Server Configuration: Squid configuration details

Article Title: Server Configuration: Squid configuration details. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.

Basic Configuration

After the installation is complete, configure the run of Squid (not the previous configuration ). All projects are completed in squid. conf. The Squid. conf provided by squid contains a very detailed description, which is equivalent to a user manual. You can refer to this document for any questions about the configuration.

In this example, the proxy server is also a gateway. the IP address of the internal network interface eth0 is 192.168.0.1, And the IP address of the external network connected to eth1 is 202.103.x.x. The following are the configuration options required for a basic Proxy:

Http_port 192.168.0.1: 3128

The default port is 3128. Of course, it can also be any other port, as long as it does not conflict with other services. For the sake of security, adding an IP address in front of Squid will not listen to external network interfaces. The following configuration option is an email from the Server Manager. When an error occurs, the address is displayed on the error page for easy contact:

Cache_mgr start@soocol.com

The following parameters indicate the file system, location, and Cache Policy cached by Squid:

Cache_dir ufs/var/squid cache_mem 32 MB cache_swap_low 90 cache_swap_high 95

Here, Squid uses the/var/squid directory as the directory for storing cached data. The cache size for each processing is 32 MB. When the cache space reaches 95%, the new content will replace the old one instead of being directly added to the directory until the space drops to 90% again.

If you do not want Squid to cache any files, such as some proprietary systems with limited storage space, you can use a null File System (which does not require those cache policies ):

Cache_dir null/tmp

In the following several cache policy configurations, the most important is the first line, that is, the user's access record. You can analyze it to understand the detailed addresses of all user access:

Cache_access_log/var/squid/access. log cache_log/var/squid/cache. log cache_store_log/var/squid/store. log

The following line of configuration is a parameter that appears in a newer version, telling Squid the server name displayed on the error page:

Visible_hostname No1.proxy

The following configuration tells Squid how to process the user and process the IP address of each request as a separate address:

Client_netmask 255.255.255.255.255

For normal proxy servers, the above configurations are sufficient. However, many squids are used as transparent proxies.

The so-called transparent proxy means that the client does not know the existence of the proxy server, and of course no proxy-related settings are required, which greatly facilitates the system administrator. Related options include:

Httpd_accel_host virtual httpd_accel_port 80 httpd_accel_with_proxy on httpd_accel_user_host_header on

In Linux, you can use iptables/ipchains to directly forward requests to Web port 80 to Squid port 3128, which is claimed by Squid, the user's browser still thinks it accesses port 80 of the other party. For example, the following command:

Iptables-t nat-a prerouting-s 192.168.0.200/32-p tcp -- dport 80-j REDIRECT 3128

Page
That is, all access destined for port 80 of 192.168.0.200 is redirected to port 3128.

After all the settings are complete, the key and important task is access control. Squid supports many management methods and is very easy to use (this is why some people prefer to use Squid without any caching, and do not want to use iptables independently ).

Squid can identify users by IP address, host name, MAC address, user/password authentication, etc, you can also control user access through domain name, domain suffix, file type, IP address, port, URL matching, or use time intervals to manage users, therefore, access control is the focus of Squid configuration.

Squid divides Access types with ACL (Access Control List) and controls them with http_access deny or allow. Define two groups of users (advance and normal) as needed, and all user groups that are not specified, and badusers that are not allowed to access the Internet. The configuration code is as follows:

Acl advance 192.168.0.2-192.168.0.10/32 acl normal src 192.168.0.11-192.168.0.200/32 acl baduser src 192.168.0.100/32 acl baddst modify acl all src 0.0.0.0/0 http_access deny baduser http_access allow advance http_access allow normal

It can be seen that the basic format of ACL is as follows: the acl list name control method controls the target such as acl all src 0.0.0.0/0, its name is all, and the control method is src Source IP address, the control target is the IP address 0.0.0.0/0, that is, all undefined users. For security reasons, this list is always disabled at the end. The following list represents advanced users, including all computers with IP addresses ranging from 192.168.0.2 to 192.168.0.10:

