A detailed explanation of the squid configuration process on a Linux gateway server

Source: Internet
Author: User
Tags auth bz2 iptables

Objective

Here we want to configure a proxy server that provides proxy service only to the internal network. It divides users into two kinds, advanced users and ordinary users, and identifies advanced users by the physical (MAC) address of their network card.

Ordinary users must enter a username and password before they can use the proxy. Advanced users have no access-time or file-type restrictions, while ordinary users can use the proxy only during working hours and are subject to some other restrictions.

Installation

Installing from the package source

The distribution's package source carries a stable version; run the following command to install it:

sudo apt-get install squid squid-common

Source Code Compilation Installation

Of course, you can also go to the official website to download the latest version to compile the installation:

STABLE editions are the stable releases; DEVEL editions are usually provided for developers to test. Assuming the latest stable version, squid-2.5.stable2.tar.gz, has been downloaded, unpack it with the following command:

tar xvfz squid-2.5.stable2.tar.gz

Packages compressed with bz2 are smaller, and the corresponding command is:

tar xvfj squid-2.5.stable2.tar.bz2

Then enter the unpacked directory to configure and compile the source code:

cd squid-2.5.stable2

The configure script has many options; if you are unsure about them, first list them with "./configure --help". In general, the following options are used:

--prefix=/web/squid

Specifies the installation location of Squid. If only this option is given, that directory will contain the bin, sbin, man and conf subdirectories, and the main configuration file then lives in the conf subdirectory. For ease of management, it is better to add --sysconfdir=/etc so that the configuration file is placed in /etc.

--enable-storeio=ufs,null

The storage scheme is usually the default ufs, but if you want a proxy server that caches no files at all, you also need to build in the null store.

--enable-arp-acl

This lets access rules match directly on the client's MAC address, so clients cannot bypass IP-based rules by IP spoofing.

--enable-err-languages="Simplify_chinese"

--enable-default-err-language="Simplify_chinese"

The above two options tell Squid to incorporate and use Simplified Chinese error messages.

--enable-linux-netfilter

Enables Squid's transparent proxy support on Linux (netfilter).

--enable-underscore

Allows underscores in the URLs Squid parses; by default Squid treats a URL containing an underscore as illegal and denies access to it. The entire configure step is as follows (the typos in the option names are corrected here so the command actually runs):

./configure --prefix=/var/squid \
  --sysconfdir=/etc \
  --enable-arp-acl \
  --enable-linux-netfilter \
  --enable-pthreads \
  --enable-err-languages="Simplify_chinese" \
  --enable-storeio=ufs,null \
  --enable-default-err-language="Simplify_chinese" \
  --enable-auth="basic" \
  --enable-basic-auth-helpers="NCSA" \
  --enable-underscore

Some of these options have special effects that are described below. Finally, execute the following two commands to compile the source into executables and copy them to the specified location:

make

sudo make install

Basic Configuration

After the installation is complete, the next step is to configure how Squid runs (as opposed to the build-time configuration above). Everything is done in squid.conf. Squid ships a squid.conf with very detailed comments, equivalent to a user manual, which you can consult for any configuration question. In this example the proxy server is also the gateway: the internal interface eth0 has the IP address 192.168.0.1 and the external interface eth1 has the address 202.103.x.x. The following is the basic configuration a proxy needs:

http_port 192.168.0.1:3128

The default port is 3128, but it can be any other port as long as it does not conflict with another service. For security, the IP address is prefixed so that Squid binds only to the internal interface and does not listen on the external one. The following option gives the server administrator's e-mail address; it is shown on the error page when an error occurs so that users can easily get in touch:

cache_mgr Start@soocol.

The following parameters tell Squid which storage scheme to use, where the cache lives, and the caching policy:

cache_dir ufs /var/squid

cache_mem 32 MB

cache_swap_low 90

cache_swap_high 95

Here Squid uses /var/squid as the directory holding cached data and 32 megabytes of memory for in-memory objects. When the disk cache reaches 95% full, new content replaces old content instead of simply being added, and this eviction continues until usage drops to 90%. (Note that a real cache_dir ufs line also takes the cache size in megabytes and the number of first- and second-level subdirectories after the directory name.) If you do not want Squid to cache any files, for example on a dedicated system with limited storage, use the null store instead, which needs none of those caching policies:

cache_dir null /tmp

The following are the log settings, which matter most for policy. The first line is the user access log; analysing it shows the full address of every user visit:

cache_access_log /var/squid/access.log

cache_log /var/squid/cache.log

cache_store_log /var/squid/store.log

This option appears in newer versions and tells Squid the server name to display on the error page:

visible_hostname No1.proxy

The following option tells Squid how to record client addresses; with a full mask, each requesting IP address is treated as a separate address rather than being masked to its subnet:

client_netmask 255.255.255.255

For a normal proxy server the above configuration is sufficient. But many Squid installations are used as transparent proxies. A transparent proxy is one whose clients are unaware that a proxy server exists, so they need no proxy-related settings at all, which greatly eases the system administrator's work. The following options are relevant:

httpd_accel_host virtual

httpd_accel_port 80

httpd_accel_with_proxy on

httpd_accel_uses_host_header on

On Linux, requests to web port 80 can be redirected straight to Squid's port 3128 with iptables (or ipchains).

Squid takes over the request while the user's browser still believes it is talking to the remote host's port 80. For example, the following command (REDIRECT needs the --to-ports argument, which is added here):

iptables -t nat -A PREROUTING -s 192.168.0.200/32 -p tcp --dport 80 -j REDIRECT --to-ports 3128

redirects all port-80 traffic from 192.168.0.200 to port 3128.
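The settings above are easy to get subtly wrong (a bare http_port also listens on the external interface; swapped swap thresholds; a half-finished httpd_accel block). The following is an added example, not part of the original article or of Squid itself: a small parser for squid.conf-style directives that checks the points discussed in this section, plus a helper that renders the iptables REDIRECT rule with its --to-ports argument. The sample configuration, the 192.168.0.0/24 internal network and the placeholder e-mail address are constructed assumptions.

```python
"""Sanity-check a Squid 2.5-style squid.conf fragment before loading it.

Added example for this article (not Squid's own tooling). It parses the
directives discussed above and flags the settings that matter for a
gateway proxy: an http_port that would also listen on the external
interface, inconsistent swap thresholds, an incomplete cache_dir, and a
half-configured transparent proxy (httpd_accel_*) block.
"""
import ipaddress
from typing import Dict, List

# Constructed sample, mirroring the article's gateway (eth0 = 192.168.0.1).
SAMPLE_CONF = """\
http_port 192.168.0.1:3128
cache_mgr admin@example.invalid   # placeholder address, not the article's
cache_dir ufs /var/squid 100 16 256
cache_mem 32 MB
cache_swap_low 90
cache_swap_high 95
cache_access_log /var/squid/access.log
visible_hostname No1.proxy
client_netmask 255.255.255.255
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
"""

INTERNAL_NET = ipaddress.ip_network("192.168.0.0/24")  # assumed LAN behind eth0
ACCEL_REQUIRED = ("httpd_accel_host", "httpd_accel_port",
                  "httpd_accel_with_proxy", "httpd_accel_uses_host_header")


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive name to its argument list.

    Squid treats the first word of a line as the directive and the rest as
    arguments; '#' starts a comment. Later duplicates overwrite earlier ones.
    """
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        directives[name.lower()] = args
    return directives


def check_conf(directives: Dict[str, List[str]]) -> List[str]:
    """Return a list of findings; an empty list means the fragment looks sane."""
    findings: List[str] = []

    # http_port: a bare port binds every interface, so the proxy becomes
    # reachable from the external (Internet-facing) side as well.
    port = directives.get("http_port", [""])[0]
    host, sep, _ = port.rpartition(":")
    if not sep or host in ("", "0.0.0.0"):
        findings.append("http_port has no bind address: Squid would listen on all interfaces")
    else:
        try:
            if ipaddress.ip_address(host) not in INTERNAL_NET:
                findings.append(f"http_port binds {host}, which is outside {INTERNAL_NET}")
        except ValueError:
            findings.append(f"http_port bind address {host!r} is not an IP address")

    # Eviction starts at cache_swap_high and stops at cache_swap_low.
    low = int(directives.get("cache_swap_low", ["90"])[0])
    high = int(directives.get("cache_swap_high", ["95"])[0])
    if not 0 < low < high <= 100:
        findings.append(f"cache_swap_low ({low}) must be below cache_swap_high ({high})")

    # cache_dir ufs needs directory, size in MB, L1 and L2 subdirectory counts.
    cache_dir = directives.get("cache_dir", [])
    if cache_dir and cache_dir[0] == "ufs" and len(cache_dir) < 5:
        findings.append("cache_dir ufs needs: directory, size in MB, L1 count, L2 count")

    # Transparent proxy: all four httpd_accel_* directives belong together.
    present = [k for k in ACCEL_REQUIRED if k in directives]
    if present and len(present) != len(ACCEL_REQUIRED):
        missing = sorted(set(ACCEL_REQUIRED) - set(present))
        findings.append("incomplete transparent-proxy block, missing: " + ", ".join(missing))
    return findings


def redirect_rule(client: str, proxy_port: int = 3128) -> str:
    """Render the PREROUTING REDIRECT rule from the article for one client
    address or network, including the --to-ports argument REDIRECT needs."""
    net = ipaddress.ip_network(client, strict=False)
    return (f"iptables -t nat -A PREROUTING -s {net} -p tcp --dport 80 "
            f"-j REDIRECT --to-ports {proxy_port}")


if __name__ == "__main__":
    for finding in check_conf(parse_conf(SAMPLE_CONF)) or ["no findings"]:
        print(finding)
    print(redirect_rule("192.168.0.200"))
```

Run the script against your own squid.conf by passing its contents to parse_conf; the checks are deliberately conservative and only cover the directives this article discusses, so a clean result is not a full audit.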

When all settings are complete, the key task is access control. Squid supports many kinds of control and they are simple to use (this is also why some people would rather use a Squid that does no caching at all, rather than use the IPTA alone
