Squid Configuration Guide and Problems

Squid Configuration Guide and problems-Linux general technology-Linux technology and application information, the following is a detailed description. Basic Configuration
Configure squid. conf. For the installation configuration path, see the INSTALL file in the installation directory.

After the installation is complete, configure the run of Squid (not the previous configuration ). All projects are completed in squid. conf. The Squid. conf provided by squid contains a very detailed description, which is equivalent to a user manual. You can refer to this document for any questions about the configuration.

In this example, the proxy server is also a gateway, and the IP address of the internal network interface eth0 is 192.168.10.11.

Http_port 192.168.10.11: 3128



The default port is 3128. Of course, it can also be any other port, as long as it does not conflict with other services. For the sake of security, adding an IP address in front of Squid will not listen to external network interfaces.

The following configuration option is an email from the Server Manager. When an error occurs, the address is displayed on the error page for easy contact:

Cache_mgr rubilly@gmail.com



The following parameters indicate the file system, location, and Cache Policy cached by Squid:

Cache_dir ufs/usr/local/squid/var/cache 100 16 256 (the default path of the system is recommended for convenient permission change)
Cache_mem 32 MB
Cache_swap_low 90
Cache_swap_high 95



Here, Squid uses the/var/squid directory as the directory for storing cached data. The cache size for each processing is 32 MB. When the cache space reaches 95%, the new content will replace the old one instead of being directly added to the directory until the space drops to 90% again. If you do not want Squid to cache any files, such as some proprietary systems with limited storage space, you can use a null File System (which does not require those cache policies ):

Cache_dir null/tmp --------- not required



In the following several cache policy configurations, the most important is the first line, that is, the user's access record. You can analyze it to understand the detailed addresses of all user access:

Access_log/usr/local/squid/var/logs/access. log
Cache_log/usr/local/squid/var/logs/cache. log
Cache_store_log/usr/local/squid/var/logs/store. log



The following line of configuration is a parameter that appears in a newer version, telling Squid the server name displayed on the error page:

Visible_hostname No1.proxy



The following configuration tells Squid how to process the user and process the IP address of each request as a separate address:

Client_netmask 255.255.255.255.255



For normal proxy servers, the above configurations are sufficient. However, many squids are used as transparent proxies. The so-called transparent proxy means that the client does not know the existence of the proxy server, and of course no proxy-related settings are required, which greatly facilitates the system administrator. Related options include:

Httpd_accel_host virtual
Httpd_accel_port 80
Httpd_accel_with_proxy on
Httpd_accel_user_host_header on



In Linux, you can use iptables/ipchains to directly forward requests to Web port 80 to Squid port 3128, which is claimed by Squid, the user's browser still thinks it accesses port 80 of the other party. For example, the following command:

Iptables-t nat-a prerouting-s 192.168.0.200/32-p tcp -- dport 80-j REDIRECT 3128



That is, all access destined for port 80 of 192.168.0.200 is redirected to port 3128.

After all the settings are complete, the key and important task is access control. Squid supports many management methods and is very easy to use (this is why some people prefer to use Squid without any caching, and do not want to use iptables independently ). Squid can identify users by IP address, host name, MAC address, user/password authentication, etc, you can also control user access through domain name, domain suffix, file type, IP address, port, URL matching, etc. You can also use time intervals to manage users, therefore, access control is the focus of Squid configuration. Squid divides Access types with ACL (Access Control List) and controls them with http_access deny or allow. Define two groups of users (advance and normal) as needed, and all user groups that are not specified, and badusers that are not allowed to access the Internet. The configuration code is as follows:

Acl all src 0.0.0.0/0.0.0.0
Acl luzhigang src 192.168.10.5/255.255.255.255
Acl test src 192.168.10.6/255.255.255.255
Acl hc src 202.122.39.114/255.255.255.255
Acl manager proto cache_object
Acl localhost src 127.0.0.1/255.255.255.255
Acl to_localhost dst 127.0.0.0/8
Acl SSL_ports port 443 563
Acl Safe_ports port 80 # http
Acl Safe_ports port 21 # ftp
Acl Safe_ports port 443 563 # https, snews
Acl Safe_ports port 70 # gopher
Acl Safe_ports port 210 # wais
Acl Safe_ports port 1025-65535 # unregistered ports
Acl Safe_ports port 280 # http-mgmt
Acl Safe_ports port 488 # gss-http
Acl Safe_ports port 591 # filemaker
Acl Safe_ports port 777 # multiling http
Acl CONNECT method CONNECT



Http_access allow luzhigang
Http_access allow test
Http_access allow hc
Http_access allow manager localhost
Http_access deny manager
# Deny requests to unknown ports
Http_access deny! Safe_ports
# Deny CONNECT to other than SSL ports
Http_access deny CONNECT! SSL_ports




The basic ACL format is as follows:

Acl list name Control Mode Control Target







The code above tells Squid that the baduser group is not allowed to access the Internet, but the advance and normal groups are allowed (detailed permissions are not yet specified ). Because Squid is a sequential read Rule, baduser is disabled first and normal is allowed. If the order of the two rules is reversed, because baduser is in the normal range, Squid allows all normal rules, then disabling baduser does not work.

Note that Squid will use allow-deny-allow-deny ...... Apply rules in this order. For example, when a user accesses the proxy server, Squid sequentially tests the list of all rules defined in Squid. If none of the rules match, Squid uses the opposite rule. In the preceding example, assume that a user's IP address is 192.168.0.201. What happens when he tries to access the Internet through this proxy server? We will find that it can be accessed normally, because Squid searches all the access lists and does not have any definition related to 192.168.0.201, then it starts to apply the rules, and the last one is deny, the default processing rule for Squid is allow, so 192.168.0.201 can access the Internet. This is obviously not what we want. Therefore, in all squid. conf, the last rule is always http_access deny all, and all is the previously defined "src 0.0.0.0 ".

Note:
1. Be sure to pay attention to directory permissions. Set the cache_inclutive_user value in the. conf file. The default value is nobody.
Then, use chown-R nobody: nobody/folder to set folder permissions.
2. Pay attention to the problem of built-in firewall in linux. I initially used the default port or port 8000. After I started it, I found that the proxy function was not available, finally, I found the problem was that my linux Firewall only opened port 80 and ftp, telnet port, and finally changed the squid proxy port to 80.

Squid-z
Squid start
Squid-k parse # Check whether the configuration is correct and there is no output, proving that the configuration is basically correct !!!
Squid-zX # You can add an X parameter to check the specific initialization project.
If you cannot start squid because of DNS, run the following command to start squid:
Squid-D