一、squid acl访问控制
mv squid.conf squid.conf.backup
egrep -v "^#|^$" squid.conf.backup > squid.conf
[root@squid etc]# wc -l squid.conf
44 squid.conf
1)对url进行关键字过滤
在squid.conf文件中添加如下两行:
acl qq url_regex -i ^http://.*qq.*$
http_access deny qq
在浏览器中进行访问www.baidu.com,测试结果如下(注意一定要使用代理访问):
然后使用命令让squid重读配置文件:
[root@squid ~]# squid -k reconfig
[root@squid ~]# lsof -i :3128
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
squid 22446 squid 15w IPv4 43702 0t0 TCP *:squid (LISTEN)
squid 22446 squid 17u IPv4 43646 0t0 TCP 192.168.49.135:squid->192.168.49.1:11361 (ESTABLISHED)
再次在浏览器中打开www.baidu.com,查看结果如下:
已经出现"Access Denied"错误,说明配置生效。
2)对url路径中的关键字进行过滤
将上面添加的两行注释掉,再添加如下两行:
acl qq_path urlpath_regex -i \.*qq*
http_access deny qq_path
然后让squid重读配置文件:
squid -k reconfig
最后在浏览器中进行访问测试:
打开http://im.qq.com/正常。
打开http://im.qq.com/pcqq/出现“Access Denied”错误,说明基于urlpath的acl规则生效,注意:urlpath是对http://*.*.*.*/ 后面的路径起作用的,因此http://im.qq.com/打开正常。
3)生产案例
限制使用BT和下载mp3:
acl BT urlpath_regix -i \.torrent$.
acl BT urlpath_regix -i \.torrent$ \.mp3$
http_access deny BT
限制访问某些网站:
acl sex url_regex -i ^http://.*sex.*$
http_access deny sex
二、配置web界面查看squid相关配置
1、首先安装apache
yum -y install httpd
2、配置并启动apache
[root@squid etc]# cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bak
[root@squid etc]# vi /etc/httpd/conf/httpd.conf
[root@squid etc]# diff /etc/httpd/conf/httpd.conf.bak /etc/httpd/conf/httpd.conf
136c136
< Listen 80
---
> Listen 8001 #修改监听端口为8001,这里也可以不改,但是一般不适用80端口
1009a1010,1015
> ScriptAlias "/squid" "/usr/local/squid/libexec/cachemgr.cgi" #创建一个别名,使用cachemgr.cgi
> <Location "/squid"> #添加一个apache访问路径
> Order deny,allow
> Deny from all
> Allow from all
> </Location>
[root@squid etc]# /etc/init.d/httpd start
Starting httpd: httpd: apr_sockaddr_info_get() failed for squid.contoso.com
httpd: Could not reliably determine the server‘s fully qualified domain name, using 127.0.0.1 for ServerName
[ OK ]
[root@squid etc]#
3、修改squid.conf默认配置
因为在squid的默认配置文件中有http_access deny !Safe_ports一行,所以需要把上面配置的8001端口添加到Safe_ports中,不然会出现访问拒绝错误。
acl Safe_ports port 8001
3、在浏览器中查看
输入访问url,http://192.168.49.135:8001/squid/,用户名密码默认为空。
打开之后,可以看到很多squid相关的信息。
比如可以看squid缓存的对象,虽然命令行也可以进行查看,但是这里提供了一个方便的web界面。
三、使用squid做透明代理
主机名 | 角色 | IP地址 |
squid.contoso.com | squid代理服务器 | eth0:192.168.49.135 eth1:172.16.49.135 |
ldapserver.contoso.com | squid客户端 | eth1:172.16.49.139 |
1)编辑squid配置文件
主要是修改如下两点:
a.设置http_port为透明代理模式
b.添加相关参数如下:
cache_mem 90 MB #注意90后面有一个空格,不然会有警告:WARNING: No units on ‘cache_mem 90MB‘, assuming 90.00 bytes
cache_swap_low 90
cache_swap_high 95
maximum_object_size 8192 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 4096 KB
memory_replacement_policy lru
emulate_httpd_log on
[root@squid etc]# cp squid.conf squid.conf.bak$(date +%F)
[root@squid etc]# vi squid.conf
[root@squid etc]# diff squid.conf.bak2016-10-16 squid.conf
36c36
< http_port 3128
---
> http_port 3128 transparent #设置透明代理模式
51a52,61
>
> cache_mem 90 MB
> cache_swap_low 90
> cache_swap_high 95
>
> maximum_object_size 8192 KB
> minimum_object_size 0 KB
> maximum_object_size_in_memory 4096 KB
> memory_replacement_policy lru
> emulate_httpd_log on
2)修改防火墙设置
添加防火墙规则:
[root@squid etc]# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3128
[root@squid etc]# iptables -t nat -A POSTROUTING -o eth0 -s 172.16.49.0/24 -j MASQUERADE
3)开启ipv4转发功能
[root@squid etc]# sed -i ‘/net.ipv4.ip_forward/s/0/1/‘ /etc/sysctl.conf
[root@squid etc]# grep ip_forward /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@squid etc]# sysctl -p
4)测试squid客户端网络
[root@ldapserver ~]# ifconfig eth1
eth1 Link encap:Ethernet HWaddr 00:0C:29:A5:4C:68
inet addr:172.16.49.139 Bcast:172.16.49.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fea5:4c68/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:349 errors:0 dropped:0 overruns:0 frame:0
TX packets:223 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:30075 (29.3 KiB) TX bytes:24303 (23.7 KiB)
[root@ldapserver ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
172.16.49.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 1003 0 0 eth1
[root@ldapserver ~]# ping 202.96.128.86
connect: Network is unreachable
[root@ldapserver ~]# ping www.baidu.com
ping: unknown host www.baidu.com
5)重读squid配置
squid -k reconfig
6)将squid服务器的内网IP地址设置为squid客户端的默认网关
[root@ldapserver ~]# route add default gw 172.16.49.135
[root@ldapserver ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
172.16.49.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 1003 0 0 eth1
0.0.0.0 172.16.49.135 0.0.0.0 UG 0 0 0 eth1
7)测试squid透明代理
在squid服务器上:
[root@squid network-scripts]# squid -k rotate #日志轮询
[root@squid network-scripts]# tail -f /usr/local/squid/var/logs/access.log #观察访问日志
在squid客户端上:
[root@ldapserver ~]# ping www.baidu.com
PING www.a.shifen.com (14.215.177.38) 56(84) bytes of data.
64 bytes from 14.215.177.38: icmp_seq=1 ttl=127 time=8.00 ms
64 bytes from 14.215.177.38: icmp_seq=2 ttl=127 time=8.13 ms
64 bytes from 14.215.177.38: icmp_seq=3 ttl=127 time=7.89 ms
64 bytes from 14.215.177.38: icmp_seq=4 ttl=127 time=35.1 ms
^C
--- www.a.shifen.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3229ms
rtt min/avg/max/mdev = 7.890/14.790/35.124/11.740 ms
squid客户端已经可以通过squid服务器上网了。
本文出自 “IT小二郎” 博客,请务必保留此出处http://jerry12356.blog.51cto.com/4308715/1862393
原文:http://jerry12356.blog.51cto.com/4308715/1862393