Squid服务器常见配置

系统环境

root # cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core) 

安装squid

yum -y install squid

squid默认工作模式正向代理,/etc/squid/squid.conf 默认配置文件解释如下

# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
# 默认ACL acl localnet src
0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN) acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN) acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN) acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN) acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN) acl localnet src fc00::/7 # RFC 4193 local private network range acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT # # Recommended minimum Access Permission configuration: # 拒绝Safe_ports和SSL_ports之外的端口访问 # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports # Only allow cachemgr access from localhost
# 允许本地访问cachemgr http_access allow localhost manager http_access deny manager # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server
who think the only # one who can access services on "localhost" is a local user #http_access deny to_localhost # # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS # 自定义ACL和访问规则 # Example rule allowing access from your local networks. # Adapt localnet in the ACL section to list your (internal) IP networks # from where browsing should be allowed http_access allow localnet http_access allow localhost # And finally deny all other access to this proxy 兜底策略deny all http_access deny all # Squid normally listens to port 3128 默认侦听端口 http_port 3128 # Uncomment and adjust the following to add a disk cache directory. #cache_dir ufs /var/spool/squid 100 16 256 # Leave coredumps in the first cache dir coredump_dir /var/spool/squid # # Add any of your own refresh_pattern entries above these. # refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320

常用的ACL配置

一般来说,安装完服务器,比较常见的ACL会包括黑白名单IP地址、访问的URL或域名、服务时间限制等。

需求不复杂时,直接修改squid.conf文件就可以做如下管控:

1、IP地址x.x.x.x之外的客户端全部拒绝

acl client_whitelists src x.x.x.x
http_access allow client_whitelists
http_access deny all

2、禁止客户端访问网址中包含<keyword>关键词的网站

acl forbidden_keywords url_regex -i <keyword>
http_access deny forbidden_keywords

3、禁止客户端访问某个domain: test.com

acl forbidden_urls url_regex test.com
http_access deny forbidden_urls

4、禁止下载带有某些类型后缀的文件,如.avi,.rar

acl forbidden_file_types urlpath_regex -i \.rar$ \.avi$
http_access deny forbidden_file_types

如果环境比较复杂,为了方便后续维护黑白名单,也可以创建几个配置文件,然后与squid.conf这个主配置文件关联:

[root@localhost conf.d]# mkdir /etc/squid/conf.d
创建配置文件client_IP.conf、content-filter.conf和time.conf

[root@localhost conf.d]# cat client_IP.conf

acl client_whitelist src 192.168.108.1
acl client_blacklist src 192.168.108.100

http_access deny client_blacklist
http_access allow client_whitelist

[root@localhost conf.d]# cat content-filter.conf
acl forbidden_domain dstdomain .jd.com
acl forbidden_keywords url_regex -i taobao
acl forbidden_urls url_regex -i qq.com
acl forbidden_file_types urlpath_regex -i \.rar$ \.avi$

http_access deny forbidden_domain
http_access deny forbidden_keywords
http_access deny forbidden_urls
http_access deny forbidden_file_types

[root@localhost conf.d]# cat time.conf
acl Working_time time MTWHF 08:00-20:59

http_access deny !Working_time


修改主配置文件squid.conf
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
#http_access allow localnet
http_access allow localhost

include /etc/squid/conf.d/content-filter.conf
include /etc/squid/conf.d/time.conf include /etc/squid/conf.d/
client_IP.conf # And finally deny all other access to this proxy http_access deny all

身份认证

local基本认证后续完善。

 

集成AD域认证(需将squid服务器加域)

1、安装samba和krb5
yum
install samba* yum install krb5* 2、修改krb.conf root# cat /etc/krb5.conf #只贴出有关部分,域名须用大写 [libdefaults] dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true rdns = false pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt default_realm = DEMO.COM default_ccache_name = KEYRING:persistent:%{uid} [realms] DEMO.COM = { kdc = dc1.DEMO.COM:88 admin_server = dc1.DEMO.COM:749 default_domain = DEMO.COM } [domain_realm] .DEMO.COM = DEMO.COM DEMO.COM = DEMO.COM 配置完成后可以通过Kinit工具进行测试方法如下 代码: root# kinit administrtor Password for administrator@DEMO.COM: 3、修改smb.conf root # cat /etc/samba/smb.conf [global] workgroup = DEMO security = ads server string = netproxy realm = DEMO.COM password server = dc1.demo.com winbind use default domain = yes winbind offline logon = true encrypt passwords = yes idmap gid = 10000 - 20000 idmap uid = 10000 - 20000 os level = 20 dns proxy = no max log size = 50 4、加域: root# net ads join –U administrator #需使用有加域权限的账号 5 、使用wbinfo –t验证主机已成功加入AD root# wbinfo –t 系统返回 checking the trust secret via RPC calls succeeded 说明主机信任已成功建立 使用wbinfo –u 可以列出AD中注册的帐号信息。Wbinfo –g可以返回AD中的组信息。 6、测试ntlm_auth验证 root# ntlm_auth --username=administrator Password:************** NT_STATUS_OK: NT_STATUS_OK (0x0) 说明域帐号administrator已成功验证
7、配置NSS Nss为Name Service Switch,控制帐号的验证。编辑/etc/nsswitch.conf,如下
passwd:     files winbind sss 
shadow:     files sss
group:      files winbind sss

