Configure the squid forward proxy under the soft route between hosts and CentOS6.0

Last Update:2013-12-27 Source: Internet

Author: User

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

Lab environment preparation:

This experiment uses three virtual machines. In CentOS6.0, squid is enabled as the proxy Internet server, windows server2003 is used as the soft route, and redhat5.0 is used as the client. The final goal is to reach the squid proxy server through the soft route, then, you can access the Internet through the proxy server. The ip address settings for each network segment are not described here.

650) this. width = 650; "style =" background-image: none; border-bottom: 0px; border-left: 0px; padding-left: 0px; padding-right: 0px; height: 428px; border-top: 0px; border-right: 0px; padding-top: 0px "title =" image "border =" 0 "alt =" image "width =" 605 "height =" 486 "src =" http://www.bkjia.com/uploads/allimg/131227/0223591K3-0.png "/>

Soft Routing Between Hosts

1: Enable software routing on win2k3 first

650) this. width = 650; "style =" background-image: none; border-bottom: 0px; border-left: 0px; padding-left: 0px; padding-right: 0px; height: 486px; border-top: 0px; border-right: 0px; padding-top: 0px "title =" image "border =" 0 "alt =" image "width =" 620 "height =" 510 "src =" http://www.bkjia.com/uploads/allimg/131227/0223593263-1.png "/>

Of course, you can also use a linux host for soft routing. To enable this function, set ip_forward to 1.

2: Add a default route to the client. If the client wants to connect to the outside, it must go out through the eth0 Nic of our soft route. Therefore, we need to add such a default route entry, if you want to get out of the data, tell it to use the eth0 Nic of the soft route. See the above topology)

Ping192.168.10.1 is successful, but when ping192.168.10.2 is found, it does not respond. Why? Does our soft route forward data? 192.168.10.2 have we received the ping packet? The answer is that the soft route forwards both the data 192.168.10.2 and the data packet. Then, the packet is forwarded and the data packet is received. Why can't I ping it?

To find the answer, let's first look at the route table of the proxy server. There are two direct connection routes and one default route. Does it know how to use the 172.16.0.0/16 network segment? It does not know, because there is no route entry in the route table. Even if it receives a packet from the 172.16.0.0 segment, it does not know how to respond. maybe you want to ask, isn't it a default route? This default route is the gateway of the Internet. Does it know how to use a network segment of the Intranet ?)

We can add a route entry on the proxy server to tell it how to go to the CIDR Block 172.16.0.0.

Then return to the client to ping, and the camera will immediately pass through.

At this point, we try to ping the external Nic of the proxy server. Note that the prompt is displayed as the destination host cannot be reached. What is the reason for this?

We can find the same problem on the soft route server again. Why? By viewing its route table, we can see the cause of the problem. Is there any entry in its route table for the network segment 192.168.1.0? No, so of course the data packet cannot reach the destination.

Next, let's tell it how to route the route entry to the 192.168.1.0 CIDR block. We create a route entry in the static route table and tell it to go to the 192.168.1.0 CIDR Block through the eth2 Nic of the proxy server, that is, 192.168.10.2, because in the route table of the proxy server, it knows that 192.168.1.0 is its direct connection network segment.

After adding a route entry, we can go to the client to see if all the network segments can communicate. OK, and prepare some pass for the environment!

Agent service installation:

Http://www.squid-cache.org/versions/the latest stable condition is 3.1
Here I have directly installed yum. The installed version is 3.1.4.

Preparations before the squid service starts:

Confirm that the host has a complete domain name, And the squid service requires the linux host to have a complete domain name.

650) this. width = 650; "style =" background-image: none; border-bottom: 0px; border-left: 0px; padding-left: 0px; padding-right: 0px; border-top: 0px; border-right: 0px; padding-top: 0px "title =" image "border =" 0 "alt =" image "height =" 50 "src =" http://www.bkjia.com/uploads/allimg/131227/0223591M1-14.png "/>

650) this. width = 650; "style =" background-image: none; border-bottom: 0px; border-left: 0px; padding-left: 0px; padding-right: 0px; border-top: 0px; border-right: 0px; padding-top: 0px "title =" image "border =" 0 "alt =" image "height =" 27 "src =" http://www.bkjia.com/uploads/allimg/131227/02235941c-15.png "/> open route forwarding

Add the following content to vi/etc/squid. conf:
Acl our_network src 172.16.0.0/16 192.168.10.0/24 # define a valid network segment
Http_access allow our_network # allow all data in this network segment to pass through
# And finally deny all other access to this proxy
Http_access deny all # The Last One rejects all
# Squid normally listens to port 3128
Http_port 192.168.1.109: 8080 # The default port is 3128. Of course, it can also be any other port, as long as it does not conflict with other services. For the sake of security, adding an IP address in front of Squid will not listen to external network interfaces.

