Use RedHat to create a secure and efficient Proxy Server

Source: Internet
Author: User
Tags: ip, number

Linux is secure, efficient and inexpensive, but it has a reputation for being hard to use. In fact, as Linux has kept developing, its ease of use has improved greatly. With a Linux operating system, a machine with a 400 MHz CPU and 200 to 300 MB of memory is enough to act as a server that lets the whole LAN reach the Internet over ADSL. This article uses RedHat 8.0 and Squid as an example to build a secure and efficient proxy server.
Configure server access
First, the server itself must be able to access the Internet. To improve efficiency, and to keep the Intranet and Internet sides apart, two NICs are generally used: one connected to the Intranet and one to the ADSL line. The following steps describe an ADSL-type broadband connection.
1. Click Start (the Red Hat icon) → System Tools → Network Device Control.
2. Click [Configure] in the "Network Device Control" window.
3. Select the internal NIC and click [Edit].
4. Select "Activate device when computer starts", choose "Statically set IP addresses", and enter the IP address 192.168.1.1 (assuming the Intranet uses the segment 192.168.1.2 ~ 192.168.1.254). Enter 255.255.255.0 as the subnet mask, leave the default gateway empty, and click [OK].
5. Select the external NIC and give it a private (reserved) IP address such as 192.168.2.1; the other settings are the same as in step 4. This NIC could be left without a static address, but then it tries to obtain one by DHCP at startup, which slows booting considerably.
6. Click Start > System Tools > Internet Configuration Wizard, select "xDSL connection" in the "Select Device Type" window, and click [Forward].
7. Under "Ethernet device" select the external NIC. The "Provider name" can be anything. After "Login name" enter the account assigned by your ISP (the telecom company), and after "Password" enter the dial-up password. See figure 3. Press [Forward], and in the "Create DSL connection" window click [Apply].
8. Back in the "Network Configuration" window, select the ppp0 device you just created and click [Activate]. ADSL now starts dialing. If you want it to dial automatically every time the machine boots, click [Edit] and select "Activate device when computer starts". Note that a proxy-only server does not need IP forwarding: leave net.ipv4.ip_forward at 0 so that Intranet hosts cannot route straight to the Internet through this machine and bypass Squid.
Client Configuration
First, make sure the LAN is connected and TCP/IP is installed on the clients. Clients running Windows 9x, Me, 2000, XP or other operating systems are easy to set up. Open the browser, click Tools > Internet Options, open the Connections tab and click [LAN Settings]; check "Use a proxy server for your LAN" (the wording differs slightly between versions), enter the server IP address 192.168.1.1 after "Address" and 3128 after "Port".
Configure Squid
Many proxy servers are available on Linux, and Squid is one of them. It caches Internet data: it receives users' download requests, fetches the data, and serves repeated requests for the same objects from its cache. Squid can proxy HTTP, FTP, Gopher, SSL (through CONNECT) and WAIS; it cannot proxy POP, NNTP and similar protocols. Its configuration file is /etc/squid/squid.conf, and editing this file tailors Squid to your needs. Beginners may find the number of options bewildering, but once you understand how the file is organized you can control the proxy as you like. (A line beginning with "#" is a comment; in this file the commented lines show the built-in default value of each option.) One setting to check before anything else: by default Squid listens on TCP port 3128 on every interface, including the external one, so restrict it to the Intranet address with "http_port 192.168.1.1:3128" (or block port 3128 on the ADSL side) so that you do not run an open proxy on the Internet.
1. The simplest Proxy Server
If you do not want to spend time on this and have no requirements for the security or efficiency of the proxy, a single word change is enough to get Squid working: search for "http_access" and, on the line that is not commented out with "#", change "deny" to "allow". Be aware that this turns Squid into an open proxy for anyone who can reach port 3128, so at the very least bind http_port to the internal address ("http_port 192.168.1.1:3128") or use the access control rules in section 3.
2. Options that affect performance
To get the most out of Squid, it is best to understand its configuration file well. Although the file is very large, you only need to change the options that matter for your situation, not all of them. First, let's look at the options that affect Squid's performance.
(1) # cache_mem 8 MB: the amount of memory Squid should ideally use for in-transit and hot objects. We recommend about 1/3 of physical memory; on a machine with plenty of memory you can set it to half or more. Note that this is not a cap on Squid's total memory use, which is usually several times cache_mem, so do not set it so high that the machine starts swapping.
(2) # maximum_object_size 4096 KB: objects larger than this are not stored in the cache. Lower it if you want to favour access speed; raise it if you want to save as much bandwidth (and cost) as possible. We recommend changing it to 1024 KB.
(3) # minimum_object_size 0 KB: objects smaller than this are not stored in the cache. The default 0 means there is no lower limit.
(4) # maximum_object_size_in_memory 8 KB: the largest object that is kept in memory rather than only on disk. If memory is plentiful, raise it so that larger objects can be served to clients from RAM.
(5) # cache_dir ufs /var/spool/squid 100 16 256: the directory, size and directory structure of the disk cache. 100 is the size in MB; 16 and 256 are the numbers of first-level and second-level subdirectories.
(6) # cache_swap_low 90 and # cache_swap_high 95: percentages of the disk cache size. When usage rises above cache_swap_high, Squid removes objects aggressively until usage falls below cache_swap_low. On a large cache the two values can be set closer together, since each percent represents a lot of data.
3. Access control settings
We can restrict which groups of computers or IP addresses may access the Internet and at what times, and block websites containing certain keywords. To use access control you first declare ACL elements and then apply them in http_access rules. An ACL declaration has the following format:
acl acl_element_name type_of_acl_element values_to_acl
http_access lines are evaluated from top to bottom, and the first line whose ACLs all match decides, so the order of the lines matters and the list should end with an explicit deny for everyone.
(1) Only let Intranet computers use the proxy: allow only hosts in 192.168.1.0/24 (192.168.1.1 ~ 192.168.1.254).
acl school_clients src 192.168.1.0/255.255.255.0
acl all_clients src 0.0.0.0/0.0.0.0
http_access allow school_clients
http_access deny all_clients
(2) Time limit. Only allow the machines 192.168.1.1 ~ 192.168.1.254 to use the proxy from 7:00 to 17:00, Monday to Friday. If you do not want to restrict the days, remove "MTWHF" from the second line (the day letters are S, M, T, W, H, F and A for Sunday through Saturday). A "!" in front of an ACL name negates it.
acl school_clients src 192.168.1.0/255.255.255.0
acl allow_time time MTWHF 7:00-17:00
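The rules in this section are easy to get subtly wrong: an ACL name misspelled on an http_access line stops Squid from starting, a list that ends with a deny but has no catch-all silently allows everyone else, and the time ACL only takes effect when it is combined with the client ACL on the same http_access line. The following evaluator is an added example, not code from the original article and not Squid's own code. It implements the subset of squid.conf used above (acl ... src, acl ... time, http_access) with Squid's documented semantics: lines are checked top to bottom, a line matches only if every ACL on it matches, the first match decides, and if nothing matches the result is the opposite of the last line. The two http_access lines that combine allow_time with school_clients are an assumption (the article breaks off before them), and the configuration text and client addresses are constructed for the demonstration.

```python
"""Offline evaluator for the squid.conf access rules discussed above.

Added example, not from the original article and not Squid's own code.
Supports `acl NAME src CIDR`, `acl NAME time [DAYS] HH:MM-HH:MM` and
`http_access allow|deny ACL [!ACL ...]` with Squid's first-match semantics.
"""
import ipaddress
from datetime import datetime

# Squid day letters: S=Sunday M=Monday T=Tuesday W=Wednesday H=Thursday
# F=Friday A=Saturday, mapped to datetime.weekday() (Monday == 0).
DAY_LETTERS = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}

# Constructed config: the article's ACLs plus the assumed http_access lines
# that tie the time window to the Intranet clients and then deny everyone.
SQUID_CONF = """
acl school_clients src 192.168.1.0/255.255.255.0
acl allow_time time MTWHF 7:00-17:00
acl all_clients src 0.0.0.0/0.0.0.0
http_access allow school_clients allow_time
http_access deny all_clients
"""


def parse_conf(text):
    """Return (acls, rules). Raise ValueError for an undefined ACL name,
    which is the error Squid reports at startup for a typo such as
    'school_clines'."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, kind, args = parts[1], parts[2], parts[3:]
            if kind == "src":
                # ipaddress accepts both prefix and dotted-netmask forms
                nets = [ipaddress.ip_network(a, strict=False) for a in args]
                acls[name] = ("src", nets)
            elif kind == "time":
                days, start, end = set(range(7)), 0, 24 * 60 - 1
                for a in args:
                    if "-" in a:  # HH:MM-HH:MM window, kept as minutes
                        s, e = a.split("-")
                        start = int(s.split(":")[0]) * 60 + int(s.split(":")[1])
                        end = int(e.split(":")[0]) * 60 + int(e.split(":")[1])
                    else:  # day letters
                        days = {DAY_LETTERS[c] for c in a}
                acls[name] = ("time", days, start, end)
            else:
                raise ValueError(f"unsupported acl type {kind!r}")
        elif parts[0] == "http_access":
            action, names = parts[1], parts[2:]
            if action not in ("allow", "deny"):
                raise ValueError(f"bad http_access action {action!r}")
            for n in names:
                if n.lstrip("!") not in acls:
                    raise ValueError(f"http_access references undefined ACL {n!r}")
            rules.append((action, names))
    return acls, rules


def acl_matches(acl, ip, when):
    """True if one ACL element matches the client address / request time."""
    if acl[0] == "src":
        return any(ip in net for net in acl[1])
    _, days, start, end = acl
    minute = when.hour * 60 + when.minute
    return when.weekday() in days and start <= minute <= end


def http_access(conf, client, when):
    """Decide 'allow' or 'deny' for client (dotted IP) at datetime `when`."""
    acls, rules = conf
    ip = ipaddress.ip_address(client)
    for action, names in rules:
        # a line matches only when every ACL on it matches ("!" negates)
        if all(acl_matches(acls[n.lstrip("!")], ip, when) != n.startswith("!")
               for n in names):
            return action
    if not rules:
        return "deny"  # no http_access lines at all: Squid denies
    # No line matched: Squid's default is the opposite of the last line.
    return "deny" if rules[-1][0] == "allow" else "allow"


def decide(conf_text, client, when_str):
    """Convenience wrapper; when_str is 'YYYY-MM-DD HH:MM'."""
    when = datetime.strptime(when_str, "%Y-%m-%d %H:%M")
    return http_access(parse_conf(conf_text), client, when)


if __name__ == "__main__":
    # 2024-01-08 is a Monday, 2024-01-13 a Saturday (constructed timestamps)
    print(decide(SQUID_CONF, "192.168.1.10", "2024-01-08 10:00"))  # allow
    print(decide(SQUID_CONF, "192.168.1.10", "2024-01-13 10:00"))  # deny
    print(decide(SQUID_CONF, "10.0.0.5", "2024-01-08 10:00"))      # deny
```

Run it against your own squid.conf fragment to see which line a given client hits before restarting Squid. The "opposite of the last line" default is the part most worth remembering: a rule list that ends in "http_access deny some_acl" without a final "deny all_clients" lets every other address through.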