Linux gateway server squid configuration process

  • 2020-05-06 12:08:35
  • OfStack

Preface

Here we configure a proxy server that provides proxy services only for the internal network. It divides users into advanced users and ordinary users. Advanced users are identified by the physical (MAC) address of their network card, while ordinary users must enter a user name and password to work properly. Advanced users have no access time or file type restrictions, while ordinary users have access only during working hours, along with other restrictions.

Install

Install from the package source

The distribution's package source carries the stable version, so install it with the command below:

sudo apt-get install squid squid-common

Compile and install from source

Of course, you can also download the latest version from the official website and compile it yourself:

The downloads include the STABLE version and the DEVEL version; the DEVEL version is usually provided for developers to test. Assuming you downloaded the latest stable version, squid-2.5.STABLE2.tar.gz, unpack it with the following command:

tar xvfz squid-2.5.STABLE2.tar.gz

Packages compressed with bz2 may be smaller. The corresponding command is:

tar xvfj squid-2.5.STABLE2.tar.bz2

Then go to the resulting directory to configure and compile the source code:

cd squid-2.5.STABLE2

The configure command has many options. If you are not sure, you can use "--help" to view them first. Typically, the following options are used:

--prefix=/web/squid

Specifies the installation location of Squid. If you specify only this option, the bin, sbin, man, conf, and other directories are created under this directory, and the main configuration files go in the conf subdirectory. For ease of administration, it is best to place the configuration files in /etc with the parameter --sysconfdir=/etc.

--enable-storeio=ufs,null

The file system used is usually the default ufs, but if you want to build a proxy server that does not cache any files, you need to add the null file system.

--enable-arp-acl

This lets access rules match directly on the client's MAC address, which prevents clients from cheating by changing their IP address.

--enable-err-languages="Simplify_Chinese"

--enable-default-err-language="Simplify_Chinese"

The above two options tell Squid to compile in and use simplified Chinese error messages.

--enable-linux-netfilter

Allows the use of Linux's transparent proxy functionality.

--enable-underscores

Allows underscores in the parsed URL, because by default Squid considers a URL with an underscore illegal and denies access to the address. The entire configuration and compilation process is as follows:

./configure --prefix=/var/squid \
  --sysconfdir=/etc \
  --enable-arp-acl \
  --enable-linux-netfilter \
  --enable-pthreads \
  --enable-err-languages="Simplify_Chinese" \
  --enable-storeio=ufs,null \
  --enable-default-err-language="Simplify_Chinese" \
  --enable-auth="basic" \
  --enable-basic-auth-helpers="NCSA" \
  --enable-underscores

Some of these options have special roles and are described below. Finally, execute the following two commands to compile the source code into an executable and copy it to the specified location.

make

sudo make install

Basic configuration

Once the installation is complete, the next step is to configure how Squid runs (as opposed to the build-time configuration done earlier). All settings are made in squid.conf. The squid.conf that ships with Squid includes very detailed comments, which amount to a user's manual, and you can refer to it for any question about the configuration. In this example, the proxy server is also a gateway, with the internal network interface eth0 at the IP address 192.168.0.1 and the external network interface eth1 at the IP address 202.103.x.x. The following is a basic proxy configuration option:

http_port 192.168.0.1:3128

The default port is 3128; any other port works as long as it does not conflict with other services. For security reasons, the port is prefixed with the internal IP address so that Squid does not listen on the external network interface. The following configuration option is the server administrator's email address, which is displayed on the error page when an error occurs so that users can easily get in touch:

cache_mgr start@soocol.
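One way to check the listener binding described above, as an added example that is not part of the original article: the script below scans squid.conf text for http_port lines that are not bound to an internal address. The 192.168.0.0/24 network, the sample configuration and the function name audit_http_ports are assumptions made for the illustration.

```python
import ipaddress

# Constructed squid.conf fragment for the audit (not from the original page).
SAMPLE_CONF = """\
# listener bound to the internal interface, as in the article
http_port 192.168.0.1:3128
http_port 3128
http_port 0.0.0.0:8080
http_port 203.0.113.10:3128   # documentation address standing in for eth1
"""

# Assumption: the internal network behind eth0 is 192.168.0.0/24.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/24")]


def audit_http_ports(conf_text, internal_nets=INTERNAL_NETS):
    """Return (line_no, spec, reason) for every http_port not bound to an internal address."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) < 2 or fields[0] != "http_port":
            continue
        spec = fields[1]
        host, sep, _port = spec.rpartition(":")
        if not sep:  # bare port number, no address part
            findings.append((line_no, spec, "no address: listens on every interface"))
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            findings.append((line_no, spec, "hostname: resolve and check by hand"))
            continue
        if addr.is_unspecified:
            findings.append((line_no, spec, "wildcard address: listens on every interface"))
        elif not any(addr in net for net in internal_nets):
            findings.append((line_no, spec, "address is outside the internal network"))
    return findings


if __name__ == "__main__":
    for line_no, spec, reason in audit_http_ports(SAMPLE_CONF):
        print(f"line {line_no}: http_port {spec}: {reason}")
```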

The following parameters set the file system, location, and replacement policy of the Squid cache:

cache_dir ufs /var/squid

cache_mem 32 MB

cache_swap_low 90

cache_swap_high 95

In this case, Squid uses the /var/squid directory to store cached data, and the cache size is 32 megabytes at a time. When 95% of the cache space is in use, new content replaces old content instead of being added directly to the directory. If you don't want Squid to cache any files, for example on some special-purpose systems with limited storage, you can use the null file system (which does not need those caching policies):

cache_dir null /tmp

Of the following cache log settings, the main one is the first line, the user access log, which you can analyze to see the full addresses of everything users accessed:

cache_access_log /var/squid/access.log

cache_log /var/squid/cache.log

cache_store_log /var/squid/store.log
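An added example, not part of the original article, of analyzing the access log named in the first line: it parses Squid's native access.log format and summarizes each client's requests, bytes, visited hosts and denied requests. The log lines are constructed samples, and parse_line and summarize are names chosen for this illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed lines in Squid's native access.log format (not from the original page):
# time elapsed client action/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1588738115.123    245 192.168.0.200 TCP_MISS/200 5120 GET http://example.com/index.html - DIRECT/192.0.2.10 text/html
1588738116.456     12 192.168.0.200 TCP_HIT/200 2048 GET http://example.com/logo.png - NONE/- image/png
1588738120.789      3 192.168.0.57 TCP_DENIED/403 1420 GET http://files.example.net/setup.exe alice NONE/- text/html
1588738125.001    980 192.168.0.57 TCP_MISS/200 7300 CONNECT mail.example.org:443 alice DIRECT/198.51.100.7 -
1588738126.5 truncated
"""


def parse_line(line):
    """Split one native-format line into a dict; return None for malformed lines."""
    f = line.split()
    if len(f) < 10 or not f[4].isdigit():
        return None
    action, _, status = f[3].partition("/")
    method, url = f[5], f[6]
    # CONNECT requests log "host:port" instead of a full URL.
    host = url.rsplit(":", 1)[0] if method == "CONNECT" else (urlsplit(url).hostname or url)
    return {"client": f[2], "action": action, "status": status,
            "bytes": int(f[4]), "host": host, "user": f[7]}


def summarize(log_text):
    """Per client IP: request count, bytes, hosts visited, and denied (user, host) pairs."""
    out = defaultdict(lambda: {"requests": 0, "bytes": 0, "hosts": set(), "denied": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:  # skip truncated or corrupt lines
            continue
        entry = out[rec["client"]]
        entry["requests"] += 1
        entry["bytes"] += rec["bytes"]
        entry["hosts"].add(rec["host"])
        if rec["action"] == "TCP_DENIED":
            entry["denied"].append((rec["user"], rec["host"]))
    return dict(out)


if __name__ == "__main__":
    for client, entry in sorted(summarize(SAMPLE_LOG).items()):
        print(client, entry["requests"], entry["bytes"], sorted(entry["hosts"]), entry["denied"])
```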

The following directive, which appears in newer versions, tells Squid which server name to show on the error page:

visible_hostname No1.proxy

The following configuration tells Squid how to treat clients: the IP address of each request is handled as a separate address:

client_netmask 255.255.255.255

For a normal proxy server, the above configuration is sufficient. But Squid is often used as a transparent proxy. With a transparent proxy, the client does not know that the proxy server exists and needs no proxy settings at all, which is a great convenience for system administrators. The relevant options are as follows:

httpd_accel_host virtual

httpd_accel_port 80

httpd_accel_with_proxy on

httpd_accel_uses_host_header on

On Linux, requests to web port 80 can be forwarded directly to Squid port 3128 using iptables/ipchains. Squid takes over, and the user's browser still thinks it is accessing port 80. For example, the following command:

iptables -t nat -A PREROUTING -s 192.168.0.200/32 -p tcp --dport 80 -j REDIRECT --to-ports 3128

This redirects all access to port 80 from 192.168.0.200 to port 3128.

After all the setup is done, the key and important task is access control. Squid supports many management methods and is very simple to use (it is also true that some people would rather use Squid without any caching than ipta

alone
