一、搭建squid服务器
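# Section 1: build Squid from source (every command here runs as root).
# NOTE(review): 3.5.4 belongs to a Squid branch that is no longer maintained;
# for a new deployment pick a currently supported release and read the
# project's security advisories first.
cd /usr/local/src/

yum install epel-release        # add the EPEL repository
yum -y install vim
yum -y install wget

# The original guide disabled SELinux for the whole host ("SELINUX=disabled"
# in /etc/selinux/config). That removes a containment layer from every
# service on the machine, not just Squid. Prefer to leave it enforcing, or
# use permissive mode only while debugging denials. If you really want the
# original behaviour, this is the non-interactive equivalent of the vim edit:
#   sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config

# Fetch the source over HTTPS: the original used plain http://, which lets
# anyone on the network path hand you a modified tarball. Compare the
# download against the signature/checksum the project publishes alongside
# each release before extracting it.
wget https://www.squid-cache.org/Versions/v3/3.5/squid-3.5.4.tar.gz
tar zxf squid-3.5.4.tar.gz
cd squid-3.5.4

# --enable-auth --enable-auth-basic=ncsa switch on Basic authentication with
# the NCSA (htpasswd file) helper that section 2 relies on.
./configure \
  --prefix=/usr/local/squid \
  --sysconfdir=/etc/squid \
  --enable-storeio=ufs,aufs,diskd \
  --enable-icmp \
  --enable-kill-parent-hack \
  --enable-err-language="Simplify_Chinese" \
  --enable-snmp \
  --enable-arp-acl \
  --enable-poll \
  --enable-auth \
  --enable-auth-basic=ncsa \
  --enable-delay-pools \
  --disable-ident-lookups \
  --with-large-files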
#如下两个参数用于开启用户认证:
#  --enable-auth --enable-auth-basic=ncsa
#3.2 以前的版本写法是:
#  --enable-auth="basic" --enable-basic-auth-helpers="ncsa"
#3.2 以后写法不同,需要注意这一点。
#详情可看 release notes: http://www.squid-cache.org/versions/v3/3.5/squid-3.5.4-releasenotes.html
#所有属性都可以查询资料: http://my.oschina.net/u/1162688/blog/412266
#或官方文档: http://www.squid-cache.org/versions/v3/3.5/cfgman/
# Build prerequisites. ./configure stops with one of these if they are missing:
#
#   configure: error: in `/usr/local/src/squid-3.5.4':
#   configure: error: no acceptable C compiler found in $PATH
#   See `config.log' for more details
#
#   configure: error: in `/usr/local/src/squid-3.5.4':
#   configure: error: Perl is required to compile Squid. Please install Perl and then re-run configure
#   See `config.log' for more detail
#
# Install the compilers and Perl, then re-run ./configure with the same options.
yum -y install gcc gcc-c++ perl perl-devel

configure_opts=(
  --prefix=/usr/local/squid
  --sysconfdir=/etc/squid
  --enable-storeio=ufs,aufs,diskd
  --enable-icmp
  --enable-kill-parent-hack
  --enable-err-language="Simplify_Chinese"
  --enable-snmp
  --enable-arp-acl
  --enable-poll
  --enable-auth
  --enable-auth-basic=ncsa
  --enable-delay-pools
  --disable-ident-lookups
  --with-large-files
)
./configure "${configure_opts[@]}"

# Compile and install (roughly 15 minutes on the author's machine).
# NOTE(review): this builds as root like the original; building as an
# unprivileged user and only installing as root would be the safer habit.
make && make install
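# Runtime directories plus an unprivileged service account for Squid.
mkdir -pv /var/spool/squid   # cache_dir location (prints: created directory `/var/spool/squid')
mkdir -pv /var/log/squid     # log location     (prints: created directory `/var/log/squid')

groupadd squid
# The original comment says "do not create a home directory under /home and
# do not allow logins". That is -M (capital); -m would CREATE /home/squid.
# The copied transcript appears to have been lowercased, which is why it
# showed -m.
useradd -M -s /sbin/nologin -g squid squid

# Squid switches to cache_effective_user/cache_effective_group (squid) after
# start-up, so that account is the only one that needs write access to the
# cache and log directories.
chown -R squid:squid /var/spool/squid/
chown -R squid:squid /var/log/squid/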
# Keep an untouched copy of the generated squid.conf before editing it, then
# open it to change the cache directory (the cache directory may equally be
# created to match whatever path the edited file specifies).
cp /etc/squid/squid.conf /etc/squid/squid.conf.old
vim /etc/squid/squid.conf
# Locate the commented "#cache_dir" line and append the following:
cache_dir ufs /var/spool/squid 1024 16 256   # cache_dir path, capacity (MB), number of 1st- and 2nd-level subdirectories
cache_mem 2048 MB                            # extra memory Squid may use for in-memory objects
maximum_object_size 4 MB                     # largest object written to the disk cache
minimum_object_size 0 KB                     # smallest object written to the disk cache
maximum_object_size_in_memory 4096 KB        # largest object kept in memory
cache_effective_user squid                   # account Squid runs as after start-up
cache_effective_group squid                  # group Squid runs as after start-up
access_log /var/log/squid/access.log combined   # access log path and format
cache_log /var/log/squid/cache.log           # daemon log
cache_store_log /var/log/squid/store.log     # store log location
logfile_rotate 60                            # NOTE(review): this is the number of rotated files kept by "squid -k rotate", not a number of days
cache_swap_high 95                           # start purging old objects when the cache dir is over 95% full
cache_swap_low 90                            # stop purging once usage is back down to 90%
visible_hostname httpproxy                   # hostname shown to clients
cache_mgr it@xxxx.com                        # admin mailbox (shown on Squid error pages)
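cd /usr/local/squid
pwd                                    # /usr/local/squid

# Validate the configuration BEFORE initialising the cache, so a typo is
# reported instead of being baked into the on-disk layout (the original ran
# -z first and parsed afterwards).
/usr/local/squid/sbin/squid -k parse
# Initialise the cache_dir layout; mandatory on first start. Creates the 16
# first-level directories under /var/spool/squid.
/usr/local/squid/sbin/squid -z
# Start Squid.
/usr/local/squid/sbin/squid
# Confirm the listener. In the original output Squid is bound to :::3128,
# i.e. every interface (IPv4 and IPv6) -- see the http_port note in squid.conf
# if the proxy should only be reachable on the LAN address.
netstat -ntlp
#   Proto Recv-Q Send-Q Local Address   Foreign Address  State   PID/Program name
#   tcp   0      0      0.0.0.0:22      0.0.0.0:*        LISTEN  2153/sshd
#   tcp   0      0      127.0.0.1:25    0.0.0.0:*        LISTEN  1144/master
#   tcp   0      0      :::22           :::*             LISTEN  2153/sshd
#   tcp   0      0      :::3128         :::*             LISTEN  30821/(squid-1)
#   tcp   0      0      ::1:25          :::*             LISTEN  1144/master

# Test through the proxy from the host itself; "HTTP/1.1 200 OK" means it works.
curl -i -x 172.17.35.38:3128 www.baidu.com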
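# So far only the host itself can use the proxy; other LAN machines need
# port 3128 opened in iptables. Open it ONLY for the internal networks that
# are supposed to use the proxy. The original rule accepted 3128 from any
# source address, which -- combined with "http_access allow all" in the
# squid.conf further down -- turns the box into an open proxy as soon as it
# is reachable from outside.
for net in 172.16.0.0/16 172.17.0.0/16 172.18.0.0/16 192.168.0.0/16; do
  /sbin/iptables -I INPUT -s "$net" -p tcp --dport 3128 -j ACCEPT
done
/etc/init.d/iptables save
/etc/init.d/iptables status
/etc/init.d/iptables restart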
------------------------------------------------------------------------------------------------------
二、配置用户认证:
#用户认证需要在 configure 时开启 --enable-auth,并用 --enable-auth-basic="list of helpers" 指定认证 helper。
#注意:basic 认证只是把用户名和密码做 base64 编码后随每个请求发送,等同于明文;能嗅探客户端到代理之间流量的人都能拿到口令,
#因此只适合在可信内网或 VPN 内使用,不要把开启了 basic 认证的代理直接暴露在公网上。
#使用 apache 的 htpasswd 工具为 squid 用户生成密码文件,apache 安装见 http://my.oschina.net/u/1162688/blog/412426
#1、生成密码文件并设置密码:
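# Locate htpasswd (shipped with Apache):
find / -name htpasswd -type f
#   /usr/local/apache/bin/htpasswd
#   /usr/local/src/httpd-2.4.12/support/htpasswd

# Create the password file and the first user.
# -c creates the file and OVERWRITES it if it already exists, so use it only
#    for the first user; add later users with the same command minus -c.
# The original suggested -b for an existing file. Avoid -b: it takes the
# password on the command line, where it ends up in shell history and is
# visible to every local user through ps. Let htpasswd prompt instead, or
# pipe the password to "htpasswd -i" (httpd >= 2.4.4; 2.4.12 is used here).
/usr/local/apache/bin/htpasswd -c /etc/squid/passwd squid
#   New password:
#   Re-type new password:
#   Adding password for user squid

# The auth helper runs as cache_effective_user (squid), so that account needs
# read access to the file and nobody else does.
chown root:squid /etc/squid/passwd
chmod 640 /etc/squid/passwd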
#2、选择用户验证程序
#squid 安装完成后,会在 /usr/local/squid/libexec/ 生成供不同验证方式使用的可执行文件;如果没有,可
#进入 /usr/local/src/squid-3.5.4/helpers/basic_auth/ncsa/ 执行 make 生成:
# Build the NCSA basic-auth helper by hand if it is missing from libexec.
cd /usr/local/src/squid-3.5.4/helpers/basic_auth/ncsa/
ls -l
#   total 240
#   -rwxr-xr-x. 1 root root 74173 May  8 15:38 basic_ncsa_auth
#   -rw-r--r--. 1 1000 1000  3221 May  1 19:27 basic_ncsa_auth.8
#   -rw-r--r--. 1 1000 1000  5664 May  1 19:27 basic_ncsa_auth.cc
#   -rw-r--r--. 1 root root 24160 May  8 15:38 basic_ncsa_auth.o
#   -rw-r--r--. 1 1000 1000  5825 May  1 19:27 crypt_md5.cc
#   -rw-r--r--. 1 1000 1000   918 May  1 19:27 crypt_md5.h
#   -rw-r--r--. 1 root root 20104 May  8 15:38 crypt_md5.o
#   -rw-r--r--. 1 root root 43003 May  8 15:36 Makefile
#   -rw-r--r--. 1 1000 1000   748 May  1 19:27 Makefile.am
#   -rw-r--r--. 1 1000 1000 43279 May  1 19:28 Makefile.in
#   -rwxr-xr-x. 1 1000 1000   453 May  1 19:27 required.m4
make

# All helpers built at install time live here (basic_ncsa_auth among them):
ls /usr/local/squid/libexec/
#   basic_db_auth basic_fake_auth basic_getpwnam_auth basic_msnt_multi_domain_auth
#   basic_ncsa_auth basic_nis_auth basic_pop3_auth basic_radius_auth basic_smb_auth
#   basic_smb_auth.sh basic_smb_lm_auth cachemgr.cgi digest_file_auth diskd
#   ext_delayer_acl ext_file_userip_acl ext_session_acl ext_sql_session_acl
#   ext_time_quota_acl ext_unix_group_acl ext_wbinfo_group_acl helper-mux.pl
#   log_db_daemon log_file_daemon negotiate_wrapper_auth ntlm_fake_auth
#   ntlm_smb_lm_auth pinger storeid_file_rewrite unlinkd url_fake_rewrite
#   url_fake_rewrite.sh

# ncsa is the method chosen at ./configure time; copy its helper somewhere on
# the PATH and reference that path from squid.conf.
cp /usr/local/squid/libexec/basic_ncsa_auth /usr/bin/
# Open squid.conf and insert the directives below AHEAD of the first
# http_access line, so the login requirement is evaluated before any allow.
vim /etc/squid/squid.conf
# Basic authentication through the NCSA helper and the htpasswd file created
# above. These lines must precede the first http_access rule -- in particular
# any "http_access allow all" -- otherwise a request is allowed before the
# proxy ever asks for credentials.
auth_param basic program /usr/bin/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5                 # helper processes to keep running
auth_param basic realm please login in:     # text shown in the browser's login dialog
auth_param basic credentialsttl 1 hours     # how long a verified login is cached before the helper is asked again
# Matches only the user literally named "squid" (the one created with
# htpasswd). Per the Squid docs, "proxy_auth REQUIRED" would accept any
# user present in the password file instead.
acl auth_user proxy_auth squid
http_access allow auth_user
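# Apply the edited squid.conf to the running proxy without a restart.
# Validate first: "-k parse" reports syntax errors before they reach the live
# process, which the original skipped here even though it used -k parse in
# section 1.
/usr/local/squid/sbin/squid -k parse && /usr/local/squid/sbin/squid -k reconfigure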
#在浏览器中设置好代理,访问百度时就会弹出验证框。
#注意:若在ie中设置代理不成功,如第一次设置好了,第二次打开发现设置是空的,则要使用管理员身份运行ie。
------------------------------------------------------------------------------------------------------
三、配置acl访问控制:
#acl 列表用于实现访问控制:指定哪些机器可以访问代理,以及代理可以访问哪些机器。设置 acl 前,先明确你的需求。
#比如公司在成都、北京、上海三地的局域网通过 site-to-site VPN 组成私网,要求允许这三地内网的所有 ip 访问代理,但不允许通过代理访问内网,
内网段为:
#172.16.0.0/16  172.17.0.0/16  172.18.0.0/16  192.168.0.0/16
#192.168.201.1 为防火墙,192.168.201.2 为路由器,172.16.35.1 为网关
我设置了如下 acl(注意:http_access 规则按顺序自上而下匹配,首条命中即生效;上面三台例外主机的地址都落在 localnet_dst 网段内,
所以放行它们的规则必须写在 deny localnet_dst 之前,否则永远不会生效;另外不要以 allow all 结尾,否则任何能连上 3128 端口的人都能把它当开放代理用):
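# Destinations: three infrastructure hosts are reachable, the rest of the
# internal ranges is not.
acl localnet_dst_allow dst 192.168.201.1   # firewall
acl localnet_dst_allow dst 192.168.201.2   # router
acl localnet_dst_allow dst 172.16.35.1     # gateway
acl localnet_dst dst 172.16.0.0/16         # IDC
acl localnet_dst dst 172.17.0.0/16         # CD
acl localnet_dst dst 172.18.0.0/16         # SH
acl localnet_dst dst 192.168.0.0/16        # CD/IDC/SH
# Sources: the three sites' LAN ranges are the clients allowed to use the proxy.
acl localnet src 172.16.0.0/16 172.17.0.0/16 172.18.0.0/16 192.168.0.0/16

# http_access is evaluated top to bottom; the first matching rule wins.
# 1. The three allowed hosts sit INSIDE the localnet_dst ranges, so their
#    allow rule must come BEFORE "deny localnet_dst" -- in the original order
#    it could never match. Pairing it with the localnet source ACL keeps
#    outsiders from using the proxy to reach the firewall/router/gateway.
http_access allow localnet localnet_dst_allow
http_access deny localnet_dst
http_access allow localhost
# 2. The original ended with "http_access allow all": anyone able to reach
#    port 3128 got an open proxy to the Internet. Allow only the LAN clients
#    (to also require a login, use the auth_user ACL from section 2:
#    "http_access allow localnet auth_user") and deny everything else.
http_access allow localnet
http_access deny all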
#下面学习下 acl 的语法:
acl 列表名称 列表类型 [-i] 列表值        # 名称自拟;-i 表示匹配时不区分大小写
列表类型:
src        源 ip 地址,即客户端的 ip 地址     格式: acl name src ip/netmask
dst        目的 ip 地址,即被访问的 ip 地址   格式: acl name dst ip/netmask    (注意这里是 dst,原文误写成了 src)
arp        客户端 mac 地址                  格式: acl name arp mac-addr      (需要 configure 时的 --enable-arp-acl;只对同一二层网段内的客户端有效,且 mac 可伪造,不宜作为身份依据)
srcdomain  源域名                           格式: acl name srcdomain .domain.com
dstdomain  目标域名                         格式: acl name dstdomain .domain.com
port       端口                             格式: acl name port num|num1-num2
proto      协议                             格式: acl name proto HTTP FTP ......
method     请求方法                         格式: acl name method GET POST ......
maxconn    单一 ip 地址最大连接数           格式: acl name maxconn num
url_regex  url 正则匹配                     格式: acl name url_regex [-i] ^http://......
time       时间段                           格式: acl name time [day] [h1:m1-h2:m2]
10
http_access 用来决定对 acl 中定义的对象是拒绝(deny)还是允许(allow),在 acl 名前加 ! 表示取非。http_access 规则按书写顺序自上而下匹配,首条命中的规则生效,所以 deny 的规则要写在 allow 的前面。比如要拒绝对非安全端口的访问,可在配置文件中添加如下内容(注意规则中引用的每个 acl 名都必须先定义):
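# The original snippet defined ssl_ports but then referenced safe_ports, which
# was never defined, so it would not load as written. Every ACL used in an
# http_access line must be declared first. (The complete squid.conf at the end
# of this page lists the usual Safe_ports set.)
acl SSL_ports port 443
acl Safe_ports port 80 443
# deny rules first: refuse requests to ports outside Safe_ports
http_access deny !Safe_ports
# then allow. NOTE: "allow Safe_ports" on its own admits EVERY client that can
# reach the proxy; in a real config combine it with a src or proxy_auth ACL,
# e.g. "http_access allow localnet Safe_ports".
http_access allow Safe_ports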
#下面贴出完整的squid.conf文件内容,请根据实际需要增删,不足之处请指出:
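#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7       # RFC 4193 local private network range
#acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
# Clients allowed to use this proxy: the three sites' LAN ranges.
acl localnet src 172.16.0.0/16 172.17.0.0/16 172.18.0.0/16 192.168.0.0/16

acl localnet_dst_allow dst 192.168.201.1   # IDC_SRX1400 (firewall)
acl localnet_dst_allow dst 192.168.201.2   # IDC_3750 (router)
acl localnet_dst_allow dst 172.16.35.1     # gateway
acl localnet_dst dst 172.16.0.0/16         # IDC
acl localnet_dst dst 172.17.0.0/16         # CD
acl localnet_dst dst 172.18.0.0/16         # SH
acl localnet_dst dst 192.168.0.0/16        # CD/IDC/SH

# acl ports
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Basic authentication from section 2. Left commented as in the original;
# uncomment all five lines to require a login and then use the auth_user ACL
# in the http_access rules below (see the note at "allow localnet").
#auth_param basic program /usr/bin/basic_ncsa_auth /etc/squid/passwd
#auth_param basic children 5
#auth_param basic realm please login in:
#auth_param basic credentialsttl 1 hours
#acl auth_user proxy_auth squid

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
# (the original left this commented; it is enabled here).
http_access deny to_localhost

# Rules are evaluated top to bottom, first match wins.
# The three infrastructure hosts sit INSIDE the localnet_dst ranges, so they
# must be allowed BEFORE "deny localnet_dst", and only for LAN clients. In
# the original this rule came after "allow all", where it could never match.
http_access allow localnet localnet_dst_allow
http_access deny localnet_dst

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access allow localhost
# LAN clients only. The original had "http_access allow all" here, which made
# the host an open proxy for anyone able to reach port 3128. To also require
# a login, enable the auth_param block above and use this line instead:
#http_access allow localnet auth_user
http_access allow localnet
# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128. It binds to every interface; to expose
# the proxy on the LAN address only (the one used in the curl test above):
#http_port 172.17.35.38:3128
http_port 3128

cache_mem 2048 MB                             # extra memory Squid may use for in-memory objects
maximum_object_size 4 MB                      # largest object written to the disk cache
minimum_object_size 0 KB                      # smallest object written to the disk cache
maximum_object_size_in_memory 4096 KB         # largest object kept in memory
cache_dir ufs /var/spool/squid 1024 16 256    # path, capacity (MB), 1st-level dirs, 2nd-level dirs
cache_effective_user squid                    # account Squid runs as after start-up
cache_effective_group squid
access_log /var/log/squid/access.log combined # access log path and format
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
logfile_rotate 60                             # number of rotated log files kept by "squid -k rotate" (not days)
cache_swap_high 95                            # start purging old objects when the cache dir is over 95% full
cache_swap_low 90                             # stop purging once usage is back down to 90%
visible_hostname httpproxy
cache_mgr it@xxxx.com                         # admin mailbox, shown on error pages

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320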