Squid Access Control Example

Source: Internet
Author: User
Tags squid proxy

I. Introduction to Squid and ACLs

A proxy server sits between the browser and the web server. With a proxy in place the browser does not fetch pages from the web server directly: it sends its request to the proxy, the proxy retrieves the requested content from the web server, and the proxy returns it to the client's browser.

In modern enterprises a proxy server not only speeds up access but also acts as a "security gateway": according to the proxy rules the enterprise defines, it filters and blocks illegitimate requests and content from certain users, thereby protecting the enterprise network. This article covers the open source proxy Squid: its access control rules, how to configure an authenticated proxy service, and the reverse proxy service, all aimed at keeping the enterprise network secure.

Introduction to the open source proxy server Squid

Squid runs on many operating systems, such as AIX, Digital UNIX, FreeBSD, HP-UX, Irix, Linux, NetBSD, Nextstep, SCO, Solaris, OS/2 and others. For web users Squid is a high-performance proxy cache server. Unlike most proxy cache software, Squid uses a single, non-modular, I/O-driven process to handle all client requests. Squid consists of the main service program squid, a DNS lookup program (dnsserver), several programs that rewrite requests or perform authentication, and several administrative tools. When squid starts it can spawn a pre-specified number of dnsserver processes, each of which performs a separate DNS query, which greatly reduces the time the server spends waiting for DNS answers.

Users can install the RPM package from the Red Hat Enterprise Linux distribution and start the service with #/etc/rc.d/init.d/squid start or with the #service squid start command.

Using access control to restrict the online behaviour of enterprise users

With the access control feature you can control caching during specific time intervals, access to a specific site or set of sites, and so on. Squid access control has two parts: ACL elements and access lists. Access lists allow or deny certain users access to the service. The ACL elements and the way access lists use them are described below.

ACL elements

The syntax for defining an element is:

acl aclname acltype string1 ...
acl aclname acltype "file" ...

When a file is used, it contains one entry per line. acltype can be any one of src, dst, srcdomain, dstdomain, url_regex, urlpath_regex, time, port, proto, method:

src: the source (client) address. The client IP address can be given as an address with netmask or as an address range:
acl aclname src ip-address/netmask ...
acl aclname src addr1-addr2/netmask ...

dst: the destination address, i.e. the IP address of the server the client requests:
acl aclname dst ip-address/netmask ...

srcdomain: the domain the client belongs to; squid determines it by a reverse DNS lookup of the client IP:
acl aclname srcdomain foo.com ...

dstdomain: the domain of the requested server, taken from the URL the client requests:
acl aclname dstdomain foo.com ...

time: the access time:
acl aclname time [day-abbrevs] [h1:m1-h2:m2]
The day abbreviations are S for Sunday, M for Monday, T for Tuesday, W for Wednesday, H for Thursday, F for Friday and A for Saturday. h1:m1 must be earlier than h2:m2, and the time span is written hh:mm-hh:mm.

port: the destination port. Several ports, or a port range, can be given:
acl aclname port 80 70 21 ...
acl aclname port 0-1024 ...

proto: the protocol used. Several protocols can be given:
acl aclname proto http ftp ...

method: the request method, for example:
acl aclname method get post ...

url_regex: regular expression match against the whole URL:
acl aclname url_regex [-i] pattern

urlpath_regex: regular expression match against the URL path only, omitting the protocol and host name:
acl aclname urlpath_regex [-i] pattern

When using the ACL elements above, note the following points:

aclname can be any name the administrator chooses; acltype must be one of the types listed above.

Any two ACL elements cannot use the same name.

Each ACL is made up of a list of values. When matching, the values are combined with a logical OR: if any value of an ACL element matches, the ACL element matches.

Not every ACL type can be used in every kind of access list.

ACL elements are written one per line; squid combines the lines that share a name into a single list.

http_access access control list

Allows or denies access to a class of users according to the ACL elements. If a request matches no entry, the default action is the opposite of the last entry: for example, if the last entry is allow, the default is deny. The last entry should therefore normally be an explicit "deny all" or "allow all", so the default behaviour is never left to chance.

When using this access control list, be aware of the following:

The rules are tested in the order they are written, and as soon as one rule matches the test ends.

Access lists can consist of multiple rules.

If no rule matches the request, the default action is the opposite of the last rule in the list.

All ACL elements on one access entry are combined with a logical AND:

http_access action acl1 acl2 ...

Multiple http_access entries are combined with a logical OR, but the elements within one entry are combined with AND.

The rules in the list are always evaluated top-down.


II. ACL worked examples

Note: all of the access control lines below must be placed before the lines acl all src 0.0.0.0/0.0.0.0 and http_access deny all (or http_access allow all), because squid reads the configuration file in order and the first matching rule wins.

(1) Allow all clients in the network segments 61.0.3.188/24 and 172.190.96.33/24 to use the proxy, and also allow the clients listed in the file /etc/squid/guest; every other client is denied access to the proxy server:

acl clients src 61.0.3.188/24 172.190.96.33/24
acl guests src "/etc/squid/guest"
acl all src 0.0.0.0/0.0.0.0
http_access allow clients
http_access allow guests
http_access deny all

where the file /etc/squid/guest contains:

172.168.10.3/24
210.113.24.8/16
10.0.1.24/25

(2) Allow clients in the two domains job.net and gdfq.edu.cn to use the proxy server, and deny clients from any other domain (srcdomain is resolved by a reverse DNS lookup of the client address, so the original src type would not match domain names):

acl permitted_domain srcdomain job.net gdfq.edu.cn
acl all src 0.0.0.0/0.0.0.0
http_access allow permitted_domain
http_access deny all

(3) Use a regular expression to deny clients access through the proxy to web sites whose URL contains a keyword such as "sexy":

acl deny_url url_regex -i sexy
http_access deny deny_url

(4) Deny clients access through the proxy to the web sites listed by IP address or domain name in a file: /etc/squid/deny_ip holds the IP addresses to block and /etc/squid/deny_dns holds the domain names to block (the domain list needs the dstdomain type; dst only matches IP addresses):

acl deny_ip dst "/etc/squid/deny_ip"
acl deny_dns dstdomain "/etc/squid/deny_dns"
http_access deny deny_ip
http_access deny deny_dns

(5) Allow and deny specific users access to specific web sites: client 1 (192.168.0.118) is allowed to access http://www.sina.com.cn, while client 2 (192.168.0.119) is denied access to http://www.163.com:

acl client1 src 192.168.0.118
acl client1_url url_regex ^http://www.sina.com.cn
acl client2 src 192.168.0.119
acl client2_url url_regex ^http://www.163.com
http_access allow client1 client1_url
http_access deny client2 client2_url

(6) Allow all users to use the proxy during the working hours 8:30 to 20:30 from Monday to Thursday; on Friday afternoon allow only the system administrators (network segment 192.168.10.0/24) to use the proxy, and deny everyone else the proxy on Friday from 13:00 to 18:00 (the original listing was missing the src type on the administrator line):

acl allclient src 0.0.0.0/0.0.0.0
acl administrator src 192.168.10.0/24
acl common_time time MTWH 8:30-20:30
acl manage_time time F 13:00-18:00
http_access allow allclient common_time
http_access allow administrator manage_time
http_access deny manage_time
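To make the matching rules from the http_access section concrete, here is an added Python mini-evaluator (not part of the original article and not Squid's own code) that applies those semantics to the configuration of case (6): the terms of one rule are ANDed, rules are tried top-down with the first match winning, and a request that matches no rule gets the opposite of the last rule's action. It supports only the src and time acl types, and the client addresses and timestamps fed to it are constructed sample values.

```python
import ipaddress
from datetime import datetime

# Squid day letters indexed by datetime.weekday(): Monday=M ... Saturday=A, Sunday=S
DAY_LETTERS = "MTWHFAS"

def parse_config(text):
    """Collect acl definitions and http_access rules in file order."""
    acls, rules = {}, []
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if words[:1] == ["acl"]:  # repeating an acl name appends values; values are ORed
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif words[:1] == ["http_access"]:
            rules.append((words[1], words[2:]))
    return acls, rules

def acl_matches(atype, values, req):
    """True if any value of the acl matches the request."""
    if atype == "src":
        return any(req["src"] in ipaddress.ip_network(v, strict=False) for v in values)
    if atype == "time":  # e.g. "MTWH 8:30-20:30": day letters, then a clock-time span
        days, span = values
        start, end = (int(h) * 60 + int(m) for h, m in (t.split(":") for t in span.split("-")))
        now = req["when"]
        return DAY_LETTERS[now.weekday()] in days and start <= now.hour * 60 + now.minute <= end
    raise ValueError("unsupported acl type: " + atype)

def decide(config_text, src, when):
    """Terms on one rule are ANDed, rules are tried top-down and the first match wins;
    a request matching no rule gets the opposite of the last rule's action."""
    acls, rules = parse_config(config_text)
    req = {"src": ipaddress.ip_address(src), "when": datetime.strptime(when, "%Y-%m-%d %H:%M")}
    for action, terms in rules:
        if all(acl_matches(*acls[t.lstrip("!")], req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# Constructed sample: the article's case (6); DENY_ALL is the closing rule the article advises
EXAMPLE6 = """acl allclient src 0.0.0.0/0.0.0.0
acl administrator src 192.168.10.0/24
acl common_time time MTWH 8:30-20:30
acl manage_time time F 13:00-18:00
http_access allow allclient common_time
http_access allow administrator manage_time
http_access deny manage_time
"""
DENY_ALL = "acl all src 0.0.0.0/0.0.0.0\nhttp_access deny all\n"
```

Evaluating a Friday-evening request with and without DENY_ALL appended shows why the article insists on a closing deny all: without it the request matches no rule and is allowed by default, because the last rule is a deny.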

(7) The minimal configuration recommended in the /etc/squid.conf shipped with the system package is shown below; users can customise it to their own situation:

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 192.168.10.3/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # swat
acl purge method PURGE
acl CONNECT method CONNECT
(...)
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Default:
# icp_access deny all
#
# Allow ICP queries from everyone
icp_access allow all

Here are some simple access controls; the names that follow acl can be chosen freely:

1: Deny the LAN host 192.168.1.101 access to the Internet

acl client_101 src 192.168.1.101
http_access deny client_101

2: Deny the LAN segment 192.168.1.0/24 access to the Internet

acl client_0/24 src 192.168.1.0/24
http_access deny client_0/24

3: Only allow access to the baidu.com domain (the leading dot also matches its subdomains; the original listing used the non-existent type "domain")

acl goodsite dstdomain .baidu.com
http_access allow goodsite

4: Allow access to the .com, .net, .org and .cn domains

acl goodsite dstdomain .com .cn .net .org
http_access allow goodsite

5: Deny clients downloads of files of type .exe, .mp3 or .avi (the dots are escaped and anchored so that the pattern matches the file extension rather than any three letters in the path)

acl badfiletype urlpath_regex -i \.mp3$ \.exe$ \.avi$
http_access deny badfiletype

6: Limit client 192.168.1.101 to a maximum of 3 concurrent connections (the maxconn acl matches once the client already has more than 3 connections, so the deny rule rejects any further ones)

acl client_101 src 192.168.1.101
acl maxconnect maxconn 3
http_access deny client_101 maxconnect


Configuring an authenticated proxy service to prevent unauthorised use of the proxy

By default squid has no authentication program of its own, but it can authenticate users through an external helper program. The common helpers are: LDAP authentication, SMB authentication, MySQL-based authentication, SOCKS5-based password authentication and RADIUS-based authentication.

The following describes the commonly used NCSA authentication. NCSA is one of the helpers shipped with the Squid source package (included since Squid 2.5); on Red Hat Enterprise Linux the ncsa_auth binary is found in the /usr/lib/squid directory.

To use this authentication service, first create the authentication user and password file:

#htpasswd -c /usr/local/squid/etc/ps_file guest

When adding further users later, omit the -c option: -c creates a new file and would overwrite the existing one.

Then edit the main configuration file /etc/squid/squid.conf and add the following:

# Authentication program and user file
auth_param basic program /usr/lib/squid/ncsa_auth /usr/local/squid/etc/ps_file
# Number of authentication helper processes
auth_param basic children 5
# Name of the proxy server shown in the login dialog
auth_param basic realm Squid proxy-caching web server
# Credentials stay valid for 2 hours
auth_param basic credentialsttl 2 hours
# Only authenticated users may use the proxy
acl normal proxy_auth REQUIRED
http_access allow normal

Finally, restart the Squid service. In a browser configured to use this proxy, open any web site; if a username and password dialog appears, the configuration is working.


This article is from the "Little Water Drop" blog, please make sure to keep this source http://wangzan18.blog.51cto.com/8021085/1690504

