Detailed Squid configuration process on a Linux gateway server

  • 2020-05-09 19:41:17
  • OfStack

Preface

Here we configure a proxy server that provides proxy services only for the internal network. It has the following functions: users are divided into advanced users and ordinary users, and advanced users are recognised by the physical (MAC) address of their network card.

Ordinary users must enter a user name and password before they can use the proxy. Advanced users have no access-time or file-type restrictions, while ordinary users may only use the proxy during working hours and are subject to other restrictions.

Installation

Install from the package repository

The stable version is available from the distribution's package repository. Install it with the following command:

sudo apt-get install squid squid-common

Source code compilation and installation

Of course, you can also download the latest version from the official website and compile and install it yourself:

The site offers both STABLE releases and DEVEL releases (the latter are intended for developers and testers). Assuming you have downloaded the latest stable version, squid-2.5.STABLE2.tar.gz, unpack it with the following command:

tar xvfz squid-2.5.STABLE2.tar.gz

The bz2-compressed package is somewhat smaller. The corresponding command is:

tar xvfj squid-2.5.STABLE2.tar.bz2

Then enter the unpacked directory to configure and compile the source. The commands are as follows:

cd squid-2.5.STABLE2

The configure script has many options. If you are unsure, run ./configure --help first. In general, the following options are used:

--prefix=/var/squid

Specifies where Squid will be installed. If you give only this one option, the directories bin, sbin, man, conf and so on are created under it, and the main configuration file ends up in the conf subdirectory. For ease of administration, it is better to place the configuration file in /etc with the parameter --sysconfdir=/etc.

--enable-storeio=ufs,null

The storage type used is usually the default, ufs, but if you want a proxy server that does not cache any files, you must also build in the null storage type.

--enable-arp-acl

This allows access rules to be written directly against the client's MAC address, which prevents clients from spoofing their IP address to bypass the rules.

--enable-err-languages="Simplify_Chinese"

--enable-default-err-language="Simplify_Chinese"

The above two options tell Squid to build and use the simplified Chinese error pages.

--enable-linux-netfilter

Allows the use of Linux's transparent proxy functionality.

--enable-underscores

Allows underscores in parsed URLs; by default Squid treats a URL containing an underscore as illegal and denies access to it. The complete configure step looks like this:

./configure --prefix=/var/squid \
  --sysconfdir=/etc \
  --enable-arp-acl \
  --enable-linux-netfilter \
  --enable-pthreads \
  --enable-err-languages="Simplify_Chinese" \
  --enable-storeio=ufs,null \
  --enable-default-err-language="Simplify_Chinese" \
  --enable-auth="basic" \
  --enable-basic-auth-helpers="NCSA" \
  --enable-underscores

Some of these options have special effects and are described below. Finally, run the following two commands to compile the source into executables and copy them to the specified location:

make

sudo make install

Basic configuration

Once the installation is complete, the next step is to configure Squid itself (as opposed to the build-time configuration above). Everything is done in squid.conf. The squid.conf shipped with Squid contains very detailed comments, effectively a user manual, and any configuration question can be answered by consulting it. In this example the proxy server is also the gateway: the internal network interface eth0 has the IP address 192.168.0.1 and the external interface eth1 has the IP address 202.103.x.x. The following are the options required for a basic proxy:

http_port 192.168.0.1:3128

The default port is 3128, but any other port can be used as long as it does not conflict with another service. For security, the IP address is prefixed so that Squid does not listen on the external network interface. The next option is the server administrator's email address, which is displayed on error pages so that users can contact the administrator:

cache_mgr start@soocol.

The following parameters tell Squid the cache's storage type, location and replacement policy:

cache_dir ufs /var/squid

cache_mem 32 MB

cache_swap_low 90

cache_swap_high 95

With this configuration Squid uses /var/squid as the directory for cached data and 32 MB of memory for the in-memory cache. When cache usage reaches 95%, new content replaces old content instead of growing the cache directory further. If you do not want Squid to cache any files at all, for example on a dedicated system with limited storage, use the null storage type (the caching policies above are then unnecessary):

cache_dir null /tmp

Of the following log configuration lines, the most important is the first, the user access log, which can be analysed to see in detail which addresses every user has visited:

cache_access_log /var/squid/access.log

cache_log /var/squid/cache.log

cache_store_log /var/squid/store.log

The following line is a parameter that appears in newer versions; it tells Squid the server name to display on error pages:

visible_hostname No1 proxy

The following option tells Squid how to treat clients; here the IP address of every request is treated as a separate address:

client_netmask 255.255.255.255

For a normal proxy server the configuration above is sufficient. Many Squid installations, however, are used as transparent proxies. With a transparent proxy the client is unaware that a proxy server exists and needs no proxy-related settings, which greatly simplifies the system administrator's work. The relevant options are as follows:

httpd_accel_host virtual

httpd_accel_port 80

httpd_accel_with_proxy on

httpd_accel_user_host_header on

On Linux, requests to web port 80 can be forwarded directly to Squid's port 3128 with iptables/ipchains.

Squid then takes over, while the user's browser still believes it is talking to port 80. For example, this command:

iptables -t nat -A PREROUTING -s 192.168.0.200/32 -p tcp --dport 80 -j REDIRECT --to-ports 3128

This redirects all access to port 80 from 192.168.0.200 to port 3128.
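As an added example, not part of the original article: a small shell script that audits the http_port binding point from the basic configuration above (Squid must not listen on the external interface) and generates the REDIRECT rule for the transparent proxy setup restricted to the internal interface. It assumes the article's eth0/192.168.0.1 layout, a LAN subnet of 192.168.0.0/24 and Squid port 3128; the config fragments it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes the article's
# layout: eth0 = internal interface at 192.168.0.1, Squid on port 3128.

# Return 0 if every http_port line in the given squid.conf is bound to a
# specific IPv4 address, 1 if any line is a bare port number (a bare port
# makes Squid listen on all interfaces, including the external one).
check_http_port_binding() {
    # $1 = path to squid.conf
    awk '
        $1 == "http_port" {
            # a bound listener looks like 192.168.0.1:3128; a bare port has no ":"
            if ($2 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/) { bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Print the nat PREROUTING rule that sends port-80 traffic arriving on the
# internal interface from the LAN subnet to Squid, and nothing else.
redirect_rule() {
    # $1 = internal interface, $2 = LAN subnet, $3 = Squid port
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' \
        "$1" "$2" "$3"
}

# Constructed sample configs: the weak one listens everywhere, the
# hardened one is bound to the internal address as the article recommends.
weak=$(mktemp); hardened=$(mktemp)
printf 'http_port 3128\ncache_dir null /tmp\n' > "$weak"
printf 'http_port 192.168.0.1:3128\ncache_dir null /tmp\n' > "$hardened"

if check_http_port_binding "$weak"; then
    echo "weak config: ok"
else
    echo "weak config: http_port has no address prefix, Squid would listen on eth1 too"
fi
if check_http_port_binding "$hardened"; then
    echo "hardened config: http_port bound to the internal interface"
fi
redirect_rule eth0 192.168.0.0/24 3128
rm -f "$weak" "$hardened"
```

Run the script on the real /etc/squid.conf by replacing the constructed files with its path; the generated rule is printed, not applied.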

Once all the setup is complete, the key and important task is access control. Squid supports many management methods and is very simple to use (it is also true that some people would rather use Squid without any caching than ipta alone
