Objective
Here we want to configure a proxy server that provides proxy services only to the internal network. It divides users into two kinds, advanced users and ordinary users, and recognizes advanced users by the physical (MAC) address of their network card.
Ordinary users must enter a username and password before they can use the proxy. Advanced users have no access-time or file-type restrictions, while ordinary users can use the proxy only during working hours and are subject to some other restrictions.
Installation
Installing from the package repository
The distribution's package source carries a stable version; run the following command to install it:
sudo apt-get install squid squid-common
Source Code Compilation Installation
Of course, you can also download the latest version from the official website and compile it yourself.
STABLE releases are the production versions; DEVEL releases are usually provided for developers to test. Assuming the latest stable version, squid-2.5.STABLE2.tar.gz, has been downloaded, unpack it with the following command:
tar xvfz squid-2.5.STABLE2.tar.gz
Packages compressed with bz2 are usually smaller, and the corresponding command is:
tar xvfj squid-2.5.STABLE2.tar.bz2
Then enter the unpacked directory to configure and compile the source code:
cd squid-2.5.STABLE2
The configure command has many options; if you are not sure about them, first list them with "./configure --help". In general, the following options are used:
--prefix=/var/squid
Specifies the installation location of Squid. With only this option, the directory will contain bin, sbin, man and conf subdirectories, and the main configuration file then lives in the conf subdirectory. For ease of management it is best to add --sysconfdir=/etc so that the configuration file is placed in /etc.
--enable-storeio=ufs,null
The cache file system to build; normally the default ufs is enough, but if you want a proxy server that does not cache any files at all, you also need the null file system.
--enable-arp-acl
This lets the rules identify clients directly by MAC address rather than by IP address, so a client cannot get around an IP-based rule by IP spoofing. Two caveats: Squid reads the MAC from the kernel's ARP table, so this only works for clients on the same Ethernet segment as the proxy (a client behind a router shows up with the router's MAC), and a MAC address can itself be changed by anyone with administrator rights on the client, so treat it as a convenience, not as strong authentication.
--enable-err-languages="Simplify_Chinese"
--enable-default-err-language="Simplify_Chinese"
The above two options tell Squid to build in and use Simplified Chinese error messages.
--enable-linux-netfilter
Enables the transparent proxy feature on Linux (netfilter/iptables).
--enable-underscores
Allows underscores in the URLs Squid parses; by default Squid treats a hostname containing an underscore as illegal and denies access to that address. The entire configuration step is as follows:
./configure --prefix=/var/squid \
    --sysconfdir=/etc \
    --enable-arp-acl \
    --enable-linux-netfilter \
    --enable-pthreads \
    --enable-err-languages="Simplify_Chinese" \
    --enable-storeio=ufs,null \
    --enable-default-err-language="Simplify_Chinese" \
    --enable-auth="basic" \
    --enable-basic-auth-helpers="NCSA" \
    --enable-underscores
Some of these options have special effects that are described below. Finally, run the following two commands to compile the source code into executables and copy them to the specified location:
make
sudo make install
Basic Configuration
After installation is complete, the next step is to configure how Squid runs (not the configuration done at the previous, installation step). Everything is done in squid.conf. The squid.conf shipped with Squid contains a very detailed description of every directive, equivalent to a user manual, and any question about the configuration can be resolved by referring to it. In this example the proxy server is also the gateway: the internal network interface eth0 has IP address 192.168.0.1 and the external interface eth1 has IP address 202.103.x.x. The following are the basic options a proxy needs:
http_port 192.168.0.1:3128
The default port is 3128; it can be any other port as long as it does not conflict with other services. For security, the internal IP address is put in front of the port so that Squid listens only on the internal interface and not on the external one. The following option is the e-mail address of the server administrator; it is shown on the error page when an error occurs so that users can easily get in touch:
cache_mgr Start@soocol.
The following parameters tell Squid the cache file system, its location and the caching policy:
cache_dir ufs /var/squid 100 16 256
cache_mem 32 MB
cache_swap_low 90
cache_swap_high 95
Here Squid uses /var/squid as the directory holding cached data; the three numbers after the path are the cache size in megabytes and the number of first- and second-level subdirectories (100 16 256 are Squid's defaults, and cache_dir ufs does not parse without them). cache_mem sets aside 32 megabytes of memory for in-transit and frequently requested objects. When the disk cache fills to 95%, new content replaces old content instead of simply being added, and replacement stops once usage has dropped back to 90%. If you do not want Squid to cache any files at all, for example on a dedicated system with limited storage space, use the null file system, which needs none of those caching policies:
cache_dir null /tmp
The following lines set the log-file locations. The first is the record of user accesses, which can be analyzed to see the full address of everything users visited; cache.log holds Squid's own messages, and store.log records objects entering and leaving the cache:
cache_access_log /var/squid/access.log
cache_log /var/squid/cache.log
cache_store_log /var/squid/store.log
This directive appeared in newer versions and tells Squid the server name to display on error pages:
visible_hostname No1.proxy
The following tells Squid how to treat client addresses; with this mask, the IP address of each request is recorded as a separate address:
client_netmask 255.255.255.255
For a normal proxy server the above configuration is sufficient. But Squid is very often used as a transparent proxy. A transparent proxy is one the client is unaware of, so no proxy-related settings are needed on the client at all, which greatly eases the administrator's work. The related options are (Squid 2.5 syntax, which reuses the http-accelerator directives):
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
On Linux you can use iptables (or ipchains on older kernels) to redirect requests for web port 80 straight to Squid's port 3128. Squid takes over, while the user's browser still believes it is talking to the remote server's port 80. For example, the following command:
iptables -t nat -A PREROUTING -s 192.168.0.200/32 -p tcp --dport 80 -j REDIRECT --to-port 3128
redirects all access to port 80 from 192.168.0.200 to port 3128 (the REDIRECT target needs --to-port to name the destination port).
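The single-host rule above generalizes to the whole internal subnet. The following shell script is an added example, not part of the original tutorial: it prints (rather than applies) the iptables rule set for the topology described here, assuming eth0 is the internal interface, eth1 the external one, 192.168.0.0/24 the internal network and 3128 the proxy port. It adds two things a practitioner wants beyond the one-line rule: web traffic that stays inside the LAN is not sent through the cache, and the proxy port is blocked on the external interface so the proxy really is internal-only even if http_port were ever bound to all addresses. check_rules is a small sanity check that a rule set contains a REDIRECT, that every REDIRECT names a target port, and that each one is limited to the internal interface.

```shell
#!/bin/sh
# Added example (not from the original tutorial): print the iptables rule set
# for a transparent proxy that serves only the internal network.
# Interface names, subnet and port are assumptions matching the tutorial.

# Print, one command per line, the rules for:
#   $1 internal interface, $2 external interface, $3 internal subnet, $4 Squid port
transparent_proxy_rules() {
    lan_if=$1; wan_if=$2; lan_net=$3; port=$4
    # 1. Web traffic that stays inside the LAN is not proxied: ACCEPT in the
    #    nat table means "do no NAT on this packet", so internal web servers
    #    are reached directly instead of through the cache.
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -d %s -p tcp --dport 80 -j ACCEPT\n' \
        "$lan_if" "$lan_net" "$lan_net"
    # 2. Every other port-80 request arriving on the LAN interface goes to
    #    Squid. REDIRECT needs --to-port to name the destination port.
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp --dport 80 -j REDIRECT --to-port %s\n' \
        "$lan_if" "$lan_net" "$port"
    # 3. Defence in depth: the proxy port must never be reachable from the
    #    external interface, even if http_port is later bound to 0.0.0.0.
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -j DROP\n' "$wan_if" "$port"
}

# Sanity check on a rule set ($1) for internal interface $2: there must be a
# REDIRECT rule, every REDIRECT must name a target port, and every REDIRECT
# must be limited to that interface. Returns 0 when the set passes, 1 otherwise.
check_rules() {
    rules=$1; lan_if=$2
    printf '%s\n' "$rules" | grep -q REDIRECT || return 1
    printf '%s\n' "$rules" | grep REDIRECT | grep -qv -- '--to-port' && return 1
    printf '%s\n' "$rules" | grep REDIRECT | grep -qv -- "-i $lan_if " && return 1
    return 0
}

rules=$(transparent_proxy_rules eth0 eth1 192.168.0.0/24 3128)
check_rules "$rules" eth0 && printf '%s\n' "$rules"
```

Once the printed rules have been reviewed they can be applied by piping the script's output into sh. The rules are deliberately tied to -i eth0: traffic the proxy itself originates leaves through OUTPUT, not PREROUTING, so it is never looped back into Squid.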
When all settings are complete, the key and most important task is access control. Squid supports a great deal of management, and using it is very simple (this is also why some people would rather run a Squid that does no caching at all, not wanting to use the IPTA alone
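The access-control part of squid.conf that implements the Objective (advanced users recognized by MAC address, ordinary users by NCSA username and password, limited to working hours and kept away from some file types) can be generated and sanity-checked with the following shell script. It is an added example, not from the original tutorial, and uses Squid 2.5 directive syntax. The helper path /var/squid/libexec/ncsa_auth (following --prefix=/var/squid), the password file /etc/squid_passwd, the working hours and the blocked extensions are assumptions to adjust. The MAC list is read from a file, one address per line, normalized to the form Squid expects, and the script refuses to emit a policy when an address is malformed or the list is empty, since either would produce a squid.conf that Squid fails to parse. As noted under --enable-arp-acl, the arp ACL only works for clients on the proxy's own Ethernet segment.

```shell
#!/bin/sh
# Added example (not from the original tutorial): generate the access-control
# section of squid.conf for the two user classes in the Objective.
# All paths, hours and extensions below are assumptions; adjust to taste.
NCSA_AUTH=/var/squid/libexec/ncsa_auth   # assumed helper path under --prefix=/var/squid
PASSWD_FILE=/etc/squid_passwd            # assumed htpasswd-format file read by ncsa_auth
LOCALNET=192.168.0.0/24                  # internal network from the tutorial
WORK_HOURS="MTWHF 08:30-18:00"           # Squid time ACL: weekdays, hh:mm-hh:mm
BLOCKED_EXT='\.(exe|zip|rar|mp3|avi|mpg)$'   # file types ordinary users may not fetch

# Normalize one MAC address to the aa:bb:cc:dd:ee:ff form used by "acl ... arp".
# Accepts ':' or '-' separators and either letter case; returns 1 if malformed.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr 'ABCDEF-' 'abcdef:')
    case "$mac" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f])
            printf '%s\n' "$mac" ;;
        *)  return 1 ;;
    esac
}

# Emit the ACL block. $1 is a file listing advanced users' MACs, one per line;
# blank lines and text after '#' are ignored. Returns 1 on any malformed MAC
# or an empty list, so a broken list never becomes a half-generated policy.
gen_acl_conf() {
    maclist=$1
    macs=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                  # drop trailing comment
        line=$(printf '%s' "$line" | tr -d '[:space:]')
        [ -z "$line" ] && continue
        m=$(normalize_mac "$line") || { printf 'malformed MAC: %s\n' "$line" >&2; return 1; }
        macs="$macs
acl advanced arp $m"
    done < "$maclist"
    [ -n "$macs" ] || { printf 'no advanced users listed\n' >&2; return 1; }
    cat <<EOF
# advanced users: matched by MAC address (same Ethernet segment only)
# ordinary users: NCSA username/password, working hours, no blocked file types
auth_param basic program $NCSA_AUTH $PASSWD_FILE
auth_param basic children 5
auth_param basic realm Internal proxy
auth_param basic credentialsttl 2 hours
acl localnet src $LOCALNET$macs
acl ordinary proxy_auth REQUIRED
acl worktime time $WORK_HOURS
acl blocked urlpath_regex -i $BLOCKED_EXT
# http_access is evaluated top to bottom; the first matching line wins
http_access deny !localnet
http_access allow advanced
http_access deny blocked
http_access deny !worktime
http_access allow ordinary
http_access deny all
EOF
}

# Demo with a constructed list (not real hosts); prints the generated block.
demo=$(mktemp)
printf '00:11:22:33:44:55\nAA-BB-CC-DD-EE-FF  # finance laptop\n' > "$demo"
gen_acl_conf "$demo"
rm -f "$demo"
```

The order of the http_access lines carries the policy: anything not from the internal network is refused first, advanced users are allowed before any time or file-type rule is consulted, and ordinary users reach "allow ordinary" (which triggers the password prompt) only after the blocked-type and working-hours denials have been passed. The final "deny all" is what keeps an unmatched request from falling through.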