Squid configuration details + authentication Full Edition

Source: Internet
Author: User
Here, we need to configure a proxy server that serves only the internal network. It divides users into two types: advanced users and normal users. Advanced users are identified by the MAC (physical) address of their NIC. Normal users must enter a user name and password before they can use the proxy. Advanced users have no access-time or file-type restrictions, while normal users can only access the Internet during working hours and are subject to some other restrictions.
  
   Install
You can get the software as source code from the Squid site www.squid-cache.org, or as a packaged release such as the RPM package provided by Red Hat.
  
The RPM installation method is simple. The command is as follows:
  
$ rpm -ivh squid-2.x.STABLEx.i386.rpm
  
However, the author believes that even if Squid is already installed on the system by default, you should remove it first and then install the latest source code package. Open-source software constantly fixes problems and adds features, so the latest version gives the best performance and security, and building from source can be fully customized. Unpack the archive:
  
$ tar xvfz squid-2.5.STABLE.tar.gz
  
The bz2-compressed package may be smaller. The corresponding command is:
  
$ tar xvfj squid-2.5.STABLE.tar.bz2
  
Then, enter the corresponding directory to configure and compile the source code. The command is as follows:
  
$ cd squid-2.5.STABLE2
  
The configure command has many options. If you are not sure about them, use "--help" to list them. Generally, the following options are used:
  
--prefix=/web/squid
# Specify the installation location of Squid. If only this option is specified, that directory contains the bin, sbin, man, conf, and other directories, and the main configuration file is in the conf subdirectory. To make management easier, it is best to also use the --sysconfdir=/etc parameter so that the configuration file is placed in /etc.
--enable-storeio=ufs,null
# The storage file system is usually the default ufs, but if you want to create a proxy server that does not cache any files, you need to add the null file system.
--enable-arp-acl
# This lets you use the client's MAC address directly in rule settings, to prevent IP spoofing.
--enable-err-languages="Simplify_Chinese"
--enable-default-err-language="Simplify_Chinese"
# The above two options tell Squid to compile in and use the Simplified Chinese error messages.
--enable-linux-netfilter
# Linux transparent proxy is allowed.
--enable-underscores
# Underscores are allowed in the URL to be parsed. By default, Squid considers a URL containing an underscore illegal and rejects access to it.
  
The configuration compilation process is as follows:
  
./configure --prefix=/var/squid \
  --sysconfdir=/etc \
  --enable-arp-acl \
  --enable-linux-netfilter \
  --enable-pthreads \
  --enable-err-languages="Simplify_Chinese" \
  --enable-storeio=ufs,null \
  --enable-default-err-language="Simplify_Chinese" \
  --enable-auth="basic" \
  --enable-basic-auth-helpers="NCSA" \
  --enable-underscores
Some of these options have special functions and will be described below.
  
Finally, run the make and make install commands to compile the source code into executable files and copy them to the specified location.
  
   Basic Configuration
After the installation is complete, configure how Squid runs (this is separate from the build-time configuration above). All settings are made in squid.conf. The squid.conf shipped with Squid contains very detailed comments, which amount to a user manual. You can refer to that file for any questions about the configuration.
  
In this example, the proxy server is also a gateway. The IP address of the internal network interface eth0 is 192.168.0.1, and the IP address of the external network interface eth1 is 202.103.x.x. The following are the configuration options required for a basic proxy:
  
http_port 192.168.0.1:3128
  
The default port is 3128. Of course, it can be any other port, as long as it does not conflict with other services. For security, the IP address is put in front of the port so that Squid does not listen on the external network interface.
  
The following configuration option is the e-mail address of the server administrator. When an error occurs, the address is displayed on the error page so that users can get in touch easily:
  
cache_mgr start@soocol.com
  
The following parameters specify the file system, location, and cache policy that Squid uses for its cache:
  
cache_dir ufs /var/squid
cache_mem 32 MB
cache_swap_low 90
cache_swap_high 95
  
Here, Squid uses the /var/squid directory to store cached data, and the in-memory cache size is 32 MB. When the cache space reaches 95% full, new content replaces old content instead of simply being added to the directory, until usage drops to 90% again. If you do not want Squid to cache any files, for example on a dedicated system with limited storage space, you can use the null file system (which does not need those cache policies):
  
cache_dir null /tmp
  
Of the following log settings, the most important is the first line, the user access record. You can analyze it to see in detail every address each user has accessed:
  
cache_access_log /var/squid/access.log
cache_log /var/squid/cache.log
cache_store_log /var/squid/store.log
  
The following line is a parameter that appears in newer versions. It tells Squid the server name to display on the error page:
  
visible_hostname No1.proxy
  
The following configuration tells Squid how to treat client addresses, handling the IP address of each request as a separate address:
  
client_netmask 255.255.255.255
  
For an ordinary proxy server, the above configuration is sufficient. However, many Squid installations are used as transparent proxies. A transparent proxy means that the client does not know the proxy server exists and needs no proxy-related settings, which makes life much easier for the system administrator. The related options are:
  
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
  
On Linux, you can use iptables/ipchains to redirect requests for Web port 80 directly to Squid's port 3128. Squid takes over the request, while the user's browser still believes it is accessing port 80 of the remote server. For example, the following command:
  
iptables -t nat -A PREROUTING -s 192.168.0.200/32 -p tcp --dport 80 -j REDIRECT --to-ports 3128
  
That is, all requests from 192.168.0.200 destined for port 80 are redirected to port 3128.
  
After all the settings are complete, the key task is access control. Squid supports many management methods and is very easy to use (this is why some people prefer to use Squid without any caching rather than use iptables on its own). Squid can identify users by IP address, host name, MAC address, user name/password authentication, and so on. It can also control user access by domain name, domain suffix, file type, IP address, port, URL matching, and so on, and it can apply time intervals to users. Access control is therefore the focus of Squid configuration.

Squid classifies access types with ACLs (Access Control Lists) and controls them with http_access deny or allow. As required, define two groups of users (advance and normal), an all group for every user not otherwise specified, and baduser for users who are not allowed to access the Internet. The configuration code is as follows:

acl advance src 192.168.0.2-192.168.0.10/32
acl normal src 192.168.0.11-192.168.0.200/32
acl baduser src 192.168.0.100/32
acl baddst dst www.soocol.com
acl all src 0.0.0.0/0
  
http_access deny baduser
http_access allow advance
http_access allow normal
  
The basic ACL format is as follows:
  
acl list-name control-mode control-target
  
For example, in acl all src 0.0.0.0/0 the list name is all, the control mode is src (source IP address), and the control target is 0.0.0.0/0, that is, all undefined users. For security reasons, this list is always denied at the end.
  
The following list represents advanced users, including all computers with IP addresses ranging from 192.168.0.2 to 192.168.0.10:
  
acl advance src 192.168.0.2-192.168.0.10/32
  
The following baduser list contains only one computer, and its IP address is 192.168.0.100:
  
acl baduser src 192.168.0.100/32
  
After the ACLs are defined, you need to control each of them. The code is as follows:

http_access deny baduser
http_access allow advance
http_access allow normal

The code above tells Squid that the baduser group is not allowed to access the Internet, but the advance and normal groups are allowed (detailed permissions are not yet specified). Because Squid reads rules in order, baduser is denied first and normal is allowed afterwards. If the order of the two rules were reversed, then because baduser falls inside the normal range, Squid would allow everything in normal first, and the later deny for baduser would have no effect.
  
Note that Squid treats rules in an allow-deny-allow-deny ... pattern. When a user accesses the proxy server, Squid tests the request against all the defined rules in order. If none of the rules match, Squid applies the opposite of the last rule. In the preceding example, assume that a user's IP address is 192.168.0.201. What happens when he tries to access the Internet through this proxy server? We will find that it can be accessed normally: Squid searches all the access lists, finds no definition related to 192.168.0.201, and then applies the default. The last rule is deny, so Squid's default action is allow, and 192.168.0.201 can access the Internet. This is obviously not what we want. Therefore, in every squid.conf the last rule is always http_access deny all, where all is the previously defined "src 0.0.0.0/0".
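The rule ordering and default-action behaviour described above, as an added example that is not part of the original article: a simplified Python model of http_access evaluation (src ACLs only, no negation) run over the article's ACLs. The names src_range, ORDERED, REVERSED, parse_rules and decide are illustrative, and both rule sets are constructed for the demonstration.

```python
import ipaddress

def src_range(first, last):
    """Predicate for a Squid 'src' ACL given as an inclusive address range."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return lambda ip: lo <= ipaddress.ip_address(ip) <= hi

# The article's src ACLs, modelled as predicates on the client IP.
ACLS = {
    "advance": src_range("192.168.0.2", "192.168.0.10"),
    "normal": src_range("192.168.0.11", "192.168.0.200"),
    "baduser": src_range("192.168.0.100", "192.168.0.100"),
    "all": lambda ip: True,  # src 0.0.0.0/0
}

# Constructed rule sets: the article's order closed by "deny all", and the
# reversed order the article warns about (no closing rule).
ORDERED = """
http_access deny baduser
http_access allow advance
http_access allow normal
http_access deny all
"""
REVERSED = """
http_access allow advance
http_access allow normal
http_access deny baduser
"""

def parse_rules(text):
    """Turn 'http_access allow|deny acl [acl ...]' lines into (action, [acls])."""
    rules = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "http_access" and parts[1] in ("allow", "deny"):
            rules.append((parts[1], parts[2:]))
    return rules

def decide(config, client_ip):
    """First matching line wins; if none match, use the opposite of the last line."""
    rules = parse_rules(config)
    if not rules:
        raise ValueError("no http_access lines to evaluate")
    for action, names in rules:
        if all(ACLS[name](client_ip) for name in names):  # ACLs on one line are ANDed
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"

if __name__ == "__main__":
    for label, cfg in (("ordered", ORDERED), ("reversed", REVERSED)):
        for ip in ("192.168.0.5", "192.168.0.100", "192.168.0.201"):
            print(f"{label:8} {ip:15} -> {decide(cfg, ip)}")
```

In the reversed set, 192.168.0.100 is let through by the normal rule before the baduser deny is reached, and the unlisted 192.168.0.201 is allowed because the list ends in a deny; the closing deny all in the ordered set removes both problems.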
  
   Advanced Control
As mentioned above, Squid's control functions are very powerful. As long as you understand how Squid behaves, it can meet essentially any control requirement. Next, let's look step by step at how Squid applies its controls.
  
Identifying users by IP address is unreliable. The MAC (physical) address of the NIC is a better identifier than the IP address. To use MAC address recognition in Squid, you must add the "--enable-arp-acl" option at compile time.