Linux Proxy server Settings _unix Linux

Source: Internet
Author: User
Tags parse error regular expression domain list port number

Objective:
This paper mainly introduces the use of Squid and Squidguard configuration Proxy server in Linux, with the WWW Proxy service as an example to explain how to filter harmful sites and restrict users ' access to the Internet.

I. INTRODUCTION
Squid is the most popular proxy server software under Linux, it is powerful, support for Http,ftp,gopher,ssl and WAIS, and other protocols agent; Simple to set, the proxy server can be run with a slight change in the configuration file. And squid has the page caching function, it receives the user's download request, and automatically processes the downloaded data. That is, when a user wants to download a homepage, it sends a request to squid to download it for it, then squid connects to the requested Web site and requests the home page, and then passes the home page to the user while retaining a backup, when another user applies for the same page, Squid passes the saved backup to the user immediately, making the user feel very fast.
Squidguard is the Assistant software for squid, which completes the function of filtering, redirection and access control. It is a free software, features strong, easy to install, easy to configure, and processing speed. Features include: Restricting access to some users based on a list of Web servers or URLs, blocking access to Web servers and URLs on the blacklist, blocking access to URLs that are matched by certain users to regular expressions, and prohibiting IP access in URL paths that enforce the use of domain name access Redirect blocked URLs to a smart CGI information page, redirect unauthorized users to a registration page, have access rules based on date, week, day, and different rules for different user groups. However, you cannot filter, check text in documents, and JavaScript or VBScript scripting languages in HTML.

Two. Installation
1. Install Squid:
Download from www.squid-cache.org squid-2.4.stable2-src.tar.gz exists under local/usr/local/squid/src.
Before compiling squid, create a user and group dedicated to running squid, where a group and user named Squid are set up and the user directory is set to/usr/local/squid
#su Squid
 $CD/USR/LOCAL/SQUID/SRC
 $tar Xvzf squid-2.4.stable2-src.tar.gz
$ CD Squid-2.4.stable2
$./configure
 $make
 $make Install
(Installed by default to the/usr/local/squid directory)

2. Install Berkeley DB 2.x:
From http://www.sleepycat.com download db-2.7.7.tar.gz coexist in/usr/local/squidguard/src/directory
 $su
#cd/usr/local/squidguard/src/
#tar Xvzf db-2.7.7.tar.gz
#cd db-2.7.7
#cd Build_unix
#.. /dist/configure
#make
#make Install
(Installed by default to the/usr/local/berkeleydb directory)
Note: Squidguard does not support Berkeley DB 3.x version

3. Install Squidguard
From http://ftp.ost.eltele.no/pub/www/proxy/squidGuard/squidGuard-1.1.4.tar.gz download packages coexist in local/usr/local/squidguard/src/
#cd/usr/local/squidguard/src/
#tar Xvzf squidguard-1.1.4.tar.gz
#cd squidGuard-1.1.4
#./configure--with-sg-config=/usr/local/squidguard/squidguard.conf
--with-sg-logdir=/usr/local/squidguard/logs
--with-sg-dbhome=/usr/local/squidguard/db
#make
#make test//Test OK for the next installation
#make Install

Three. Configuration
1. Configuration squid:
 Modify Squid profile/usr/local/squid/etc/squid.conf:
http_port 8080
#squid的代理端口, squid must run as root when using a port below 1024
http_access Allow All
 #允许所有的用户通过代理进行http访问
redirect_program/usr/local/squid/bin/squidguard-c/usr/local/squidguard/squidguard.conf
#squid启用squidGuard进行过滤和转发
 Other parameters:
CACHE_MEM: Set the amount of memory used by the proxy service, generally recommended as one-third of physical memory
cache_dir: Specifies the path to the cache directory, which defaults to/usr/local/squid/cache.
Maximum_object_size: Specifies the size of the maximum object that squid can receive. Squid defaults to 4M, can be set according to their own needs.
Cache_dir: Sets the cache location, size. The general format is as follows:
Cache_dir/usr/local/squid/cache 100 16 256
/usr/local/squid/cache represents the location of the cache, 100 represents the maximum cache for 100M;16 and 256 represents the first and two levels of directories.
Cache_effective_user: Set up a valid user using the cache. The default is user nobody, and if there is no user nobody in the system, it is best to build one or run squid with a non-root user. This is run as squid.
Cache_effective_group: Set up a valid user group to use the cache. The default group is Nogroup, and if there are no group Nogroup in the system, it is best to build a group. This is the Squid group.
(The rest of the parameters with the default value can!) )

2. Configure Squidguard:
 Modify Squidguard configuration file/usr/local/squidguard/squidguard.conf file:

logdir/usr/local/squidguard/logs #日志目录定义
dbhome/usr/local/squidguard/db #db目录定义

time Testtime { #时间规则定义
weekly MTWHF 05:00-10:30
weekly as08:00-19:00
date *-*-0108:00-16:30
date 2001.10.01-2001.10.09


SRC Admin { #源组定义
ip192.168.100.18


SRC client{
ip192.168.100.20 192.168.100.21 192.168.100.22
ip192.168.200.0/24


dest Porn { #目标组定义
domainlist Porn/domains
urllistporn/urls
expressionlist porn/expressions


acl { #访问规则定义
admin within Testtime {
pass!porn All
} else {
pass All
}

client {
pass!in-addr!porn All
}

default {
pass None
redirecthttp://admin.foo.com
(# can also be redirected to a CGI page that contains some information, as follows:
http://admin.foo.com/cgi/blocked?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s& targetgroup=%t&url=%u)
}


# VI Db/porn/domains
(Domain list file: Primarily blocking some defined sites)
co.za
sex.com
(as above, it can block such as hack.co.za, sex.com, www.sex.com, whatever.sex.com, but unlike. *[^.] sex.com, mismatched ssex.com)

# VI Db/porn/urls
(URL list file, mainly blocking some sites and some columns)
qihui.com/sex
valen.sohu.com/album
(such as blocking Http://qihui.com/sex, Http://qihui.com/sex/whatever, Ftp://qihui.com/sex, http://www.qihui.com/sex, etc.)