# The following parameters tell Squid the cached file system, location, and Cache Policy:
Cache_dir ufs/var/spool/squid 100 16 256 # (cache space, the first unit is M. We recommend that you use a larger partition to partition. 16. Generate 16 folders under the cache and create another 256 folder)
Cache_mem 100 MB # if there is no other service dedicated to the proxy server, you can set it to more than half of the memory. If there are other services, it should not exceed 1/3 of the physical memory.
Maximum_object_size 20 MB # objects exceeding the file size will not be cached
Maximum_object_size_in_memory 20 MB # maximum file size that can be cached in memory
Cache_swap_low 90
Cache_swap_high 95 # Here, Squid uses the/var/spool/squid directory as the directory for storing cached data. The cache size for each processing is 100 MB, when the cache space reaches 95%, the new content will replace the old one and not be added directly to the directory until the space drops to 90%. If you do not want Squid to cache any files, such as some vpcs with limited storage space, you can use a null file system without any caching policies ):

In the following several cache policy configurations, the most important is the first line, that is, the user's access record. You can analyze it to understand the detailed addresses of all user access:
Access_log/var/log/squid/access. log # (the parameter for versions earlier than 3.0 is cache_access_log, which specifies the log file path for storing access records of the client)
Cache_store_log/var/log/squid/store. log # record which websites are cached
Cache_log/var/log/squid/cache. log # cache logs
Visible_hostname CentOS6.0.allan.cn # Tell Squid the server name displayed on the error page (the host name must be written to/etc/hosts and/etc/sysconfig/network for exact locating)

If you only use a common proxy server, the above configurations are sufficient.

/Etc/squid-z initialize, and then confirm whether the cache space directory is created

Check whether the squid. conf configuration file is incorrect.

If the configuration file is correct, we can start the squid service.

Now return to the client and set Internet access through proxy in IE browser

Pay attention to the firewall when you find that you can access the Internet through the proxy server)

Note that in linux, the firefox proxy is set to "edit-Preferences" instead of "Tools.

The method for determining IP and MAC addresses is to use a machine as an example (if only the corresponding ip addresses are allowed to access the internet, there is a problem here, as long as the company knows such a rule, then he can manually specify any ip address in this segment to access the Internet. Therefore, we will use the IP address and MAC address to make the reservation more secure)
Acl mac_acl arp ***** # specify a mac
Acl ip_acl src ***** # specify an ip address
Http_access allow mac_acl ip_acl # both the ip address and Mac address are met, and it is not equal to binding an ip mac address.
However, for multiple machines, this method is more troublesome. Of course, this method is worth doing to make it safer. remember that the acl application is also ordered. In this example, http_access allow single single_mac must be placed before http_access deny our_network. Otherwise, it will be invalid even if you allow it directly.

Squid command application summary:

1: Check the syntax and configuration of squid. conf.
/Etc/squid-k parse
If squid. conf has a syntax or configuration error, a prompt will be returned. If no result is returned, congratulations, you can try to start squid.
2: Start squid at the front end and output the startup process.
/Etc/squid-N-d1
3: Start squid to run in the background.
/Etc/squid-s
At this time, you can view the system process in ps-A, and you can see two squid processes.
4: Stop squid
/Etc/squid-k shutdown
5. Reboot the modified squid. conf file.
/Etc/squid-k reconfigure // load the new configuration file, which is estimated to be used more often. When you find that your configuration is not satisfactory, you can modify squid at any time. conf, and then do not forget your squid. conf troubleshooting, and then execute this command to let squid repeat your squid. conf to run.
6:/usr/local/squid/sbin/squid-k rotate # Round-Robin logs rotate LOG files. The so-called rotation means that when the LOG grows too large, rename a group of new files to start using
7. Add the squid to the system startup Item.
Edit/etc/rc. d/rc. local
Add the following lines:/etc/squid-s

Summary of the differences between the types of proxy servers:

Forward Proxy:To provide Proxy services for the client, you must specify the proxy service address on the client. We can set the proxy server of the client through the Group Policy)
Transparent Proxy:A special forward proxy does not need to be set on the client, but must work on the gateway. the transparent proxy and forward proxy settings are basically the same, but there is a slight difference in some places. I will not describe them here. If you want to know more, please go to Baidu)

Reverse Proxy:When does reverse proxy need to be used to provide Proxy Cache services for servers? For example, for a large website such as Sina and Netease, it generally rents reverse proxy services in provincial capitals to work for it, for example, if we access Sina or Netease in Guangdong, the resolved IP address will be the IP address of the local reverse proxy server in Guangdong, therefore, no matter which province we open the Sina or Netease website, we will find that the speed of opening the webpage is very fast, so reverse proxy is used to reduce the burden on the Real WEB server, we say this service is a reverse proxy server)

The following sections are extracted from the Internet for reference and learning if you need in-depth research.

