Server: IP 192.168.88.39, DNS server 218.106.182.69, operating system Red Hat 9 (RH9), kernel 2.4.20-8.
The Apache web server was running during the tests.
Access control is only one of Squid's features, and the other functions cannot be compiled out. In this test the cache function is disabled by configuration.
Squid manages its rules with Access Control Lists (ACLs), which consist of ACL elements and access lists.
ACL elements include src, dst, myip, srcdomain, dstdomain and others (see Annex 1); they are the ACL types defined by Squid. An ACL definition binds an aclname to a type and its values, in one of the following two forms:
acl aclname acltype string1 ...
acl aclname acltype "file"
Here aclname is the name of the list, which the user may choose freely; acltype is one of the ACL element types; the values are either given inline as strings or read from an external file. Squid does not allow the same aclname to be reused with a different acltype.
An access list is a list of rules, for example http_access. If a rule names several ACLs, they are ANDed: the rule matches only when every ACL in it matches the request. Rules in the same access list are tried from top to bottom and the first matching rule decides, so the relationship between rules is an OR. Schematically:
http_access allow|deny acl AND acl AND ...
or
http_access allow|deny acl AND acl AND ...
or
...
When no rule matches the request, Squid applies the opposite of the action of the last rule in the list, which is easy to get wrong. It is therefore recommended to end the list with an explicit default rule:
acl all src 0.0.0.0/0.0.0.0
http_access deny all
1. Download Squid from http://www.squid-cache.org/Versions/v2/2.5/, then configure (specify the installation path and other parameters), make, make install.
2. After a successful installation the installation directory should contain: bin, etc, libexec, man, sbin, share, var.
sbin holds the executable, share holds auxiliary data such as error page text, var holds the logs (and cache), and etc holds the configuration file. All of the test cases below are implemented with the corresponding rules in squid.conf under etc.
3. Basic rule settings (squid.conf):
# defaults
acl all src 0.0.0.0/0.0.0.0
http_access deny all
These two lines make sure that when a request matches none of the user-defined rules, http_access deny all applies and the request is rejected.
4. Log in as root and run ./squid -z.
Since the cache is not used in this test, the configuration contains cache_dir null /tmp and Squid was compiled with --enable-storeio=ufs,null.
5. Web filtering tests
Test case A:
Rule description:
1) Allow the HTTP and FTP protocols
2) Allow connections to ports 80 and 21
3) Allow client IPs in the 192.168.88.0/24 segment
4) Block client IPs in the 192.168.89.0/24 segment
Add the following rules to squid.conf (before the default deny all rule, since the first matching rule wins), then restart Squid:
#acl manager proto HTTP FTP
acl allowedip src 192.168.88.0/24
acl Safe_ports port 80 21 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access allow allowedip
No explicit rule is needed for 192.168.89.0/24: requests from that segment match nothing and fall through to the default deny all.
Now set the client IP to 192.168.88.30.
Entering http://192.168.88.31 in IE brings up the Apache default page, and FTP connects normally.
If the client IP is changed to 192.168.89.30, both the HTTP and FTP requests fail.
Conclusion:
The http_access allow allowedip and http_access deny all rules take effect.
Client IP addresses (segments) can be filtered with Squid.
Test case B:
Change the rule acl Safe_ports port 80 21 443 to acl Safe_ports port 80 443.
With the client IP still 192.168.88.30, the HTTP request succeeds and the FTP request fails (port 21 is no longer a safe port, so http_access deny !Safe_ports matches first).
Conclusion: port-based access control can be performed with Squid.
Test case C:
Add the following rules to squid.conf:
acl badip dst "/usr/local/squid/etc/somebadip"
http_access deny badip
The destination addresses listed in the file /usr/local/squid/etc/somebadip are blocked. The deny rule must appear before http_access allow allowedip; otherwise the allow rule matches first for clients in the 88 segment and the block list has no effect.
Note: in this example the file holds the IP addresses of some sites. To block by domain name, use dstdomain instead of dst in the rule.
Conclusion: destination address filtering can be done with Squid.
The above is a simple test of Squid's source address filtering, destination address filtering and port filtering.
In practice more complex policies can be built, for example by extending test case A with
acl allowedusers proxy_auth REQUIRED
http_access allow allowedusers
placed after http_access allow allowedip and before http_access deny all: clients in the 88 segment pass directly, and all other users must authenticate (this requires an authentication scheme to be configured with auth_param).
Conclusion: with different logical combinations of rules, Squid can meet the requirements of web filtering.
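The following is an added example, not part of the original notes and not Squid's own code: a small Python model of the http_access semantics described above (ACL elements ANDed within a rule, first matching rule wins, implicit default when nothing matches), replaying test cases A, B and C and the proxy_auth extension against constructed requests. It goes one step beyond the text by also showing what happens when the list has no catch-all rule. The contents of the somebadip file, the address 198.51.100.7, the client 10.0.0.5 and the user name are made up for the example.

```python
"""Teaching model of Squid's acl / http_access evaluation (added example, not
Squid's parser).  Constructed data: the somebadip file contents, 198.51.100.7,
client 10.0.0.5 and user 'alice' are assumptions, not from the original notes."""
import ipaddress


def parse_config(text, files=None):
    """Collect acl definitions and http_access rules from squid.conf-style text.
    files maps a quoted file path to its contents (one value per line)."""
    files = files or {}
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, acltype, args = parts[1], parts[2].lower(), parts[3:]
            if name in acls and acls[name][0] != acltype:
                raise ValueError(f"acl {name} reused with a different type")
            if len(args) == 1 and args[0].startswith('"'):
                args = files[args[0].strip('"')].split()  # acl name type "file"
            acls.setdefault(name, (acltype, []))[1].extend(args)
        elif parts[0] == "http_access":
            rules.append((parts[1].lower(), parts[2:]))
    return acls, rules


def element_matches(acltype, values, req):
    """Match one ACL element (src/dst/port/proto/method/proxy_auth) against a request."""
    if acltype in ("src", "dst"):
        addr = ipaddress.ip_address(req[acltype])
        nets = (ipaddress.ip_network(v if "/" in v else v + "/32", strict=False) for v in values)
        return any(addr in net for net in nets)
    if acltype == "port":
        return req["port"] in {int(v) for v in values}
    if acltype in ("proto", "method"):
        return req[acltype].upper() in {v.upper() for v in values}
    if acltype == "proxy_auth":
        # REQUIRED: any authenticated user.  Real Squid answers an unauthenticated
        # request with a 407 challenge; this model simply treats it as no match.
        return bool(req.get("user"))
    raise ValueError(f"unsupported acl type {acltype}")


def http_access(acls, rules, req):
    """Return 'allow' or 'deny'.  Every element of a rule must match (a leading
    '!' negates one element); rules are tried top-down and the first match wins.
    With no match Squid applies the opposite of the last rule's action, which is
    why the notes end every list with an explicit 'http_access deny all'."""
    for action, names in rules:
        if all(element_matches(*acls[n.lstrip("!")], req) != n.startswith("!") for n in names):
            return action
    if not rules:
        return "allow"  # documented Squid behaviour when there are no access lines at all
    return "deny" if rules[-1][0] == "allow" else "allow"


def decide(config, src, dst, port, proto, method="GET", user=None, files=None):
    acls, rules = parse_config(config, files)
    req = {"src": src, "dst": dst, "port": port, "proto": proto, "method": method, "user": user}
    return http_access(acls, rules, req)


# Test case A from the notes, with the defaults last so they fire only when nothing else matched.
CASE_A = """
acl all src 0.0.0.0/0.0.0.0
acl allowedip src 192.168.88.0/24
acl Safe_ports port 80 21 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access allow allowedip
http_access deny all
"""
CASE_B = CASE_A.replace("port 80 21 443", "port 80 443")
# Test case C: destination list read from a file (constructed contents); deny placed before the allow.
BADIP_FILE = {"/usr/local/squid/etc/somebadip": "198.51.100.7\n"}
BADIP_ACL = 'acl badip dst "/usr/local/squid/etc/somebadip"\n'
CASE_C = CASE_A.replace("http_access deny !Safe_ports",
                        BADIP_ACL + "http_access deny !Safe_ports\nhttp_access deny badip")
# Same rules but with the deny after 'allow allowedip': the block list never fires for 88.x clients.
CASE_C_MISORDERED = CASE_A.replace("http_access deny all",
                                   BADIP_ACL + "http_access deny badip\nhttp_access deny all")
# The proxy_auth extension from the summary: 88.x passes, everyone else must authenticate.
CASE_AUTH = CASE_A.replace("http_access deny all",
                           "acl allowedusers proxy_auth REQUIRED\n"
                           "http_access allow allowedusers\nhttp_access deny all")
# No catch-all: the implicit default is the opposite of the last rule ('deny'), i.e. allow.
NO_CATCHALL = """
acl Safe_ports port 80 21 443
http_access deny !Safe_ports
"""

if __name__ == "__main__":
    print(decide(CASE_A, "192.168.88.30", "192.168.88.31", 80, "HTTP"))  # allow
    print(decide(CASE_A, "192.168.89.30", "192.168.88.31", 80, "HTTP"))  # deny
    print(decide(CASE_B, "192.168.88.30", "192.168.88.31", 21, "FTP"))  # deny
    print(decide(CASE_C, "192.168.88.30", "198.51.100.7", 80, "HTTP", files=BADIP_FILE))  # deny
    print(decide(CASE_C_MISORDERED, "192.168.88.30", "198.51.100.7", 80, "HTTP", files=BADIP_FILE))  # allow
    print(decide(NO_CATCHALL, "192.168.89.30", "192.168.88.31", 80, "HTTP"))  # allow: open proxy
```

The last two calls are the ones worth remembering: a correctly written deny rule placed after the allow it should override does nothing, and a list without an explicit catch-all turns the proxy open to any client on a safe port.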
Notes:
1. Squid checks DNS at startup, so make sure the DNS settings are correct.
2. Before running Squid for the first time, run squid -z to create the cache directories. Even with the null store used in this example, the cache path must exist. (Squid chdirs into that path after starting; if coredump_dir is set, the cache_dir path may not have to exist, but this was not tried.)
3. If Squid will not start, it is usually because of wrong permissions (especially when running as a non-root user); check the permissions of paths such as .../squid/var/logs and .../squid/var/cache, and look at syslog and cache.log.
4. Make sure the syntax and logic of the rules are valid (squid -k parse checks the configuration file syntax).
5. Running in the foreground: squid -NCd1