Set up Squid Proxy Server

The squid RPM is bundled with RedHat 7.1; if you select it during system installation it is installed automatically. You can run the following command to check whether squid is already installed on your system:

rpm -q squid

The latest version of squid can be obtained from the Squid home page or one of its mirror sites. Squid can then be installed with the following command:

rpm -ivh squid-2.3.STABLE4-10.i386.rpm

Configure squid

Squid is customized by editing its configuration file, squid.conf, which normally lives in the /etc/squid directory. The file is long, but every option in it is documented in detail by the comments around it.

The first option to modify is http_port, which specifies the port on which Squid listens for client requests. The default value is 3128. The port can be combined with the IP address of the machine running Squid, so that Squid listens only on that address, for example:

http_port 192.168.0.1:8080

The preceding statement binds Squid to the IP address 192.168.0.1 and port 8080. The port can be set to any value, but you must confirm that no other program uses the same port. The ports of Squid's other services are set in the same way.

Access Control

With the access control feature you can control caching and access to a particular site or group of sites during a particular time interval. Squid access control has two parts: ACL elements and access lists. An access list allows or denies access to the service for some of the users.

The following are some of the important ACL element types:

  • src: source address (the client IP address)
  • dst: destination address (the server IP address)
  • srcdomain: source name (the client's domain name)
  • dstdomain: destination name (the server's domain name)
  • time: time of day and day of the week
  • url_regex: regular-expression match against the whole URL
  • urlpath_regex: regular-expression match against the URL path only, skipping the protocol and host name
  • proxy_auth: user authentication through an external program
  • maxconn: maximum number of connections from a single IP address

To use access control you must first define the ACL elements and then apply them in rules. An ACL declaration has the following format:

acl acl_element_name type_of_acl_element values_to_acl

Note:

  1. acl_element_name can be any name you choose for the ACL element.
  2. No two ACL elements may have the same name.
  3. Each ACL element consists of a list of values. When matching, the values are combined by a logical OR; in other words, the ACL element matches if any one of its values matches.
  4. Not all ACL element types can be used in every kind of access list.
  5. Each ACL element is written on its own line; Squid combines them into a list.

Many different access list directives exist. Below we use a few of them:

  • http_access: allows or denies HTTP access. This is the main access control directive.
  • no_cache: defines which responses are not cached.

Access list rules consist of the keyword allow or deny followed by one or more ACL elements, to allow or deny the service to the requests that match them.
Note:

  1. Rules are checked in the order they are written. As soon as a rule matches, matching stops.
  2. An access list can contain any number of rules.
  3. If no rule matches a request, the default action is the opposite of the action of the last rule in the list.
  4. All elements on one rule line are combined with a logical AND, and separate lines are combined with a logical OR:
     http_access action declaration1 AND declaration2 AND ...
     OR
     http_access action declaration3
     In other words, a line matches only when every element on it matches, and the first matching line decides.
  5. Remember that the rules in the list are always evaluated from top to bottom.

Back to configuring Squid

By default, Squid's configuration does not let any user through. To permit access, you must add rules of your own. Enter the following lines before the http_access deny line in squid.conf:

acl mynetwork src 192.168.0.1/255.255.255.0
http_access allow mynetwork

mynetwork is the ACL name, and the next line is the rule that applies to that ACL. 192.168.0.1/255.255.255.0 denotes the network with subnet mask 255.255.255.0, so mynetwork names a group of machines on the network, and the rule allows those machines to use the HTTP service. Together with the http_port setting this is enough for Squid to work. Start Squid with the following command:

service squid start

Note:
Squid can also be started automatically at boot by enabling it in ntsysv or in setup (under the system services menu). After any change to the configuration file, the running Squid process must be restarted. Either of the following commands does this:

  1. service squid restart
  2. /etc/rc.d/init.d/squid restart

Configure the client

Because client requests are sent to a specific port on the proxy server, the clients must be configured accordingly. Before proceeding, make sure that each client that will use the proxy is connected to the LAN, has a valid IP address, and can reach the Linux server running Squid.
Configuration in Internet Explorer:

  1. Click Tools > Internet Options on the menu.
  2. Select the Connections tab and click LAN Settings.
  3. Select the proxy server option and enter the IP address and port of the proxy server.

Configuration in Netscape Navigator:

  1. Choose Edit > Preferences > Advanced > Proxies from the menu.
  2. Select Manual Proxy Configuration.
  3. Click View.
  4. Enter the IP address and port of the proxy server.

Examples

Multiple ACL elements and rules together provide a flexible mechanism for controlling client access. Some common examples follow:

  1. Allow only the machines in a list to access the Internet.

    acl allowed_clients src 192.168.0.10 192.168.0.20 192.168.0.30
    http_access allow allowed_clients
    http_access deny !allowed_clients

    These rules allow only the machines with IP addresses 192.168.0.10, 192.168.0.20 and 192.168.0.30
    to access the Internet; machines with other IP addresses are denied.

  2. Restrict the access period.

    acl allowed_clients src 192.168.0.1/255.255.255.0
    acl regular_days time MTWHF HH:MM-HH:MM
    http_access allow allowed_clients regular_days
    http_access deny !allowed_clients

    These rules allow all clients in the subnet 192.168.0.1/255.255.255.0 to access the Internet from Monday to Friday
    between the two times given in the time ACL. The day letters are S M T W H F A for Sunday through Saturday and
    the hours are written as hh:mm-hh:mm; the specific times of the original example are missing from this page.

  3. Assign different access periods to different clients.

    acl host1 src 192.168.0.10
    acl host2 src 192.168.0.20
    acl host3 src 192.168.0.30
    acl morning time HH:MM-HH:MM
    acl lunch time HH:MM-HH:MM
    acl evening time HH:MM-HH:MM
    http_access allow host1 morning
    http_access allow host1 evening
    http_access allow host2 lunch
    http_access allow host3 evening
    http_access deny all

    With these rules host1 can access the Internet during the morning and evening periods,
    while host2 and host3 can access it only during the lunch and evening periods, respectively.
    all is the ACL that matches every source address; the default squid.conf defines it as
    acl all src 0.0.0.0/0.0.0.0. The hour ranges of the original example are missing from this page.

    Note:
    All elements on one access rule line are combined with a logical AND:

    http_access action statement1 AND statement2 AND ...

    Multiple http_access lines are combined with a logical OR, but the elements on each line are ANDed. Consider
    the following line:

    http_access allow host1 morning evening

    A request cannot fall in the morning period and the evening period at the same time, so (morning AND evening)
    never evaluates to true and this line never triggers any action.

  4. Site blocking
    Squid can block particular sites, or any site whose URL contains certain words, with rules like the following:

    acl allowed_clients src 192.168.0.1/255.255.255.0
    acl banned_sites url_regex abc.com
    http_access deny banned_sites
    http_access allow allowed_clients

    The url_regex values are regular expressions matched against the whole URL and are case-sensitive (use
    url_regex -i for a case-insensitive match). An unescaped dot matches any character, so write abc\.com if you
    want only the literal domain. The same mechanism blocks URLs that contain certain words (such as dummy and fake):

    acl allowed_clients src 192.168.0.1/255.255.255.0
    acl banned_sites url_regex dummy fake
    http_access deny banned_sites
    http_access allow allowed_clients

    In practice you do not need to list every site or word in squid.conf. You can put them in a file
    (for example /etc/banned.list, one pattern per line) and have the ACL read the patterns from that file:

    acl allowed_clients src 192.168.0.1/255.255.255.0
    acl banned_sites url_regex "/etc/banned.list"
    http_access deny banned_sites
    http_access allow allowed_clients

  5. Optimization
    Squid can use the maxconn element to limit the number of connections from one client. To use it you must
    first enable the client database (client_db on):

    acl mynetwork src 192.168.0.1/255.255.255.0
    acl numconn maxconn 5
    http_access deny mynetwork numconn

    Note:
    The maxconn ACL matches when the number of connections from a client exceeds the configured value.
    That is the main reason it is used in deny rules rather than with http_access allow.

  6. Cache data
    For static pages, cached data can be returned to the requesting client immediately. Responses from cgi-bin
    scripts or servlets should not be cached; caching of them can be disabled with the no_cache directive:

    acl cache_prevent1 url_regex cgi-bin \?
    acl cache_prevent2 url_regex Servlet
    no_cache deny cache_prevent1
    no_cache deny cache_prevent2

    The first ACL matches any URL containing cgi-bin or a query string; the backslash is needed because ? is a
    regular-expression metacharacter and an unescaped /? would match every URL.

  7. Custom error feedback
    You can customize the message returned by a deny rule with the deny_info option. Squid's default error
    pages are in the /etc/squid/errors directory; another directory can be specified with the error_directory
    option. You can also edit the existing error pages.

    acl allowed_clients src 192.168.0.1/255.255.255.0
    acl banned_sites url_regex abc.com
    http_access deny banned_sites
    deny_info ERR_BANNED_SITE banned_sites
    http_access allow allowed_clients

    In this example a custom message is displayed when a user tries to reach a banned site. The file named in
    the deny_info option (ERR_BANNED_SITE) must exist in the error directory mentioned above and must be an
    HTML page. Only some of the ACL options have been covered here; see the FAQ on the Squid home page for
    more information about ACLs.
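The evaluation order described in the notes above (values within an ACL are ORed, elements on one http_access line are ANDed, the first matching line wins, and the default is the opposite of the last line) is easy to get wrong when reading a long squid.conf. The following Python script is an added example, not code from the article or from the Squid project: it implements those rules for the src, time and url_regex ACL types and replays the site-blocking and time-of-day examples above against a constructed configuration. The hour ranges in the constructed config are hypothetical, since the page does not give them, and the checker is a model of Squid's http_access logic, not Squid itself.

```python
import ipaddress
import re
from datetime import datetime

# Squid's day letters for the "time" ACL (S M T W H F A = Sunday..Saturday),
# mapped to datetime.weekday() numbers (Monday = 0).
DAY_CODES = {"M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5, "S": 6}

# Constructed squid.conf fragment. It merges the page's allowed_clients,
# time-of-day and banned_sites examples; the hour ranges are hypothetical
# because the page does not give them.
SAMPLE_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl mynetwork src 192.168.0.1/255.255.255.0
acl allowed_clients src 192.168.0.10 192.168.0.20 192.168.0.30
acl morning time MTWHF 08:00-12:00
acl evening time MTWHF 17:00-20:00
acl banned_sites url_regex abc\\.com dummy fake
http_access deny banned_sites
http_access allow allowed_clients morning
http_access allow allowed_clients evening
http_access deny !mynetwork
http_access allow mynetwork morning evening
http_access deny all
"""


class Acl:
    """One 'acl NAME TYPE VALUE...' line. The values are ORed, as in Squid."""

    def __init__(self, kind, values):
        self.kind = kind
        if kind == "src":
            self.nets = [ipaddress.ip_network(v, strict=False) for v in values]
        elif kind == "url_regex":
            self.patterns = [re.compile(v) for v in values]
        elif kind == "time":
            # Day letters and/or an hh:mm-hh:mm range; an absent part always matches.
            self.days, self.start, self.end = set(range(7)), "00:00", "24:00"
            for v in values:
                if "-" in v:
                    self.start, self.end = v.split("-", 1)
                else:
                    self.days = {DAY_CODES[c] for c in v}
        else:
            raise ValueError(f"unsupported acl type: {kind}")

    def matches(self, req):
        if self.kind == "src":
            ip = ipaddress.ip_address(req["client"])
            return any(ip in net for net in self.nets)
        if self.kind == "url_regex":
            return any(p.search(req["url"]) for p in self.patterns)
        when = req["when"]  # zero-padded hh:mm strings compare correctly as text
        return when.weekday() in self.days and self.start <= when.strftime("%H:%M") < self.end


def parse_conf(text):
    """Return ({acl_name: Acl}, [(action, [terms])]) from the acl and http_access lines."""
    acls, rules = {}, []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "acl":
            acls[fields[1]] = Acl(fields[2], fields[3:])
        elif fields[0] == "http_access":
            rules.append((fields[1], fields[2:]))
    return acls, rules


def evaluate(acls, rules, req):
    """Apply Squid's http_access semantics; return (action, index of the deciding rule).

    Lines are tried top down. Every term on a line must match (AND; a leading '!'
    negates the term) and the first matching line decides. If no line matches,
    the result is the opposite of the last line's action and the index is None.
    """
    for idx, (action, terms) in enumerate(rules):
        if all(acls[t.lstrip("!")].matches(req) != t.startswith("!") for t in terms):
            return action, idx
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


def decide(conf_text, client, url, when_iso):
    """Decide one request; when_iso is an ISO 8601 timestamp such as 2024-01-02T09:00."""
    acls, rules = parse_conf(conf_text)
    req = {"client": client, "url": url, "when": datetime.fromisoformat(when_iso)}
    return evaluate(acls, rules, req)


if __name__ == "__main__":
    tuesday_9am = "2024-01-02T09:00"  # constructed timestamp (a Tuesday)
    for client, url in [("192.168.0.10", "http://www.example.org/"),
                        ("192.168.0.10", "http://www.abc.com/"),
                        ("10.0.0.5", "http://www.example.org/"),
                        ("192.168.0.50", "http://www.example.org/")]:
        print(client, url, decide(SAMPLE_CONF, client, url, tuesday_9am))
```

The last request in the demo is the instructive one: 192.168.0.50 is inside mynetwork, but the line "http_access allow mynetwork morning evening" can never match because a single request is not in both time periods, so the request falls through to "deny all". Remove that final line and the same request is still denied, now by the default rule (opposite of the last line, which is an allow), which is why a configuration should always end with an explicit deny.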

Logs

All Squid log files are kept in the /var/log/squid directory: the cache log, the access log and store.log.
access.log records the client requests and connection activity: every HTTP and ICP query, the client IP address,
the request method, the requested URL and so on. This data can be used to analyse how the proxy is used. Many
programs, such as sarg, calamaris and Squid-Log-Analyzer, can process it and generate reports in HTML format,
broken down by user, by IP address or by the sites visited.
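The report generators named above all start from the same parsing step. The following Python script is an added example, not code from the article or from any of those tools: it parses Squid's native access.log format (timestamp, elapsed milliseconds, client, result/status, bytes, method, URL, ident, hierarchy/peer, content type), skips malformed lines, and produces the three summaries a proxy administrator looks at first: bytes per client, the busiest destination hosts, and which (client, host) pairs were refused by an http_access rule (TCP_DENIED). The log lines are constructed, not real traffic.

```python
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed access.log lines in Squid's native format (not real traffic). Fields:
# timestamp elapsed_ms client result/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1700000000.101    312 192.168.0.10 TCP_MISS/200 15320 GET http://www.example.org/index.html - DIRECT/203.0.113.7 text/html
1700000001.250     12 192.168.0.10 TCP_HIT/200 2048 GET http://www.example.org/logo.png - NONE/- image/png
1700000002.004      3 192.168.0.20 TCP_DENIED/403 1420 GET http://www.abc.com/ - NONE/- text/html
1700000003.511    905 192.168.0.30 TCP_MISS/200 88211 CONNECT mail.example.net:443 - DIRECT/198.51.100.9 -
1700000004.777      2 10.0.0.5 TCP_DENIED/403 1420 GET http://www.example.org/ - NONE/- text/html
this line is malformed and must be skipped
1700000005.900    401 192.168.0.20 TCP_MISS/200 5120 GET http://intranet.example.net/cgi-bin/report?id=7 - DIRECT/192.168.0.2 text/html
"""


def host_of(url):
    """Host part of a logged URL; CONNECT requests log 'host:port' without a scheme."""
    if "://" not in url:
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or ""


def parse_line(line):
    """Parse one native-format line into a dict, or return None if it is malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    try:
        ts, elapsed, size = float(fields[0]), int(fields[1]), int(fields[4])
    except ValueError:
        return None
    result, _, status = fields[3].partition("/")
    return {
        "time": datetime.fromtimestamp(ts, tz=timezone.utc),
        "elapsed_ms": elapsed,
        "client": fields[2],
        "result": result,          # e.g. TCP_MISS, TCP_HIT, TCP_DENIED
        "status": int(status) if status.isdigit() else None,
        "bytes": size,
        "method": fields[5],
        "url": fields[6],
        "host": host_of(fields[6]),
        "hierarchy": fields[8],    # e.g. DIRECT/203.0.113.7 or NONE/-
        "type": fields[9],
    }


def summarize(log_text):
    """Aggregate a log: entries parsed, bytes per client, busiest hosts, denied (client, host) pairs."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    bytes_per_client, hits_per_host, denied = Counter(), Counter(), Counter()
    for e in entries:
        bytes_per_client[e["client"]] += e["bytes"]
        hits_per_host[e["host"]] += 1
        if e["result"] == "TCP_DENIED":   # a request an http_access rule refused
            denied[(e["client"], e["host"])] += 1
    return {
        "entries": len(entries),
        "bytes_per_client": bytes_per_client,
        "top_hosts": hits_per_host.most_common(3),
        "denied": denied,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['entries']} requests parsed")
    for client, total in report["bytes_per_client"].most_common():
        print(f"{client:15} {total:>8} bytes")
    print("busiest hosts:", report["top_hosts"])
    for (client, host), n in report["denied"].items():
        print(f"denied {n}x: {client} -> {host}")
```

The denied summary is the one worth watching: a client outside the allowed subnet (10.0.0.5 in the constructed data) that keeps producing TCP_DENIED entries is either misconfigured or probing the proxy, and a burst of denials for one host from inside the subnet usually means a banned_sites pattern is catching more than intended.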

The locations of these files can be changed with the following options:

cache_access_log      for access.log
cache_log             for cache.log
cache_store_log       for store.log (the store manager log)
pid_filename          the file holding the Squid process ID

Verification Method

Squid's default configuration allows access by any user without verification. Squid provides user verification
through an external program (so that, for example, only valid users may reach the Internet), which requires a
valid user name and password. The proxy_auth ACL together with the authenticate_program option verifies the user
name and password before access is granted. Some of the verification programs available for Squid are listed below:

  1. LDAP: Linux Lightweight Directory Access Protocol
  2. NCSA: user name and password in NCSA (htpasswd) style
  3. SMB: services using the SMB protocol, such as Samba or Windows NT
  4. MSNT: Windows NT domain verification
  5. PAM: Linux Pluggable Authentication Modules
  6. getpwnam: the Linux password file

You must specify which verification program to use with the authenticate_program option. Make sure the chosen
program is installed and working before relying on it.

Set the chosen verification program in squid.conf:

authenticate_program /usr/local/bin/pam_auth

acl pass proxy_auth REQUIRED
acl mynetwork src 192.168.0.1/255.255.255.0
http_access deny !mynetwork
http_access allow pass
http_access deny all

These rules use the PAM verification program; every user must authenticate before being granted access.

Options such as authenticate_ttl and authenticate_ip_ttl change how the verification program is used, for example how long a validated user name and password remain valid before the user must authenticate again.
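The verification programs listed above all speak the same simple interface to Squid: Squid starts the helper named in authenticate_program, writes one line per login attempt ("user password") to its standard input, and expects a line reading OK or ERR back for each. The following Python helper is an added example, not one of Squid's bundled helpers: it implements that basic-auth helper protocol against a constructed, salted PBKDF2 user table so the mechanism can be seen end to end. The user names, passwords and the hashing scheme are assumptions for the example (a real deployment would use one of the helpers above, or load its table from a protected file); newer Squid releases percent-encode the two fields before sending them, which the helper handles with unquote.

```python
import hashlib
import hmac
import os
import sys
from urllib.parse import unquote

ITERATIONS = 50_000


def make_record(password, salt=None):
    """Salted PBKDF2-SHA256 record for one user (constructed store, not an NCSA htpasswd file)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user table. A real helper would load it from a file readable only by
# the account Squid runs its helpers as, never embed it in the program.
USERS = {
    "alice": make_record("correct horse"),
    "bob": make_record("battery staple"),
}


def check_credentials(user, password):
    record = USERS.get(user)
    if record is None:
        # Do the same amount of work for unknown users so response time does not
        # reveal which user names exist.
        make_record(password, b"\x00" * 16)
        return False
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest, candidate)


def handle_line(line):
    """One request from Squid ('user password') -> the reply Squid expects ('OK' or 'ERR')."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2 or not parts[0]:
        return "ERR"
    # Newer Squid versions percent-encode the two fields; unquote is a no-op for plain ones.
    user, password = (unquote(p) for p in parts)
    return "OK" if check_credentials(user, password) else "ERR"


def main():
    # Squid keeps the helper running and sends one request per line; each reply
    # must be flushed at once or Squid waits for it indefinitely.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

To try it without Squid, run the script and type "alice correct horse" on one line; it answers OK, and any other combination answers ERR. Pointing authenticate_program at the script (for example authenticate_program /usr/local/bin/squid_basic_auth.py, a hypothetical path) plugs it into the proxy_auth rules shown above.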

References

This article is only a glimpse of what Squid can do. More material can be found at the following sites:

  • Squid home page, www.squid-cache.org
  • Squid Documentation Project, squid-docs.sourceforge.net
  • Visolve.com
  • For proxy authentication, home.iae.nl/users/devet/squid/proxy_auth

(Posted from: www.linuxfocus.org, Author: D.S. Oberoi Translation: Free Neil)