# VI Db/porn/expressions
(expression list file, mainly blocking some URL access that matches the expression)
 (^|[ \?+=/]) (. *) (Girl) (. *) ([\?+=/]|$) 
(The previous regular expression can block access to the girl site in the URL, such as: Www.girlzine.com, Girl.huabao.net, Www.huayu.net/girl, www.universiti.com/girl, etc.)

Note: Squidguard The syntax of the configuration file is very strict, if the configuration file syntax is incorrect, Squidguard can still run, but Squidguard has entered the emergency mode, the agent service does not have any blocking effect, all access through the agent can be passed, You can view Logs/squidguard log files to find errors, such as:
2001-12-20 17:08:44 [2430] Parse error in configfile/usr/local/squidguard/squidguard.conf line 8
2001-12-20 17:08:44 [2430] going into emergency mode
.......
Where the configuration file line 8th is wrong, squidguard into the emergency mode.
Details of the configuration are described in http://www.squidguard.org/

Four. Operation £ º
$ chmod 777/usr/local/squid/logs
(Sets the logs for all users to be writable.) In this way, not specific squid agent customers can normally access the proxy server, and can be in the logs directory, produce Access.log, Cache.log and other documents. )
$/usr/local/squid/bin/squid-z
 (hand-built Squid cache directory/usr/local/squid/cache. )
#/usr/local/squid/bin/squid
(Background execution squid.) If you want to perform squid at the front desk: If you want to perform squid execution command at the front desk:
$/usr/local/squid/bin/squid-ncd1
The order officially starts squid. If everything works, you'll see one line of output:
Ready to serve requests)
# PS Ax|grep Squid
20198? s0:00/usr/local/squid/bin/squid
20200. s0:27 (Squid)
20310. s0:00 (Squidguard)-c/usr/local/squidguard/squidguard.conf
20311. s0:00 (Squidguard)-c/usr/local/squidguard/squidguard.conf
20312. s0:00 (Squidguard)-c/usr/local/squidguard/squidguard.conf
20313. s0:00 (Squidguard)-c/usr/local/squidguard/squidguard.conf
20314. s0:00 (Squidguard)-c/usr/local/squidguard/squidguard.conf
(At this time Squidguard also enabled, after each modification configuration Squid-k reconfigure again, to kill squid to perform squid-k kill)
To view the Squidguard log file:
Init domainlist/usr/local/squidguard/db/porn/domains
2001-12-20 16:14:43 [2270] init domainlist/usr/local/squidguard/db/porn/domains
2001-12-20 16:14:43 [2270] init urllist/usr/local/squidguard/db/porn/urls
2001-12-20 16:14:43 [2270] init expressionlist/usr/local/squidguard/db/porn/expressions
2001-12-20 16:14:43 [2270] Squidguard 1.1.4 started (1008836083.022)
2001-12-20 16:14:43 [2270] recalculating alarm in 917 seconds
2001-12-20 16:14:43 [2270] Squidguard ready for requests (1008836083.044)
Indicates Squidguard has started normally

Five. Testing:
Configure the client, and then test the agent service:
On another Win2K, (for example, Internet Explore5.0), run IE, click Tools, click Internet Options, click the Connection tab, click LAN Settings, and in the LAN Settings window, in the address Fill in the Squid server IP address 192.168.100.16, in the "port" where the "8080" (modified squid agent to use the port number, that is, the squid.conf in the Http_port, the default value of 3128), determined to exit.
Next, change the IP to 192.168.100.20, browse some websites, such as sohu,163, and then try the domains and URLs defined, such as hack.co.za, Qihui.com/sex, will find the home page is redirected to http://admin.foo.com. And then try to browse the website about girl, not to go: (; in the Sohu search girl also be redirected; try using IP (some agents do not restrict IP, IP can bypass the restrictions of the agent access to some prohibited sites), unfortunately not! (because it is used in the Squidguard configuration file!) IN_ADDR, so you can force users to use domain name access instead of using IP access.
Again down, the IP to 192.168.100.18, and then time to testtime outside the time, browse the Web, try the results, and then change the time to Testtime to browse the web!
Finally, change the IP to 192.168.100.30, and browse the Web test.
(You can view the Access.log and Cache.log under logs to see if the agent is functioning properly and the site records are accessed)

Summarize:
Visible from the above, with squid and Squidguard established proxy server, configuration is relatively simple, and powerful, can effectively limit some users of the Internet access and filter some blacklist listed sites (such as pornographic sites, etc.).
Here is a simple introduction to the HTTP proxy example, other applications and features you can try.

(Source: Viphot)
Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.