8、 在squid.conf文件中增加 
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp 
auth_param ntlm children 5
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5 
auth_param basic realm Squid proxy-caching web server 
auth_param basic credentialsttl 5 hours 
acl squid_user proxy_auth REQUIRED 
http_access allow all squid_user 

9、用户要通过验证squid必须能访问winbind pipe,否则用户不能通过Squid验证。修改winbind pipe权限  
root# chown -R root:squid /var/lib/samba/winbindd_privileged 
root#chmod -R 750 /var/lib/samba/winbindd_privileged 

10、 重新启动squid服务器,验证使用域用户身份验证。 
如果使用域帐号登陆计算机,那么浏览网页时就不会提示输入用户名及密码认证,非域用户登陆计算机,通过代理访问网站时,将弹出用户身份验证窗口要求用户输入用户名及密码验证。 

如果想设置特定域用户组通过验证才可以使用代理服务,可在 auth_param ntlm program
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp 和auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic后加一句 --require-membership-of=DEMO.COM\\Groupname "DEMO.COM":域名 "Groupname":上网组名

反向代理

# 注释掉正向代理监听
#http_port 3128
# 配置反向代理
# 修改端口80 accel vhost vport 为反向代理
http_port 80  accel vhost vport
# cache_peer 代理IP 端口 0 originserver  name=a "a"代表一个域名
cache_peer 123.125.119.147 parent 80 0 originserver name=a
cache_peer 61.135.169.125 parent 80 0 originserver name=b
# 设置a的域名为 www.qq.com
cache_peer_domain a www.qq.com
cache_peer_domain b www.baidu.com

常用运维命令

[root@localhost squid]# squid -h
Usage: squid [-cdzCFNRVYX] [-n name] [-s | -l facility] [-f config-file] [-[au] port] [-k signal]
    -h | --help       Print help message.
    -v | --version    Print version details.

       -a port   Specify HTTP port number (default: 3128).
       -d level  Write debugging to stderr also.
       -f file   Use given config-file instead of
                 /etc/squid/squid.conf
       -k reconfigure|rotate|shutdown|restart|interrupt|kill|debug|check|parse
                 Parse configuration file, then send signal to 
                 running copy (except -k parse) and exit.
       -n name   Specify service name to use for service operations
                 default is: squid.
       -s | -l facility
                 Enable logging to syslog.
       -u port   Specify ICP port number (default: 3130), disable with 0.
       -z        Create missing swap directories and then exit.
       -C        Do not catch fatal signals.
       -D        OBSOLETE. Scheduled for removal.
       -F        Don't serve any requests until store is rebuilt.
       -N        Master process runs in foreground and is a worker. No kids.
       --foreground
                 Master process runs in foreground and creates worker kids.
       --kid role-ID
                 Play a given SMP kid process role, with a given ID. Do not use
                 this option. It is meant for the master process use only.
       -R        Do not set REUSEADDR on port.
       -S        Double-check swap during rebuild.
       -X        Force full debugging.
       -Y        Only return UDP_HIT or UDP_MISS_NOFETCH during fast reload.

下面几条在修改配置后用的较多

[root@localhost squid]# squid -k check  #检查配置文件
[root@localhost squid]# squid -k reconfig  #让配置热生效,不用重启服务
[root@localhost squid]# squid -k parse  #解析配置文件,反馈错误

验证与日志查看

服务器本地使用代理验证,curl -x localhost:3128 <url> -I

[root@localhost squid]# curl -x localhost:3128 www.baidu.com -I
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Content-Length: 277
Content-Type: text/html
Date: Mon, 31 Aug 2020 03:17:22 GMT
ETag: "575e1f72-115"
Last-Modified: Mon, 13 Jun 2016 02:50:26 GMT
Pragma: no-cache
Server: bfe/1.0.8.18
X-Cache: MISS from localhost.localdomain
X-Cache-Lookup: MISS from localhost.localdomain:3128
Via: 1.1 localhost.localdomain (squid/4.4)
Connection: keep-alive

查看日志文件

[root@localhost squid]# cat /var/log/squid/access.log
[root@localhost squid]# cat /var/log/squid/cache.log

 

以上仅为常见常规配置,如果要深入学习Squid用法, 建议参考大神翻译著作《Squid中文权威指南》,网络可搜。

posted @ 2020-08-31 11:20  辣椒,一生所爱  阅读(1159)  评论(0编辑  收藏  举报