Build a large web site architecture of the experimental environment (squid cache server) 1th/2 page _linux

Source: Internet
Author: User
Tags documentation ldap iptables squid proxy

Squid is an application-level agent, in order to ensure that the client host and server host network connectivity, the need for client software to do the appropriate settings before use, such as Internet Explorer set proxy server address, port and so on.
Web caching is necessary for a large, busy network, an article on the IBM Web site that provides a detailed analysis of the benefits that Web caching brings to Internet users:
http://www-900.ibm.com/developer ... achinga/index.shtml

Here we will introduce the contents of squid.

§§ Installation Run Squid

Redhat 7.3 with squid rpm package squid-2.4.stable6-1.7.2.i386.rpm, here we directly use RPM to install Squid:

[root@rh73/mnt/cdrom/redhat/rpms]# RPM-IVH squid-2.4.stable6-1.7.2.i386.rpm

Preparing ... ########################################### [100%]

1:squid ########################################### [100%]

After installing the Squid configuration file in the/etc/squid/directory, simply configure the/etc/squid/squid.conf to make it work.

The default installed Squid profile is more than 2000 lines of text, and in fact you don't have as many settings. Open the configuration file with the editor, locate the Http_access settings section, and
Http_access Deny All

One line is changed into

Http_access Allow all

Then start squid:
/etc/rc.d/init.d/squid start

Now your Squid proxy server is ready to use. Set the proxy option for the Internet software to the client, take Internet Explorer 6.0 as an example, set the Connection property in the Internet property settings, and click the LAN Settings button.

In the pop-up dialog box, select "Use Proxy server for LAN" and fill in the Address bar with Proxy server address, here is: 192.168.100.254, port is squid default 3128.

Confirm. When you use Internet Explorer to surf the Internet, you use the squid agent. You can see the Squid log file to observe the client host through Squid access situation:

[root@rh73 ~]# tail-f/var/log/squid/access.log


In this case, the above settings only work with Internet Explorer. If you follow the previous chapters on the Linux access server to achieve the function of NAT, in addition to IE browser access to HTTP, FTP service is in the Squid agent, other access to the Internet operations, such as sending and receiving email,telnet, or through the NAT to complete the visit. When you clear the browser's proxy settings, you can revert to NAT to access the Internet.

§§ set Squid

The previous configuration is unrestricted to allow all internal users to use the proxy on the Internet, which is obviously not a good access policy. As we said, the proxy method has very rich support for the control of the user's rights. Here's a look at how squid achieves a variety of rights control.

Let's take a look at several configuration options and access control features for squid.conf:

Squid customization is done by setting up its configuration file squid.conf, squid.conf files are usually in the/etc/squid directory. This configuration file has a lot of content, but each of its options is described in detail. The following are several common configuration parameters:

Http_port

First, change the Http_port, which specifies that Squid listens to the client's request port, and the default value is 3128. To use the agent function, it is recommended that this port value be used with the IP address of the machine running Squid, which can be modified as follows:

Http_port 192.168.100.254:3128

The above statement indicates that SQUID bindings are on the IP address 192.168.100.254 and the port is 3128. The port can be set to any value, but make sure that no other program uses the same port. The/etc/services file lists the commonly used ports, and if you want to set other ports for squid, you can refer to the contents of this file to prevent duplicate settings.

Visible_hostname 192.168.100.254

The name of the host running squid, which can be written on the IP address of the machine.

[Email]cache_mgrpangty@usa.net[/email]

The e-mail address of the administrator. When an error occurs, the values of the Visible_hostname and Cache_mgr options appear in the associated location within the error prompt page.

Cache_mem MB

Defines cache memory, generally defined as 1/3 of the size of physical memory. The default setting is 8MB.

Cache_dir Type directory-name fs-specific-data [options]

Defines the hard disk cache space to store copies of visited pages or other resources. Type refers to the storage type, which is generally set to UFS. Directort-name represents the location of the cache, and the default setting is Cache_dir ufs/var/spool/squid 100 16 256. 100 of these represent the maximum cache space of 100m;16 and 256 representing the number of levels and level two directories in the cache directory.

Access control
Control the user's access rights and other functions are used squid access control characteristics to achieve. Squid access control has two elements: ACL and access list. Access lists allow or deny certain users access to a particular service.

