Basic configurations of squid Proxy Server (2)

Source: Internet
Author: User
Tags: squid proxy

Squid transparent proxy

A transparent proxy combines NAT with proxying. It is called transparent because users do not notice the proxy at all: no browser or client tool (download managers included) needs proxy settings; the client only sets its default gateway to the IP address of the Linux server. When the client's request packets are forwarded through the Linux server, iptables on that server redirects the client's HTTP requests to the Squid proxy. Squid fetches the external resource on the client's behalf and returns the data to the client.

The squid package on the Red Hat Enterprise Linux 5 system CD ships with a configuration that ends in "http_access deny all", so after installation every client request is refused. Changing that line in /etc/squid/squid.conf to "http_access allow all" lets LAN users behind the Squid proxy reach the Internet, but it also makes the box an open proxy for anything that can reach port 3128; the safer form is an acl for the LAN subnet (acl lan src 192.168.2.0/24) followed by "http_access allow lan" and, last, "http_access deny all". For basic configurations of squid, refer to my blog on squid service installation and basic configurations.

First, install the DHCP service so that LAN users receive their IP addresses, and the Linux server as their default gateway, automatically.

[Figure: network topology]

After modifying the service configuration file, restart the service: service dhcpd restart
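The dhcpd configuration the screenshots showed is not reproduced here, so the following is an added example of /etc/dhcpd.conf for this topology, not the original post's file. It assumes the Linux proxy host sits on the LAN as 192.168.2.1 (the page does not give its address) and that 203.0.113.53 stands in for the upstream resolver the LAN reaches through NAT; both values are assumptions.

```conf
# Added example (assumed values marked): dhcpd.conf for the 192.168.2.0/24 LAN
# behind the Squid transparent proxy host. dhcp-3.x on RHEL 5 requires the
# ddns-update-style line to be present.
ddns-update-style none;

subnet 192.168.2.0 netmask 255.255.255.0 {
    range 192.168.2.100 192.168.2.200;

    # The proxy host is the default gateway: every client packet crosses it,
    # which is what lets iptables intercept port 80 later. 192.168.2.1 is assumed.
    option routers 192.168.2.1;

    # DNS is not proxied by Squid; clients query an upstream resolver directly
    # and the query is SNATed out by iptables. 203.0.113.53 is a placeholder.
    option domain-name-servers 203.0.113.53;

    default-lease-time 600;
    max-lease-time 7200;
}
```

After service dhcpd restart, a client that renews its lease should appear in /var/lib/dhcpd/dhcpd.leases with 192.168.2.1 as its gateway.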

650) this. width = 650; "src =" http://www.bkjia.com/uploads/allimg/131228/0531594362-3.jpg "title =" 3.jpg" alt = "220046750.jpg"/>

Install Squid


Squid proxies HTTP (and FTP and similar requests carried over HTTP); it cannot proxy DNS, which clients send as UDP queries on port 53. Therefore, so that LAN users still get normal name resolution, the Linux server uses iptables SNAT (MASQUERADE on a dynamic address) to forward DNS, and any other non-HTTP traffic, out of its Internet-facing interface.


iptables -t nat -A PREROUTING -s 192.168.2.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128

Here -t nat selects the nat table and -A PREROUTING appends the rule to its PREROUTING chain. Every TCP packet from the 192.168.2.0/24 block whose destination port is 80 is redirected to local port 3128, so when a LAN user's HTTP request arrives at the Linux server its destination becomes the Squid port. For this to work Squid must listen in transparent mode on that port ("http_port 3128 transparent" in the Squid 2.6 shipped with RHEL 5; Squid 3.1 and later spell it "intercept"), and the rule must be saved with service iptables save or it is lost on reboot.


Test whether the transparent proxy works: from a client with no proxy configured in its browser, open a website. On the server the request should appear in /var/log/squid/access.log, and the packet counter on the REDIRECT rule in iptables -t nat -L PREROUTING -n -v should increase.

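The iptables commands the screenshots carried are not on the page, so the following is an added example, not the original post's script, that assembles the full rule set the text describes: forwarding, the port-80 REDIRECT into Squid, and the SNAT that carries DNS and other non-HTTP traffic. It assumes the LAN arrives on eth1, the Internet is reached via eth0, and Squid listens on 3128 with "http_port 3128 transparent"; the interface names are assumptions, and the -i restriction on the REDIRECT rule is an addition that keeps packets arriving on the Internet side from being steered into the proxy.

```shell
#!/bin/sh
# Added example (not from the original post): iptables rules for a Squid
# transparent-proxy host. Assumed: LAN 192.168.2.0/24 on eth1, Internet on eth0,
# Squid on 3128. Override any of these through the environment.
LAN_NET="${LAN_NET:-192.168.2.0/24}"
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
SQUID_PORT="${SQUID_PORT:-3128}"

# The article's rule: LAN HTTP (tcp/80) is rewritten to Squid's port on this
# host before routing. -i limits it to the LAN side (an added tightening).
redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp --dport 80 -j REDIRECT --to-port %s\n' \
        "$LAN_IF" "$LAN_NET" "$SQUID_PORT"
}

# Squid handles only HTTP here. DNS (udp/53), HTTPS and everything else is
# source-NATed out of the Internet interface instead: the SNAT the text mentions.
masquerade_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$LAN_NET" "$WAN_IF"
}

# Forwarding must be enabled, and FORWARD must admit LAN traffic plus replies.
forward_rules() {
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'iptables -A FORWARD -i %s -s %s -j ACCEPT\n' "$LAN_IF" "$LAN_NET"
    printf 'iptables -A FORWARD -i %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$WAN_IF"
}

all_rules() {
    forward_rules
    redirect_rule
    masquerade_rule
}

# DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 executes them as root.
apply_rules() {
    all_rules | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "$cmd"
        else
            $cmd
        fi
    done
}

apply_rules
# Checks on the proxy host once the rules are live:
#   iptables -t nat -L PREROUTING -n -v   # REDIRECT packet counter rises as clients browse
#   tail -f /var/log/squid/access.log     # each client fetch logs a TCP_MISS or TCP_HIT line
#   service iptables save                 # persist the rules across reboots
```

Run it once with DRY_RUN=1 to review the commands, then DRY_RUN=0 as root. The order matters only within each chain; the REDIRECT rule never loops, because Squid's own outbound connections leave via the OUTPUT chain, which PREROUTING does not see.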

Access control examples:

Squid evaluates http_access lines from top to bottom and applies the first match, so each deny rule below must appear before the http_access allow line that admits the LAN clients; placed after it, it never fires. The keywords are lowercase (acl, http_access). After editing /etc/squid/squid.conf, check the syntax with squid -k parse and load it with squid -k reconfigure.

1. Deny access from the client with IP address 192.168.2.99:

acl badclientip1 src 192.168.2.99

http_access deny badclientip1

2. Deny access from all clients in the subnet 192.168.2.0/24:

acl badclientnet1 src 192.168.2.0/255.255.255.0

http_access deny badclientnet1

3. Prevent users from reaching the web server with IP address 115.239.210.26 (dst is compared against the resolved address of the requested host):

acl badsrvip1 dst 115.239.210.26

http_access deny badsrvip1

4. Prevent users from reaching the site with domain name www.163.com (dstdomain matches case-insensitively, so no -i flag is needed; a leading dot, .163.com, would also match every subdomain):

acl baddomain1 dstdomain www.163.com

http_access deny baddomain1

5. Prevent users from reaching any URL containing 163.com:

acl badurl1 url_regex -i 163.com

http_access deny badurl1

6. Prevent users from reaching URLs containing the keyword sex (a bare substring regex also matches words such as "essex"; tighten the pattern if that matters):

acl badurl2 url_regex -i sex

http_access deny badurl2

7. Limit the client with IP address 192.168.16.200 to 5 concurrent connections (maxconn matches once the client holds more than the given number of open connections, so the combined deny refuses the sixth):

acl clientip1 src 192.168.16.200

acl conn5 maxconn 5

http_access deny clientip1 conn5

8. Deny all clients in the subnet 192.168.2.0/24 Internet access during a time range on Monday to Friday (the start and end hours are not given in the source; Squid's syntax is hh:mm-hh:mm after the day codes):

acl clientnet1 src 192.168.2.0/255.255.255.0

acl worktime time MTWHF hh:mm-hh:mm

http_access deny clientnet1 worktime

9. Prevent clients from downloading *.mp3, *.exe, *.zip and *.rar files (several patterns on one acl line are ORed):

acl badfile1 urlpath_regex -i \.mp3$ \.exe$ \.zip$ \.rar$

http_access deny badfile1

10. Prevent QQ from reaching the Internet through the Squid proxy:

acl qq url_regex -i tencent.com

http_access deny qq
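Put together in one place, the access section of /etc/squid/squid.conf for this transparent proxy looks like the following. This is an added example, not the original post's file: it orders the article's deny rules ahead of the LAN allow, replaces "allow all" with a LAN-only acl, and assumes the stock RHEL 5 file's "acl all src 0.0.0.0/0.0.0.0" definition is kept. The worktime range is left commented out because the source does not give its hours.

```conf
# Added example: access section for Squid 2.6 on the transparent-proxy host.
# First match wins, so every deny precedes "allow lan", and "deny all" is last.
http_port 3128 transparent          # Squid 2.6 keyword; Squid 3.1+ uses "intercept"

acl lan          src 192.168.2.0/24
acl badclientip1 src 192.168.2.99
acl badsrvip1    dst 115.239.210.26
acl baddomain1   dstdomain .163.com             # leading dot: www.163.com and all subdomains
acl badurl2      url_regex -i sex
acl badfile1     urlpath_regex -i \.mp3$ \.exe$ \.zip$ \.rar$
acl qq           url_regex -i tencent.com
acl clientip1    src 192.168.16.200
acl conn5        maxconn 5
# acl worktime   time MTWHF hh:mm-hh:mm         # hour range not given in the source

http_access deny badclientip1
http_access deny badsrvip1
http_access deny baddomain1
http_access deny badurl2
http_access deny badfile1
http_access deny qq
http_access deny clientip1 conn5                 # sixth concurrent connection is refused
# http_access deny lan worktime
http_access allow lan                            # LAN only; never "allow all" on a proxy
http_access deny all
```

Validate with squid -k parse, then squid -k reconfigure. One limit of this setup worth keeping in mind: only port 80 is intercepted, so HTTPS traffic leaves through the MASQUERADE rule and is never seen by these acls; the domain, URL and file-type blocks apply to plain HTTP alone.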

This article is from the blog "life is on duty, don't seek anything". I will not repost it!
