Squid Proxy Server

Source: Internet
Author: User
Tags: ftp, protocol, squid, proxy

Installing squid

Some distributions come with squid preinstalled, while others do not. On a yum-based system it can be installed with:

# yum install squid

Proxy Server Overview

Squid provides cache acceleration and application-level filtering and control. When a client requests a web page through the proxy, the proxy server first checks its own cache: if the page the client needs is already cached, it returns the cached content directly to the client; if not, the proxy server sends the request to the Internet itself, and when the page comes back it saves the page data to the cache and sends it on to the client.

The objects accelerated by an HTTP proxy cache are mainly static web elements such as text and images. Caching avoids sending duplicate web requests out to the Internet, which appreciably speeds up the client's web access.

Because the client's web request is actually made by the proxy server, the proxy hides the user's real IP address and so offers a degree of protection. The proxy server can also act as a filter.

Basic types of proxy servers


1). Traditional proxy

This is the ordinary proxy service: in the client's browser, QQ chat tool or other software, the proxy server address and port must be set manually before the proxy can be used to access the network. With a browser, for example, the domain name resolution request for the site is also sent to the specified proxy server.

2). Transparent proxy

Provides the same functionality as a traditional proxy, except that with a transparent proxy the client does not specify the proxy server's address and port. Instead, a firewall policy redirects web access arriving via the default route to the proxy. This is transparent to the client, which does not know it is using a proxy, hence the name. When a transparent proxy is used, the web browser's domain name resolution request for the site is sent first to the DNS server.

In practice, traditional proxies are used on the Internet, for example by programs that use a proxy to hide the real local IP address, or by download tools that use multiple proxies to get around a server's concurrent connection limit. Transparent proxies are used in LAN environments.

Squid configuration file

Squid's configuration file is located at /etc/squid/squid.conf. The main directives are:

http_port 3128 // Listening address and port of the proxy service (the default port is 3128). If the server has more than one network interface but should only serve one IP, the IP address can be given as well, for example: http_port 192.168.1.33:3128

cache_mem <size> MB // Amount of memory used by the cache, in megabytes and a multiple of 4. Setting it to 1/4 to 1/3 of physical memory is recommended, depending on the performance and load of the server.

maximum_object_size 4096 KB // Maximum size of a single object (file) that may be saved in the cache, in kilobytes. Files exceeding the limit are not cached but passed straight to the user. The default of 4096 KB is enough for ordinary pages; if audio, video and similar files should be proxied and cached, increase it appropriately.

reply_body_max_size 10240000 allow all // Maximum file size, in bytes, that users are allowed to download. The default is 0 bytes, meaning no limit. "all" refers to any user.

cache_dir ufs /var/spool/squid 100 16 256 // Directory used for cached data, its capacity, number of subdirectories and related parameters. ufs (UNIX File System) is the earliest cache file format used by squid; /var/spool/squid is the default directory for cached data; the numbers that follow are the disk space (MB) allocated to the cache directory, the number of first-level subdirectories and the number of second-level subdirectories. When the proxy serves many users, the cache directory size can be increased appropriately.

access_log /var/log/squid/access.log squid // Location and record format of the proxy server's log (here the native "squid" format)

visible_hostname proxy.dyq.com // The hostname of the proxy server that is visible to clients

dns_testnames www.google.com www.sina.com.cn www.162.com // Hostnames used to test DNS resolution at startup; to be sure that resolution works, it is best to list several.

Building a traditional proxy

A traditional proxy is characterised by the client program having to specify the proxy server's address, port and other basic information. The following example illustrates this.

Example Description:

Server A (192.168.1.12) →→ Server B, squid proxy (192.168.1.13) →→ Client C (192.168.1.14)

To configure squid as a traditional proxy there are two points to note:

1. Configure the visible host name.

2. Add the http_access allow all access policy so that any client can use the proxy service.

Modify the squid.conf configuration file:

# vim /etc/squid/squid.conf

http_port 3128

visible_hostname localhost.localdomain

reply_body_max_size 10240000 allow all # maximum file size allowed to be downloaded

http_access allow all # must be placed before http_access deny all

Initializing and starting the Squid service

When the Squid service is started for the first time, the cache directory must be initialized. If no Squid service script is available, the service can also be started directly with the squid program; in that case the cache directory must be initialized first.

# squid -z // the -z option initializes the cache directory

# squid -D // start the squid service; -D skips the initial DNS test

After modifying the squid.conf configuration file, the configuration must be reloaded to take effect. Either of the following commands reloads it:

# service squid reload

# squid -k reconfigure

Make sure the squid service is running and listening:

# netstat -anpt | grep squid

tcp 0 0 :::3128 :::* LISTEN 8556/(squid)

Setting up Client Configuration

Most browsers and programs have an option for configuring a proxy; the procedure for each client is easy to look up and is not covered here.

Verifying the proxy server

Access a site with the browser through the proxy, then check the server's log file (the access log): the entry for that time shows the request, and the site being accessed sees the proxy's IP address rather than the client's.
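To make the log check above concrete, here is an added example (not code from the original post) that parses lines in squid's native access.log format, the "squid" format named by the access_log directive, and summarizes per client how many requests were served, cached or denied. The sample lines are constructed; the IP addresses are those of the example topology.

```python
import re
from collections import Counter

# Constructed sample lines in squid's native log format: time elapsed client
# action/status size method URL ident hierarchy/peer content-type. The last line
# is deliberately malformed to show that unparsable lines are skipped.
SAMPLE_LOG = """\
1484000001.123    120 192.168.1.14 TCP_MISS/200 4521 GET http://192.168.1.12/index.html - DIRECT/192.168.1.12 text/html
1484000002.456      3 192.168.1.14 TCP_HIT/200 4521 GET http://192.168.1.12/index.html - NONE/- text/html
1484000003.789     95 192.168.1.14 TCP_MISS/200 81234 GET http://192.168.1.12/logo.png - DIRECT/192.168.1.12 image/png
1484000004.012      0 192.168.4.20 TCP_DENIED/403 3410 GET http://192.168.1.12/music/song.mp3 - NONE/- text/html
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<action>\w+)/(?P<status>\d{3})\s+"
    r"(?P<size>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$")

def parse_access_log(text):
    """Return one dict per well-formed line, with numeric fields converted; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["elapsed"], rec["size"], rec["status"] = int(rec["elapsed"]), int(rec["size"]), int(rec["status"])
            records.append(rec)
    return records

def summarize(records):
    """Per-client counts of requests, cache hits, misses and denied requests, plus bytes served."""
    summary = {}
    for r in records:
        c = summary.setdefault(r["client"], Counter())
        c["requests"] += 1
        c["bytes"] += r["size"]
        if r["action"] == "TCP_DENIED":      # rejected by an http_access rule
            c["denied"] += 1
        elif "HIT" in r["action"]:           # TCP_HIT, TCP_MEM_HIT, TCP_REFRESH_HIT, ...
            c["hits"] += 1
        elif "MISS" in r["action"]:          # fetched from the origin server
            c["misses"] += 1
    return summary

if __name__ == "__main__":
    for client, c in summarize(parse_access_log(SAMPLE_LOG)).items():
        print(client, dict(c))
```

Run it against the real file with `parse_access_log(open("/var/log/squid/access.log").read())`; a client that never appears in the log is not going through the proxy.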

Transparent proxy

A transparent proxy provides the same service as a traditional proxy, but its transparency relies on the redirection policies of the default route and the firewall, so it is better suited to serving hosts on the internal network than clients on the Internet.

The environment described below is one in which LAN hosts access the Internet through a Linux gateway:

(1) On the Linux gateway, build squid to provide proxy services for clients accessing the Internet.

(2) On the LAN clients, only the IP address and default gateway need to be set correctly; there is no need to specify a proxy server address, port or other information.

The key to the transparent proxy is the Linux gateway server: the client only needs a correct network address and default gateway and does not need to specify a proxy server.

As for the client's DNS resolution, it is best handled by normal DNS resolution rather than passed to the proxy server. The following section mainly describes the Squid transparent proxy settings and the firewall policy; for the other steps, refer to the traditional proxy configuration above.

Configuring squid to support transparent proxying

Squid does not support transparent proxying by default. To enable it, add the transparent option after the http_port setting.

# vim /etc/squid/squid.conf

http_port 192.168.1.33:3128 transparent

:wq

# service squid reload

Setting the iptables redirection policy

The Squid service is built on the Linux gateway, so correctly setting the firewall policy is enough to hand the LAN hosts' Internet-bound packets to squid for processing. This uses the iptables REDIRECT policy, which redirects traffic to a local port: outgoing packets for the web protocols HTTP and HTTPS are redirected to the local Squid service (port 3128).

REDIRECT is a packet control type (target) that can only be used in the PREROUTING or OUTPUT chains of the nat table, or in chains called from them; the destination port of the mapping is given with the --to-ports option.

Example: packets from 192.168.4.0/24 for protocols such as HTTP and HTTPS are forwarded to the Squid service listening on local port 3128.

# iptables -t nat -A PREROUTING -i eth1 -s 192.168.4.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3128

# iptables -t nat -A PREROUTING -i eth1 -s 192.168.4.0/24 -p tcp --dport 443 -j REDIRECT --to-ports 3128

Because FTP involves multiple ports and multiple connections, it is hard to handle well with a transparent proxy; a traditional proxy, with the proxy IP and port specified manually on the client, is recommended instead.

Verifying the transparent proxy

Some software allows a proxy server address to be set explicitly; on Linux the unset command can be used to clear the http_proxy, https_proxy and similar environment variables so that the client does not use an explicit proxy and its traffic goes through the transparent one.

# unset http_proxy https_proxy


ACL access control

By setting ACLs (access control lists) and restrictions sensibly, the Squid server can filter access by source address, destination address, URL path, time of access and other conditions.

In the squid.conf configuration file, ACL access control is implemented in two steps:

(1) Use acl configuration items to define the conditions to be controlled.

(2) Use http_access configuration items to "allow" or "deny" access for the defined lists.

Defining ACL Lists

Format:

acl list_name list_type list_content ...

The list name can be chosen freely; the list type must be one of squid's predefined values, each corresponding to a different category of control condition; the list content is the specific object being controlled, and its form depends on the list type. It can have several values (separated by spaces, in an "or" relationship).

The key to access control is choosing the list type and the specific condition object.

Set ACL access permissions

Once the access control lists are defined, the http_access configuration item is used to control them. Note: an http_access line must be placed after the acl lines it refers to, and each http_access line defines one access control rule.

Format:

http_access allow|deny list_name ...

Each http_access rule can contain more than one list name, separated by spaces (an "and" relationship), meaning the rule applies only when all of the listed ACLs match. For a negated condition, prefix the ACL name with an exclamation mark ("!").

# vim /etc/squid/squid.conf

http_access deny MYLAN mediafile // prohibit clients from downloading files such as mp3 and mp4

http_access allow MYLAN worktime // allow clients to surf the Internet during working hours

http_access deny all // by default, prohibit all clients from using the proxy

When performing access control, squid checks the rules in order and stops at the first matching rule without searching further (similar to iptables rules). The order of the rules is therefore very important, and two default situations need attention:

(1) When no rules are set: the Squid service rejects the client's request.

(2) When rules exist but none matches: squid applies the opposite of the last rule, that is, if the last rule is allow, the request is denied; otherwise the request is allowed.

Typically the most frequently used control rules are placed first to reduce squid's load. In the overall access control strategy it is recommended to adopt either "deny first, then allow" or "allow first, then deny", with the last rule set as the default policy: http_access allow all or http_access deny all.
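The rule semantics described above (first match wins, ACL names within a rule are ANDed, "!" negates, and no match yields the opposite of the last rule) are worked through in the following added example, which is not code from the original post or from Squid itself. It evaluates the three http_access lines shown above against sample requests; the acl definitions for MYLAN, mediafile and worktime are assumed, since the page does not show them, and only the src, urlpath_regex and time ACL types are implemented.

```python
import ipaddress
import re
from datetime import datetime
# Constructed squid.conf fragment. The http_access lines follow the page's
# example; the three acl definitions are assumed, since the page omits them.
CONFIG = r"""
acl MYLAN src 192.168.4.0/24
acl mediafile urlpath_regex -i \.(mp3|mp4)$
acl worktime time MTWHF 08:30-17:30
http_access deny MYLAN mediafile
http_access allow MYLAN worktime
http_access deny all
"""
DAYS = "SMTWHFA"  # squid day letters, Sunday first (H = Thursday, A = Saturday)

def parse_config(text):
    """Collect acl definitions (name -> (type, args)) and http_access rules, in order."""
    acls, rules = {"all": ("all", [])}, []  # 'all' is squid's built-in match-everything ACL
    for parts in (line.split() for line in text.splitlines()):
        if parts and parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acl, req):
    """Evaluate one ACL against a request: {"src": ip, "url": str, "when": "YYYY-MM-DD HH:MM"}."""
    kind, args = acl
    if kind == "all":
        return True
    if kind == "src":
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(a) for a in args)
    if kind == "urlpath_regex":  # -i makes the patterns case-insensitive
        flags, pats = (re.I, args[1:]) if args[:1] == ["-i"] else (0, args)
        path = re.sub(r"^[a-z]+://[^/]*", "", req["url"])
        return any(re.search(p, path, flags) for p in pats)
    if kind == "time":  # "MTWHF 08:30-17:30": day letters, then an hh:mm range
        when = datetime.strptime(req["when"], "%Y-%m-%d %H:%M")
        start, end = (datetime.strptime(t, "%H:%M").time() for t in args[1].split("-"))
        return DAYS[(when.weekday() + 1) % 7] in args[0] and start <= when.time() <= end
    raise ValueError("unsupported acl type: " + kind)

def decide(acls, rules, req):
    """First rule whose ACLs all match (AND; a leading '!' negates) wins, as squid checks them."""
    for action, names in rules:
        if all(acl_matches(acls[n.lstrip("!")], req) != n.startswith("!") for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"  # no match: opposite of the last rule
```

With the fragment above, a LAN client fetching song.mp3 on a Monday morning is denied by the first rule, the same client fetching index.html is allowed by the second, and on a Saturday it falls through to deny all.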


This article is from the "start from 0" blog; please keep this source link: http://0kaishi.blog.51cto.com/9457500/1679096