In order to use the control function, ACLs must be set first. The format of the ACL declaration is as follows:

ACL Acl_element_name type_of_acl_element Values_to_acl


Some important ACL types are listed below (type_of_acl_element)

L SRC: Source address (i.e. client IP address)

L DST: Destination address (that is, server IP address)

L Srcdomain: Source name (that is, client name)

L Dstdomain: Target name (that is, server name)

L Time: The moment of the day and the day of the week

L Url_regex:url Rule Expression matching

L Urlpath_regex:url-path rule Expression matching, omitting protocol and host name

L Proxy_auth: User authentication through external programs

L Maxconn: Maximum number of connections for single IP


Note:
1. Acl_element_name can be any name defined in the ACL.

2. No two ACL elements can be used with the same name.

3. Each ACL is made up of list values. When a match is detected, multiple values are connected by logic or operations; in other words, if the value of any ACL is matched, the ACL is matched.
4. Not all ACLs can use all types in the access list.

5. Different ACLs are written in the peer, Squid will combine them in a list.

We can use a number of different access lists. What we often use is http_access: Allow HTTP access, which is the primary access control list.

The rules for accessing lists consist of a number of keywords such as ' allow ' or ' deny ' to allow or deny service to a particular or set of ACL elements.


Note:

1. These rules are matched and detected according to their order, and once a matching rule is detected, the match detection ends immediately.

2. An access list can be composed of more than one rule.

3. If no rules match the access request, the default action corresponds to the last rule in the list.

4. All elements in an access entry are connected by logic and operation:

http_access Action declaration 1 and declaration 2 and declaration OR.

Http_access Action Statement 3

Multiple http_access declarations are connected by or between operations, but the elements of each access entry are connected to an operation.

5. Keep in mind that the rules in the list always follow the order from top to bottom.

Let's look at how to use ACLs and http_access. First of all, change the squid.conf configuration back to the original, that is, modify http_access allow all to http_access deny all. Several common access controls are given below:


Based on IP authentication

Only terminals with address 192.168.100.10 and 192.168.100.100 can use the proxy

Add in the Access Control configuration section of squid.conf

ACL authorizedip src 192.168.100.10

ACL authorizedip src 192.168.100.100

And then to the Http_access section.

Add before the http_access deny all line

Http_access Allow Authorizedip

If you need to set the IP address is very many, and not continuous, is not to write a lot of ACL xxx xxx x.x.x.x? There is a simple way to write these IP addresses in a file, such as/etc/squid/authorizedip.txt, one for each line. And then write it in squid.conf.

ACL authorizedip src "/etc/squid/authorizedip.txt"

Based on Time control

For time period settings, refer to the instructions in squid.conf, specifically S-sunday, M-monday, T-tuesday, W-wednesday, H-thursday, F-friday a-saturday, such as The fruit is allowed in seven days, or it can not be written. The time format is h1:m1-h2:m2, requiring that the front is less than the back.

# define an Access time period: Eight o'clock in the morning to five o'clock in the afternoon from Monday to Friday each week, allowing Alloweduser users to surf the Internet during this time period

ACL accept_time time mtwhf8:00-17:00

Http_access Allow Alloweduser accept_time

Http_access Deny Alloweduser

Access to a specific URL address

Although we do not want all people to use the proxy free access to the Internet, but there are several sites that can be access to internal terminals. Add access control to squid.conf:

ACL Alloweddomain dstdomain. linuxforum.net. linuxaid.com.cn

Http_access Allow Alloweddomain

Similarly, if you have a lot of arguments, you can also write these allowed address names into a text:

ACL alloweddomain dstdomain "/etc/squid/alloweddomain.txt"

Alloweddomain.txt is a list of allowed access to the site, one per line.

Filter URLs based on keywords

Some sites (pornographic sites, ad sites) are annoying, and by setting ACLs it is easy to block out these sites:

ACL denyurl url_regex sex boylink xxx city69 asiaadult Sehu

Http_access Deny Denyurl

This setting will filter the URL addresses of these keywords with sex boylink xxx city69 asiaadult Sehu.

As before, you can also write these keywords into a text

ACL denyedurl Url_regex "/etc/squid/sex.txt"

Http_access Deny Denyurl

User-based authentication

Squid itself does not support user authentication, it is through the external program to provide user authentication function, users need to enter a valid user name and password before access. This functionality can be implemented using Proxy_auth ACLs and Authenticate_program, which force verification of user names and passwords before allowing access. The following is a list of the validators that can be used:

NCSA: User name and password file with NCSA style

LDAP: Using the Linux Lightweight Directory Access Protocol (Linux Lightweight Directory Access Protocol)

SMB: Services that use the SMB protocol, such as SAMBA or Windows NT

MSNT: Domain validation using Windows NT

PAM: A loadable verification module using Linux

GETPWAM: Using Linux password files

You must specify what validator to use with the Authenticate_program option, and make sure that the selected validator is installed and working well. By default, these validators are placed under the/usr/lib/squid/directory.

