Set up a proxy server in Linux (2)

Source: Internet
Author: User
Article Title: Set up a proxy server in Linux (2)
5.2 User Authentication Settings
  
  
By default, squid contains no authentication program of its own; user authentication is implemented through external authentication helpers that squid starts and talks to over their stdin and stdout. The following helpers are generally available:
  
  
1. LDAP authentication. More information is available from the following resources:

http://www.geocities.com/ResearchTriangle/Thinktank/5292/projects/ldap/

http://home.iae.nl/users/devet/squid/proxy_auth/contrib/ldap_auth.tar.gz

2. SMB authentication: user authentication against an NT domain, using samba. For more information see:

http://www.hacom.nl/~richard/software/smb_auth.html

3. MySQL-based user authentication:

http://home.iae.nl/users/devet/squid/proxy_auth/contrib/mysql_auth.c

4. SOCKS5 password-based user authentication:

http://nucleo.freeservers.com/

5. RADIUS-based user authentication:

http://home.iae.nl/users/devet/squid/proxy_auth/contrib/auth.pl
  
  
In practice the two most common choices are ncsa-based authentication (a local password file) and NT-domain authentication through samba with smb_auth. The following describes how to set up each of them.
  
  
5.2.1 ncsa user authentication implementation
  
  
ncsa_auth is one of the authentication helpers shipped in the squid source package. We use squid-2.3.STABLE2 as the example for installing and configuring it.

1. Download the squid source package squid-2.3.STABLE2-src.tar.gz from www.squid-cache.org and put it in the /tmp directory.

2. Unpack it with tar, then configure, build and install squid (the top-level Makefile is generated by configure; the default prefix is /usr/local/squid, which the paths below assume):

% tar xvzf squid-2.3.STABLE2-src.tar.gz

% cd squid-2.3.STABLE2

% ./configure

% make

% make install

3. Then enter the /tmp/squid-2.3.STABLE2/auth_modules/NCSA directory and build the helper:

% make

% make install

After a successful build the executable ncsa_auth is generated.

4. Copy the generated executable ncsa_auth to the /usr/bin directory:

% cp ncsa_auth /usr/bin

5. Set the related option in squid.conf. The first argument is the helper, the second is the password file that step 8 creates (it must be a file in htpasswd format, not the system passwd program):

authenticate_program /usr/bin/ncsa_auth /usr/local/squid/etc/passwd
  
6. Define the user class (ACL):

acl auth_user proxy_auth REQUIRED

The REQUIRED keyword matches any user who authenticates successfully; a list of user names can be given instead to admit only those users.
  
7. Set http_access:

http_access allow auth_user

Note: every ACL named on one http_access line must match (the ACLs on a line are ANDed and squid tests them from left to right), so when the line that grants access lists several ACLs, put the proxy_auth ACL first. As follows:

Incorrect configuration: http_access allow auth_user all manager

Correct configuration: http_access allow auth_user manager all
  
8. Use the htpasswd tool that ships with apache to create the password file under /usr/local/squid/etc and add the user entries. Each line of the file holds one user: the user name and the hashed password, separated by a colon.

Create the password file passwd and add the user bye (-c creates the file; omit -c when adding further users, otherwise the file is overwritten):

% htpasswd -c /usr/local/squid/etc/passwd bye

The helper runs as squid's effective user (cache_effective_user, nobody by default), so that user must be able to read the file; keep it unreadable to everyone else. Note also that squid 2.3 supports only the Basic scheme, so the browser sends the user name and password base64-encoded, not encrypted, with its requests.

Then restart squid. Password authentication takes effect.
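As an added example, and not squid's own ncsa_auth or any code from the original article, the following Python helper speaks the same protocol that authenticate_program expects: squid writes one "user password" line to the helper's stdin and reads "OK" or "ERR" back. It checks an htpasswd-format file like the one step 8 creates. Beyond the crypt(3) entries that squid 2.3's ncsa_auth understands, it also accepts htpasswd's {SHA} scheme (htpasswd -s), which is an addition so that the constructed sample file below verifies even where Python no longer ships the crypt module. The users bye (password "secret") and carol, the sample file contents and the install path in the usage comment are all constructed for this example; credentials_from_basic() shows what squid does to the Proxy-Authorization header before the helper is called, which is why the password is readable to anyone on the client-to-proxy path.

```python
"""ncsa_auth-style authentication helper for squid's authenticate_program.

Added example, not squid's ncsa_auth.  Same contract: one "user password"
line per request on stdin, "OK" or "ERR" per line on stdout.
"""

import base64
import hashlib
import hmac
import sys
from typing import Dict, Optional, Tuple

try:
    import crypt  # crypt(3): the only scheme squid 2.3's ncsa_auth checks
except ImportError:  # the crypt module was removed in Python 3.13
    crypt = None

# Constructed sample password file (htpasswd format).  bye's password is
# "secret" stored with the {SHA} scheme; carol's entry uses a scheme this
# helper does not understand, so she must always be refused.
SAMPLE_PASSWD = """\
# squid proxy users: name:hash
bye:{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=

carol:$2y$05$unsupportedSchemeNeverVerifiesHere
"""


def load_passwd(text: str) -> Dict[str, str]:
    """Parse htpasswd lines into {user: stored_hash}; skips blanks and comments."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, stored = line.partition(":")
        if sep and user:
            entries[user] = stored
    return entries


def verify(stored: str, password: str) -> bool:
    """Check password against one stored hash using a constant-time compare."""
    if stored.startswith("{SHA}"):
        digest = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest())
        return hmac.compare_digest(digest, stored[len("{SHA}"):].encode("utf-8"))
    if crypt is not None:  # classic crypt(3) / $1$ entries as written by htpasswd
        try:
            computed = crypt.crypt(password, stored)
        except (OSError, ValueError):
            return False
        return computed is not None and hmac.compare_digest(
            computed.encode("utf-8"), stored.encode("utf-8"))
    return False  # crypt entry but no crypt module: refuse rather than guess


def handle_line(line: str, entries: Dict[str, str]) -> str:
    """One helper round trip.  The user name is the first token; everything
    after the first space is the password (squid 2.3's ncsa_auth uses sscanf
    and so cannot handle passwords containing spaces)."""
    user, _, password = line.rstrip("\r\n").partition(" ")
    stored = entries.get(user)
    if not user or stored is None or not verify(stored, password):
        return "ERR"
    return "OK"


def basic_header(user: str, password: str) -> str:
    """Proxy-Authorization value a browser sends after squid's 407 challenge."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def credentials_from_basic(header_value: str) -> Optional[Tuple[str, str]]:
    """What squid does before calling the helper.  base64 is an encoding, not
    encryption: anyone who can read client-to-proxy traffic has the password."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def serve(entries: Dict[str, str], stdin=sys.stdin, stdout=sys.stdout) -> None:
    """Helper main loop: answer every request line until squid closes stdin."""
    for line in stdin:
        stdout.write(handle_line(line, entries) + "\n")
        stdout.flush()  # squid waits for the reply; an unflushed helper stalls requests


if __name__ == "__main__":
    # squid.conf (hypothetical path):
    #   authenticate_program /usr/bin/ncsa_like_auth.py /usr/local/squid/etc/passwd
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as f:
            users = load_passwd(f.read())
    else:
        users = load_passwd(SAMPLE_PASSWD)
    serve(users)
```

To try it interactively, run the script without arguments and type "bye secret" and then "bye wrong"; the answers are OK and ERR. Squid 2.3 hands the two fields to the helper verbatim; newer squid releases URL-encode them, so a helper meant for those releases has to unescape both fields first. The password file must be readable by squid's cache_effective_user, because that is the account the helper runs under.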
  
  
5.2.2 Implementation of smb User Authentication
  
  
There are already a number of Chinese articles on ncsa-based authentication, but I have not yet seen one on NT-based user authentication with smb_auth and samba, so let us look at how to implement it in squid.

The latest version of smb_auth is 0.05, which can be downloaded from the address below. The squid source package also contains smb_auth, but only version 0.02.

http://www.hacom.nl/~richard/software/smb_auth-0.05.tar.gz

The smb_auth home page is http://www.hacom.nl/~richard/software/smb_auth.html.
  
1. System requirements:

squid 2.0 or later.

samba 2.0.4 or later. The samba daemons do not need to run: smb_auth only uses samba's client programs.

2. Download smb_auth-0.05.tar.gz and copy it to /tmp.

3. Unpack it:

% tar xvzf smb_auth-0.05.tar.gz

4. Edit the SAMBAPREFIX and INSTALLBIN parameters in the Makefile as required. SAMBAPREFIX is the samba installation prefix and INSTALLBIN the directory where smb_auth will be installed. Here we use:

SAMBAPREFIX = /usr, INSTALLBIN = /usr/bin

5. % make

6. % make install. After a successful installation the executable smb_auth is present in the directory given by INSTALLBIN.

7. Prepare the primary domain controller that will be used for authentication:

First, create a file named "proxy" in the NETLOGON share, containing only the single string "allow". On NT the NETLOGON share is normally the winnt\system32\Repl\Import\Scripts directory. Then grant read permission on that file to every user and group that should be allowed to use squid. This file is the authorization check: smb_auth logs on to the domain with the credentials the user typed into the browser and then tries to read the file, so a valid domain account that cannot read it is refused.
  
8. Set the related option in squid.conf (the path is the INSTALLBIN directory from step 4; -W gives the domain name, see the call syntax below):

authenticate_program /usr/bin/smb_auth -W your_domain_name

9. Define the user class (ACL):

acl auth_user proxy_auth REQUIRED

The REQUIRED keyword matches any user who authenticates successfully.

10. Set http_access:

http_access allow auth_user

Note: as with ncsa, every ACL named on one http_access line must match (they are ANDed and tested from left to right), so put the proxy_auth ACL first when the line lists several ACLs. As follows:

Incorrect configuration: http_access allow auth_user all manager

Correct configuration: http_access allow auth_user manager all

If everything is correct, restart squid and password authentication takes effect. Keep in mind that each user's domain password now passes through the proxy: the browser sends it base64-encoded (Basic scheme), and smb_auth uses it to log on to the domain controller over SMB.
  
Note: smb_auth is called as follows:

1. smb_auth -W your_domain_name

your_domain_name is the NT domain name. smb_auth broadcasts to locate the primary domain controller.

2. smb_auth -W your_domain_name -B address

If the machine has several network interfaces, -B specifies the IP address of the interface on which to broadcast.

3. smb_auth -W your_domain_name -U address

-U specifies the IP address of the primary domain controller directly, so no broadcast is needed.

4. smb_auth -W your_domain_name -S share

-S specifies a share other than NETLOGON in which to look for the "proxy" file.
  
  
5.2.3 Other authentication settings in squid.conf

1. authenticate_children

Description: the number of helper child processes squid starts. The default is 5. On a busy network, increase it as appropriate: each helper handles one request at a time, and requests queue while all helpers are busy.

2. authenticate_ttl

Description: how long one successful authentication stays valid. The default is 3600 seconds. Squid caches the result for that long without asking the helper again, so a changed or disabled password keeps working until the TTL expires; shorten it if that matters more than helper load.

3. proxy_auth_realm

Description: the realm string the browser shows in its login prompt.
  
  
5.3 Transparent proxy settings

We already defined transparent proxying in section 1. Let us look at how to implement it in squid.

Transparent proxying requires a Linux kernel later than 2.0.29, and 2.0.30 does not support it either. Fortunately, we normally run a 2.2.x or later kernel, so this is not a concern. We will use ipchains + squid to implement it. Before starting, note that at present only HTTP can be proxied transparently. That is not a serious limitation, because the purpose of the proxy is to use squid's cache to speed up web access, and ipchains can at the same time block access from unauthorized internal IP addresses and so improve network security.

Implementation environment: RedHat 6.x + squid 2.2.x + ipchains
  
  
5.3.1 linux configurations
  
  
Make sure the following features are configured in your kernel:

[*] Network firewalls
[ ] Socket Filtering
[*] Unix domain sockets
[*] TCP/IP networking
[ ] IP: multicasting
[ ] IP: advanced router
[ ] IP: kernel level autoconfiguration
[*] IP: firewalling
[ ] IP: firewall packet netlink device
[*] IP: always defragment (required for masquerading)
[*] IP: transparent proxy support

If not, recompile the kernel. RedHat 6.x and later versions generally have these configured by default.
  
  
5.3.2 squid configuration options

Set the related options in squid.conf as follows:

http_port 3128

httpd_accel_host virtual

httpd_accel_port 80

httpd_accel_with_proxy on

httpd_accel_uses_host_header on

Note:

1. http_port 3128

In this example we assume that squid's HTTP listening port is 3128, the squid default. All packets of client web requests (that is, with destination port 80) are then redirected to port 3128.

2. httpd_accel_host virtual

httpd_accel_port 80

These two options put squid in accelerator mode. virtual selects the virtual host mode, in which the host is taken from the destination address the client connected to; port 80 is the port whose requests are accelerated. In this mode squid acts as a pure accelerator and its ordinary proxy and ICP functions are disabled; if you need them, you must also set httpd_accel_with_proxy.

3. httpd_accel_with_proxy on

This option must be set to on in transparent proxy mode. In this mode
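The following Python is an added illustration of the mechanism behind the four options above; it is not squid's code and is not part of the original article. Once ipchains redirects a port-80 connection to http_port, squid receives only "GET /path HTTP/1.x" and has to rebuild the origin URL: from the Host header when httpd_accel_uses_host_header is on, otherwise (httpd_accel_host virtual) from the address the client actually connected to. The check in host_matches_destination() is the one squid 2.x does not perform and that a practitioner should be aware of: the Host header is client-controlled, so a client can connect to one server while naming another, and squid caches the real server's response under the other site's URL. The requests, the 192.0.2.10 / 198.51.100.7 addresses and the SAMPLE_DNS table are constructed for this example.

```python
"""How squid turns an intercepted request back into an origin URL under the
squid.conf fragment above.  Added illustration, not squid's code."""

from typing import Dict, Optional, Set, Tuple

# The settings from the text that decide where the host name comes from.
HTTPD_ACCEL_HOST = "virtual"         # use the address the client actually connected to
HTTPD_ACCEL_PORT = 80                # the port whose traffic is intercepted
HTTPD_ACCEL_USES_HOST_HEADER = True  # prefer the client's Host header when present


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP request into (method, request-target, headers)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def reconstruct_url(raw: str, local_ip: str, local_port: int = HTTPD_ACCEL_PORT,
                    uses_host_header: bool = HTTPD_ACCEL_USES_HOST_HEADER) -> Optional[str]:
    """URL squid fetches and caches for one intercepted request.

    local_ip:local_port is what getsockname() reports on the accepted socket;
    with an ipchains REDIRECT that is still the client's original destination."""
    _method, target, headers = parse_request(raw)
    if target.lower().startswith("http://"):
        return target            # ordinary proxy-style request: nothing to rebuild
    if not target.startswith("/"):
        return None              # not an origin-form request
    host = headers.get("host") if uses_host_header else None
    if host is None:
        if HTTPD_ACCEL_HOST != "virtual":
            host = HTTPD_ACCEL_HOST              # one fixed accelerated server name
        elif local_port == 80:
            host = local_ip
        else:
            host = f"{local_ip}:{local_port}"
    return f"http://{host}{target}"


def host_matches_destination(raw: str, local_ip: str, resolve: Dict[str, Set[str]]) -> bool:
    """Does the Host the client claims resolve to the address it connected to?
    Without this check, a spoofed Host makes squid store the real destination's
    response under the claimed site's URL.  `resolve` stands in for DNS."""
    _method, _target, headers = parse_request(raw)
    host = headers.get("host")
    if host is None:
        return True              # nothing claimed; the destination address is used as-is
    name = host.rsplit(":", 1)[0] if ":" in host else host  # strip :port (no IPv6 literals)
    return local_ip in resolve.get(name.lower(), set())


# Constructed samples; the addresses are RFC 5737 documentation addresses.
SAMPLE_DNS: Dict[str, Set[str]] = {"www.example.com": {"192.0.2.10"},
                                   "www.example.net": {"198.51.100.7"}}
HTTP11_REQUEST = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
HTTP10_REQUEST = "GET /index.html HTTP/1.0\r\n\r\n"      # HTTP/1.0 client, no Host
SPOOFED_REQUEST = "GET /index.html HTTP/1.1\r\nHost: www.example.net\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("HTTP/1.1", HTTP11_REQUEST), ("HTTP/1.0", HTTP10_REQUEST),
                       ("spoofed", SPOOFED_REQUEST)):
        print(f"{label:9} {reconstruct_url(req, '192.0.2.10')}"
              f"  host verified: {host_matches_destination(req, '192.0.2.10', SAMPLE_DNS)}")
```

The HTTP/1.0 case shows why httpd_accel_host virtual is needed at all: such clients send no Host header, so the only way to know the origin is the destination address preserved by the redirect. The spoofed case is the price of httpd_accel_uses_host_header on in a shared cache; later squid releases verify the Host header against the destination themselves, but on the versions this article covers the cache is only as trustworthy as the clients behind it.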