Squid configuration details + Authentication

Source: Internet
Author: User

Note: You can configure NCSA authentication for both the RPM package and the source code installation of squid.

Here we set up a proxy server that provides proxy services only to the internal network. It divides users into two types, advanced users and normal users. Advanced users are identified by the physical (MAC) address of their network card; normal users must enter a user name and password before they can use the proxy. Advanced users have no access-time or file-type restrictions, while normal users may only use the proxy during working hours and are subject to some further restrictions.

Install

The source package can be obtained from the Squid site www.squid-cache.org in both gz and bz2 compression formats. You can also use the package shipped with your Linux distribution, such as the RPM provided by Red Hat.

The RPM installation method is simple. The command is as follows:

$ rpm -ivh squid-2.x.STABLEx.i386.rpm


However, the author believes that even if Squid is installed by default on the system, you should first remove it and then install the latest source package. Open-source software constantly fixes problems and adds features, so the latest version gives the best performance and security, and building from source lets you customize it fully. Unpack it:

$ tar xvfz squid-2.5.STABLE.tar.gz


The size of the compressed package in bz2 mode may be smaller. The corresponding command is:

$ tar xvfj squid-2.5.STABLE.tar.bz2


Then, enter the corresponding directory to configure and compile the source code. The command is as follows:

$ cd squid-2.5.STABLE2


The configure script has many options. If you are unsure about them, run it with "--help" to list them. The following options are generally used:

--prefix=/web/squid
# Specifies where Squid is installed. If only this option is given, that directory will contain bin, sbin, man, conf and other subdirectories, and the main configuration file lives in the conf subdirectory. For easier management it is best to add --sysconfdir=/etc so the configuration file is placed under /etc.
--enable-storeio=ufs,null
# The storage type used is normally the default ufs, but if you want a proxy server that caches no files at all, add the null storage type as well.
--enable-arp-acl
# Lets you control clients by MAC address directly in the ACL rules, to guard against IP spoofing.
--enable-err-languages="Simplify_Chinese"
--enable-default-err-language="Simplify_Chinese"
# These two options tell Squid to build and use the simplified Chinese error messages.
# (RPM package: the equivalent is to replace the errors directory with a symbolic link:
#   [root@rh73 ~]# cd /etc/squid/
#   [root@rh73 /etc/squid]# rm -f errors
#   [root@rh73 /etc/squid]# ln -s /usr/lib/squid/errors/Simplify_Chinese errors
# /usr/lib/squid/errors holds the error pages of the installed Squid version in each language, one language per subdirectory.)
--enable-linux-netfilter
# Enables transparent proxying on Linux.
--enable-underscore
# Allows underscores in the URLs being parsed; by default Squid treats a URL whose host name contains an underscore as invalid.


The configuration compilation process is as follows:

./configure --prefix=/var/squid \
  --sysconfdir=/etc \
  --enable-arp-acl \
  --enable-linux-netfilter \
  --enable-pthreads \
  --enable-err-languages="Simplify_Chinese" \
  --enable-storeio=ufs,null \
  --enable-default-err-language="Simplify_Chinese" \
  --enable-auth="basic" \
  --enable-basic-auth-helpers="NCSA" \
  --enable-underscore


Some of these options have special functions and will be described below.

Finally, run the make and make install commands to compile the source code into executable files and copy them to the specified location.

Basic Configuration

After installation, configure how Squid runs (as opposed to the build configuration above). Everything is done in squid.conf. The squid.conf shipped with Squid contains very detailed comments, which amount to a user manual; refer to it for any configuration question.

In this example the proxy server is also the gateway: the internal interface eth0 has the IP address 192.168.0.1 and the external interface eth1 has the IP address 202.103.x.x. The following are the configuration options needed for a basic proxy:

http_port 192.168.0.1:3128


The default port is 3128; any other port can be used as long as it does not conflict with another service. For security, prefixing the internal IP address makes Squid listen only on that address and not on the external interface.

The following configuration option is an email from the Server Manager. When an error occurs, the address is displayed on the error page for easy contact:

cache_mgr start@soocol.com


The following parameters indicate the file system, location, and Cache Policy cached by Squid:

cache_dir ufs /var/squid
cache_mem 32 MB
cache_swap_low 90
cache_swap_high 95


Here Squid uses /var/squid as the directory for cached data and 32 MB of memory for caching objects. When cache disk usage reaches 95%, new content replaces old content instead of simply being added, until usage falls back to the low-water mark (90% here). If you do not want Squid to cache any files at all, for example on a dedicated system with little storage, use the null storage type (which needs none of those cache policies):

cache_dir null /tmp


In the following several cache policy configurations, the most important is the first line, that is, the user's access record. You can analyze it to understand the detailed addresses of all user access:

cache_access_log /var/squid/access.log
cache_log /var/squid/cache.log
cache_store_log /var/squid/store.log
Note: if the cache directory and log directory are mounted on a logical volume, or if authentication is required for Internet access, stopping or restarting the service will be slower.
If authentication is enabled, the cache directory, the logs and the password file must be accessible to the user Squid runs as (squid or nobody); otherwise startup and shutdown, or one of them, will fail.
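The access.log named above is where a defender sees who reached the proxy, who was challenged for a password and which requests the http_access rules denied. The following parser is an added example, not code from the original post or from the Squid project; it reads Squid's native log format, and the sample log lines are constructed for the example (the client addresses and hosts are illustrative).

```python
# Added example (not from the original post): parse Squid's native access.log
# format and summarise, per client, what was served, what was challenged (407)
# and what policy denied. The log lines below are constructed for the example.
import re
from collections import defaultdict
from urllib.parse import urlsplit

# native format: time elapsed client action/status bytes method URL user hierarchy/peer type
LINE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
                  r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
                  r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
                  r"(?P<hier>\S+)\s+(?P<ctype>\S+)$")

SAMPLE_LOG = """\
1069757923.101    245 192.168.0.50 TCP_DENIED/407 1735 GET http://www.sina.com.cn/ - NONE/- text/html
1069757925.456    789 192.168.0.50 TCP_MISS/200 12345 GET http://www.sina.com.cn/ guest DIRECT/202.108.33.32 text/html
1069757930.002      3 192.168.0.50 TCP_DENIED/403 1600 GET http://music.example.com/song.mp3 guest NONE/- text/html
1069757931.770      2 192.168.0.77 TCP_DENIED/403 1600 GET http://qq.tencent.com/ guest NONE/- text/html
1069758000.120    530 192.168.0.5 TCP_HIT/200 8000 GET http://news.sina.com.cn/ - NONE/- text/html
"""


def parse_line(line):
    """Return a dict of fields for one native-format line, or None if it does not parse."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    rec["host"] = urlsplit(rec["url"]).hostname or rec["url"]
    return rec


def summarise(text):
    """Per-client totals plus the users seen from more than one client address."""
    per_client = defaultdict(lambda: {"requests": 0, "bytes": 0, "challenges": 0,
                                      "denied": 0, "denied_hosts": set(), "users": set()})
    user_ips = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # skip blank or unparseable lines
        c = per_client[rec["client"]]
        c["requests"] += 1
        c["bytes"] += rec["bytes"]
        if rec["action"] == "TCP_DENIED":
            if rec["status"] == 407:      # proxy_auth challenge, not a policy decision
                c["challenges"] += 1
            else:                         # an http_access deny hit (mmxfile, qq, worktime ...)
                c["denied"] += 1
                c["denied_hosts"].add(rec["host"])
        if rec["user"] != "-":
            c["users"].add(rec["user"])
            user_ips[rec["user"]].add(rec["client"])
    # the same account authenticating from several addresses hints at shared credentials
    shared = {u: sorted(ips) for u, ips in user_ips.items() if len(ips) > 1}
    return per_client, shared
```

Run `summarise(open("/var/squid/access.log").read())` against a real log to get the same per-client table; the 407 count separates password prompts from real policy denials.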

The following line of configuration is a parameter that appears in a newer version, telling Squid the server name displayed on the error page:

visible_hostname No1.proxy # the visible host name can be a computer name or an IP address


The following option tells Squid how to mask client addresses; with a full mask, the IP address of every request is handled as a distinct address:

client_netmask 255.255.255.255


For an ordinary proxy server the above configuration is sufficient. However, many Squids are used as transparent proxies: the client does not know the proxy exists and needs no proxy-related settings, which greatly simplifies the administrator's work. The related options are:

httpd_accel_host virtual
httpd_accel_port 80 # these two options define Squid's acceleration mode: virtual selects virtual-host mode and 80 is the port to accelerate; in this mode Squid turns off caching
httpd_accel_with_proxy on # Squid acts both as web request accelerator and as caching proxy server
httpd_accel_uses_host_header on # in transparent proxy mode, lets the proxy's cache work correctly


On Linux, iptables/ipchains can forward requests to web port 80 straight to Squid's port 3128, where Squid answers them while the user's browser still believes it is talking to port 80 of the remote site. For example:

iptables -t nat -A PREROUTING -s 192.168.0.200/32 -p tcp --dport 80 -j REDIRECT --to-ports 3128


That is, all traffic from 192.168.0.200 to port 80 is redirected to port 3128.

Once everything else is set up, the key task is access control. Squid supports many management methods and they are very easy to use (this is why some people prefer to run Squid without any caching at all rather than rely on iptables alone). Squid can identify users by IP address, host name, MAC address, user/password authentication and so on, and can control access by domain name, domain suffix, file type, IP address, port, URL match and so on; it can also manage users by time period. Access control is therefore the focus of Squid configuration. Squid classifies access with ACLs (Access Control Lists) and controls them with http_access deny or allow. As required, define two user groups (advance and normal), a catch-all for every user not otherwise specified, and badusers who are not allowed to reach the Internet. The configuration is as follows:

acl allowhost src "/usr/local/squid/etc/squid.allow.hosts" # decide whether to allow the proxy by reading the definitions in this file
acl advance src 192.168.0.2-192.168.0.10/32
acl normal src 192.168.0.11-192.168.0.200/32
acl baduser src 192.168.0.100/32
acl baddst dstdomain www.soocol.com
acl all src 0.0.0.0/0

http_access deny baduser
http_access allow advance
http_access allow normal
http_access allow allowhost

The basic ACL format is as follows:

acl <list name> <control type> <control target>


For example, acl all src 0.0.0.0/0 defines a list named all whose control type is src (source IP address) and whose target is 0.0.0.0/0, that is, every otherwise undefined user. For security this list is always denied at the end.

The following list represents advanced users, including all computers with IP addresses ranging from 192.168.0.2 to 192.168.0.10:

acl advance src 192.168.0.2-192.168.0.20/32


The following baduser list contains only one computer, and its IP address is 192.168.0.100:

acl baduser src 192.168.0.100/32

(Supplement) acl my_network src 192.168.0.30
http_access deny my_network
http_access allow normal # deny the request before authentication; otherwise the host can still reach the Internet
In this way the host with IP address 192.168.0.30 is prevented from reaching the Internet through the proxy.
After the ACL is completed, you need to manage them separately. The Code is as follows:

http_access deny baduser
http_access allow advance
http_access allow normal


The above tells Squid that the baduser group may not access the Internet, while the advance and normal groups may (detailed permissions are not specified yet). Because Squid reads rules in order, baduser is denied first and then normal is allowed. If the two rules were reversed, since baduser lies within the normal range, Squid would allow everything in normal and the deny of baduser would never take effect.

Note that Squid applies rules in the order they are written (allow, deny, allow, deny ...). When a user reaches the proxy, Squid tests the http_access rules in sequence; if none of them matches, Squid applies the opposite of the last rule. In the preceding example, suppose a user's IP address is 192.168.0.201 and he tries to reach the Internet through this proxy. We find that he can, because Squid scans all the access lists, finds nothing related to 192.168.0.201 and falls back to the default: the last rule is a deny, so the default becomes allow, and 192.168.0.201 gets through. This is obviously not what we want, so every squid.conf ends with http_access deny all, where all is the previously defined "src 0.0.0.0/0".

Advanced Control

As mentioned above, Squid's control function is very powerful. As long as you understand the behavior of Squid, it can basically meet all the control requirements. Next, let's take a step-by-step look at how Squid manages its control.

Identifying users by IP address is unreliable. The NIC's MAC (physical) address is better. To use MAC-based identification in Squid you must add the "--enable-arp-acl" option when compiling; then you can identify users with statements like:

acl advance arp 00:01:02:1f:2c:3e 00:01:02:3c:1a:8b ...


This uses the user's MAC address directly, and MAC addresses are generally not easy to change. Even if a normal user changes his IP address to an advanced user's, he will not pass, so this method is far more reliable than IP addresses.

What if you do not want users to reach a certain website? There are two cases. In the first, access to one host of a site is denied, for example the host OK.sina.com.cn, while other Sina resources remain reachable. The ACL can be written as follows:

acl sinapage dstdomain OK.sina.com.cn
......
http_access deny sinapage
......


As you can see, apart from OK.sina.com.cn, hosts such as www.sina.com.cn and news.sina.com.cn remain accessible.

In another case, the whole website is not accessible. You only need to write the domain name that the website has. The configuration is as follows:

acl qq dstdomain .tencent.com.cn .tencent.com


Note that the "." in front of tencent means that every host ending in that domain name is blocked; without it, only the host tencent.com.cn itself would be blocked.

If you want to block access to an IP address, such as 202.118.2.182, use dst to control it:


acl badaddr dst 202.118.2.182


Of course, dst can also be given a domain name, which Squid resolves to an IP address through the DNS server.

Another widely used control is file type. If you do not want normal users to download MP3, AVI, and other files through the proxy server, you can restrict them. The Code is as follows:

acl mmxfile urlpath_regex \.mp3$ \.avi$ \.exe$
http_access deny mmxfile


Many readers will be familiar with regex, because this statement uses a standard regular expression. \.mp3$ matches every URL path ending in .mp3, \.avi$ every path ending in .avi, and so on. You can also add the -i parameter to ignore case, for example:

acl mmxfile urlpath_regex -i \.mp3$


In this case both .mp3 and .MP3 are rejected. Of course, the -i parameter applies wherever case may matter, such as the domain-name controls above.

What should I do if I want normal users to access the Internet only during work hours and work days every week? Take a look at the following ACL definition:

acl worktime time MTWHF --
http_access deny !worktime


First we define the permitted Internet access time as fixed morning and afternoon periods from Monday to Friday; then http_access denies every request outside that time.

To ensure the bandwidth of an advanced user, you can use Squid to control the concurrent connections of each user so as not to affect others. The Code is as follows:

acl conncount maxconn 3
http_access deny conncount normal
http_access allow normal


In this way a normal user can hold only three connections at a time; the fourth connection is rejected.

In short, Squid ACL configuration is flexible and powerful. For more control methods, see squid.conf.default.

Authentication

User/password authentication makes Squid management more convenient. The most common method is NCSA. Since Squid 2.5, NCSA authentication is part of the basic scheme rather than a separate authentication module. Let's look at the concrete steps for setting up authentication.

(Source code) The configure options at compile time should include the following:

--enable-auth="basic" --enable-basic-auth-helpers="NCSA"


After make install, copy helpers/basic_auth/NCSA/ncsa_auth to a directory for executables, for example /usr/bin (if the executable is not found there, use make all instead of make when compiling, or run make directly in that directory).
(RPM package) The /usr/lib/squid directory already contains ncsa_auth, ntlm_auth and other authentication programs. When editing the Squid configuration file, enter auth_param basic program /usr/lib/squid/ncsa_auth /var/squid/etc/password (the password file can be placed in another directory).

Then we need to use the Apache password management program htpasswd to generate the file name corresponding to the user name/password, just like the following line of code:

htpasswd -c /var/squid/etc/password guest # if the password file is not owned by the squid user, Squid reports an error and fails at startup


After you enter the guest password twice, the guest user is created. To add more users later, run the same command without the -c parameter; otherwise the file is recreated, the authentication window keeps appearing and the requested page cannot be reached.

Squid 2.5 changed authentication handling considerably; only the 2.5 method is discussed here, and for 2.4 and earlier see squid.conf.default. In version 2.5, squid.conf includes the following options:

# This option specifies the authentication scheme (basic), the helper program (ncsa_auth) and the password file
auth_param basic program /usr/bin/ncsa_auth /var/squid/etc/password
# Number of authentication helper processes
auth_param basic children 5
# Realm shown in the browser's user/password dialog
auth_param basic realm My Proxy Caching Domain
# How long verified credentials stay valid
auth_param basic credentialsttl 2 hours
# Normal users must authenticate before accessing the Internet
acl normal proxy_auth REQUIRED # if no authentication window appears with REQUIRED, replace it with a user name from the password file (such as guest)
http_access allow normal


With the above configuration, authentication is in place. Some readers may ask: what if only normal users should authenticate while advanced users go straight through? The two kinds of users can coexist. As mentioned above, Squid processes http_access lines in order. If normal is processed first, the current user is asked to authenticate regardless of whether he is an advanced user; if advance is processed first, only the normal users who need authentication remain. For example, consider the following configuration:

...
http_access allow normal    (authentication required)
http_access allow advance   (no authentication required)
...


With this order, user name/password verification is demanded whether or not the user is one who should skip authentication. The correct approach is to swap the two lines:

...
Http_access allow advance
Http_access allow normal
...


Advanced users are not affected.
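The ordering effects described here and in the earlier http_access discussion (normal before advance prompting everyone for a password, a deny that never fires because an earlier allow already covers the client, and the default applied when nothing matches) can be checked offline before reloading Squid. The following simulator is an added example, not code from the original post or from the Squid project; it models first-match http_access evaluation for the ACL types the post uses, the ACL names are the post's, and the IPs and MACs are illustrative.

```python
# Added example (not from the original post): a small simulator of Squid's
# first-match http_access evaluation, to check rule order before reloading.
# Covers the ACL types the post uses: src, arp, dstdomain, proxy_auth.
import ipaddress

def parse_acl(line):
    """'acl NAME TYPE ARG...' -> (NAME, (TYPE, [ARG, ...]))"""
    _, name, kind, *args = line.split()
    return name, (kind, args)

def acl_matches(kind, args, req):
    """True/False, or None when proxy_auth needs credentials the request lacks."""
    if kind == "src":
        ip = ipaddress.ip_address(req["ip"])
        for arg in args:
            rng = arg.split("/")[0]
            if "-" in rng:                              # range form a-b/32
                lo, hi = map(ipaddress.ip_address, rng.split("-"))
                if lo <= ip <= hi:
                    return True
            elif ip in ipaddress.ip_network(arg, strict=False):
                return True
        return False
    if kind == "arp":
        return req.get("mac", "").lower() in {a.lower() for a in args}
    if kind == "dstdomain":                             # leading "." matches subdomains too
        host = req.get("host", "").lower()
        return any(host == d.lstrip(".").lower() or
                   (d.startswith(".") and host.endswith(d.lower())) for d in args)
    if kind == "proxy_auth":
        return True if req.get("user") else None        # no credentials -> 407 challenge
    raise ValueError("unsupported acl type " + kind)

def evaluate(acls, rules, req):
    """Walk http_access lines in order; every ACL on a line must match (AND)."""
    last_action = None
    for line in rules:
        _, action, *names = line.split()
        last_action = action
        matched = True
        for name in names:
            negate = name.startswith("!")
            hit = acl_matches(*acls[name.lstrip("!")], req)
            if hit is None:                 # Squid stops here and asks for a password
                return "CHALLENGE"
            if hit == negate:               # the ACL (or its negation) did not match
                matched = False
                break
        if matched:
            return action.upper()
    # nothing matched: Squid applies the opposite of the last rule's action
    return "DENY" if last_action == "allow" else "ALLOW"

# illustrative ACL set in the post's naming (MACs and address ranges are made up)
ACLS = dict(parse_acl(ln) for ln in [
    "acl advance arp 00:01:02:1f:2c:3e 00:01:02:3c:1a:8b",
    "acl normalnet src 192.168.0.11-192.168.0.200/32",
    "acl baduser src 192.168.0.100/32",
    "acl normal proxy_auth REQUIRED",
    "acl all src 0.0.0.0/0",
])

def decide(rules, **req):
    """Decision for one request (ip=, mac=, user=, host=) under the given rule order."""
    return evaluate(ACLS, rules, req)
```

For instance, `decide(["http_access allow normal", "http_access allow advance"], ip="192.168.0.5", mac="00:01:02:1f:2c:3e")` returns CHALLENGE for an advanced user, and swapping the two lines returns ALLOW.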

Summary

The following is a summary of squid. conf:

# Server configuration
http_port 192.168.0.1:3128
cache_mgr start@soocol.com
cache_dir null /tmp
cache_access_log /var/squid/access.log
cache_log /var/squid/cache.log
cache_store_log /var/squid/store.log
visible_hostname No1.proxy
client_netmask 255.255.255.255
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

# User categories
acl advance arp 00:01:02:1f:2c:3e 00:01:02:3c:1a:8b ...
acl normal proxy_auth REQUIRED
acl all src 0.0.0.0/0

# Behaviour categories
acl mmxfile urlpath_regex \.mp3$ \.avi$ \.exe$ # stop clients downloading *.mp3, *.avi and *.exe files
acl conncount maxconn 3
acl worktime time MTWHF --
acl sinapage dstdomain OK.sina.com.cn
acl qq dstdomain .tencent.com.cn .tencent.com # stop QQ from reaching the Internet through the proxy

# Processing
http_access allow advance
http_access deny conncount normal
http_access deny !worktime
http_access deny mmxfile
http_access deny sinapage
http_access deny qq # this line must come before the authentication line; otherwise QQ can still go through the proxy
http_access allow normal
http_access deny all

Note: 1. The order of the acl statements does not affect whether the authentication window pops up, but the order of the http_access statements is very important.
2. If no acl and http_access statements cover the host (by IP address or physical address) besides the authentication statements, only the authentication window is shown and the user cannot reach the Internet even after authenticating.

After this configuration the advance group can access the Internet without restriction, while the normal group can only access it during working hours, cannot download multimedia files or reach certain websites, and cannot hold more than three connections at once.

This article introduces the basic capabilities of Squid. Of course, it is far more powerful than this. It can build a powerful proxy server array to help local Web servers improve performance and improve the security of local networks. Further control is needed to make full use of its functions.


Test method:
ps aux | grep squid # check whether the squid service is running
netstat -an | grep 3128 # check whether Squid's port 3128 is listening
1. [root@squid15]# GET / # works when Squid listens on all of the server's IP addresses and ports
2. [root@squid15]# squidclient http://www.squid-cache.org/ # works only when Squid listens on the ports of all IP addresses
Troubleshooting:
1. If Squid fails after startup, check the system log: tail -n 20 /var/log/messages | grep "Nov 25" (note: use the current date) | more

If it works normally, the HTML of Squid's home page scrolls through your terminal window. Once you have confirmed that Squid works, you can interrupt the squid process (for example with Ctrl-C) and run Squid in the background. Appendix:
Logon interface for accessing the Internet via proxy in windows 2000


Windows xp Logon interface through proxy