Take NCSA certification as an example, modify the Squid.conf file Selection validator:

authenticate_program/usr/lib/squid/ncsa_auth/etc/squid/passwd

ACL Alloweduser Proxy_auth pangty

Http_access Allow Alloweduser

Where/etc/squid/passwd is a list of users and passwords, this file can be generated with the htpasswd of the Apache package, which may be the content:

Pangty:wcqhcezoof3vk

Pangty is the username, followed by the user's password.

Note: After modifying the squid.conf configuration, you will need to reboot the squid or tell squid to reload the configuration file to work. This executes:

Heavy squid:

[root@rh73 ~]#/etc/rc.d/init.d/squid Restart


Not reset, only new configuration files are loaded:

[root@rh73 ~]#/etc/rc.d/init.d/squid Reload

The above is squid's commonly used configuration options, which for the general application is enough, if you need more feature support, please read the following content.

§§ needs more features.

Display Chinese error message

The default, squid in the event of error is displayed in English prompts information, squid hints have been translated into many languages, can be very convenient for him to display Chinese information:

[Root@rh73 ~]# Cd/etc/squid/

[Root@rh73 ~]# rm-f errors

[root@rh73/etc/squid]# ln-s/usr/lib/squid/errors/simplify_chinese/errors

/usr/lib/squid/errors below are the various language versions of Squid that are listed under different subdirectories by directory.

Supports Mac based control and access to underlined URLs

Because your computer's IP address can be changed at any time, even if you set an ACL limit that only certain IP computers can access the Internet, others can still access the Internet after the computer shuts down to these IP addresses that allow Internet access. In addition, we use DHCP to manage the IP address of the computer on the internal network, each computer gets the IP address may be different, so, simply through the IP address to control the Internet access is not suitable for all occasions, and the MAC address is relatively stable, The MAC address of the general Nic can not be changed, so the user control based on MAC address is very suitable to solve the problems caused by these two situations.

In addition, when we visit the Internet, we sometimes encounter such a Web site address:http://www.hello_world.com, there is an underscore in the URL address of the website, when Red Hat Linux comes with a squid package that may report that it cannot access the site.

These features need to recompile squid source code to increase the corresponding compilation options to implement. Let's take a look at how to recompile the package source code using RPM to get the necessary functionality.

When the article was written here, Red Hat Linux website released the squid upgrade package, we can get its latest source code RPM package from the Internet:

ftp://updates.redhat.com/7.2/en/... able6-6.7.3.src.rpm

Before you start compiling, there are some packages that need to be installed first, which may include Rpm-build, Sgml-tools, which can be found on Red Hat Linux discs, which can be downloaded from here:

ftp://ftp.freesoft.cei.gov.cn/.m ... s-1.0.9-12.i386.rpm

Install Squid's source code package

[root@rh73 ~]# RPM-IVH squid-2.4.stable6-6.7.3.src.rpm

After the installation of the source code package in the/usr/src/redhat/sources directory, we are concerned about another file/usr/src/redhat/specs/squid.spec, which has squid related compile options, modify the file% The Configure section is as follows:

%configure \

--EXEC_PREFIX=/USR--bindir=/usr/sbin--libexecdir=/usr/lib/squid \

--localstatedir=/var--sysconfdir=/etc/squid \

--enable-poll--enable-snmp--enable-removal-policies= "Heap,lru" \

--enable-storeio= "Aufs,coss,diskd,ufs" \

--enable-delay-pools--enable-linux-netfilter \

--with-pthreads \

--enable-underscores \

--ENABLE-ARP-ACL \

--enable-err-language=simplify_chinese \

--enable-auth-modules= "ldap,ncsa,pam,smb,msnt" #--enable-icmp

--enable-underscores is to increase support for underlined web sites,--ENABLE-ARP-ACL is to increase support MAC address way of authentication.


