Preface:
This document describes how to use squid and squidGuard to set up a proxy server on Linux. A WWW proxy service is used as the example to show how to filter harmful sites and restrict users' access to the Internet.
I. Introduction
Squid is the most popular proxy server software on Linux. It is powerful, supporting proxies for HTTP, FTP, Gopher, SSL, WAIS and other protocols, and it is easy to set up: only slight changes to the configuration file are needed to run a proxy server. Squid also caches pages. It accepts a user's download request and handles the download itself: when a user wants a page, the browser asks Squid to fetch it, Squid connects to the requested site and requests the page, then delivers it to the user while keeping a copy. When another user requests the same page, Squid serves the saved copy immediately, so the page appears to load very quickly.
SquidGuard is a companion program for squid that implements filtering, redirection and access control. It is free software, with rich functionality, easy installation and configuration, and fast processing. Its functions: restrict some users' access to web servers or URLs on a list; block some users from accessing the web servers and URLs on a blacklist; block some users from accessing URLs that match regular expressions; enforce the use of domain names rather than IP addresses in URLs (access by IP address is denied); redirect blocked URLs to an informational CGI page; redirect unregistered users to a registration page; apply access rules based on the date, the day of the week and the time of day, with different rules for different user groups. It cannot, however, filter or check the text of a document or the JavaScript or VBScript embedded in HTML pages.
II. Installation
1. Install squid:
Download squid-2.4.STABLE2-src.tar.gz from www.squid-cache.org and place it under /usr/local/squid/src.
Before compiling Squid, create a user and group dedicated to running Squid. Here a group and user named squid are created, with the user's home directory set to /usr/local/squid.
# su squid
$ cd /usr/local/squid/src
$ tar xvzf squid-2.4.STABLE2-src.tar.gz
$ cd squid-2.4.STABLE2
$ ./configure
$ make
$ make install
(Installed in the /usr/local/squid directory by default)
2. Install Berkeley DB 2.x:
Download db-2.7.7.tar.gz from http://www.sleepycat.com and place it under the /usr/local/squidGuard/src/ directory.
$ su
# cd /usr/local/squidGuard/src/
# tar xvzf db-2.7.7.tar.gz
# cd db-2.7.7
# cd build_unix
# ../dist/configure
# make
# make install
(Installed in the /usr/local/BerkeleyDB directory by default)
Note: squidGuard does not support Berkeley DB 3.x
3. Install squidGuard:
Download squidGuard-1.1.4.tar.gz (see http://www.squidguard.org/) and place it under /usr/local/squidGuard/src/.
# cd /usr/local/squidGuard/src/
# tar xvzf squidGuard-1.1.4.tar.gz
# cd squidGuard-1.1.4
# ./configure --with-sg-config=/usr/local/squidGuard.conf \
    --with-sg-logdir=/usr/local/squidGuard/logs \
    --with-sg-dbhome=/usr/local/squidGuard/db
# make
# make test      (if the tests pass, go on to the install step)
# make install
III. Configuration
1. Configure squid:
Modify the squid configuration file /usr/local/squid/etc/squid.conf:
http_port 8080
# The port the squid proxy listens on. If a port below 1024 is used, squid must be started as root.
http_access allow all
# Allow all users to access HTTP through the proxy
redirect_program /usr/local/squid/bin/squidGuard -c /usr/local/squidGuard.conf
# Have squid hand every request to squidGuard for filtering and redirection
Other parameters:
cache_mem: sets the amount of memory used by the proxy service. A value of about 1/3 of physical memory is generally recommended.
maximum_object_size: the largest object Squid will accept into its cache. Squid's default is 4 MB; set it as needed.
cache_dir: sets the cache location and size. The default location is /usr/local/squid/cache. The general format is:
cache_dir /usr/local/squid/cache 100 16 256
/usr/local/squid/cache is the cache location; 100 is the maximum cache size in MB; 16 and 256 are the numbers of level-1 and level-2 subdirectories.
cache_effective_user: sets the effective user Squid runs as. The default is the user nobody. If the system has no user nobody, it is best to create one, or to run Squid as another non-root user. Here it is the user squid.
cache_effective_group: sets the effective group Squid runs as. The default is nogroup. If the system has no group nogroup, it is best to create one. Here it is the group squid.
(Use the default values for the other parameters!)
2. Configure squidGuard:
Modify the squidGuard configuration file /usr/local/squidGuard.conf:
logdir /usr/local/squidGuard/logs        # log directory definition
dbhome /usr/local/squidGuard/db          # db directory definition
time testtime {                          # time rule definition
    weekly mtwhf
    weekly as 08:00-19:00
    date *-01-
    date 2001.10.01-2001.10.09
}
src admin {                              # source group definition
    ip 192.168.100.18
}
src client {
    ip 192.168.100.20 192.168.100.21 192.168.100.22
    ip 192.168.200.0/24
}
dest porn {                              # target group definition
    domainlist     porn/domains
    urllist        porn/urls
    expressionlist porn/expressions
}
acl {                                    # access rule definition
    admin within testtime {
        pass !porn all
    } else {
        pass all
    }
    client {
        pass !in-addr !porn all
    }
    default {
        pass none
        redirect http://admin.foo.com
        # You can also redirect to a CGI page that receives details of the blocked request, for example:
        # redirect http://admin.foo.com/cgi/blocked?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
    }
}
# vi db/porn/domains
(Domain list file: blocks the listed sites)
co.za
sex.com
(As shown above, this blocks hack.co.za, sex.com, www.sex.com and whatever.sex.com, but, unlike the expression .*[^.]sex.com, it does not match ssex.com)
# vi db/porn/urls
(URL list file: blocks specific sites and sections of sites)
qihui.com/sex
valen.sohu.com/album
(URLs under these paths are blocked)
# vi db/porn/expressions
(Expression list file: blocks URLs that match the regular expression)
(^|[\?+=/])(.*)(girl)(.*)([\?+=/]|$)
(The regular expression above blocks URLs containing "girl", such as www.girlzine.com, girl.huabao.net, www.huayu.net/girl? and www.universiti.com/girl)
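To make the matching rules of the three list files concrete, here is an added Python example (not part of the original article and not squidGuard's own code) that reproduces the domainlist suffix match, the urllist prefix match, the expressionlist regex and the built-in in-addr check used by the acl above, with the sample entries from these files as constructed input. Applying the expression to the full URL including the scheme is an assumption.

```python
import re
from urllib.parse import urlsplit

# Constructed sample entries, mirroring the db/porn/* files in this article
DOMAINS = ["co.za", "sex.com"]
URLS = ["qihui.com/sex", "valen.sohu.com/album"]
EXPRESSIONS = [r"(^|[\?+=/])(.*)(girl)(.*)([\?+=/]|$)"]

def is_ip_host(host):
    # The built-in in-addr destination: a URL whose host is a bare IPv4 address
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None

def domain_blocked(host, domains):
    # A domainlist entry covers the domain itself and every subdomain,
    # so "sex.com" matches www.sex.com but not ssex.com.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def url_blocked(host, path, urls):
    # A urllist entry is host plus path prefix, compared on path-segment
    # boundaries: "qihui.com/sex" covers qihui.com/sex/a.html, not qihui.com/sexy.
    target = host.lower() + path.rstrip("/")
    for u in urls:
        u = u.lower().rstrip("/")
        if target == u or target.startswith(u + "/"):
            return True
    return False

def expression_blocked(url, expressions):
    # expressionlist entries are regexes; assumed here to run on the full URL
    return any(re.search(e, url, re.I) for e in expressions)

def classify(url):
    """Return the list that would block this URL, or None if it passes."""
    if "://" not in url:
        url = "http://" + url            # browsers send a scheme; accept bare hosts too
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    if is_ip_host(host):                 # checked first, as in "pass !in-addr !porn all"
        return "in-addr"
    if domain_blocked(host, DOMAINS):
        return "domainlist"
    if url_blocked(host, path, URLS):
        return "urllist"
    if expression_blocked(url, EXPRESSIONS):
        return "expressionlist"
    return None
```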
Note: squidGuard is strict about the syntax of its configuration file. If the file contains a syntax error, squidGuard still runs, but it enters emergency mode: the proxy then blocks nothing, and every access through it is allowed. Check the squidGuard log files under the logs directory to find the error, for example:
17:08:44 [2430] parse error in configfile /usr/local/squidGuard.conf line 8
17:08:44 [2430] going into emergency mode
.......
This means the configuration file has a syntax error on the reported line, and squidGuard has entered emergency mode.
For a detailed description of the configuration, see http://www.squidguard.org/
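Because emergency mode fails open, it is worth checking the squidGuard log automatically after every reconfigure. The following Python script is an added example (not from the article or from squidGuard) that parses log lines in the format shown above, using a constructed sample, and reports any squidGuard process that logged a parse error or went into emergency mode.

```python
import re

# Constructed sample of squidGuard log lines in the format shown in this article
SAMPLE_LOG = """\
16:14:43 [2270] init domainlist /usr/local/squidGuard/db/porn/domains
16:14:43 [2270] squidGuard 1.1.4 started (1008836083.022)
16:14:43 [2270] squidGuard ready for requests (1008836083.044)
17:08:44 [2430] parse error in configfile /usr/local/squidGuard.conf line 8
17:08:44 [2430] going into emergency mode
"""

LINE_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d) \[(?P<pid>\d+)\] (?P<msg>.*)$")
PARSE_ERR_RE = re.compile(r"parse error in configfile (?P<file>\S+) line (?P<line>\d+)")

def check_squidguard_log(text):
    """Per squidGuard pid: did it become ready, did it fail open, which lines failed to parse."""
    status = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # ignore lines not in the "HH:MM:SS [pid] msg" format
        pid, msg = int(m["pid"]), m["msg"]
        st = status.setdefault(pid, {"ready": False, "emergency": False, "errors": []})
        pe = PARSE_ERR_RE.search(msg)
        if pe:
            st["errors"].append((pe["file"], int(pe["line"])))
        elif "going into emergency mode" in msg:
            st["emergency"] = True        # filtering is now disabled for this process
        elif "ready for requests" in msg:
            st["ready"] = True
    return status

def failing_open(status):
    """Pids whose squidGuard instance passes every request unfiltered."""
    return sorted(pid for pid, st in status.items() if st["emergency"])

if __name__ == "__main__":
    result = check_squidguard_log(SAMPLE_LOG)
    for pid in failing_open(result):
        print(f"pid {pid} is in emergency mode; parse errors: {result[pid]['errors']}")
```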
IV. Run:
$ chmod 777 /usr/local/squid/logs
(Make the logs directory writable by everyone, so that squid can write access.log, cache.log and similar files there whichever user it runs as. A tighter alternative with the same effect is to make the directory owned by the squid user.)
$ /usr/local/squid/bin/squid -z
(Create the squid cache directory /usr/local/squid/cache.)
# /usr/local/squid/bin/squid
(Squid runs in the background. To run Squid in the foreground instead, execute:
$ /usr/local/squid/bin/squid -NCd1
This starts Squid for real. If everything is normal, you will see the line:
Ready to serve requests)
# ps ax | grep squid
20198 ?  S  0:00 /usr/local/squid/bin/squid
20200 ?  S  0:27 (squid)
20310 ?  S  0:00 (squidGuard) -c /usr/local/squidGuard.conf
20311 ?  S  0:00 (squidGuard) -c /usr/local/squidGuard.conf
20312 ?  S  0:00 (squidGuard) -c /usr/local/squidGuard.conf
20313 ?  S  0:00 (squidGuard) -c /usr/local/squidGuard.conf
20314 ?  S  0:00 (squidGuard) -c /usr/local/squidGuard.conf
(squidGuard is running as well. After each configuration change, run squid -k reconfigure to reload it. To stop squid, run squid -k kill.)
View the squidGuard log file:
16:14:43 [2270] init domainlist /usr/local/squidGuard/db/porn/domains
16:14:43 [2270] init urllist /usr/local/squidGuard/db/porn/urls
16:14:43 [2270] init expressionlist /usr/local/squidGuard/db/porn/expressions
16:14:43 [2270] squidGuard 1.1.4 started (1008836083.022)
16:14:43 [2270] recalculating alarm in 917 seconds
16:14:43 [2270] squidGuard ready for requests (1008836083.044)
squidGuard has started properly.
V. Test:
Configure a client and test the proxy service:
On another Windows 2000 machine, run IE (Internet Explorer 5.0 as the example): click "Tools", then "Internet Options", then the "Connections" tab, then "LAN Settings". In the LAN Settings window, enter the squid server's IP address 192.168.100.16 in the address field and "8080" in the port field (the port squid listens on after the change to http_port in squid.conf; the default is 3128). Click OK and exit.
Next, set the client's IP address to 192.168.100.20 and browse some websites such as sohu and 163; then try the ones defined in domains and urls, such as hack.co.za and qihui.com/sex: the browser is redirected to http://admin.foo.com. Then try to browse a girl-related website and you won't be able to :(; searching for "girl" on sohu is redirected as well. Try using an IP address instead of a domain name (some proxies do not restrict IP addresses, and using an IP address can bypass the proxy restrictions to reach prohibited sites). Because the configuration uses !in-addr, users are forced to use domain names instead of IP addresses.
Next, change the IP address to 192.168.100.18, set the clock to a time outside testtime, browse web pages and observe the result, then set the clock to a time within testtime and browse again!
Finally, change the IP address to 192.168.100.30 and test web browsing.
(You can view access.log and cache.log under logs to check that the proxy is running normally and to see the record of sites accessed.)
Summary:
As seen above, a proxy server built with squid and squidGuard is simple to configure and powerful: it can effectively restrict users' access to the Internet and filter blacklisted websites (such as pornographic sites).
Here we have only briefly introduced the HTTP proxy example. You can try other applications and functions on your own.
(Source: viphot)