Advanced application access control
After all the settings are complete, the key and important task is access control. Squid supports many management methods and is easy to use. Squid can identify users by IP address, host name, MAC address, user/password authentication, etc, you can also control user access through domain name, domain suffix, file type, IP address, port, URL matching, etc. You can also use time intervals to manage users, therefore, access control is the focus of Squid configuration. Squid uses ACLAccess Control List and Access Control List) to divide access types and use http_access deny or allow to Control access types. Define two groups of user managers and staff as needed, and deny the website address baddst on behalf of all unspecified user groups and denyusers that are not allowed to access the Internet. The configuration code is as follows:
Acl manager src 192.168.10.1-192.168.10.20/24
Acl staff src 192.168.10.20-192.168.10.254/24
Acl denyuser src 192.168.10.100/24
Acl baddst www.qq.com
Acl all src 0.0.0.0/0
Http_access deny denyuser
Http_access allow manager
Http_access allow staff
Http_access deny baddst
Http_access deny all

The code above tells Squid that the denyuser group is not allowed to access the Internet, but the manager and staff groups are allowed. Because Squid reads rules in order, denyuser is disabled first, and then the manager and staff are allowed. If the order of the two rules is reversed, because deny is in the stff range, Squid allows all the staff, denyuser is disabled.
Note that Squid will use allow-deny-allow-deny ...... Apply rules in this order. For example, when a user accesses the proxy server, Squid sequentially tests the list of all rules defined in Squid. If none of the rules match, Squid uses the opposite rule. Therefore, in all squid. conf, the last rule is always http_access deny all, and all is the previously defined "src 0.0.0.0 ".

Advanced Control
As mentioned above, Squid's control function is very powerful. As long as you understand the behavior of Squid, it can basically meet all the control requirements. Next, let's take a step-by-step look at how Squid controls and manages it. IP addresses are used to identify unreliable users. What is better than IP addresses is the NIC's MAC physical address. To use MAC address recognition in Squid, you must add the "-- enable-arp-acl" option during compilation. Then, you can use the following statements to identify users:
Acl manager arp 00: 01: 02: 1f: 2c: 3e # A fixed manager User Group uses the MAC address to directly use the user's MAC address through the MAC physical address, while the MAC address is generally not easy to modify, even if some common users change their IP addresses to advanced users, this method is much more reliable than the IP address.
What should I do if I don't want users to access a website? There are two possible scenarios: one is that a host that does not allow access to a site, for example, the OK host is OK .sina.com.cn, while other Sina resources are allowed access, the ACL can be written as follows:
Acl OK dstdomain OK .sina.com.cn
Http_access deny OK
As you can see, except for OK, other such as www.sina.com.cn and news.sina.com.cn can be accessed normally.
In another case, the whole website is not accessible. You only need to write the domain name that the website has. The configuration is as follows:
Acl qq dstdomain .tcccent.com.cn
Http_access deny qq
Note that "." In front of tcccent indicates that all hosts ending with this domain name are inaccessible. Otherwise, only the host tcccent.com.cn cannot be accessed.
If you want to disable access to an IP address, such as 202.118.2.182, you can use dst to control it. The Code is as follows:
Acl badaddr dst 202.118.2.182
Http_access deny badaddr
Of course, this dst can also be a domain name, which is converted to an IP address by the Squid query DNS server.
Another widely used control is file type. If you do not want normal users to download MP3, AVI, and other files through the proxy server, you can restrict them. The Code is as follows:
Acl mmxfile urlpath_regex \. mp3 $ \. avi $ \. exe $
Http_access deny mmxfile
Many readers should be familiar with regex, because this statement uses a standard rule expression, also called a regular expression ). The signature matches all URL requests ending with the signature,. avi, and so on. You can also use the-I parameter to ignore case sensitivity. For example, the following code:
Acl mmxfile urlpath_regex-I \. mp3 $
In this case, both the listener and. MP3 will be rejected. Of course, the-I parameter applies to anything that may need to be case sensitive, such as the previous domain name control.
What should I do if I want normal users to access the Internet only during work hours and work days every week? Take a look at the following ACL definition:
Acl worktime time MTWHF --
Http_access deny! Worktime
First, define the allowed internet access time to a fixed period of time in the morning and afternoon from Monday to Friday every week. Then, use http_access to define that all requests that are not in this period are not allowed.
To ensure the bandwidth of an advanced user, you can use Squid to control the concurrent connections of each user so as not to affect others. The Code is as follows:
Acl conncount maxconn 3
Http_access deny conncount normal
Http_access allow normal
In this way, a common user can only initiate three connections at a fixed time, and the connection will be rejected from the fourth one.
In short, Squid ACL Configuration is flexible and powerful. For more control methods, see squid. conf. default.
6. Authentication
User/password authentication provides more convenience for Squid management. The most common authentication method is NCSA. From Squid 2.5, NCSA certification is included in basic, rather than the previous independent authentication module. Next, let's take a look at the specific operations to implement authentication.
First, the configuration options during compilation should include the following Configuration:
-- Enable-auth = "basic" -- enable-basic-auth-helpers = "NCSA"