Start compiling to generate a new RPM package:

[root@rh73 ~]# Rpm-ba Squid.spe

This command will recompile the generation of the new RPM package based on the Squid.spec configuration. The compilation process depends on the performance of the machine, which may take a few minutes to a few 10 minutes, if there is no error, the resulting new RPM package in the/usr/src/redhat/rpms/i386/directory: squid-2.4. stable6-6.7.3.i386.rpm

Install the new RPM package:

[Root@rh73 ~]# rpm-uvh/usr/src/redhat/rpms/i386/squid-2.4.stable6-6.7.3.i386.rpm

Note that the-u parameter is used here because we have previously installed an older version of squid, the-u parameter indicates that the operation is an upgrade to the original version of the package. Now your squid can support MAC address authentication and an underlined URL address. 8)

Configure SQUID.CONF to support MAC address authentication by adding such content to the squid.conf:

ACL Allowedmac ARP00:10:DC:8F:5B:FF

Http_access Allow Allowedmac

Just a few examples of commonly used ACL settings, the Access Controls section of ACLs that can access the FAQ document on the Squid home page for more information:

http://www.squid-cache.org/Doc/FAQ/FAQ-10.html

§§ Configuration Transparent Proxy

Transparent proxy is the perfect combination of NAT and agent, is called Transparent, because in this way of working you do not feel the presence of agents, and simply using NAT, there is no special setting for the client on the Internet. Squid can be configured to support transparent proxies.


A lot of articles talk about sharing the Internet will speak about transparent agent (iptables + squid or ipchains + squid) content, I personally think for the size of the network, there is no content filtering functions such as requirements, the use of squid is not necessary, The simple use of NAT is sufficient, and so the requirements of the server running NAT is lower, such as using a 486 + 4 m memory machine, if you use a specially customized Linux system, even the hard drive does not need, as long as a floppy disk can be.

If you are compiling the installed squid in source code, indicate the--enable-linux-netfilter option in the compile option. Red Hat Linux with squid support transparent agent, we can directly modify the/etc/squid/squid.conf file, set the necessary parameters:

Httpd_accel_host Virtual

Httpd_accel_port 80

Httpd_accel_with_proxy on

Httpd_accel_uses_host_header on

Run/etc/rc.d/init.d/squid reload make the settings take effect, and then modify the fw.sh script to add one line at the end:

Iptables-a prerouting-t nat-i eth1-p tcp--dport 80-j REDIRECT--to-port 3128

This will redirect access requests from all LAN users accessing the WWW service through the Linux access server to the Squid processing operating at Port 3128. Run the fw.sh script to make the settings take effect. It's that simple!

You may remember the rules about NAT in fw.sh:

Iptables-a postrouting-t nat-s 192.168.100.0/24-o eth0-j SNAT--to-source 61.156.35.114

Because prerouting rules are always applied before the postrouting rule, you don't have to worry about squid being shielded by NAT rules.

Note: When using a transparent proxy, you cannot use squid based on the user account authentication function at the same time!


To learn more about transparent proxies, visit the howto documentation on transparent proxies on TLDP (the Linux documentation Project):

http://www.tldp.org/HOWTO/mini/TransparentProxy.html

§§ a squid.conf configuration instance

Now give a squid profile that supports transparent proxies and uses MAC addresses to control user access, which also supports filtering for specific Web sites, such as pornography:

#定义服务器地址和端口

Http_port 192.168.100.254:3128

#定义服务器名字

Visible_hostname 192.168.100.254

#定义管理员邮件地址

Cache_mgr [Email]pangty@usa.net[/email]

#定义缓存内存空间和缓存目录

Cache_mem MB

Cache_dir UFS/VAR/SPOOL/SQUID 100 16 256

#支持透明代理

Httpd_accel_host Virtual

Httpd_accel_port 80

Httpd_accel_with_proxy on

Httpd_accel_uses_host_header on

#定义acl

#sexurl. txt lists keywords to filter the address of pornographic web sites, one line for each keyword, such as Xchina

#maclist. txt lists the MAC addresses of the hosts that allow Internet access, one row for each address, such as 00:50:56:c0:00:08

ACL all src 0.0.0.0/0.0.0.0

ACL sexurl Url_regex "/etc/squid/sexurl.txt"

ACL allowedmac ARP "/etc/squid/maclist.txt"

#定义访问策略

Http_access Deny Sexurl

Http_access Allow Allowedmac

Http_access Deny All

Current 1/2 page 12 Next read the full text
Related Article

Cloud Intelligence Leading the Digital Future

Alibaba Cloud ACtivate Online Conference, Nov. 20th & 21st, 2019 (UTC+08)

Register Now >

Starter Package

SSD Cloud server and data transfer for only $2.50 a month

Get Started >

Alibaba Cloud Free Trial

Learn and experience the power of Alibaba Cloud with a free trial worth $300-1200 USD

Learn more >

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.