Preface
Here we need to configure a proxy server that provides proxy service only to the internal network. It has the following features: users are divided into two classes, advanced users and ordinary users. Advanced users are recognised by the physical (MAC) address of their network card, while ordinary users must enter a user name and password. Advanced users have no restrictions on access time or file type; ordinary users may only browse during working hours and are subject to some other restrictions.
Install
Install from the package repository
The distribution's package repository carries a stable version. Run the following command to install it:
sudo apt-get install squid-common
Source code compilation and installation
Of course, you can also download the latest version from the official website and compile and install it yourself:
Two kinds of release are offered there, STABLE and DEVEL; DEVEL versions are normally provided for developers to test the program. Assuming you have downloaded the latest STABLE version, squid-2.5.STABLE2.tar.gz, unpack the tarball with the following command:
tar xvfz squid-2.5.STABLE2.tar.gz
A bz2-compressed package may be smaller; the corresponding command is:
tar xvfj squid-2.5.STABLE2.tar.bz2
Then enter the resulting directory to configure and compile the source. The commands are as follows:
cd squid-2.5.STABLE2
The configure script has many options; if you are unsure about them, run ./configure --help to list them. The following are generally used:
--prefix=/WEB/squid
Specifies the installation location of Squid. If only this option is given, that directory will contain bin, sbin, man, conf and other subdirectories, with the main configuration file in the conf subdirectory. For easier management it is best to also pass --sysconfdir=/etc, which places the configuration file under /etc.
--enable-storeio=ufs,null
Selects the cache storage modules. The default, ufs, is normally sufficient, but if you want a proxy server that caches no files at all you must add the null storage module.
--enable-arp-acl
Lets you match clients by MAC address directly in the access rules, to prevent IP spoofing.
--enable-err-languages="Simplify_Chinese"
--enable-default-err-language="Simplify_Chinese"
These two options tell Squid to compile and use the simplified Chinese error messages.
--enable-linux-netfilter
Enables transparent proxying on Linux.
--enable-underscores
Allows underscores in host names when parsing URLs. By default Squid considers a URL containing an underscore illegal and refuses access to that address. The configure and compile procedure is as follows:
./configure --prefix=/var/squid \
    --sysconfdir=/etc \
    --enable-arp-acl \
    --enable-linux-netfilter \
    --enable-pthreads \
    --enable-err-languages="Simplify_Chinese" \
    --enable-storeio=ufs,null \
    --enable-default-err-language="Simplify_Chinese" \
    --enable-auth="basic" \
    --enable-basic-auth-helpers="NCSA" \
    --enable-underscores
Some of these options have special functions and will be described below. Finally, run the following two commands to compile the source into executables and copy them to the chosen location:
make
sudo make install
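Because configure scripts of that era accept an unknown --enable-* option with at most a warning, a misspelling in a long option list (for example --enable-baisc-auth-helpers instead of --enable-basic-auth-helpers) is easy to miss and quietly produces a Squid without the NCSA helper. The following POSIX shell script is an added example, not part of the original article and not Squid's own tooling: it checks each intended option against the text of ./configure --help. The help excerpt embedded in it is a constructed stand-in so that the script runs without the source tree; in the real tree replace it with the output of ./configure --help.

```sh
#!/bin/sh
# Added example (not from the article): verify that every option we plan to
# pass to ./configure is one the script recognises, by looking it up in the
# output of "./configure --help". Old autoconf scripts accept an unknown
# --enable-* option with at most a warning, so a typo silently changes what
# gets built.

# Constructed excerpt standing in for "./configure --help" so this runs
# offline; in the real source tree use:  HELP=$(./configure --help)
HELP='  --prefix=PREFIX         install architecture-independent files in PREFIX
  --sysconfdir=DIR        read-only single-machine data in DIR
  --enable-arp-acl        Enable use of ARP ACL lists
  --enable-linux-netfilter  Enable Transparent Proxy support
  --enable-pthreads       Use POSIX Threads
  --enable-err-languages="lang1 lang2 .."  Select error languages to build
  --enable-default-err-language=lang  Select default error language
  --enable-storeio="list of modules"  Build support for the listed store I/O modules
  --enable-auth="list of auth scheme modules"  Build the listed authentication schemes
  --enable-basic-auth-helpers="list of helpers"  Build basic authentication helpers
  --enable-underscores    Allow underscores in host names'

# check_configure_options HELP_TEXT OPTION...
# Prints each option whose name does not appear in HELP_TEXT and returns 1;
# returns 0 when every option is known.
check_configure_options() {
    help_text=$1
    shift
    rc=0
    for opt in "$@"; do
        name=${opt%%=*}                      # strip any =value part
        # in --help output an option name is followed by '=', a space, or end of line
        if ! printf '%s\n' "$help_text" | grep -qE -- "^ *${name}"'(=| |$)'; then
            echo "unknown option: $opt"
            rc=1
        fi
    done
    return $rc
}

# The option list from the article, with the misspelled helper option left in
# so the check has something to report.
check_configure_options "$HELP" \
    --prefix=/var/squid --sysconfdir=/etc \
    --enable-arp-acl --enable-linux-netfilter --enable-pthreads \
    --enable-err-languages=Simplify_Chinese \
    --enable-storeio=ufs,null \
    --enable-default-err-language=Simplify_Chinese \
    --enable-auth=basic --enable-baisc-auth-helpers=NCSA \
    --enable-underscores ||
    echo "fix the option list before running ./configure"
```

Run it before configure; the only line it prints for the list above is the misspelled helper option. The match is anchored at the start of the line so that --enable-err-language (singular) is not accepted on the strength of --enable-default-err-language appearing in the help text.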
Basic Configuration
After installation is complete, configure how Squid runs (as opposed to the build-time configuration above). Everything is done in squid.conf. The squid.conf shipped with Squid contains very detailed comments and is effectively a user manual; refer to it for any question about the configuration. In this example the proxy server is also the gateway: the internal network interface eth0 has the IP address 192.168.0.1, and the external interface eth1 has the IP address 202.103.x.x. The following configuration options are required for a basic proxy:
http_port 192.168.0.1:3128
The default port is 3128; it can be any other port as long as it does not conflict with other services. For security, the IP address is prepended so that Squid listens only on the internal interface and not on the external one. The next option is the e-mail address of the server administrator; when an error occurs, this address is shown on the error page so that users can get in touch:
cache_mgr start@soocol.
The following parameters set the file system, location and replacement policy of the Squid cache:
cache_dir ufs /var/squid 100 16 256
cache_mem 32 MB
cache_swap_low 90
cache_swap_high 95
Here Squid uses the /var/squid directory to store cached data (the three numbers after the path are the cache size in MB and the number of first- and second-level subdirectories; Squid requires all three, and these are the values from Squid's own sample configuration). 32 MB of memory is set aside for in-memory cached objects. When the cache reaches 95% full, new content replaces old content instead of simply being added to the directory, until usage falls back to 90%. If you do not want Squid to cache any files, for example on a dedicated system with limited storage, use the null storage module instead (which needs none of those cache policy settings):
cache_dir null /tmp
Of the following log settings, the most important is the first line, the users' access log; analysing it tells you every address each user visited:
cache_access_log /var/squid/access.log
cache_log /var/squid/cache.log
cache_store_log /var/squid/store.log
The following line is a parameter that appeared in newer versions; it tells Squid the server name to display on the error page:
visible_hostname No1.proxy
The following tells Squid how to treat client addresses: with a full mask, the IP address of each request is handled as a distinct client address:
client_netmask 255.255.255.255
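As an added example (not from the original article, and not Squid's own tooling), the following POSIX shell script reads a squid.conf and checks the points above that matter for a proxy meant to serve only the internal network: that http_port is bound to an address rather than left listening on every interface, that client_netmask is a valid four-octet mask, and that a ufs cache_dir carries the size and directory counts Squid requires. The sample configuration it contains is constructed.

```sh
#!/bin/sh
# Added example (not from the article): a small checker for the squid.conf
# directives discussed above. It reports
#   1. an http_port with no IP address, which makes Squid listen on every
#      interface, including the external one;
#   2. a malformed client_netmask (wrong number of octets or octet > 255);
#   3. a "cache_dir ufs" line missing the size and directory counts.

# Constructed sample configuration (not a real file from the article).
SAMPLE_CONF='# basic proxy on the internal interface only
http_port 192.168.0.1:3128
cache_dir ufs /var/squid 100 16 256
cache_mem 32 MB
cache_swap_low 90
cache_swap_high 95
client_netmask 255.255.255.255'

# check_squid_conf CONF_TEXT -> prints one line per problem, returns 1 if
# any problem was found, 0 otherwise.
check_squid_conf() {
    printf '%s\n' "$1" | awk '
    # ip_ok: 1 if the argument is a dotted quad with every octet in 0..255
    function ip_ok(ip,   p, i) {
        if (split(ip, p, ".") != 4) return 0
        for (i = 1; i <= 4; i++)
            if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
        return 1
    }
    /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
    $1 == "http_port" {
        seen_port = 1
        # require ip:port, and the ip part must be a valid address
        if ($2 !~ /^[0-9.]+:[0-9]+$/ || !ip_ok(substr($2, 1, index($2, ":") - 1))) {
            print "http_port " $2 ": bind to the internal address as ip:port, not to all interfaces"
            bad = 1
        }
    }
    $1 == "client_netmask" && !ip_ok($2) {
        print "client_netmask " $2 ": not a valid dotted-quad mask"
        bad = 1
    }
    $1 == "cache_dir" && $2 == "ufs" && NF < 6 {
        print "cache_dir ufs " $3 ": needs <Mbytes> <L1> <L2> after the directory"
        bad = 1
    }
    END {
        if (!seen_port) { print "no http_port directive found"; bad = 1 }
        exit bad ? 1 : 0
    }'
}

# Check the embedded sample; on a real host use: check_squid_conf "$(cat /etc/squid.conf)"
check_squid_conf "$SAMPLE_CONF" && echo "squid.conf: no problems found"
```

The embedded sample passes. Feeding it a configuration with a bare "http_port 3128", "cache_dir ufs /var/squid" and the five-octet "client_netmask 255.255.255.255.255" produces three findings and a non-zero exit status, so the script can gate a deployment.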
For an ordinary proxy server the above configuration is sufficient. However, many Squid installations are used as transparent proxies. A transparent proxy is one whose existence the client is unaware of, so no proxy-related settings are needed on the client, which greatly eases the system administrator's work. The related options are:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
On Linux you can use iptables/ipchains to forward requests for web port 80 directly to Squid's port 3128, so that Squid takes them over while the user's browser still believes it is talking to port 80 of the remote host. For example:
iptables -t nat -A PREROUTING -s 192.168.0.200/32 -p tcp --dport 80 -j REDIRECT --to-port 3128
That is, all port-80 traffic from 192.168.0.200 is redirected to port 3128.
Once all these settings are complete, the key and most important task is access control. Squid supports many ways of managing access and they are very easy to use (this is also why some people would rather run Squid with no caching at all than rely on iptables alone).