Differences

This page shows the differences between two revisions of the wiki page.

squid [2009/02/02 14:27] gerald
squid [2024/02/29 13:36] (current) – external edit 127.0.0.1
Zeile 1: Zeile 1:
 ====== Squid Proxy-Server ====== ====== Squid Proxy-Server ======
 +
 +[[squid:config|Konfiguration z.B. Browserkennung ändern]]
 +
 +===== Clearing Squid-Cache =====
 +<code>
 +squid -k shutdown
 +rm -fr /var/spool/squid/* (on Debian)
 +</code>
 +then re-create the swap directory structure:
 +<code>
 +squid -z
 +</code>
 +
 +[[squid:ssh|Den Verkehr zwischen Squid-Proxy und Client verschlüsseln]]
  
  
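Review bot: the parenthetical in the "Clearing Squid-Cache" code block is not valid shell. `rm -fr /var/spool/squid/* (on Debian)` fails with a syntax error when pasted, so the "(on Debian)" remark should move into the surrounding prose or become a `#` comment. Two caveats belong next to the block as well: `squid -k shutdown` only initiates a graceful shutdown and returns immediately (Squid keeps serving open connections for `shutdown_lifetime`, 30 seconds by default), so a `rm` issued right after it races with a still-running daemon and may delete files the process is still writing; and the path is only correct when it matches the `cache_dir` directive in squid.conf, which is worth saying explicitly before recommending a recursive force delete. Minor: the heading mixes German and English ("Clearing Squid-Cache") where the neighbouring links are in German.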
Zeile 169: Zeile 183:
  
 Remember to restart Squid for the changes to take effect. Remember to restart Squid for the changes to take effect.
 +
 +===== Forcing Users To Use Your Squid Server =====
 +
 +If you are using access controls on Squid, you may also want to configure your firewall to allow only HTTP Internet access to only the Squid server. This forces your users to browse the Web through the Squid proxy. 
 +
 +==== Making Your Squid Server Transparent To Users ====
 +
 +It is possible to limit HTTP Internet access to only the Squid server without having to modify the browser settings on your client PCs. This called a transparent proxy configuration. It is usually achieved by configuring a firewall between the client PCs and the Internet to redirect all HTTP (TCP port 80) traffic to the Squid server on TCP port 3128, which is the Squid server's default TCP port. 
 +
 +=== Squid Transparent Proxy Configuration ===
 +
 +Your first step will be to modify your squid.conf to create a transparent proxy. The procedure is different depending on your version of Squid. 
 +
 +**Prior to version 2.6:** In older versions of Squid, transparent proxy was achieved through the use of the httpd_accel options which were originally developed for http acceleration. In these cases, the configuration syntax would be as follows: 
 +
 +<code>
 +httpd_accel_host virtual
 +httpd_accel_port 80
 +httpd_accel_with_proxy on
 +httpd_accel_uses_host_header on
 +</code>
 +
 +**Version 2.6 and Beyond:** Newer versions of Squid simply require you to add the word "transparent" to the default "http_port 3128" statement. In this example, Squid not only listens on TCP port 3128 for proxy connections, but will also do so in transparent mode. 
 +<code>
 +http_port 3128 transparent
 +</code>
 +
 +=== Configuring iptables to Support the Squid Transparent Proxy ===
 +
 +The examples below are based on the discussion of Linux iptables in Chapter 14, "Linux Firewalls Using iptables". Additional commands may be necessary for you particular network topology. 
 +In both cases below, the firewall is connected to the Internet on interface eth0 and to the home network on interface eth1. The firewall is also the default gateway for the home network and handles network address translation on all the network's traffic to the Internet. 
 +Only the Squid server has access to the Internet on port 80 (HTTP), because all HTTP traffic, except that coming from the Squid server, is redirected. 
 +If the Squid server and firewall are the same server, all HTTP traffic from the home network is redirected to the firewall itself on the Squid port of 3128 and then only the firewall itself is allowed to access the Internet on port 80.
 +<code> 
 +iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \
 +        -j REDIRECT --to-port 3128
 +iptables -A INPUT -j ACCEPT -m state \
 +        --state NEW,ESTABLISHED,RELATED -i eth1 -p tcp \
 +        --dport 3128
 +iptables -A OUTPUT -j ACCEPT -m state \
 +        --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp \
 +        --dport 80
 +iptables -A INPUT -j ACCEPT -m state \
 +        --state ESTABLISHED,RELATED -i eth0 -p tcp \
 +        --sport 80
 +iptables -A OUTPUT -j ACCEPT -m state \
 +        --state ESTABLISHED,RELATED -o eth1 -p tcp \
 +        --sport 80
 +</code>
 +**Note:** This example is specific to HTTP traffic. You won't be able to adapt this example to support HTTPS web browsing on TCP port 443, as that protocol specifically doesn't allow the insertion of a "man in the middle" server for security purposes. One solution is to add IP masquerading statements for port 443, or any other important traffic, immediately after the code snippet. This will allow non HTTP traffic to access the Internet without being cached by Squid. 
 +If the Squid server and firewall are different servers, the statements are different. You need to set up iptables so that all connections to the Web, not originating from the Squid server, are actually converted into three connections; one from the Web browser client to the firewall and another from the firewall to the Squid server, which triggers the Squid server to make its own connection to the Web to service the request. The Squid server then gets the data and replies to the firewall which then relays this information to the Web browser client. The iptables program does all this using these NAT statements: 
 +<code>
 +iptables -t nat -A PREROUTING -i eth1 -s ! 192.168.1.100 \
 +        -p tcp --dport 80 -j DNAT --to 192.168.1.100:3128
 +iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 \
 +        -d 192.168.1.100 -j SNAT --to 192.168.1.1
 +iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.1.100 \
 +        -i eth1 -o eth1 -m state 
 +         --state NEW,ESTABLISHED,RELATED \
 +        -p tcp --dport 3128 -j ACCEPT
 + iptables -A FORWARD -d 192.168.1.0/24 -s 192.168.1.100 \
 +        -i eth1 -o eth1 -m state --state ESTABLISHED,RELATED \
 +        -p tcp --sport 3128 -j ACCEPT
 +</code>
 +
 +In the first statement all HTTP traffic from the home network except from the Squid server at IP address 192.168.1.100 is redirected to the Squid server on port 3128 using destination NAT. The second statement makes this redirected traffic also undergo source NAT to make it appear as if it is coming from the firewall itself. The FORWARD statements are used to ensure the traffic is allowed to flow to the Squid server after the NAT process is complete. The unusual feature is that the NAT all takes place on one interface; that of the home network (eth1). 
 +
 +You will additionally have to make sure your firewall has rules to allow your Squid server to access the Internet on HTTP TCP port 80 as covered in Chapter 14, "Linux Firewalls Using iptables"
 +
 +==== Manually Configuring Web Browsers To Use Your Squid Server ====
 +
 +If you don't have a firewall that supports redirection, then you need to configure your firewall to only accept HTTP Internet access from the Squid server, as well as configure your PC browser's proxy server settings manually to use the Squid server. The method you use depends on your browser. 
 +
 +For example, to make these changes using Internet Explorer 
 +  * Click on the "Tools" item on the menu bar of the browser. 
 +  * Click on "Internet Options" 
 +  * Click on "Connections" 
 +  * Click on "LAN Settings" 
 +  * Configure with the address and TCP port (3128 default) used by your Squid server. 
 +
 +Here's how to make the same changes using Mozilla or Firefox. 
 +  * Click on the "Edit" item on the browser's menu bar. 
 +  * Click on "Preferences" 
 +  * Click on "Advanced" 
 +  * Click on "Proxies" 
 +  * Configure with the address and TCP port (3128 default) used by your Squid server under "Manual Proxy Configuration"
 + 
 +===== Squid Disk Usage =====
 +
 +Squid uses the ''/var/spool/squid'' directory to store its cache files. High usage squid servers need a large amount of disk space in the /var partition to get optimum performance.
 + 
 +Every webpage and image accessed via the Squid server is logged in the ''/var/log/squid/access.log'' file. This can get quite large on high usage servers. Fortunately, the logrotate program automatically purges this file. 
 +
 +===== Troubleshooting Squid =====
 +
 +Squid logs both informational and error messages to files in the /var/log/squid/ directory. It is best to review these files first whenever you have difficulties.The squid.out file can be especially useful as it contains Squids' system errors. 
 +
 +Another source of errors could be unintended statements in the squid.conf file that cause no errors; mistakes in the configuration of hours of access and permitted networks that were forgotten to be added are just two possibilities. 
 +
 +By default, Squid operates on port 3128, so if you are having connectivity problems, you'll need to follow the troubleshooting steps in Chapter 4, "Simple Network Troubleshooting", to help rectify them. 
 +
 +Note: Some of Squid's capabilities go beyond the scope of this book, but you should be aware of them. For example, for performance reasons, you can configure child Squid servers on which certain types of content are exclusively cached. Also, you can restrict the amount of disk space and bandwidth Squid uses. 
 +
 +===== Conclusion =====
 +
 +Tools such as Squid are popular with many company mangers. By caching images and files on a server shared by all, Internet bandwidth charges can be reduced. 
 +
 +Squid's password authentication feature is well liked because it allows only authorized users to access the Internet as a means of reducing usage fees and distractions in the office. Unfortunately, an Internet access password is usually not viewed as a major security concern by most users who are often willing to share it with their colleagues. Although it is beyond the scope of this book, you should consider automatically tying the Squid password to the user's regular login password. This will make them think twice about giving their passwords away. Internet access is one thing, letting your friends have full access to your e-mail and computer files is quite another.
  
  
 +{{tag>squid proxy webproxy proxyserver}}
  
 
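Review bot: the second iptables block has a broken line continuation. The line `-i eth1 -o eth1 -m state ` has no trailing backslash, so the shell ends the FORWARD rule there and treats `--state NEW,ESTABLISHED,RELATED \` and the rest as a separate command; the first command is rejected because `-m state` requires `--state`, and the rule is never installed. Add the backslash and drop the stray leading space before the last `iptables`. In the same block, `-s ! 192.168.1.100` uses the old intrapositioned negation; newer iptables versions warn about or reject it, and the portable form is `! -s 192.168.1.100`. In the Squid section, `http_port 3128 transparent` is the Squid 2.6 keyword: Squid 3.1 and later replace it with `intercept`, and Squid recommends a dedicated interception port rather than sharing the forward-proxy port 3128, so the text should note which Squid versions it applies to. The "Chapter 14, 'Linux Firewalls Using iptables'" and "Chapter 4, 'Simple Network Troubleshooting'" references come from the source book and point nowhere in this wiki; either link the equivalent wiki pages or drop them. Minor typos: "you particular network topology", "company mangers", the missing space in "difficulties.The squid.out", and the trailing space in `<code> ` that opens the first iptables block.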
squid.1233584855.txt.gz · Last modified: 2024/02/29 13:35 (external edit)