Acl advance 192.168.0.2-192.168.0.20/32

The following baduser list contains only one computer, and its IP address is 192.168.0.100:

Acl baduser 192.168.0.100/32

After the ACL is completed, you need to manage them separately. The Code is as follows:

Http_access deny baduser http_access allow advance http_access allow normal

The code above tells Squid that the baduser group is not allowed to access the Internet, but the advance and normal groups are allowed (detailed permissions are not yet specified ). Because Squid is a sequential read Rule, baduser is disabled first and normal is allowed. If the order of the two rules is reversed, because baduser is in the normal range, Squid allows all normal rules, then disabling baduser does not work.

Note that Squid will use allow-deny-allow-deny ...... Apply rules in this order. For example, when a user accesses the proxy server, Squid sequentially tests the list of all rules defined in Squid. If none of the rules match, Squid uses the opposite rule.

In the preceding example, assume that a user's IP address is 192.168.0.201. What happens when he tries to access the Internet through this proxy server? We will find that it can be accessed normally, because Squid searches all the access lists and does not have any definition related to 192.168.0.201, then it starts to apply the rules, and the last one is deny, the default processing rule for Squid is allow, so 192.168.0.201 can access the Internet. This is obviously not what we want. Therefore, in all squid. conf, the last rule is always http_access deny all, and all is the previously defined "src 0.0.0.0 ".

Advanced Control

As mentioned above, Squid's control function is very powerful. As long as you understand the behavior of Squid, it can basically meet all the control requirements. Next, let's take a step-by-step look at how Squid manages its control.

It is unreliable to identify users through IP addresses. What is better than IP addresses is the MAC physical address of the NIC. To use MAC address recognition in Squid, you must add the "-- enable-arp-acl" option during compilation. Then, you can use the following statements to identify users:

Acl advance arp 00: 01: 02: 1f: 2c: 3e 00: 01: 02: 3c: 1a: 8b...

It directly uses the user's MAC address, while the MAC address is generally not easy to modify. Even if a common user changes his IP address to an advanced user, it cannot pass, so this method is much more reliable than the IP address.

What should I do if I don't want users to access a website? There are two possible scenarios: one is that a host that does not allow access to a site, for example, the OK host is OK .sina.com.cn, while other Sina resources are allowed access, the ACL can be written as follows:

Acl sinapage dstdomain OK .sina.com.cn ...... http_access deny OK ......

Page
In another case, the whole website is not accessible. You only need to write the domain name that the website has. The configuration is as follows:

Acl qq dstdomain .tcccent.com.cn

Note that "." In front of tcccent indicates that all hosts ending with this domain name are inaccessible. Otherwise, only the host tcccent.com.cn cannot be accessed.

If you want to disable access to an IP address, such as 202.118.2.182, you can use dst to control it. The Code is as follows:

Acl badaddr dst 202.118.2.182

Of course, this dst can also be a domain name, which is converted to an IP address by the Squid query DNS server.

Another widely used control is file type. If you do not want normal users to download MP3, AVI, and other files through the proxy server, you can restrict them. The Code is as follows:

Acl mmxfile urlpath_regex \. mp3 $ \. avi $ \. exe $ http_access deny mmxfile

Many readers should be familiar with regex, because this statement uses a standard regular expression (also called a regular expression ). The signature matches all URL requests ending with the signature,. avi, and so on. You can also use the-I parameter to ignore case sensitivity. For example, the following code:

Acl mmxfile urlpath_regex-I \. mp3 $

In this case, both the listener and. MP3 will be rejected. Of course, the-I parameter applies to anything that may need to be case sensitive, such as the previous domain name control.

What should I do if I want normal users to access the Internet only during work hours and work days every week? Take a look at the following ACL definition:

Acl worktime time MTWHF-PM-http_access deny! Worktime

First, we define that the allowed internet access time is a fixed period of time from Monday to Friday in the morning and afternoon. Then, we use http_access to define that all requests not in this period are not allowed.

