Differences between two versions of this page are shown here.

squid [2009/02/02 14:06] – created gerald | squid [2024/02/29 13:36] (current) – external edit 127.0.0.1
====== Squid Proxy-Server ======

[[squid:

===== Clearing Squid-Cache =====
<code>
squid -k shutdown
rm -fr /
</code>
then re-create the swap directory structure:
<code>
squid -z
</code>

[[squid:
Source((http://
===== Starting Squid =====

Use chkconfig to configure Squid to start at boot:
<code>
</code>
Use the service command to start, stop, and restart Squid after booting:
<code>
[root@bigboy tmp]# service squid stop
[root@bigboy tmp]# service squid restart</code>

You can test whether the Squid process is running with the pgrep command:
<code>
</code>

You should get a response of plain old process ID numbers.
===== The /

The main Squid configuration file is squid.conf, and, like most Linux applications,
==== The Visible Host Name ====

Squid will fail to start if you don't give your server a hostname. You can set this with the visible_hostname parameter. Here, the hostname is set to the real name of the server bigboy.
<code>
</code>

==== Access Control Lists ====

You can limit users' ability to browse the Internet with access control lists (ACLs). Each ACL line defines a particular type of activity, such as an access time or source network; each ACL is then linked to an http_access statement that tells Squid whether to allow or deny traffic that matches it.

Squid matches each Web access request it receives by checking the http_access list from top to bottom. If it finds a match, it enforces the allow or deny statement and stops reading further. You have to be careful not to place a deny statement in the list that blocks a similar allow statement below it. The final http_access statement denies everything, so it is best to place new http_access statements above it.

Note: The very last http_access statement in the squid.conf file denies all access. You therefore have to add your specific permit statements above this line. In the chapter'
Squid has a minimum required set of ACL statements in the ACCESS_CONTROL section of the squid.conf file. It is best to put new customized entries right after this list to make the file easier to read.

==== Restricting Web Access By Time ====

You can create access control lists with time parameters. For example, you can allow only business hour access from the home network, while always restricting access to host 192.168.1.23.
<code>
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/
acl business_hours time M T W H F 9:
acl RestrictedHost src 192.168.1.23

#
# Add this at the top of the http_access section of squid.conf
#
http_access deny RestrictedHost
http_access allow home_network business_hours
</code>
Or, you can allow morning access only:
<code>
#
# Add this to the bottom of the ACL section of squid.conf
#
acl mornings time 08:

#
# Add this at the top of the http_access section of squid.conf
#
http_access allow mornings
</code>
==== Restricting Access to Specific Web Sites ====

Squid is also capable of reading files containing lists of web sites and/or domains for use in ACLs. In this example we create two lists in files named /
<code>
# File: /
www.openfree.org
linuxhomenetworking.com

# File: /
www.porn.com
illegal.com
</code>
These can then be used to always block the restricted sites and permit the allowed sites during working hours. This can be illustrated by expanding our previous example slightly.
<code>
#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/
acl business_hours time M T W H F 9:
acl GoodSites dstdomain "/
acl BadSites

#
# Add this at the top of the http_access section of squid.conf
#
http_access deny BadSites
http_access allow home_network business_hours GoodSites
</code>
==== Restricting Web Access By IP Address ====

You can create an access control list that restricts Web access to users on certain networks. In this case, it's an ACL that defines a home network of 192.168.1.0.
<code>
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/
</code>
You also have to add a corresponding http_access statement that allows traffic that matches the ACL:
<code>
#
# Add this at the top of the http_access section of squid.conf
#
http_access allow home_network
</code>
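The first-match rule described above is easy to get wrong in a long squid.conf. The following Python model is an added example, not code from the original page or from the Squid project: it reads a squid.conf fragment, resolves the quoted site-list files from an in-memory stand-in, and walks http_access exactly as the text describes (top to bottom, first matching line wins, all ACLs on one line must match). The squid.conf text, the list-file paths and contents, the /24 mask on the home network and the "inclusive range" and "leading dot" interpretations of the time and dstdomain ACLs are assumptions made for this demo; check them against your Squid version before relying on them.

```python
# Added example, not from the original page: a small model of how Squid reads
# http_access top to bottom (first matching line wins; ACLs on one line are
# ANDed), for checking ACL ordering offline before editing squid.conf.
# The squid.conf text, the list files and the /24 home network are constructed.
import ipaddress
from datetime import datetime

# Squid day letters -> datetime.weekday() (Monday == 0 ... Sunday == 6)
DAY_LETTERS = {"M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5, "S": 6}

# constructed stand-ins for the two site-list files named in squid.conf
LIST_FILES = {
    "/etc/squid/allowed-sites.squid": "www.openfree.org\nlinuxhomenetworking.com\n",
    "/etc/squid/restricted-sites.squid": ".blocked.example\nillegal.example\n",
}

# constructed squid.conf fragment in the page's layout: custom lines above the final deny
SQUID_CONF = """
acl all src 0.0.0.0/0
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl RestrictedHost src 192.168.1.23
acl GoodSites dstdomain "/etc/squid/allowed-sites.squid"
acl BadSites dstdomain "/etc/squid/restricted-sites.squid"
http_access deny RestrictedHost
http_access deny BadSites
http_access allow home_network business_hours GoodSites
http_access deny all
"""
# the mistake the page warns about: a deny placed above the allow it shadows
MISORDERED_CONF = SQUID_CONF.replace("http_access deny RestrictedHost\n",
                                     "http_access deny all\nhttp_access deny RestrictedHost\n")


def parse_config(text, list_files=LIST_FILES):
    """Return acl definitions (name -> [(type, values)]) and http_access rules in file order."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if words[:1] == ["acl"]:
            name, kind, values = words[1], words[2], words[3:]
            if values and values[0].startswith('"'):  # quoted argument: file with one entry per line
                values = list_files[values[0].strip('"')].split()
            acls.setdefault(name, []).append((kind, values))
        elif words[:1] == ["http_access"]:
            rules.append((words[1], words[2:]))
    return acls, rules


def _minutes(hhmm):
    hours, mins = hhmm.split(":")
    return int(hours) * 60 + int(mins)


def acl_matches(entries, src, host, when):
    """True if any definition line of the ACL matches (lines of one ACL are ORed)."""
    for kind, values in entries:
        if kind == "src":
            ip = ipaddress.ip_address(src)
            if any(ip in ipaddress.ip_network(v, strict=False) for v in values):
                return True
        elif kind == "dstdomain":
            # assumption: ".example" covers the domain and its subdomains, a bare name only that host
            if any(host == d or (d.startswith(".") and (host == d[1:] or host.endswith(d))) for d in values):
                return True
        elif kind == "time":
            days = {DAY_LETTERS[c] for v in values if "-" not in v for c in v}
            ranges = [v.split("-") for v in values if "-" in v]
            now = when.hour * 60 + when.minute
            day_ok = not days or when.weekday() in days
            # assumption: both ends of the range are inclusive
            if day_ok and (not ranges or any(_minutes(a) <= now <= _minutes(b) for a, b in ranges)):
                return True
    return False


def evaluate(acls, rules, src, host, when):
    """Walk http_access in order; the first line whose ACLs all match decides."""
    for action, names in rules:
        if all(acl_matches(acls[n.lstrip("!")], src, host, when) != n.startswith("!") for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"  # Squid's fallback: opposite of the last line


def check(config_text, src, host, when):
    return evaluate(*parse_config(config_text), src, host, when)


def demo():
    """Decisions for constructed requests; 2024-02-28 is a Wednesday, 2024-03-02 a Saturday."""
    wed_10 = datetime(2024, 2, 28, 10, 30)
    return {
        "restricted_host": check(SQUID_CONF, "192.168.1.23", "www.openfree.org", wed_10),
        "good_site_in_hours": check(SQUID_CONF, "192.168.1.50", "www.openfree.org", wed_10),
        "bad_subdomain": check(SQUID_CONF, "192.168.1.50", "www.blocked.example", wed_10),
        "good_site_evening": check(SQUID_CONF, "192.168.1.50", "www.openfree.org", datetime(2024, 2, 28, 20, 0)),
        "good_site_saturday": check(SQUID_CONF, "192.168.1.50", "www.openfree.org", datetime(2024, 3, 2, 10, 30)),
        "outside_network": check(SQUID_CONF, "10.0.0.5", "www.openfree.org", wed_10),
        "unlisted_site": check(SQUID_CONF, "192.168.1.50", "other.example", wed_10),
        "shadowed_allow": check(MISORDERED_CONF, "192.168.1.50", "www.openfree.org", wed_10),
    }
```

Running `demo()` shows the ordering point in the text directly: with the correct layout only the home-network request to a listed site during business hours is allowed, while `MISORDERED_CONF`, which puts `http_access deny all` above the allow line, denies that same request because Squid stops at the first match. Unmatched requests fall through to the opposite of the last line, which is why the page insists on keeping the catch-all deny at the bottom.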
==== Password Authentication Using NCSA ====
Remember to restart Squid for the changes to take effect.

===== Forcing Users To Use Your Squid Server =====

If you are using access controls on Squid, you may also want to configure your firewall to allow HTTP Internet access only from the Squid server. This forces your users to browse the Web through the Squid proxy.

==== Making Your Squid Server Transparent To Users ====

It is possible to limit HTTP Internet access to only the Squid server without having to modify the browser settings on your client PCs. This is called a transparent proxy configuration. It is usually achieved by configuring a firewall between the client PCs and the Internet to redirect all HTTP (TCP port 80) traffic to the Squid server on TCP port 3128, which is the Squid server'

=== Squid Transparent Proxy Configuration ===

Your first step will be to modify your squid.conf to create a transparent proxy. The procedure is different depending on your version of Squid.

**Prior to version 2.6:** In older versions of Squid, transparent proxy was achieved through the use of the httpd_accel options, which were originally developed for HTTP acceleration. In these cases, the configuration syntax would be as follows:

<code>
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
</code>

**Version 2.6 and Beyond:** Newer versions of Squid simply require you to add the word "
<code>
http_port 3128 transparent
</code>

=== Configuring iptables to Support the Squid Transparent Proxy ===

The examples below are based on the discussion of Linux iptables in Chapter 14, "Linux Firewalls Using iptables"
In both cases below, the firewall is connected to the Internet on interface eth0 and to the home network on interface eth1. The firewall is also the default gateway for the home network and handles network address translation on all the network'
Only the Squid server has access to the Internet on port 80 (HTTP), because all HTTP traffic, except that coming from the Squid server, is redirected.
If the Squid server and firewall are the same server, all HTTP traffic from the home network is redirected to the firewall itself on the Squid port of 3128, and then only the firewall itself is allowed to access the Internet on port 80.
<code>
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \
-j REDIRECT --to-port 3128
iptables -A INPUT -j ACCEPT -m state \
--state NEW,
--dport 3128
iptables -A OUTPUT -j ACCEPT -m state \
--state NEW,
--dport 80
iptables -A INPUT -j ACCEPT -m state \
--state ESTABLISHED,
--sport 80
iptables -A OUTPUT -j ACCEPT -m state \
--state ESTABLISHED,
--sport 80
</code>
**Note:** This example is specific to HTTP traffic. You won't be able to adapt this example to support HTTPS web browsing on TCP port 443, as that protocol specifically doesn'
If the Squid server and firewall are different servers, the statements are different. You need to set up iptables so that all connections to the Web, not originating from the Squid server, are actually converted into three connections;
<code>
iptables -t nat -A PREROUTING -i eth1 -s ! 192.168.1.100 \
-p tcp --dport 80 -j DNAT --to 192.168.1.100:
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/
-d 192.168.1.100 -j SNAT --to 192.168.1.1
iptables -A FORWARD -s 192.168.1.0/
-i eth1 -o eth1 -m state

-p tcp --dport 3128 -j ACCEPT

-i eth1 -o eth1 -m state --state ESTABLISHED,
-p tcp --sport 3128 -j ACCEPT
</code>

In the first statement, all HTTP traffic from the home network except from the Squid server at IP address 192.168.1.100 is redirected to the Squid server on port 3128 using destination NAT. The second statement makes this redirected traffic also undergo source NAT to make it appear as if it is coming from the firewall itself. The FORWARD statements are used to ensure the traffic is allowed to flow to the Squid server after the NAT process is complete. The unusual feature is that the NAT all takes place on one interface: that of the home network (eth1).

You will additionally have to make sure your firewall has rules to allow your Squid server to access the Internet on HTTP TCP port 80, as covered in Chapter 14, "Linux Firewalls Using iptables"

==== Manually Configuring Web Browsers To Use Your Squid Server ====

If you don't have a firewall that supports redirection,

For example, to make these changes using Internet Explorer
  * Click on the "
  * Click on "
  * Click on "
  * Click on "LAN Settings"
  * Configure with the address and TCP port (3128 default) used by your Squid server.

Here's how to make the same changes using Mozilla or Firefox.
  * Click on the "
  * Click on "
  * Click on "
  * Click on "
  * Configure with the address and TCP port (3128 default) used by your Squid server under "

===== Squid Disk Usage =====

Squid uses the ''/

Every webpage and image accessed via the Squid server is logged in the ''/

===== Troubleshooting Squid =====

Squid logs both informational and error messages to files in the /

Another source of errors could be unintended statements in the squid.conf file that cause no errors; mistakes in the configured hours of access, or permitted networks that were forgotten and never added, are just two possibilities.

By default, Squid operates on port 3128, so if you are having connectivity problems, you'll need to follow the troubleshooting steps in Chapter 4, "

Note: Some of Squid'

===== Conclusion =====

Tools such as Squid are popular with many company managers. By caching images and files on a server shared by all, Internet bandwidth charges can be reduced.

Squid'
{{tag>
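Silent ACL mistakes of the kind just described do not appear in cache.log; they show up in access.log as `TCP_DENIED` entries. The following parser and summary are an added example, not code from the original page or from the Squid project. It reads Squid's native access.log format (timestamp, elapsed, client, action/status, bytes, method, URL, ident, hierarchy/peer, content type), counts denied requests per client and per destination host, and separates clients outside the permitted network from permitted-network clients that are denied repeatedly, which is the usual sign of a forgotten ACL entry. The log lines and the 192.168.1.0/24 home network are constructed for the demo.

```python
# Added example, not from the original page: parse Squid's native-format
# access.log and summarize denied requests per client and per host, so that a
# forgotten ACL entry or an unexpected source shows up as a pattern.
# The log lines and the /24 home network are constructed for this demo.
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# native format: timestamp elapsed client action/status bytes method URL ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<action>[A-Z_]+)/(?P<status>\d{3})"
    r"\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$"
)

# constructed sample log; the last line is deliberately malformed
SAMPLE_ACCESS_LOG = """\
1709114400.101    250 192.168.1.50 TCP_MISS/200 14832 GET http://www.openfree.org/ - DIRECT/203.0.113.10 text/html
1709114401.210      5 192.168.1.50 TCP_HIT/200 2210 GET http://www.openfree.org/logo.png - NONE/- image/png
1709114402.330      1 192.168.1.23 TCP_DENIED/403 3885 GET http://www.openfree.org/ - HIER_NONE/- text/html
1709114403.400      1 192.168.1.23 TCP_DENIED/403 3885 GET http://linuxhomenetworking.com/ - HIER_NONE/- text/html
1709114404.512      2 192.168.1.77 TCP_DENIED/403 3901 GET http://www.blocked.example/ - HIER_NONE/- text/html
1709114405.620    180 192.168.1.77 TCP_MISS/200 5120 GET http://linuxhomenetworking.com/ - DIRECT/203.0.113.20 text/html
1709114406.700      1 10.0.0.5 TCP_DENIED/403 3885 GET http://www.openfree.org/ - HIER_NONE/- text/html
1709114407.800   3000 192.168.1.50 TCP_MISS/200 8412 CONNECT secure.example:443 - DIRECT/203.0.113.30 -
this line is not in native format and is skipped
"""


def parse_access_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped rather than fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["status"], rec["bytes"] = int(rec["status"]), int(rec["bytes"])
        # CONNECT requests log "host:port" without a scheme, so fall back to splitting on ':'
        rec["host"] = urlsplit(rec["url"]).hostname or rec["url"].split(":")[0]
        yield rec


def summarize(text, home_network="192.168.1.0/24"):
    """Count denied requests and flag the two patterns worth checking after an ACL change."""
    net = ipaddress.ip_network(home_network)
    denied_by_client, denied_hosts, hits, total = Counter(), Counter(), 0, 0
    for rec in parse_access_log(text):
        total += 1
        if rec["action"].startswith("TCP_HIT"):
            hits += 1
        if rec["action"] == "TCP_DENIED":
            denied_by_client[rec["client"]] += 1
            denied_hosts[rec["host"]] += 1
    inside = {c for c in denied_by_client if ipaddress.ip_address(c) in net}
    return {
        "total": total,
        "cache_hits": hits,
        "denied_by_client": dict(denied_by_client),
        "denied_hosts": dict(denied_hosts),
        # denied clients outside the permitted network: unexpected sources, not an ACL typo
        "denied_outside_network": sorted(set(denied_by_client) - inside),
        # permitted-network clients denied more than once: usually a missing ACL entry
        "repeat_denied_inside": sorted(c for c in inside if denied_by_client[c] > 1),
    }
```

In the constructed sample, 192.168.1.23 is denied twice (expected, since the page's ACL example blocks that host outright, but worth confirming against squid.conf), 192.168.1.77 is denied once for a restricted site and then served normally, and 10.0.0.5 is a source outside the home network that the firewall should not have let through at all.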