Article Title: Set up a Squid proxy server.
Author: D.S. Oberoi
Is Squid already installed?
The Squid RPM is bundled with Red Hat 7.1. If you selected it when installing the system, it is already installed. You can run the following command to check whether Squid is installed on your system:
rpm -q squid
The latest version of Squid can be obtained from the Squid home page or one of its mirror sites. Squid can be installed on the system with the following command:
rpm -ivh squid-2.3.STABLE4-10.i386.rpm
Configure Squid
Squid is customized by editing its configuration file squid.conf, which is usually found in the /etc/squid directory. This configuration file is long, but every option in it is described in detail.
The first thing to modify is http_port. This option specifies the port on which Squid listens for client requests; the default value is 3128. For the proxy function, the port value is combined with the IP address of the machine running Squid. You can modify it as follows:
http_port 192.168.0.1:8080
The preceding statement binds Squid to the IP address 192.168.0.1 and port 8080. The port can be set to any value, but you need to confirm that no other program is using the same port. The ports for other service requests can be configured in the same way.
Access Control
With access controls you can control caching and access to a specific site or group of sites during a given time interval. Squid access control has two elements: ACL elements and access lists. An access list allows or denies the service to some set of users.
The following are some important ACL element types:
* src: source address (client IP address)
* dst: destination address (that is, the server IP address)
* srcdomain: source name (client name)
* dstdomain: destination name (that is, the server name)
* time: time of day and day of the week
* url_regex: regular-expression match against the URL
* urlpath_regex: regular-expression match against the URL path, skipping the protocol and host name
* proxy_auth: user authentication through an external program
* maxconn: maximum number of connections from a single IP address
To use access control, you must first define the ACLs and then apply them. An ACL is declared as follows:
acl acl_element_name type value1 value2 ...
1. acl_element_name can be any name you choose for the ACL.
2. No two ACL elements may share the same name.
3. Each ACL consists of a list of values. When matching, the values are combined with logical OR; in other words, the ACL element matches if any one of its values matches.
4. Not all ACL element types can be used with every kind of access list.
5. Each ACL element is written on its own line; lines that share the same name are combined by Squid into one list.
Several kinds of access list are available. The ones used below are:
* http_access: allows or denies HTTP access. This is the main access control list.
* no_cache: controls which requests are served from or stored in the cache.
Access list rules consist of a keyword such as 'allow' or 'deny' that grants or refuses service to a specific ACL element or set of ACL elements.
Note:
1. The rules are checked in the order they appear. As soon as a rule matches, checking stops.
2. An access list can contain any number of rules.
3. If no rule matches the request, the default action is the opposite of the action in the last rule of the list.
4. All elements within one access entry are combined with AND:
http_access Action Statement1 AND Statement2 AND Statement3 OR
http_access Action Statement4
Multiple http_access statements are combined with OR, but the elements of a single access entry are combined with AND.
5. Remember that the rules in the list are always evaluated top-down.
Back to configuring Squid
By default, Squid does not grant any user access. To allow access, you must add rules of your own. Enter the following text before the http_access deny line in squid.conf:
acl mynetwork src 192.168.0.1/255.255.255.0
http_access allow mynetwork
mynetwork is the ACL name, and the next line is the rule that applies to that ACL. 192.168.0.1/255.255.255.0 denotes the network containing 192.168.0.1 with the subnet mask 255.255.255.0. mynetwork therefore names a group of machines on the network, and the rule that follows allows those machines to use the HTTP service. Together with the http_port setting, this modification is enough for Squid to work. Squid is started with the following command:
service squid start
Note:
Squid can also be started automatically at boot by enabling it in ntsysv or in setup (System Services menu). After any change to the configuration file, the running Squid process must be restarted. Either of the following commands does this:
1. service squid restart, or
2. /etc/rc.d/init.d/squid restart
Configure the client
Because client requests are sent to a specific port on the proxy server, the clients must be configured to match. Before proceeding, make sure that each client that will use the proxy is connected to the LAN, has been assigned a valid IP address, and can reach the Linux server running Squid.
Configuration in Internet Explorer:
1. Click Tools > Internet Options on the menu.
2. Select the Connections tab and click LAN Settings.
3. Select the proxy server option and enter the IP address and port of the proxy server.
Configuration in Netscape Navigator:
1. Click Edit > Preferences > Advanced > Proxies on the menu.
2. Select Manual Proxy Configuration.
3. Click View.
4. Enter the IP address and port of the proxy server.
Usage examples
Multiple access controls and their rules provide a flexible mechanism for controlling client access. Some common examples follow:
1. Allow only the listed machines to access the Internet.
acl allowed_clients src 192.168.0.10 192.168.0.20 192.168.0.30
http_access allow allowed_clients
http_access deny !allowed_clients
These rules allow only the machines with IP addresses 192.168.0.10, 192.168.0.20 and 192.168.0.30 to access the Internet; machines with any other IP address are denied.
2. Restrict the access period.
acl allowed_clients src 192.168.0.1/255.255.255.0
acl regular_days time MTWHF h1:m1-h2:m2
http_access allow allowed_clients regular_days
http_access deny !allowed_clients
These rules allow all clients in the 192.168.0.1/255.255.255.0 subnet to access the Internet from Monday to Friday (the day letters M, T, W, H and F) during the hours given as h1:m1-h2:m2 in Squid's time-range notation. Note that a request from an allowed client outside those hours matches neither rule; because the last rule is a deny, the default (the opposite of the last rule) allows it. Add http_access deny all as the final rule if such requests should be refused.
3. Assign different access periods to different clients.
acl host1 src 192.168.0.10
acl host2 src 192.168.0.20
acl host3 src 192.168.0.30
acl morning time h1:m1-h2:m2
acl lunch time h1:m1-h2:m2
acl evening time h1:m1-h2:m2
http_access allow host1 morning
http_access allow host1 evening
http_access allow host2 lunch
http_access allow host3 evening
http_access deny all
Each time ACL takes its own hour range in h1:m1-h2:m2 notation. With these rules, host1 can access the Internet during the morning and evening periods, while host2 and host3 can access it only during the lunch and evening periods respectively.
Note:
All elements in one access entry are combined with AND:
http_access Action statement1 AND statement2 AND statement3 OR
http_access Action statement4
Multiple http_access statements are combined with OR, whereas the elements within a single access entry are combined with AND. Consider the following:
http_access allow host1 morning evening
This line requires the current time to fall in the morning AND evening periods at the same time, which can never be TRUE, so this entry never triggers any action.
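As an added example (not code from the article or from Squid), the following Python evaluator reproduces the matching rules described in the notes above: terms on one http_access line are ANDed, lines are ORed in order, the first match wins, and no match yields the opposite of the last line. It covers the src, time and url_regex ACL types with "!" negation, and its constructed configuration is modelled on example 3 with assumed hours, so it shows why "http_access allow host2 morning evening" can never match.

```python
import ipaddress, re
from datetime import datetime
# Added example, not code from the article or from Squid: a minimal evaluator for the
# http_access semantics described above (terms on one line are ANDed, lines are ORed in
# order, the first match wins, and no match yields the opposite of the last line).
DAYS = "SMTWHFA"  # Squid day letters: Sunday, Monday, ..., Saturday
def parse_config(text):
    """Collect acl definitions (name -> (type, values)) and the ordered http_access rules."""
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) > 3 and parts[0] == "acl":
            acls[parts[1]] = (parts[2], parts[3:])
        elif len(parts) > 2 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules
def match_acl(acl_type, values, req):
    """The values of one ACL are ORed: any single value matching is a match."""
    if acl_type == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "url_regex":
        return any(re.search(v, req["url"]) for v in values)
    if acl_type == "time":  # e.g. "MTWHF 09:00-17:00"; the hour range is taken as [start, end)
        when, hhmm = req["when"], req["when"].strftime("%H:%M")
        days = [v for v in values if set(v) <= set(DAYS)]
        spans = [v.split("-") for v in values if "-" in v]
        day_ok = not days or DAYS[(when.weekday() + 1) % 7] in days[0]
        return day_ok and (not spans or any(a <= hhmm < b for a, b in spans))
    raise ValueError("unsupported ACL type: " + acl_type)
def http_access(acls, rules, req):
    for action, terms in rules:
        # "!" negates a term; every term on the line must hold for the line to match.
        if all(match_acl(*acls[t.lstrip("!")], req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"
# Constructed configuration modelled on example 3 above; the hours are assumed.
CONFIG = """
acl all src 0.0.0.0/0.0.0.0
acl host1 src 192.168.0.10
acl host2 src 192.168.0.20
acl morning time MTWHF 08:00-12:00
acl evening time MTWHF 18:00-22:00
http_access allow host1 morning
http_access allow host1 evening
http_access allow host2 morning evening
http_access deny all
"""
def decide(src, url, when_iso, config=CONFIG):
    return http_access(*parse_config(config), {"src": src, "url": url, "when": datetime.fromisoformat(when_iso)})
```

Passing a different configuration string to decide() lets you check the first-match and default behaviour of any of the examples on this page before loading them into a live proxy.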
4. Site blocking
Squid can block specific sites, or sites whose URL contains certain words. Use rules such as the following:
acl allowed_clients src 192.168.0.1/255.255.255.0
acl banned_sites url_regex abc.com
http_access deny banned_sites
http_access allow allowed_clients
The same mechanism blocks sites whose URL contains certain words (such as dummy and fake):
acl allowed_clients src 192.168.0.1/255.255.255.0
acl banned_sites url_regex dummy fake
http_access deny banned_sites
http_access allow allowed_clients
The deny rule is placed first on purpose: matching stops at the first hit, so a deny placed after the allow rule would never be reached for allowed clients.
In practice you do not need to list every blocked site or word in squid.conf. Save them in a file (for example /etc/banned.list, one pattern per line) and let the ACL read the patterns from that file:
acl allowed_clients src 192.168.0.1/255.255.255.0
acl banned_sites url_regex "/etc/banned.list"
http_access deny banned_sites
http_access allow allowed_clients
5. Optimization
Squid can limit the number of connections per client with the maxconn element. To use this option, you must first enable client_db (client_db on in squid.conf).
acl mynetwork src 192.168.0.1/255.255.255.0
acl numconn maxconn 5
http_access deny mynetwork numconn
Note:
The maxconn ACL matches once a client IP address has more than the set number of connections open, so the rule above starts denying new requests from a mynetwork client when it exceeds 5 connections.