After make install, copy "helpers/basic_auth/NCSA/ncsa_auth" to the user's executable directory, for example, if/usr/bin fails to find the execution file in this directory, use make all instead of make during compilation, or directly execute make in this directory ), then we need to use the Apache password management program htpasswd to generate the file corresponding to the user name/password, just like the following line of code:
Htpasswd-c/var/squid/password guest
After you enter the password of the guest user twice, a guest user is generated. If you need to add users later, just remove the-c parameter from the preceding command and run it again.
Squid 2.5 has a major change in authentication processing. Here we will only discuss the processing method of Version 2.5. For versions 2.4 and below, see squid. conf. default. In version 2.5, squid. conf includes the following options:
# This option specifies the authentication method basic), the required program ncsa_auth) and
Password)
Auth_param basic program/usr/bin/ncsa_auth/var/squid/password row 1092
# Specify the number of authentication processes
Auth_param basic children 5
# Fields displayed in the browser when the user/Password dialog box is entered
Auth_param basic realm My Proxy Caching Domain
# Basic Authentication Validity Period
Auth_param basic credentialsttl 2 hours
# Normal users must pass authentication before accessing the Internet
Acl normal proxy_auth REQUIRED # cannot be placed in front of the advance group
Http_access allow normal
The authentication can be completed through the above configuration. Some readers may ask: What should I do if authentication is only for common users while advanced users access the Internet directly? In fact, these two types of users can coexist. As mentioned above, Squid is used to process http_access sequentially. Therefore, if normal users are processed first during http_access, authentication is required for the current user, regardless of whether the user belongs to an advanced user; on the contrary, if advanced users are processed first, only common users that need to be authenticated are left.
For example, the following configuration code:
...
Http_access allow normal (authentication required)
Http_access allow advance does not require authentication)
...
Whether it is a noauth user or not, user name/password verification is required.
The correct method is to switch the two locations. The Code is as follows:
...
Http_access allow advance
Http_access allow normal
...
Advanced users are not affected.
7. Below we will summarize the entire squid. conf:
# Server Configuration
Http_port 192.168.0.1: 3128
Cache_mgr admin@gdlc.org
Cache_dir null/tmp
Cache_access_log/var/spool/squid/access. log
Cache_log/var/spool/squid/cache. log
Cache_store_log/var/spool/squid/store. log
Visible_hostname 192.168.0.1
Client_mask 255.255.255.255.255
Httpd_accel_host virtual
Httpd_accel_port 80
Httpd_accel_with_proxy on
Httpd_accel_user_host_header on
# User category
Acl advance arp 00: 01: 02: 1f: 2c: 3e 00: 01: 02: 3c: 1a: 8b...
Acl normal proxy_auth REQUIED
Acl all src 0.0.0.0
# Behavior Classification
Acl mmxfile urlpath_regex \. mp3 $ \. avi $ \. exe $
Acl conncount maxconn 3
Acl worktime time MTWHF --
Acl sinapage dstdomain OK .sina.com.cn
Acl qq dstdomain .tcccent.com.cn
# Processing
Http_access allow advance
Http_access deny conncount normal
Http_access deny! Worktime
Http_access deny mmxfile
Http_access deny OK
Http_access deny qq
Http_access allow normal
After configuration, the advance group can access the Internet without any restrictions, while the normal group can only access the Internet during working hours, and cannot download multimedia files or access certain websites, you cannot send more than three requests.
This article introduces the basic capabilities of Squid. Of course, it is far more powerful than this. It can build a powerful proxy server array to help local Web servers improve performance and improve the security of local networks. Further control is needed to make full use of its functions.

This article is from the blog "Welcome to Allan Fan's blog". For more information, contact the author!

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More

Configure the squid forward proxy under the soft route between hosts and CentOS6.0

Contact Us

A Free Trial That Lets You Build Big!

Sales Support

After-Sales Support