Squid is an application-level proxy. Because it sits between the client host and the server host, the client software must be configured to use it before it works, for example by entering the proxy server address and port in Internet Explorer.
Web caching is worthwhile on a large, busy network; an article on the IBM developerWorks site analyses in detail the benefits that Web caching brings to Internet users:
http://www-900.ibm.com/developer ... achinga/index.shtml
This section introduces Squid.
§§ Installing and running Squid
Red Hat 7.3 ships the Squid RPM package squid-2.4.STABLE6-1.7.2.i386.rpm, so here we install Squid directly with RPM:
[root@rh73 /mnt/cdrom/RedHat/RPMS]# rpm -ivh squid-2.4.STABLE6-1.7.2.i386.rpm
Preparing...                ########################################### [100%]
   1:squid                  ########################################### [100%]
After installation, Squid's configuration files are in /etc/squid/; a small edit to /etc/squid/squid.conf is enough to get it working.
The default squid.conf is more than 2000 lines long, but you do not need most of it. Open the file in an editor, find the http_access section, and change the line
http_access deny all
to
http_access allow all
Note that this makes Squid an open proxy for anyone who can reach port 3128; it is acceptable only as a first test on an isolated network and is tightened in the next section. Then start Squid:
[root@rh73 ~]# /etc/rc.d/init.d/squid start
Your Squid proxy server is now ready to use. Set the proxy option in the client's Internet software; taking Internet Explorer 6.0 as an example, open Internet Options, go to the Connections tab and click the LAN Settings button.
In the dialog that appears, tick "Use a proxy server for your LAN" and enter the proxy server address, here 192.168.100.254, and the port, Squid's default 3128.
Confirm. From now on Internet Explorer goes through Squid. You can watch client hosts passing through Squid in its log file:
[root@rh73 ~]# tail -f /var/log/squid/access.log
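Reading access.log by eye is fine for a first test; for a whole day of traffic you want a small parser. The following is an added example, not part of this page or of the Squid distribution: it parses lines in Squid's native log format (timestamp, elapsed milliseconds, client address, action/status, bytes, method, URL, user, hierarchy/peer, MIME type) and gives a per-client summary together with every denied request. The sample lines are constructed for the example, not a real capture.

```python
"""Parse Squid's native access.log and summarise it per client.

Added example for this page; it is not part of Squid.  The native log format
has one request per line:
  time elapsed client action/status bytes method URL user hierarchy/peer mime
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines in the native format (not a real capture).
SAMPLE_LOG = """\
1039069921.417    312 192.168.100.10 TCP_MISS/200 4523 GET http://www.linuxforum.net/ - DIRECT/203.0.113.5 text/html
1039069925.102      0 192.168.100.10 TCP_HIT/200 1203 GET http://www.linuxforum.net/logo.gif - NONE/- image/gif
1039069930.550      1 192.168.100.50 TCP_DENIED/403 1137 GET http://www.example.com/ - NONE/- text/html
1039069933.004     10 192.168.100.50 TCP_DENIED/407 1280 GET http://www.example.com/ - NONE/- text/html
1039069940.221    655 192.168.100.100 TCP_MISS/200 8812 GET http://www.linuxaid.com.cn/ pangty DIRECT/203.0.113.7 text/html
a truncated line that the parser must skip
"""

FIELDS = ("time", "elapsed", "client", "result", "bytes",
          "method", "url", "user", "hierarchy", "mime")


def parse_line(line):
    """Return one record as a dict, or None for a line that is not native format."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        rec["time"] = datetime.fromtimestamp(float(rec["time"]), tz=timezone.utc)
        rec["elapsed"] = int(rec["elapsed"])          # milliseconds
        rec["bytes"] = int(rec["bytes"])              # bytes sent to the client
        rec["action"], status = rec["result"].split("/", 1)
        rec["status"] = int(status)                   # HTTP status code
    except ValueError:
        return None
    return rec


def summarise(log_text):
    """Per-client counters plus the list of denied requests.

    TCP_DENIED/403 is a request refused by http_access; TCP_DENIED/407 is the
    proxy asking the browser for credentials when a proxy_auth acl is in use.
    The 'user' column carries the authenticated user name, or '-' if none.
    """
    stats = defaultdict(lambda: {"requests": 0, "denied": 0, "bytes": 0, "users": set()})
    denied = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["client"]]
        s["requests"] += 1
        s["bytes"] += rec["bytes"]
        if rec["user"] != "-":
            s["users"].add(rec["user"])
        if rec["action"] == "TCP_DENIED":
            s["denied"] += 1
            denied.append((rec["client"], rec["status"], rec["url"]))
    return dict(stats), denied


if __name__ == "__main__":
    stats, denied = summarise(SAMPLE_LOG)
    for client, s in sorted(stats.items()):
        print(f"{client:16} requests={s['requests']} denied={s['denied']} "
              f"bytes={s['bytes']} users={sorted(s['users'])}")
    for client, status, url in denied:
        print(f"DENIED {status} {client} {url}")
```

Run it against the real file with `summarise(open("/var/log/squid/access.log").read())`; a client that shows many 403s is probing your ACLs, and a run of 407s without a following authenticated request is a client that never managed to log in.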
Note that these settings affect only Internet Explorer. If you set up NAT on the Linux access server as described in the earlier chapters, only the browser's HTTP and FTP traffic goes through Squid; everything else (sending and receiving e-mail, telnet, and so on) still reaches the Internet through NAT. If you clear the browser's proxy settings, it goes back to using NAT as well.
§§ Configuring Squid
The configuration above lets every internal user use the proxy without restriction, which is obviously not a good access policy. As mentioned earlier, a proxy offers very rich control over what users are allowed to do. Let's look at how Squid implements the various kinds of access control.
First, several configuration options and the access control features of squid.conf.
Squid is customised through its configuration file squid.conf, normally found in /etc/squid. The file is large, but every option is described in detail in its comments. The following are the most commonly changed parameters:
First, http_port, which sets the port on which Squid listens for client requests; the default is 3128. When running as a proxy it is recommended to bind that port to the internal IP address of the machine running Squid, so that Squid does not also listen on the external interface:
http_port 192.168.100.254:3128
This binds Squid to IP address 192.168.100.254, port 3128. Any port can be used as long as no other program uses it; /etc/services lists the commonly used ports, so consult it before choosing a different port to avoid a clash.
visible_hostname: the name of the host running Squid; the IP address of the machine can be used instead.
cache_mgr: the e-mail address of the administrator. When an error occurs, the values of visible_hostname and cache_mgr are shown in the error page.
cache_mem: the amount of memory used for cached objects, usually set to about one third of physical memory; the default is 8 MB. (This is not Squid's total memory use: the index of the disk cache is kept in memory as well.)
cache_dir type directory-name fs-specific-data [options]
Defines the disk cache that stores copies of visited pages and other resources. type is the storage type, usually ufs; directory-name is the location of the cache. The default is cache_dir ufs /var/spool/squid 100 16 256, where 100 is the maximum cache size in MB and 16 and 256 are the number of first-level and second-level subdirectories in the cache directory.
User access rights and other controls are implemented with Squid's access control features. Access control has two parts: ACL elements and access lists. An access list allows or denies particular users access to a particular service.
ACLs must be defined before they can be used in an access list. The format of an ACL declaration is:
acl acl_element_name type_of_acl_element values_to_acl
Some important ACL types (type_of_acl_element) are listed below:
- src: source address (the client's IP address or network)
- dst: destination address (the server's IP address)
- srcdomain: source domain name (the client's name, found by a reverse DNS lookup)
- dstdomain: destination domain name (the server's name, taken from the URL)
- time: time of day and day of the week
- url_regex: regular expression matched against the whole URL
- urlpath_regex: regular expression matched against the URL path only, without the protocol and host name
- proxy_auth: user authentication through an external helper program
- maxconn: maximum number of simultaneous connections from a single client IP
1. acl_element_name can be any name you choose.
2. Two ACL elements of different types may not share a name.
3. Each ACL is a list of values. When matching, the values are OR-ed: the ACL matches if any one of its values matches.
4. Not every ACL type can be used in every kind of access list.
5. If the same ACL name appears on several lines (of the same type), Squid merges them into one list.
Several different access lists can be used. The one used most is http_access, which controls HTTP access and is the primary access control list.
An access list is made up of rules; each rule has the keyword allow or deny followed by one or more ACL elements, and grants or refuses service to whatever those elements match.
1. Rules are checked in order, and checking stops as soon as one rule matches.
2. An access list can consist of more than one rule.
3. If no rule matches the request, the default action is the opposite of the last rule in the list (which is why a list normally ends with http_access deny all).
4. All elements in one access entry are AND-ed, while separate http_access lines are OR-ed:
http_access action acl1 acl2 (matches only if acl1 AND acl2 both match)
http_access action acl3 (a second, independent rule)
5. Remember that the rules in a list are always evaluated from top to bottom.
Let's see how ACLs and http_access are used. First, change squid.conf back to the original setting, that is, change http_access allow all back to http_access deny all. Several common access controls follow.
Control based on IP address
Only the hosts with addresses 192.168.100.10 and 192.168.100.100 may use the proxy.
Add to the access control section of squid.conf:
acl authorizedip src 192.168.100.10
acl authorizedip src 192.168.100.100
Then, in the http_access section, add before the http_access deny all line:
http_access allow authorizedip
If there are many non-contiguous IP addresses to allow, do you have to write a long series of acl lines? There is a simpler way: put the addresses in a file, for example /etc/squid/authorizedip.txt, one per line, and refer to it in squid.conf:
acl authorizedip src "/etc/squid/authorizedip.txt"
Control based on time
For the time period syntax see the comments in squid.conf. Days of the week are given by letters: S Sunday, M Monday, T Tuesday, W Wednesday, H Thursday, F Friday, A Saturday; if all seven days are allowed the day list can be omitted. The time is written h1:m1-h2:m2, and the start must be earlier than the end.
# define an access period, 08:00 to 17:00 from Monday to Friday, and let the users in alloweduser (the proxy_auth ACL defined in the authentication section below) surf only during that period
acl accept_time time MTWHF 8:00-17:00
http_access allow alloweduser accept_time
http_access deny alloweduser
Access to specific URL addresses
Even though we do not want everyone to use the proxy to reach the whole Internet, a few sites may be opened to all internal hosts. Add to squid.conf:
acl alloweddomain dstdomain .linuxforum.net .linuxaid.com.cn
http_access allow alloweddomain
The leading dot matches the domain itself and all of its subdomains (linuxforum.net as well as www.linuxforum.net). Again, if there are many names they can be put in a text file:
acl alloweddomain dstdomain "/etc/squid/alloweddomain.txt"
alloweddomain.txt lists the sites that may be accessed, one per line.
Filtering URLs by keyword
Some sites (pornographic or advertising sites) are annoying, and ACLs make it easy to block them:
acl denyurl url_regex sex boylink xxx city69 asiaadult sehu
http_access deny denyurl
This blocks every URL containing one of the keywords sex, boylink, xxx, city69, asiaadult or sehu. Note that url_regex is a case-sensitive regular expression match on the entire URL (add -i after url_regex for a case-insensitive match), and that short keywords cause false positives: "sex" also matches sussex and essex. As before, the keywords can be put in a text file:
acl denyurl url_regex "/etc/squid/sex.txt"
http_access deny denyurl
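The rules above (values OR-ed inside an ACL, elements AND-ed on one http_access line, first match wins, default the opposite of the last line) are easy to get wrong when several of the IP, time, domain and keyword ACLs are combined, and a mistake here is an open proxy. The following is an added example, not Squid's code and not from this page: a small Python model of the http_access decision that parses acl and http_access lines in squid.conf syntax for the src, dstdomain, url_regex and time types and reports which rule decided each request. The sample configuration mirrors the ACLs shown in this section; the requests and dates are constructed for the example.

```python
"""Model of Squid's http_access decision (added example, not Squid's own code):
acl values are OR-ed, acl names on one http_access line are AND-ed, lines are
tried top to bottom, the first full match wins, and with no match the default
is the opposite of the last line.  Types modelled: src, dstdomain, url_regex, time."""
import ipaddress
import re
from datetime import datetime
from urllib.parse import urlsplit

# Squid day letters S M T W H F A = Sunday..Saturday; datetime.weekday() has Monday == 0.
DAY_LETTERS = {"M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5, "S": 6}
TIME_SPEC = re.compile(r"^([SMTWHFA]*)(?:(\d{1,2}):(\d{2})-(\d{1,2}):(\d{2}))?$")


def parse_config(text):
    """Collect 'acl' and 'http_access' lines; other directives are ignored."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts and parts[0] == "acl":
            name, acl_type, values = parts[1], parts[2], parts[3:]
            entry = acls.setdefault(name, (acl_type, []))
            if entry[0] != acl_type:
                raise ValueError(f"acl {name} declared with two different types")
            entry[1].extend(values)  # a repeated acl line appends to the same list
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def match_src(values, req):
    ip = ipaddress.ip_address(req["client"])
    return any(ip in ipaddress.ip_network(v if "/" in v else v + "/32", strict=False)
               for v in values)


def match_dstdomain(values, req):
    host = (urlsplit(req["url"]).hostname or "").lower()
    # A leading dot means the domain itself plus every subdomain (suffix match);
    # without it the name must match exactly.  No substring matching.
    return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
               for v in map(str.lower, values))


def match_url_regex(values, req):
    # Case-sensitive, like Squid's url_regex without the -i flag.
    return any(re.search(v, req["url"]) for v in values)


def match_time(values, req):
    m = TIME_SPEC.match("".join(values).upper())
    if not m:
        raise ValueError(f"bad time acl: {values}")
    days, h1, m1, h2, m2 = m.groups()
    now = req["time"]
    if days and now.weekday() not in {DAY_LETTERS[d] for d in days}:
        return False
    # No h1:m1-h2:m2 given means any time on the listed days.
    return h1 is None or (int(h1), int(m1)) <= (now.hour, now.minute) <= (int(h2), int(m2))


MATCHERS = {"src": match_src, "dstdomain": match_dstdomain,
            "url_regex": match_url_regex, "time": match_time}


def check_access(acls, rules, req):
    """Return (decision, reason) for one request, as Squid's http_access pass would."""
    for action, names in rules:
        for name in names:  # every acl on the line must match; a leading "!" negates it
            acl_type, values = acls[name.lstrip("!")]
            if MATCHERS[acl_type](values, req) == name.startswith("!"):
                break
        else:
            return action, "http_access " + " ".join([action] + names)
    last = rules[-1][0]
    return "deny" if last == "allow" else "allow", f"no rule matched; default is the opposite of the last rule ({last})"


# Constructed config mirroring the acl examples on this page.
SAMPLE_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl authorizedip src 192.168.100.10 192.168.100.100
acl accept_time time MTWHF 8:00-17:00
acl alloweddomain dstdomain .linuxforum.net .linuxaid.com.cn
acl denyurl url_regex sex boylink xxx city69 asiaadult sehu
http_access deny denyurl
http_access allow alloweddomain
http_access allow authorizedip accept_time
http_access deny all
"""
TUESDAY_10 = datetime(2024, 1, 2, 10, 0)   # a weekday inside 8:00-17:00
SATURDAY_10 = datetime(2024, 1, 6, 10, 0)  # a weekend day


def decide(conf, client, url, when):
    acls, rules = parse_config(conf)
    return check_access(acls, rules, {"client": client, "url": url, "time": when})


if __name__ == "__main__":
    for client, url, when in [("192.168.100.10", "http://www.example.com/", TUESDAY_10),
                              ("192.168.100.10", "http://www.example.com/", SATURDAY_10),
                              ("192.168.100.50", "http://linuxforum.net.example.com/", SATURDAY_10),
                              ("192.168.100.10", "http://www.example.com/sex/", TUESDAY_10)]:
        print(f"{client:16} {when:%a %H:%M} {url:40} -> {decide(SAMPLE_CONF, client, url, when)}")
```

Two things the model makes visible: a host named linuxforum.net.example.com is not matched by .linuxforum.net, because dstdomain is a suffix match rather than a substring match, and a list that ends with http_access allow something, rather than deny all, silently allows everything that no rule mentions.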
Squid does not authenticate users by itself; it relies on an external helper program, so that users must enter a valid user name and password before they are allowed access. This is implemented with the proxy_auth ACL and the authenticate_program directive, which force a user name and password to be checked before access is granted. The available helpers are:
NCSA: user name and password file in NCSA (htpasswd) format
LDAP: authentication against a directory using the Lightweight Directory Access Protocol
SMB: authentication against a server speaking the SMB protocol, such as Samba or Windows NT
MSNT: authentication against a Windows NT domain
PAM: authentication through Linux's Pluggable Authentication Modules
getpwnam: authentication against the Linux system password file
The helper to use must be specified with the authenticate_program option, and you must make sure that the chosen helper is installed and works. By default the helpers are placed in /usr/lib/squid/.
Taking NCSA authentication as an example, select the helper in squid.conf (in Squid 2.4 the NCSA helper is /usr/lib/squid/ncsa_auth) and define an ACL that requires the user to log in:
authenticate_program /usr/lib/squid/ncsa_auth /etc/squid/passwd
acl alloweduser proxy_auth pangty
http_access allow alloweduser
Here /etc/squid/passwd is the list of users and passwords. It can be created with the htpasswd program from the Apache package, for example htpasswd -c /etc/squid/passwd pangty, and each of its lines has the form
pangty:<encrypted password>
where pangty is the user name and the text after the colon is the user's hashed password. The file should be readable only by the user Squid runs as. Keep in mind that this helper uses HTTP Basic authentication, so the password crosses the LAN Base64-encoded rather than encrypted.
Note: after changing squid.conf you must restart Squid or tell it to reload its configuration for the change to take effect. To restart:
[root@rh73 ~]# /etc/rc.d/init.d/squid restart
To reload only the configuration file without a full restart (the init script runs squid -k reconfigure):
[root@rh73 ~]# /etc/rc.d/init.d/squid reload
The above are Squid's commonly used configuration options, which are enough for most uses; if you need more features, read on.
§§ More features
Displaying error messages in Chinese
By default Squid shows its error pages in English. The messages have been translated into many languages, so it is easy to make Squid display them in Chinese:
[root@rh73 ~]# cd /etc/squid/
[root@rh73 squid]# rm -f errors
The language versions of Squid's error pages are in subdirectories of /usr/lib/squid/errors, one directory per language. In the Red Hat package /etc/squid/errors is a symbolic link to one of them, so recreate the link pointing at the Chinese subdirectory (ln -s /usr/lib/squid/errors/LANGDIR errors, where LANGDIR is the name of that subdirectory; alternatively set error_directory in squid.conf to its full path) and reload Squid.
Supporting MAC-based control and URLs with underscores
Because a computer's IP address can be changed at any time, an ACL that allows only certain IP addresses is easily bypassed: once one of those computers is switched off, someone else can take over its address and surf. Moreover, when DHCP manages the addresses on the internal network a computer may get a different address each time, so controlling access purely by IP address does not suit every situation. The MAC address is comparatively stable and tied to the network card, so MAC-based control handles both situations, with two caveats: most network drivers allow the MAC address to be changed in software, so it is not a strong identity, and Squid's arp ACL reads the kernel's ARP table, so it only works for clients on the same physical network segment as the proxy.
In addition, some Web addresses contain an underscore, for example http://www.hello_world.com; the Squid package shipped with Red Hat Linux may report that such a site cannot be accessed.
Both features require recompiling Squid from source with the corresponding configure options. Let's look at how to rebuild the source RPM to get them.
At the time of writing, Red Hat had released an updated Squid package; its latest source RPM can be fetched from the Internet:
Before compiling, some packages must be installed first, including rpm-build and sgml-tools, which are on the Red Hat Linux discs and can also be downloaded from here:
ftp://ftp.freesoft.cei.gov.cn/.m ... s-1.0.9-12.i386.rpm
Install Squid's source package:
[root@rh73 ~]# rpm -ivh squid-2.4.STABLE6-6.7.3.src.rpm
This unpacks the sources into /usr/src/redhat/SOURCES; the file we care about is /usr/src/redhat/SPECS/squid.spec, which holds Squid's compile options. Modify its %configure section so that it reads:
--enable-poll --enable-snmp --enable-removal-policies="heap,lru" \
--enable-storeio="aufs,coss,diskd,ufs" \
--enable-underscores --enable-arp-acl \
--enable-auth-modules="ldap,ncsa,pam,smb,msnt" #--enable-icmp
--enable-underscores adds support for host names containing underscores, and --enable-arp-acl adds support for MAC-address ACLs.
Start compiling to build a new RPM package (run in /usr/src/redhat/SPECS):
[root@rh73 SPECS]# rpm -ba squid.spec
This recompiles Squid according to squid.spec and produces a new RPM package. Depending on the speed of the machine this takes from a few minutes to a few tens of minutes; if there is no error, the new package is in /usr/src/redhat/RPMS/i386/: squid-2.4.STABLE6-6.7.3.i386.rpm
Install the new RPM package:
[root@rh73 ~]# rpm -Uvh /usr/src/redhat/RPMS/i386/squid-2.4.STABLE6-6.7.3.i386.rpm
Note that -U is used here because an older version of Squid was installed earlier; -U upgrades the installed package. Your Squid now supports MAC-address ACLs and URLs with underscores.
To use MAC-address control, add lines like these to squid.conf:
acl allowedmac arp 00:10:DC:8F:5B:FF
http_access allow allowedmac
These are only a few examples of common ACL settings; the Access Controls section of the FAQ on the Squid home page has more:
§§ Configuring a transparent proxy
A transparent proxy is the combination of NAT and a proxy. It is called transparent because clients do not notice the proxy at all: just as with plain NAT, the client needs no special settings to reach the Internet. Squid can be configured to work as a transparent proxy.
Many articles on Internet sharing cover transparent proxying (iptables + squid or ipchains + squid). In my view, for a network of this size with no requirement for content filtering or the like, Squid is not necessary; plain NAT is enough, and the demands it places on the server are lower. A 486 with 4 MB of memory will do, and with a specially trimmed Linux system even the hard disk can be dispensed with: a floppy disk is enough.
If you compile Squid from source, give configure the --enable-linux-netfilter option. The Squid shipped with Red Hat Linux already supports transparent proxying, so we can directly edit /etc/squid/squid.conf and set the necessary parameters; for Squid 2.4 these are:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Run /etc/rc.d/init.d/squid reload to apply the settings, then add one line at the end of the fw.sh script:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
This redirects every request from LAN users for the WWW service (TCP port 80) passing through the Linux access server to Squid listening on port 3128. Run fw.sh to apply it. It's that simple!
You may remember the NAT rule in fw.sh:
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eth0 -j SNAT --to-source 220.127.116.11
Because PREROUTING rules are applied before routing and before the POSTROUTING rule, the redirect to Squid happens first, and the NAT rule cannot hide the traffic from Squid.
Note that only TCP port 80 is redirected: HTTPS (port 443) and HTTP on other ports still go out through NAT and bypass Squid's ACLs unless fw.sh blocks them. Also, with a transparent proxy you cannot use Squid's user authentication at the same time: the browser does not know a proxy is involved, so it never answers the proxy's 407 authentication challenge.
To learn more about transparent proxies, see the transparent proxy HOWTO on TLDP (the Linux Documentation Project):
§§ A squid.conf example
Here is a squid.conf that supports transparent proxying (the httpd_accel directives from the previous section also belong in the file) and uses MAC addresses to control user access; it also filters specific Web sites, such as pornographic ones:
cache_dir ufs /var/spool/squid 100 16 256
# sexurl.txt lists keywords matching the addresses of pornographic sites, one keyword per line, e.g. Xchina
# maclist.txt lists the MAC addresses of the hosts allowed to surf, one per line, e.g. 00:50:56:c0:00:08
acl all src 0.0.0.0/0.0.0.0
acl sexurl url_regex "/etc/squid/sexurl.txt"
acl allowedmac arp "/etc/squid/maclist.txt"
http_access deny sexurl
http_access allow allowedmac
http_access deny all