Build an experimental environment for a large website architecture (Squid Cache Server)

Source: Internet
Author: User
Tags: ldap, squid, proxy

Squid is an application-level proxy. Once the client host and the server host are connected over the network, the client software must be configured before it can use Squid, for example by setting the proxy server address and port in Internet Explorer.
A web cache is necessary for a large and busy network. An article on the IBM website details the benefits of a web cache for Internet users:
http://www-900.ibm.com/developer... achinga/index.shtml

Next we will introduce the content of squid.

§ Install and run squid

Red Hat 7.3 ships with the Squid rpm package squid-2.4.STABLE6-1.7.2.i386.rpm, so here we install Squid directly with rpm:

[root@rh73 /mnt/cdrom/RedHat/RPMS]# rpm -ivh squid-2.4.STABLE6-1.7.2.i386.rpm

Preparing...                ########################################### [100%]

   1:squid                  ########################################### [100%]

The installed Squid configuration files are in the /etc/squid/ directory. You only need to edit /etc/squid/squid.conf to make it work.

By default the installed configuration file contains more than two thousand lines of text; in fact you do not have to set most of it. Open the configuration file in an editor, find the http_access section, and change the line

http_access deny all

to

http_access allow all

Then start Squid:

/etc/rc.d/init.d/squid start

Now your Squid proxy server is ready for use. Take Internet Explorer 6.0 as an example: open Internet Options, select the "Connections" tab and click "LAN Settings".

In the dialog box that appears, select "Use a proxy server for your LAN" and enter the proxy server address (192.168.100.254 in this example) in the address field; the default port for squid is 3128.

Confirm the settings. From now on Internet Explorer reaches the Internet through the squid proxy. You can watch the squid log file to observe the client host's access through squid:

[root@rh73 ~]# tail -f /var/log/squid/access.log
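As an added example (not part of the original article), here is a small Python parser for Squid's native access.log format that summarizes activity per client and flags clients whose requests are mostly refused by the ACLs. The log lines are constructed for this example, and the field layout assumed is Squid's default native format.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format (not from the article):
# timestamp elapsed client result/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1043281102.123    150 192.168.100.10 TCP_MISS/200 4521 GET http://www.linuxforum.net/ - DIRECT/202.96.0.1 text/html
1043281103.001     12 192.168.100.10 TCP_HIT/200 2210 GET http://www.linuxforum.net/logo.gif - NONE/- image/gif
1043281105.456      2 192.168.100.50 TCP_DENIED/403 1200 GET http://www.example.com/ - NONE/- text/html
1043281106.789      1 192.168.100.50 TCP_DENIED/403 1200 GET http://www.example.com/a - NONE/- text/html
1043281107.000      1 192.168.100.50 TCP_DENIED/403 1200 CONNECT mail.example.com:443 - NONE/- -
1043281110.321    300 192.168.100.100 TCP_MISS/200 9876 GET http://www.linuxaid.com.cn/ - DIRECT/202.96.0.2 text/html
"""

def parse_line(line):
    """Split one native-format line into a dict; returns None for malformed lines."""
    f = line.split()
    if len(f) < 10:
        return None
    result, _, status = f[3].partition("/")
    url = f[6]
    # CONNECT requests log only host:port, without a scheme
    host = urlsplit(url).hostname if "://" in url else url.rsplit(":", 1)[0]
    return {"ts": float(f[0]), "elapsed_ms": int(f[1]), "client": f[2], "result": result,
            "status": int(status), "bytes": int(f[4]), "method": f[5], "url": url, "host": host}

def summarize(log_text):
    """Per-client counters: requests, denied requests, bytes, and the hosts actually reached."""
    stats = defaultdict(lambda: {"requests": 0, "denied": 0, "bytes": 0, "hosts": set()})
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        s = stats[rec["client"]]
        s["requests"] += 1
        s["bytes"] += rec["bytes"]
        if rec["result"] == "TCP_DENIED" or rec["status"] == 403:
            s["denied"] += 1      # refused by http_access, nothing was fetched
        else:
            s["hosts"].add(rec["host"])
    return dict(stats)

def suspicious_clients(stats, min_requests=3, denied_ratio=0.5):
    """Clients whose requests were mostly denied: a misconfigured client or someone probing the policy."""
    return sorted(c for c, s in stats.items()
                  if s["requests"] >= min_requests and s["denied"] / s["requests"] >= denied_ratio)

if __name__ == "__main__":
    for client, s in sorted(summarize(SAMPLE_LOG).items()):
        print(client, s["requests"], "requests,", s["denied"], "denied,", sorted(s["hosts"]))
```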

Note that the above settings only apply to Internet Explorer. If you implemented NAT on the Linux access server as described in the previous chapter, only the http and ftp accesses made from the IE browser go through the squid proxy; other Internet access, such as sending and receiving email or telnet, still goes through NAT. After you clear the browser's proxy settings, its Internet access goes through NAT again.

§ Configuring squid

The preceding configuration allows all internal users to use the proxy without restriction. Obviously this is not a good access policy. As we said earlier, the proxy approach offers rich support for user permission control; the following describes how squid implements various forms of it.

Let's first look at several configuration options and the access control features of squid.conf.

Squid is customized through its configuration file squid.conf, usually found in the /etc/squid directory. The file is long, but every option is described in detail. Below are several common configuration parameters:

http_port

First, change http_port. This option specifies the port on which Squid listens for client requests; the default is 3128. For the proxy function we recommend binding this port to the IP address of the machine running Squid, like this:

http_port 192.168.100.254:3128

The statement above binds Squid to the IP address 192.168.100.254 and port 3128. The port can be any value, but make sure no other program uses the same port. The /etc/services file lists the common ports; if you want to give squid a different port, consult this file to avoid a conflict.

visible_hostname 192.168.100.254

Enter the IP address of the host running squid.

cache_mgr pangty@usa.net

The administrator's email address. When an access error occurs, the values of visible_hostname and cache_mgr are shown at the corresponding places on the error page.

cache_mem 16 MB

Defines the memory used for caching, generally about 1/3 of the physical memory. The default is 8 MB.

cache_dir Type Directory-Name FS-specific-data [options]

Defines the on-disk cache space used to store copies of accessed pages and other resources. Type is the storage type, generally ufs. Directory-Name is the cache location. The default setting is cache_dir ufs /var/spool/squid 100 16 256: 100 is the maximum cache size in MB (100 MB), and 16 and 256 are the numbers of first- and second-level subdirectories under the cache directory.

Access Control

Squid's access control feature controls users' access permissions. It has two elements: ACLs and access lists. An access list allows or denies certain users access to a specific service.

To use access control you must first define ACLs. The ACL declaration format is:

acl acl_element_name type_of_acl_element values_to_acl

The following are some important ACL types (type_of_acl_element):

- src: source address (client IP address)
- dst: destination address (that is, the server IP address)
- srcdomain: source name (client domain name)
- dstdomain: destination name (server domain name)
- time: time of day and day of the week
- url_regex: regular expression match against the URL
- urlpath_regex: regular expression match against the URL path, skipping the protocol and host name
- proxy_auth: user authentication through an external program
- maxconn: maximum number of connections from a single IP address

Note:

1. acl_element_name can be any name you choose for the ACL.

2. No two ACL elements may use the same name.

3. Each ACL consists of a list of values. When matching, the values are combined with a logical OR: if any value of the ACL matches, the ACL matches.

4. Not all ACL types can be used in every access list.

5. Different ACLs go on different lines; lines with the same ACL name are combined by squid into one list.

Many different access lists are available. The one most commonly used is http_access, which controls HTTP access; it is the main access control list.

An access list rule consists of the keyword allow or deny, which allows or denies the service to a specific ACL element or to a set of them.

Note:

1. The rules are checked in the order they are written. As soon as a rule matches, the check ends.

2. An access list can contain multiple rules.

3. If no rule matches the request, the default action depends on the last rule in the list.

4. All elements in one access entry are combined with a logical AND:

http_access Action Statement1 AND Statement2 AND Statement3
OR
http_access Action Statement4

Multiple http_access lines are combined with OR, but the elements within one access entry are combined with AND.

5. Remember that the rules in the list are always processed from top to bottom.
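To make these rules concrete, here is an added Python model of how squid evaluates acl and http_access lines (example code, not part of the original article or of squid itself): it handles src, dstdomain, url_regex, arp and time ACLs, ORs the values of one ACL, ANDs the elements of one http_access line, stops at the first match and, when nothing matches, returns the opposite of the last line's action, which is what Squid's own documentation specifies. The "when" field of a request is assumed to be a "YYYY-MM-DD HH:MM" string, and ACL values read from a file ("/etc/squid/...") are not supported.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

DAY_CODES = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}  # Squid day letters -> weekday()

def parse_config(text):
    """Collect acl definitions and http_access rules from squid.conf-style lines."""
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts and parts[0] == "acl":  # repeated lines for one name accumulate values
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def match_value(kind, value, req):
    """Match one value of a src, dstdomain, url_regex or arp ACL against a request."""
    if kind == "src":
        return ip_address(req["src"]) in ip_network(value, strict=False)
    if kind == "dstdomain":  # a leading dot also matches every subdomain
        host, v = req["host"].lower(), value.lower()
        return host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
    if kind == "url_regex":
        return re.search(value, req["url"]) is not None
    if kind == "arp":
        return req.get("mac", "").lower() == value.lower()
    raise ValueError("unsupported acl type: " + kind)

def match_time(values, when):
    """time ACL: optional weekday letters plus optional H1:M1-H2:M2 window."""
    days = "".join(v for v in values if ":" not in v)
    if days and when.weekday() not in {DAY_CODES[d] for d in days}:
        return False
    now = when.hour * 60 + when.minute
    for window in (v for v in values if ":" in v):
        (h1, m1), (h2, m2) = (map(int, t.split(":")) for t in window.split("-"))
        if not (h1 * 60 + m1 <= now <= h2 * 60 + m2):
            return False
    return True

def acl_matches(acls, name, req):
    """An ACL matches when any one of its values matches (values OR together)."""
    kind, values = acls[name]
    if kind == "time":
        return match_time(values, datetime.strptime(req["when"], "%Y-%m-%d %H:%M"))
    return any(match_value(kind, v, req) for v in values)

def http_access(acls, rules, req):
    """Return 'allow' or 'deny' as Squid's http_access list would decide."""
    for action, names in rules:
        if all(acl_matches(acls, n, req) for n in names):  # elements AND together
            return action  # the first matching line ends the search
    last = rules[-1][0] if rules else "deny"
    return "deny" if last == "allow" else "allow"  # no match: opposite of last line
```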

Let's look at how to use acl and http_access. First, return squid.conf to its original state, that is, change http_access allow all back to http_access deny all. Below are some common access control settings:

Authentication by IP address

Only the terminals with addresses 192.168.100.10 and 192.168.100.100 may use the proxy.

In the access control section of squid.conf, add

acl authorizedip src 192.168.100.10

acl authorizedip src 192.168.100.100

Then, in the http_access section, add

http_access allow authorizedip

If you need to allow many non-contiguous IP addresses, do you have to write a long series of acl lines? There is a simpler way: write the addresses into a file such as /etc/squid/authorizedip.txt, one per line, and refer to it in squid.conf as follows:

acl authorizedip src "/etc/squid/authorizedip.txt"

Time-based control

For details of the time period syntax, see the description in squid.conf. In short, the day letters are S - Sunday, M - Monday, T - Tuesday, W - Wednesday, H - Thursday, F - Friday, A - Saturday, and the day field may also be left empty. The time format is H1:M1-H2:M2, where the first time must be earlier than the second.

# Define an access period: 8:00 A.M. to 5:00 P.M., Monday to Friday, during which alloweduser may access the Internet

acl accept_time time MTWHF 8:00-17:00

http_access allow alloweduser accept_time

http_access deny alloweduser

Access to specific URLs

Although we do not want everyone to use the proxy to access the Internet freely, there are a few websites that internal terminals should be able to reach. Add the following access control to squid.conf:

acl alloweddomain dstdomain .linuxforum.net .linuxaid.com.cn

http_access allow alloweddomain

Likewise, if there are many entries, you can write the allowed domain names into a text file:

acl alloweddomain dstdomain "/etc/squid/alloweddomain.txt"

alloweddomain.txt is the list of permitted sites, one per line.

Filtering URLs by keyword

Some websites (pornographic and advertising sites) are annoying. You can block them easily with an acl:

acl denyurl url_regex sex boylink xxx city69 asiaadult sehu

http_access deny denyurl

This setting filters out URLs containing any of the keywords sex, boylink, xxx, city69, asiaadult or sehu.

As before, you can also put the keywords into a text file (the acl name must be the same one used in the http_access line):

acl denyurl url_regex "/etc/squid/sex.txt"

http_access deny denyurl

User-based authentication

Squid itself does not implement user authentication; it provides it through external programs. Users must enter a valid user name and password before they can use squid. This is implemented with a proxy_auth ACL and the authenticate_program option: the user name and password are verified before access is permitted. Some of the authentication programs Squid can use are:

NCSA: user name and password in NCSA style

LDAP: Lightweight Directory Access Protocol

SMB: services that use the SMB protocol, such as Samba or Windows NT

MSNT: Windows NT domain authentication

PAM: Linux pluggable authentication modules

getpwnam: the Linux password database

To use authentication you must name the authentication program with the authenticate_program option. Make sure the chosen program is installed and works. By default these programs are stored in the /usr/lib/squid/ directory.

Taking NCSA authentication as an example, set the chosen program in squid.conf:

authenticate_program /usr/lib/squid/ncsa_auth /etc/squid/passwd

acl alloweduser proxy_auth pangty

http_access allow alloweduser

Here /etc/squid/passwd is the list of users and passwords. The file can be generated with htpasswd from the Apache package. Its content looks like this:

pangty:wCQhCeZOOF3vk

pangty is the user name, and the text after ":" is the user's password as stored by htpasswd (a hash, not the clear-text password).

Note: after you modify squid.conf you need to restart squid or tell it to reload the configuration file. Use one of the following commands.

Restart squid:

[root@rh73 ~]# /etc/rc.d/init.d/squid restart

Or, without restarting, just reload the configuration file:

[root@rh73 ~]# /etc/rc.d/init.d/squid reload

The above are the common squid configurations, which suffice for general use. If you need more features, read on.

§ More functions

Displaying Chinese error messages

By default squid displays English messages when an error occurs. Squid's messages have been translated into many languages, so Chinese messages are easy to enable:

[root@rh73 ~]# cd /etc/squid/

[root@rh73 /etc/squid]# rm -f errors

[root@rh73 /etc/squid]# ln -s /usr/lib/squid/errors/Simplify_Chinese errors

/usr/lib/squid/errors contains squid's messages in various languages, each language in its own subdirectory.

MAC-based control and URLs containing underscores

Because a computer's IP address can be changed at any time, even if an ACL restricts Internet access to certain IP addresses, someone else can shut down such a computer, switch to one of the permitted IP addresses and then access the Internet. In addition, we use DHCP to manage the IP addresses of the internal network, so each computer may get a different address each time. Controlling Internet access by IP address alone is therefore not suitable for all situations, whereas the MAC address is relatively stable; generally the MAC address of a NIC cannot be changed, so MAC address-based user control is well suited to solving both problems.

Also, when browsing we sometimes meet a website address such as http://www.hello_world.com, whose URL contains an underscore; in that case the squid package provided by Red Hat Linux may report that the site cannot be accessed.

These functions require recompiling squid from source with the corresponding configure options. Next we look at how to rebuild the source rpm package to obtain the needed functions.

At the time of writing, the Red Hat Linux website had released a squid update; we can get its source rpm package from the Internet:

ftp://updates.redhat.com/7.2/en/... ABLE6-6.7.3.src.rpm

Before compiling, some packages must be installed, in particular rpm-build and sgml-tools. The former is on the Red Hat Linux CD; the latter can be downloaded from:

ftp://ftp.freesoft.cei.gov.cn/.m... s-1.0.9-12.i386.rpm

Install the squid source package:

[root@rh73 ~]# rpm -ivh squid-2.4.STABLE6-6.7.3.src.rpm

The unpacked sources go into the /usr/src/redhat/SOURCES directory. We are interested in another file, /usr/src/redhat/SPECS/squid.spec, which holds the squid compilation options. Modify the %configure part of that file as follows:

%configure \
  --exec_prefix=/usr --bindir=/usr/sbin --libexecdir=/usr/lib/squid \
  --localstatedir=/var --sysconfdir=/etc/squid \
  --enable-poll --enable-snmp --enable-removal-policies="heap,lru" \
  --enable-storeio="aufs,coss,diskd,ufs" \
  --enable-delay-pools --enable-linux-netfilter \
  --with-pthreads \
  --enable-underscores \
  --enable-arp-acl \
  --enable-err-language=Simplify_Chinese \
  --enable-auth-modules="LDAP,NCSA,PAM,SMB,MSNT" # --enable-icmp

--enable-underscores adds support for URLs containing underscores, and --enable-arp-acl adds support for MAC address ACLs.

Start compiling and build the new rpm package:

[root@rh73 ~]# rpm -ba squid.spec

This command rebuilds the rpm package according to squid.spec. The time it takes depends on the machine; it may take from several minutes to several tens of minutes. If there are no errors, the new package is placed in the /usr/src/redhat/RPMS/i386/ directory as squid-2.4.STABLE6-6.7.3.i386.rpm.

Install the new rpm package:

[root@rh73 ~]# rpm -Uvh /usr/src/redhat/RPMS/i386/squid-2.4.STABLE6-6.7.3.i386.rpm

Note that the -U parameter is used here because an earlier version of squid is already installed; -U means the operation is an upgrade of the existing package. Now your squid supports MAC address ACLs and URLs with underscores. 8)

To configure squid.conf for MAC address control, add the following to squid.conf:

acl allowedmac arp 00:10:DC:8F:5B:FF

http_access allow allowedmac

The above are just examples of common ACL settings. For more on ACLs, see the Access Controls section of the FAQ on the squid homepage:

http://www.squid-cache.org/Doc/FAQ/FAQ-10.html

§ Configuring a transparent proxy

A transparent proxy is the combination of NAT and a proxy. It is called transparent because users do not notice the proxy: just as with NAT, clients need no special settings to access the Internet. Squid supports transparent proxying through its configuration.

Many articles discuss transparent proxying (iptables + squid or ipchains + squid) when they talk about Internet sharing. Personally I think that a small network with no requirement such as content filtering does not need squid at all: NAT alone is enough, and the machine running NAT can be very modest, for example a 486 with 4 MB of memory; with a customized Linux system it does not even need a hard disk, only a floppy.

If you compile squid from source, specify the --enable-linux-netfilter configure option. The squid shipped with Red Hat Linux already supports transparent proxying; just edit /etc/squid/squid.conf and set the necessary parameters:

httpd_accel_host virtual

httpd_accel_port 80

httpd_accel_with_proxy on

httpd_accel_uses_host_header on

Run /etc/rc.d/init.d/squid reload to make the settings take effect, then modify the fw.sh script and add the following line at its end:

iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

This redirects all requests from LAN users for web (www) services that pass through the Linux access server to squid, which is listening on port 3128. Run the fw.sh script to make the settings take effect. That's all!

You may remember the NAT rule in fw.sh:

iptables -A POSTROUTING -t nat -s 192.168.100.0/24 -o eth0 -j SNAT --to-source 61.156.35.114

Because PREROUTING rules are always applied before POSTROUTING rules, you do not have to worry about the NAT rule bypassing squid.

Note: squid's user account based authentication cannot be used with a transparent proxy!

For more about transparent proxying, see the Transparent Proxy mini-HOWTO on TLDP (The Linux Documentation Project):

http://www.tldp.org/HOWTO/mini/TransparentProxy.html

§ A squid.conf configuration example

Here is a squid configuration file that supports transparent proxying and MAC address control of users' Internet access. It also filters specific websites (such as pornographic sites):

# Define the server address and port
http_port 192.168.100.254:3128

# Define the server name
visible_hostname 192.168.100.254

# Define the administrator email address
cache_mgr pangty@usa.net

# Define cache memory and the cache directory
cache_mem 16 MB
cache_dir ufs /var/spool/squid 100 16 256

# Transparent proxy
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

# Define the acls
# sexurl.txt lists keywords for filtering pornographic website addresses, one per line, for example xchina.
# maclist.txt lists the MAC addresses of hosts allowed to access the Internet, one per line, for example 00:50:56:C0:00:08.
acl all src 0.0.0.0/0.0.0.0
acl sexurl url_regex "/etc/squid/sexurl.txt"
acl allowedmac arp "/etc/squid/maclist.txt"

# Define the access policy
http_access deny sexurl
http_access allow allowedmac
http_access deny all