To ensure the bandwidth of an advanced user, you can use Squid to control the concurrent connections of each user so as not to affect others. The Code is as follows:

Acl conncount maxconn 3 http_access deny conncount normal http_access allow normal

In this way, a common user can only initiate three connections at a fixed time, and the connection will be rejected from the fourth one.

In short, Squid ACL Configuration is flexible and powerful. For more control methods, see squid. conf. default.

Authentication

User/password authentication provides more convenience for Squid management. The most common authentication method is NCSA. From Squid 2.5, NCSA certification is included in basic, rather than the previous independent authentication module. Next, let's take a look at the specific operations to implement authentication.

First, the configuration options during compilation should include the following Configuration:

-- Enable-auth = "basic" -- enable-basic-auth-helpers = "NCSA"

Page
After "make install", copy "helpers/basic_auth/NCSA/ncsa_auth" to the user's executable directory, for example,/usr/bin (if the execution file cannot be found in this directory, use make all instead of make during compilation, or directly execute make in this directory ), then we need to use the Apache password management program htpasswd to generate the file corresponding to the user name/password, just like the following line of code:

Htpasswd-c/var/squid/etc/password guest

After you enter the password of the guest user twice, a guest user is generated. If you need to add users later, just remove the-c parameter from the preceding command and run it again.

Squid 2.5 has a major change in authentication processing. Here we will only discuss the processing method of Version 2.5. For versions 2.4 and below, see squid. conf. default. In version 2.5, squid. conf includes the following options:

This option specifies the authentication method (basic), the required Program (ncsa_auth), and the corresponding password file (password)

Auth_param basic program/usr/bin/ncsa_auth/var/squid/etc/password

Number of processes of the authentication program

Auth_param basic children 5

Field content displayed in the browser when the user/Password dialog box is entered

Auth_param basic realm My Proxy Caching Domain

Basic Authentication Validity Period

Auth_param basic credentialsttl 2 hours

Normal users must pass authentication before accessing the Internet

Acl normal proxy_auth REQUIRED http_access allow normal

The authentication can be completed through the above configuration. Some readers may ask: What should I do if authentication is only for common users while advanced users access the Internet directly? In fact, these two types of users can coexist.

As mentioned above, Squid is used to process http_access sequentially. Therefore, if normal users are processed first during http_access, authentication is required for the current user, regardless of whether the user belongs to an advanced user; on the contrary, if advanced users are processed first, only common users that need to be authenticated are left. For example, the following configuration code:

... Http_access allow normal (authentication required) http_access allow advance (authentication not required )...

Whether it is a noauth user or not, user name/password verification is required. The correct method is to switch the two locations. The Code is as follows:

... Http_access allow advance http_access allow normal...

Advanced users are not affected.

Summary

The following is a summary of squid. conf:

Server Configuration

Http_port 192.168.0.1: 3128 cache_mgr start@soocol.com cache_dir null/tmp cache_access_log/var/squid/access. log cache_log/var/squid/cache. log cache_store_log/var/squid/store. log visible_hostname No1.proxy client_mask 255.255.255.255 httpd_accel_host virtual httpd_accel_port 80 httpd_accel_with_proxy on httpd_accel_user_host_header on

User category

Acl advance arp 00: 01: 02: 1f: 2c: 3e 00: 01: 02: 3c: 1a: 8b... acl normal proxy_auth REQUIED acl all src 0.0.0.0

Behavior Classification

Acl mmxfile urlpath_regex \. mp3 $ \. avi $ \. exe $ acl conncount maxconn 3 acl worktime time MTWHF--acl sinapage dstdomain OK .sina.com.cn acl qq dstdomain quota

Processing

Http_access allow advance http_access deny conncount normal http_access deny! Worktime http_access deny mmxfile http_access deny sinapage http_access deny qq http_access allow normal

After configuration, the advance group can access the Internet without any restrictions, while the normal group can only access the Internet during working hours, and cannot download multimedia files or access certain websites, you cannot send more than three requests.

This article introduces the basic capabilities of Squid. Of course, it is far more powerful than this. It can build a powerful proxy server array to help local Web servers improve performance and improve the security of local networks. Further control is needed to make full use of its functions.