Build a Linux Secure Squid Proxy Server (figure)

This article describes how to use the widely deployed Squid proxy server on Linux, and focuses on how to use the access control policy it provides to ensure that the proxy server is used only as intended.
  
A proxy server fetches network content on behalf of network users: it is a relay station for network traffic. As proxy servers came into wide use, a series of security problems emerged. Where the proxy's access control policy is not configured carefully, users can freely reach pornographic, reactionary and other illegal sites through it, and such actions are often hard to trace, which makes management very difficult.
  
Squid is proxy server software that caches Internet data on Linux. It receives users' download requests and processes the downloaded data automatically. That is, when a user wants to fetch a page, the user asks Squid to download it on their behalf: Squid connects to the requested site, requests the page, sends it to the user and keeps a copy. When another user requests the same page, Squid immediately serves the saved copy, so the user sees a fast response. Currently Squid can proxy the HTTP, FTP, GOPHER, SSL and WAIS protocols; it cannot proxy POP3, NNTP and similar protocols. Squid runs on many operating systems, such as AIX, Digital Unix, FreeBSD, HP-UX, Irix, Linux, NetBSD, NeXTSTEP, SCO, Solaris and OS/2.
  
   Install and configure Squid Server
  
Generally, there are two ways to install Squid: one is to use the RPM package shipped with Red Hat Linux 9; the other is to download the source code from Squid's official site, http://www.squid-cache.org/, and compile and install it. The latest stable version at the time of writing is squid-2.5.STABLE10, and that version is used below to introduce both installation methods.
  
   1. Install the RPM package
  
First, check whether squid is already installed:
  
# rpm -qa | grep squid
  
Red Hat Linux 9 ships with the Squid installation package. Put the first installation disc into the optical drive and mount it:
  
# mount /mnt/cdrom
  
Then go to the /mnt/cdrom/RedHat/RPMS directory:
  
# cd /mnt/cdrom/RedHat/RPMS
  
Finally, run the installation:
  
# rpm -ivh squid-2.5.STABLE1-2.i386.rpm
  
Of course, we can also install the software when starting to install the system.
  
   2. Install the source code package
  
First, copy the downloaded archive to the /tmp directory:
  
# cp squid-2.5.STABLE10.tar.gz /tmp
  
Then unpack the archive:
  
# tar xzvf squid-2.5.STABLE10.tar.gz
  
Unpacking creates a new directory squid-2.5.STABLE10 under /tmp; for convenience, rename it to squid with the mv command:
  
# mv squid-2.5.STABLE10 squid
  
Change into the squid directory:
  
# cd squid
  
Then run ./configure. The installation directory can be chosen with ./configure --prefix=/directory/you/want; the default installation directory is /tmp/squid:
  
# ./configure
  
Finally, run make all and make install:
  
# make all
  
# make install
  
After the installation is complete, the executable file of Squid is located in the bin subdirectory of the installation directory, and the configuration file is located in the etc subdirectory.
  
Squid ships with many files related to configuration, application, libraries, logging and so on. Its main configuration file is squid.conf. In the Red Hat environment, all Squid configuration files live under /etc/squid. That directory also contains a default configuration file named squid.conf.default; in practice, however, the default configuration has some problems, so before putting Squid into use you must first adjust the relevant settings in the configuration file.
  
The following describes the structure of the squid.conf file and some common options. The squid.conf configuration file is divided into 13 parts. Although the file is huge (more than 3000 lines), if you only provide proxy services for a small or medium-sized network and only plan to use one server, configuration becomes relatively simple: you only need to modify a few options to meet the application requirements. These common options are:
  
   1. http_port
  
This option defines the port on which Squid listens for HTTP client connection requests. The default value is 3128; in HTTP accelerator mode the value is 80. Multiple ports can be specified, but all of them must appear on the same line for the program to parse them correctly.
  
   2. cache_mem (bytes)
  
This option specifies the ideal amount of memory Squid may use. This memory holds the following kinds of objects: In-Transit objects (objects currently being fetched), Hot objects (objects frequently accessed by users), and Negative-Cached objects (cached negative responses).
  
   3. cache_dir Directory-Name Mbytes Level1 Level2
  
This option specifies the size of the swap (disk cache) space for objects and its directory structure. You can use multiple cache_dir lines to define several swap spaces, which may be spread over different disk partitions. Directory-Name specifies the top-level directory of the swap space; if you want to dedicate an entire disk to the cache, use this directory as the mount point for that disk. The default value is /var/spool/squid. Mbytes defines the total amount of space available to the cache.
  
   Configure Access Control
  
With the access control feature, you can control who may use the cache and access to a specific site or group of sites during a specific time interval. Squid access control has two elements: ACL elements and access lists. Using these, the system administrator can strictly and clearly define the access control policy of the proxy server.
  
   1. ACL Element
  
The syntax of this element is as follows:
  
acl aclname acltype string1 ...
  
acl aclname acltype "file" ...
  
When a file is used, its format is one entry per line. aclname can be any name chosen by the administrator, but no two ACL elements may use the same name; acltype is one of the ACL types Squid defines. Each ACL consists of a list of values that are combined by logical OR: if any value of an ACL element matches, the ACL element matches. Not all ACL types can be used in every access list. Different ACL elements are written on different lines, and Squid combines these elements in a list.
  
   2. http_access Access Control List
  
This list allows or denies access for a class of users according to the access control list. If no entry matches an access request, the default is the opposite of the last entry in the list: for example, if the last entry is an allow, access is denied by default. Generally, the last entry should therefore be an explicit "deny all" or "allow all" to avoid security risks. Note the following when using this access control list:
  
● These rules are matched in the order they are arranged. Once a matching rule is detected, the matching detection is completed immediately;
  
● The access list can be composed of multiple rules;
  
● If no rule matches the access request, the default action corresponds to the last rule in the list;
  
● All elements in one access entry are combined by logical AND, as shown below:
  
http_access action declaration1 AND declaration2 AND ... OR
  
http_access action declaration3
  
● Multiple http_access lines are combined by OR, but the elements within a single access entry are combined by AND;
  
● The rules in the list always follow the top-down order.
  
   3. Use Access Control
  
The preceding section details the ACL elements, the syntax of the http_access access control list, and the issues that need to be paid attention to during use. The following describes an example of how to use these access control methods.
  
Suppose all clients in the subnets 10.0.0.124/24 and 192.168.10.15/24 are allowed to use the proxy server, the clients listed in the file /etc/squid/guest are also allowed to use it, and all other clients are denied. The configuration is as follows:
  
acl clients src 10.0.0.124/24 192.168.10.15/24
  
acl guests src "/etc/squid/guest"
  
acl all src 0.0.0.0/0.0.0.0
  
http_access allow clients
  
http_access allow guests
  
http_access deny all
  
The content of the file /etc/squid/guest is:
  
172.16.10.3/24
  
210.113.24.8/16
  
10.0.1.24/25
  
......
  
Suppose clients in the two domains job.net and gdfq.edu.cn are allowed to use the local proxy server and clients in all other domains are denied. The configuration is as follows:
  
# srcdomain matches the client's domain name; src only accepts IP addresses
acl permitted_domain srcdomain job.net gdfq.edu.cn
  
acl all src 0.0.0.0/0.0.0.0
  
http_access allow permitted_domain
  
http_access deny all
  
Using a regular expression, clients can be denied access through the proxy server to any URL containing a keyword such as "sexy". The configuration is as follows:
  
acl deny_url url_regex -i sexy
  
http_access deny deny_url
  
To deny clients access through the proxy server to the destinations listed in files, where /etc/squid/deny_ip contains the IP addresses that are denied and /etc/squid/deny_dns contains the domain names that are denied, the configuration is as follows:
  
acl deny_ip dst "/etc/squid/deny_ip"
  
# dstdomain matches destination domain names; dst only accepts IP addresses
acl deny_dns dstdomain "/etc/squid/deny_dns"
  
http_access deny deny_ip
  
http_access deny deny_dns
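To make the evaluation rules above concrete (values inside one acl are ORed, acls on one http_access line are ANDed, lines are tried top-down, and an unmatched request gets the opposite of the last line's action), here is an added example that models that logic in Python; it is not Squid's own code. It parses a constructed squid.conf fragment that combines the article's examples, reads constructed stand-ins for the referenced files, and decides sample requests. It assumes srcdomain/dstdomain for the domain-based examples (Squid's src and dst take IP addresses) and that a list with no http_access lines at all denies, which is labelled as an assumption in the code.

```python
"""Toy model of Squid acl / http_access evaluation (added example, not Squid's code)."""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    client_ip: str
    url: str
    dst_domain: str = ""
    dst_ip: str = ""         # what Squid would resolve the destination to
    client_domain: str = ""  # what reverse DNS would return for the client


@dataclass
class Acl:
    name: str
    acltype: str
    values: list = field(default_factory=list)
    ignore_case: bool = False


# Constructed stand-ins for the files referenced by acl lines (one entry per line).
FILES = {
    "/etc/squid/guest": "172.16.10.3/24\n210.113.24.8/16\n10.0.1.24/25\n",
    "/etc/squid/deny_dns": ".badsite.example\n",
}


def _expand(tokens, files):
    """Replace a quoted "file" token with the non-empty lines of that file."""
    out = []
    for tok in tokens:
        if tok.startswith('"') and tok.endswith('"'):
            out.extend(l.strip() for l in files[tok.strip('"')].splitlines() if l.strip())
        else:
            out.append(tok)
    return out


def parse_config(text, files=FILES):
    """Return ({name: Acl}, [(allow, [acl names])]) from acl and http_access lines."""
    acls, rules = {}, []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments (a '#' inside a regex is not handled)
        if not tokens:
            continue
        if tokens[0] == "acl":
            name, acltype, rest = tokens[1], tokens[2], tokens[3:]
            ignore_case = bool(rest) and rest[0] == "-i"  # url_regex -i: case-insensitive match
            acl = acls.setdefault(name, Acl(name, acltype))
            acl.ignore_case |= ignore_case
            acl.values.extend(_expand(rest[1:] if ignore_case else rest, files))
        elif tokens[0] == "http_access":
            rules.append((tokens[1] == "allow", tokens[2:]))
    return acls, rules


def _domain_matches(host, value):
    """Squid rule: "a.b" matches only host a.b; ".a.b" matches a.b and any subdomain of it."""
    host, value = host.lower(), value.lower()
    if value.startswith("."):
        return host == value[1:] or host.endswith(value)
    return host == value


def acl_matches(acl, req):
    """An acl matches when ANY of its values matches (values are ORed)."""
    if acl.acltype in ("src", "dst"):
        addr = req.client_ip if acl.acltype == "src" else req.dst_ip
        if not addr:
            return False
        ip = ipaddress.ip_address(addr)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in acl.values)
    if acl.acltype in ("srcdomain", "dstdomain"):
        host = req.client_domain if acl.acltype == "srcdomain" else req.dst_domain
        return any(_domain_matches(host, v) for v in acl.values)
    if acl.acltype == "url_regex":
        flags = re.IGNORECASE if acl.ignore_case else 0
        return any(re.search(v, req.url, flags) for v in acl.values)
    raise ValueError(f"acl type {acl.acltype!r} is not modelled here")


def http_access(acls, rules, req):
    """First line whose acls ALL match decides; with no match, the opposite of the last line."""
    for allow, names in rules:
        if all(acl_matches(acls[n.lstrip("!")], req) != n.startswith("!") for n in names):
            return allow
    if not rules:
        return False  # assumption of this model; check the documented default for your Squid version
    return not rules[-1][0]


def decide(config_text, req, files=FILES):
    acls, rules = parse_config(config_text, files)
    return http_access(acls, rules, req)


# Constructed configuration combining the article's examples, ending with an explicit deny.
CONFIG = """
acl clients src 10.0.0.124/24 192.168.10.15/24
acl guests src "/etc/squid/guest"
acl permitted_domain srcdomain .job.net
acl deny_url url_regex -i sexy
acl deny_dns dstdomain "/etc/squid/deny_dns"
acl all src 0.0.0.0/0.0.0.0
http_access deny deny_url
http_access deny deny_dns
http_access allow clients
http_access allow guests
http_access allow permitted_domain
http_access deny all
"""
# Without the final line the default is the opposite of "allow permitted_domain", i.e. deny.
CONFIG_NO_FINAL_DENY = CONFIG.replace("http_access deny all\n", "")
# A list whose last line is a deny silently allows every request that matches nothing.
CONFIG_ENDS_WITH_DENY = "acl deny_url url_regex -i sexy\nhttp_access deny deny_url\n"

if __name__ == "__main__":
    for ip in ("10.0.0.7", "172.16.10.200", "203.0.113.5"):
        req = Request(ip, "http://www.example.com/", dst_domain="www.example.com")
        print(ip, "->", "allow" if decide(CONFIG, req) else "deny")
```

The last two constants show the point the article makes about the final entry: the same rules without "deny all" happen to default to deny only because the last remaining line is an allow, while a list that ends with a deny line lets unmatched requests through.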
  
To allow and deny specific users access to specific websites, for example allowing client 1 to access http://www.sina.com.cn while denying client 2 access to http://www.163.com, the configuration is as follows:
  
Acl client1 src
