masquerade the internal network with ipchains:
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/ipchains -A input -j ACCEPT -i lo
/sbin/ipchains -A forward -s 192.168.2.1/24 -d 0/0 -j MASQ
These rules only masquerade outbound traffic; for Squid to intercept web requests, an ipchains REDIRECT rule that sends the internal network's port-80 traffic to Squid's listening port on this host is needed as well.
2. User authentication settings
By default Squid itself has no authentication program, but user authentication can be implemented with external authentication programs, including LDAP authentication, SMB authentication, MySQL-based authentication, SOCKS5 password authentication and RADIUS-based authentication. The most common is NCSA authentication; the NCSA authenticator is one of the programs included in the Squid source package, and it is set up as follows:
* Change to the /usr/local/squid/auth_modules/ncsa directory and run:
make
make install
* When this completes successfully, the executable ncsa_auth has been built and installed in the /usr/bin directory.
* Modify the relevant options in squid.conf. The authenticate_program line is a single line: the path to ncsa_auth followed by the path to the password file (adjust the first path to wherever make install placed the binary):
acl auth_user proxy_auth REQUIRED
http_access allow auth_user
authenticate_program /usr/local/squid/bin/ncsa_auth /usr/local/squid/etc/passwd
Because http_access rules are evaluated in order and the first match wins, the allow auth_user line must come before the allow allow_ip line from step 1; otherwise clients in 192.168.2.0/24 are admitted by source address alone and are never asked for credentials.
* Use the htpasswd tool from Apache to create a password file under /usr/local/squid/etc and add the appropriate users. Each line of the file holds one user, in the form user:password-hash. For example, to create the file passwd and add the user me: htpasswd -c /usr/local/squid/etc/passwd me
(-c creates the file, overwriting any existing one; leave it out when adding further users. Make the file readable only by the user Squid runs as.)
* Restart Squid, and password authentication takes effect.
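The protocol between Squid and an NCSA-style authenticator is simple: for every credential check Squid writes one "user password" line to the helper's stdin and reads back OK or ERR. The Python program below is an added example, not the ncsa_auth shipped with Squid: it implements that protocol against an htpasswd-format file, verifying entries written with htpasswd -s ({SHA}base64(sha1)) and, on Python versions that still have the crypt module, traditional crypt(3) entries (the form the original ncsa_auth checked). The sample password file, the user names and the passwords are constructed for the demonstration, and the helper assumes the unencoded "user password" line format (newer Squid versions URL-encode both fields).

```python
"""An NCSA-style Basic-auth helper for Squid (added example, not Squid's ncsa_auth).

Squid writes "user password" lines to stdin; the helper answers OK or ERR per line.
Password file: htpasswd format. Verified forms: {SHA} (htpasswd -s) and, if the
crypt module is available, traditional crypt(3) entries. Apache's $apr1$ MD5
entries are not handled here and simply fail to verify.
"""
import base64
import hashlib
import hmac
import sys

try:
    import crypt  # traditional crypt(3) entries; the module was removed in Python 3.13
except ImportError:
    crypt = None


def sha_entry(user, password):
    """Build a line in the form `htpasswd -s` writes: user:{SHA}base64(sha1(password))."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"


def load_passwd(text):
    """Parse htpasswd text into {user: stored_hash}; blank lines and '#' comments are ignored."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        users[user] = stored
    return users


def verify(stored, password):
    """Check a cleartext password against one stored htpasswd hash (constant-time compare)."""
    if stored.startswith("{SHA}"):
        expected = stored[len("{SHA}"):]
        actual = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
        return hmac.compare_digest(actual, expected)
    if crypt is not None:
        # crypt(3) uses the stored hash as the salt, so re-hashing must reproduce it exactly.
        return hmac.compare_digest(crypt.crypt(password, stored), stored)
    return False


def authenticate(users, user, password):
    return user in users and verify(users[user], password)


def handle_line(users, line):
    """One round of the helper protocol: 'user password' in, 'OK' or 'ERR' out."""
    parts = line.rstrip("\n").split(" ", 1)
    if len(parts) != 2:
        return "ERR"
    return "OK" if authenticate(users, parts[0], parts[1]) else "ERR"


# Constructed password file for the demonstration; "me" has the password "secret"
# (sha_entry("me", "secret") is "me:{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=").
SAMPLE_PASSWD = "\n".join([
    "# users allowed through the proxy",
    sha_entry("me", "secret"),
    sha_entry("alice", "correct horse"),
]) + "\n"


def main():
    """Run as a Squid auth helper: read 'user password' lines on stdin, answer each one."""
    path = sys.argv[1] if len(sys.argv) > 1 else None  # password file path, hypothetical
    with open(path) if path else None as fh:
        users = load_passwd(fh.read()) if fh else load_passwd(SAMPLE_PASSWD)
    for line in sys.stdin:
        sys.stdout.write(handle_line(users, line) + "\n")
        sys.stdout.flush()  # Squid blocks waiting for each reply, so output must not be buffered


if __name__ == "__main__":
    main()
```

The flow this makes visible is the security trade-off of Basic authentication: the browser sends the user name and password base64-encoded in a Proxy-Authorization header on every request, and Squid hands them to the helper in clear text, so this scheme stops unauthorised hosts from using the proxy but does nothing against anyone who can sniff the internal network.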
3. Client settings
In the browser's proxy options on the client, set the proxy server's IP address to 192.168.2.32 and the HTTP port to 80. For a transparent proxy the client need not specify a proxy in the browser at all; instead set its default gateway to 192.168.2.32 and configure its DNS server.
The hosts on the internal network can now reach the Internet through the proxy.
Conclusion
Squid is simple and flexible: it is easy to configure and supports caching and a variety of protocols. Combined with ipchains, Squid provides seamless, high-performance cached access to the Internet. Finally, Squid is not limited to Linux; it also runs on AIX, Digital UNIX, FreeBSD, HP-UX, IRIX, NetBSD, NEXTSTEP, SCO and Solaris, among others.
Source: Computer World