Article Title: Full Introduction to the Squid Proxy Service in Linux
A proxy provides two services. First, it lets users who cannot reach the Internet directly do so; it is safer and easier to manage when only one machine with higher privileges connects to the outside network directly. Second, it lets users who can already reach the Internet access websites faster or more widely, because the proxy server caches frequently visited pages locally; when someone requests the same page again, the proxy serves the local copy without spending external bandwidth. A proxy can also do both at once.
Squid, the most widely used proxy, is taken as the example of a proxy server under Linux. Only the server side is covered, not client configuration. Squid's advantages are its rich functionality, simple configuration and abundant documentation. Its drawbacks are that the range of supported protocols is still not very wide and that very large deployments are somewhat difficult, but these shortcomings are gradually being addressed. For beginners and common applications, Squid remains the best choice.
Here we configure a proxy server that serves only the internal network. It divides users into two types: advanced users and normal users. Advanced users are identified by the physical (MAC) address of their network card; normal users must enter a user name and password before they can use the proxy. Advanced users have no restrictions on access time or file type, while normal users may only use the proxy during working hours and are subject to some other restrictions.
Install
The source package can be obtained from the Squid site www.squid-cache.org, in both gz and bz2 compressed form. You can also use the RPM package provided by your Linux distribution, such as Red Hat.
The RPM installation method is simple. The command is as follows:
$ rpm -ivh squid-2.x.STABLEx.i386.rpm
However, the author believes that even if Squid is already installed in the system by default, you should first remove it and then install the latest source package. Open-source software constantly fixes problems and adds functions, so the latest version gives the best performance and security, and building from source allows full customization. Unpack the source:
$ tar xvfz squid-2.5.STABLE.tar.gz
The bz2 package is usually smaller; the corresponding command is:
$ tar xvfj squid-2.5.STABLE.tar.bz2
Then enter the resulting directory to configure and compile the source:
$ cd squid-2.5.STABLE2
The configure script has many options; if you are unsure about them, run ./configure --help to list them. The following options are commonly used:
--prefix=/web/squid # specifies where Squid is installed. If only this option is given, the directory contains subdirectories such as bin, sbin, man and conf, and the main configuration file is in the conf subdirectory. To simplify management, it is best to add --sysconfdir=/etc so that the configuration file is placed in /etc.
--enable-storeio=ufs,null # the cache storage type is usually the default ufs, but to build a proxy that caches no files at all you must also enable the null store.
--enable-arp-acl # allows client MAC addresses to be used directly in access rules, which prevents IP spoofing (MAC-based rules only work for clients on the same Ethernet segment as the proxy).
--enable-err-language="Simplify_Chinese" --enable-default-err-language="Simplify_Chinese" # these two options tell Squid to build and use the simplified Chinese error pages.
--enable-linux-netfilter # enables Squid's transparent proxy support on Linux.
--enable-underscore # allows URLs containing underscores to be resolved; by default Squid treats such URLs as illegal and refuses them.
The configure command used in this example is:
./configure --prefix=/var/squid --sysconfdir=/etc --enable-arp-acl --enable-linux-netfilter --enable-pthreads --enable-err-language="Simplify_Chinese" --enable-storeio=ufs,null --enable-default-err-language="Simplify_Chinese" --enable-auth="basic" --enable-basic-auth-helpers="NCSA" --enable-underscore
Some of these options have special functions and will be described below.
Finally, run make and make install to compile the source and copy the executables to the chosen location.
Basic Configuration
After installation, configure how Squid runs (as opposed to the compile-time configure step above). Everything is done in squid.conf. The file contains very detailed comments, amounting to a user manual; consult them whenever a setting is unclear.
In this example the proxy server is also the gateway: the internal interface eth0 has the address 192.168.0.1 and the external interface eth1 has the address 202.103.x.x.
The following option is required for a basic proxy:
http_port 192.168.0.1:3128
The default port is 3128, but any other port can be used as long as it does not conflict with another service. For security, prefixing the port with the internal address means Squid does not listen on the external interface.
The following option is the administrator's e-mail address; when an error occurs it is shown on the error page so that users can get in touch:
cache_mgr netsnake@963.net
The following parameters set the storage type, location and replacement policy of Squid's cache:
cache_dir ufs /var/squid
cache_mem 32 MB
cache_swap_low 90
cache_swap_high 95
Here Squid uses /var/squid as the directory for cached data, and cache_mem allocates 32 MB of memory for holding objects in RAM. When the disk cache reaches 95% full, new content replaces old content instead of simply being added, until usage drops back to 90%. If you do not want Squid to cache anything, for instance on machines with little storage, use the null store (which needs none of those replacement settings):
cache_dir null /tmp
Of the following log settings, the most important is the first line, the user access log; analysing it shows in detail which addresses every user has visited:
cache_access_log /var/squid/access.log
cache_log /var/squid/cache.log
cache_store_log /var/squid/store.log
The following option, introduced in newer versions, tells Squid which server name to show on error pages:
visible_hostname No1.proxy
The following option tells Squid how to treat client addresses; with a full mask, each requesting IP address is handled and logged as a separate address:
client_netmask 255.255.255.255
For an ordinary proxy server the settings above are sufficient. However, many Squid installations run as transparent proxies. A transparent proxy is one whose existence the client is unaware of, so no proxy settings are needed on the client side, which greatly eases the administrator's work. The related options are:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Under Linux, iptables/ipchains can redirect requests for web port 80 straight to Squid's port 3128; Squid answers them while the user's browser still believes it is talking to port 80 of the remote site. For example:
iptables -t nat -A PREROUTING -s 192.168.0.200/32 -p tcp --dport 80 -j REDIRECT --to-ports 3128
That is, all TCP traffic from 192.168.0.200 to port 80 is redirected to port 3128.
With the basic settings in place, the key task is access control. Squid supports many management methods and is very easy to use (this is why some people run Squid without any caching rather than relying on iptables alone). Squid can identify users by IP address, host name, MAC address, user name and password, and so on, and can control access by domain name, domain suffix, file type, IP address, port, URL pattern and more; it can also restrict users by time of day. Access control is therefore the focus of Squid configuration. Squid classifies access with ACLs (Access Control Lists) and enforces them with http_access deny or allow. Here we define the two user groups (advance and normal), a catch-all for everything not otherwise specified, and a baduser group that is not allowed to reach the Internet at all:
acl advance src 192.168.0.2-192.168.0.10/32
acl normal src 192.168.0.11-192.168.0.200/32
acl baduser src 192.168.0.100/32
acl baddst dstdomain www.somebadsite.com
acl all src 0.0.0.0/0
http_access deny baduser
http_access allow advance
http_access allow normal
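As an added example (not from the original article), the access policy described in the introduction can be expressed in squid.conf as follows: advanced users are identified by MAC address through an arp ACL, while normal users must authenticate with the NCSA basic-auth helper and are limited to working hours and to certain file types. The MAC addresses, helper and password-file paths, working hours and file-type list are assumed placeholders.

```conf
# Added example: access policy for advanced and normal users.
# MAC addresses, paths, hours and file types below are assumptions.

http_port 192.168.0.1:3128
visible_hostname No1.proxy

# NCSA basic authentication for normal users (needs --enable-auth="basic"
# and --enable-basic-auth-helpers="NCSA" at compile time). The password
# file is created with htpasswd; both paths are assumptions.
auth_param basic program /var/squid/libexec/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Internal proxy
auth_param basic credentialsttl 2 hours

# Advanced users are matched on the NIC MAC address (needs --enable-arp-acl).
# This only works for clients on the same Ethernet segment as the proxy.
acl advance arp 00:11:22:33:44:55 00:11:22:33:44:66

# Normal users: the internal address range plus a valid user name/password.
acl normal src 192.168.0.11-192.168.0.200/32
acl password proxy_auth REQUIRED

# Working hours, Monday to Friday (Squid day codes: S M T W H F A).
acl worktime time MTWHF 08:30-17:30

# File types normal users may not download, matched on the URL path.
acl bigfiles urlpath_regex -i \.(exe|mp3|avi|iso)$

acl baduser src 192.168.0.100/32
acl baddst dstdomain www.somebadsite.com
acl all src 0.0.0.0/0

# Order matters: the first http_access line whose ACLs all match wins,
# and everything not explicitly allowed is denied by the final line.
http_access deny baduser
http_access deny baddst
http_access allow advance
http_access deny normal !worktime
http_access deny normal bigfiles
http_access allow normal password
http_access deny all
```

Run squid -k parse after editing to check the file for syntax errors, and squid -k reconfigure to apply it without restarting.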