Use squid to do Proxy Server method _ Proxy Server

When it comes to proxy servers, the first thing we can think of is a dedicated Proxy server Web site that, in some cases, speeds up access to the Internet. In fact, in the need to access the external LAN, we can set up the agent, the number of visits to save the page in the cache, thereby "improve" the network speed. More importantly, we can use the proxy server to control access rights. In Windows, there are many such software, such as: WinGate, sygate, etc., however, this article to discuss is to give you full freedom under the Linux squid.
Linux Proxy Server Software is not only squid, but in most Linux versions have it.

Into the "Agent"

First, let's take a look at how the proxy server works. The proxy server is actually a TCP/ip-based software that listens on a TCP port for example: 4444, other clients (that is, those windows that want to use the proxy to surf the Internet) to configure the application software, such as: IE. You need to fill in the port of the proxy server, which is 4444 of the previous precedent, so the proxy server knows the address you want to access. If you are a legitimate user, it will get the page you want, and then pass the 4444 port to you, the Internet you will not feel the presence of proxy server.

and the real meaning of the proxy server is: First, because it is to download the Web page to the local use, so the higher the frequency of the site will be faster; second, if you do not have access to a site and it has, you can access the site through it; third, it can control your access.

Today, through the narrow band to the Internet, I am afraid still accounted for the majority of proxy server speed up the role is very obvious.

A friend familiar with Linux may know that under Linux there are ipchains can do routers, as well as control access rights, but IPChains's disadvantage is not to support DNS resolution, if you want to control the client access through it, you must specify the destination of one by one IP, If anyone uses IPChains to access the Internet, he must be crazy, because the IP address on the Internet is not only as much as the stars in the sky, but also as the stars change at any time. Squid is different, it can specify which domain suffixes cannot be accessed, such as:. TW,. NET, so that the domain name on IP mapping to the ISP to do.

Configuration examples

In this example, we use a common brand machine to do proxy server, installed two network cards, the first eth0 is the local area network, the second eth1 is a simple internet share, operating system is Redhat Linux 6.1,ipchains and squid are all brought by the system itself.

Like most Linux software, squid works through a configuration file, its default profile is/etc/squid/squid.conf, the original file is up to dozens of pages long, giving detailed configuration instructions, where the real use is probably just a small part. Look at the following configuration file, in fact, many options are at a glance:

Http_port 4444

#代理服务器监听的端口

Cache_dir/var/cache/squid 100 16 32

#缓存目录 size (megabytes) number of subdirectories of the first level subdirectory number of second-level subdirectories

Cache_access_log/var/log/squid/access.log

Cache_log/var/log/squid/cache.log

ACL all src 0.0.0.0/0.0.0.0

ACL head src 192.168.0.2/255.255.255. 255 192.168.0.3/255.255.255.255

ACL normal src 192.168.0.21-192.168. 0.99/255.255.255.255

ACL denysite dstdomain TW net

ACL Denyip DST 61.136.135.04/255.255. 255.255

ACL Dnsport Port 53

Http_access Allow head

Http_access Deny Denysite

Http_access Deny Denyip

Http_access Allow normal

Http_access Deny Dnsport

Example analysis

The above content, is a basic squid need all the configuration, is not very simple?!

From the above we can see that the proxy server uses 4444 of this port for listening, cache directory is 100MB, Users with IP addresses of 192.168.0.2 and 192.168.0.3 have access to all sites, while users with IP addresses 192.168.0.21~99 cannot access sites with the suffix tw and net, nor access sites with IP addresses 61.136.135.04 ( If DST 61.136.135.04/255.255.255.255 becomes DST 61.136.135.04/255.255.255.0, it refers to the 61.136.135.0 network).

It is obvious that Squid uses ACLs to define user groups and uses Http_access to control the permissions of the user group. ACL can be followed by SRC (source address), DST (destination address), Proto (protocol), Port (port), Srcdomain (source domain), Dstdomain (target domain), squid control function is very powerful, you can even use ACL aclname Time to specify when the user group takes effect. Note, however, that when using Http_access to set permissions for different groups of users, Squid is performed from top to bottom, and if you want to turn off a group's access to certain sites, you must place the corresponding sentence of the deny in front of the group.

In addition, the squid documentation specifically points out that if there is no corresponding access setting, the default permissions are the opposite of the last line, in the example where an IP-192.168.0.5 client is not defined but has access to the external network, so set http_access deny on the last line All is very necessary.

After the setup is complete, you can run squid directly to start it, and if the configuration file is wrong, squid will give the appropriate hints. Then use IPChains to set the forwarding rules for packages, such as allowing only clients to send and receive letters using POP3 (110), SMTP (25), DNS (53), and browsing Web pages only by using proxies, so the network is much more secure.