idoc.vn: guide to installing and configuring a Linux Squid proxy server
TRANSCRIPT
Installing and configuring a Linux SQUID Proxy Server. Downloads:
squid: Optimising Web Delivery
SQUID 3.0.RC1 builds
Squid 3.0.STABLE7 configuration file
ftp://mirror.aarnet.edu.au/pub/squid...TABLE16.tar.gz
Squid is a proxy server. It saves bandwidth, improves security, speeds up web access for users, and has become one of the best-known proxies. There are many proxy server products on the market today, but they have two drawbacks: first, you have to pay for them, and second, most do not support ICP (the Internet Cache Protocol, which lets one cache ask neighbouring caches whether they already hold a given URL, so that a page already fetched through one proxy can be served from another). Squid is the best choice for a proxy cache server: it meets both of our requirements, being free to use and supporting ICP.
Squid provides high-performance caching for web clients and supports the common services FTP, Gopher and HTTP. It keeps the most recently used objects in RAM, manages a large database of objects on disk, has a sophisticated access control mechanism, and passes SSL/TLS connections through the proxy with the CONNECT method (it tunnels them; it does not decrypt them). In addition, Squid can cooperate with the caches of other proxy servers so that cached pages are distributed sensibly between them.
Below we walk through how to install a proxy server.
2/ Installation:
First, a few points about the hardware of a proxy server:
****** Disk speed: very important, because Squid constantly reads and writes data on the disk. A SCSI drive with a high transfer rate is a good candidate for this job.
****** Disk space for the cache depends on the size of the network Squid serves: 1 to 2 GB for an average network of about 100 machines. This is only an indicative figure; the actual Internet usage is what determines how much disk you need.
****** RAM: very important; with too little RAM Squid becomes noticeably slower.
****** CPU: does not need to be powerful; about 133 MHz runs fine at a load of 7 requests/second.
Installing Squid on RedHat Linux is very simple. Squid is installed if you select it during the initial operating system installation. If you installed Linux without Squid, you can add it afterwards with the rpm utility:
rpm -i <squid_package>.rpm
Squid is then installed and you can move on to the configuration section.
Squid's default directories:
/usr/sbin
/etc/squid
/var/log/squid
Installing from source:
+ With the Squid source archive squid-<version>.tar.gz, run the following commands:
tar xzvf squid-<version>.tar.gz
cd squid-<version>
./configure
make
make install
After these commands Squid is installed. Note that a source build installs under /usr/local/squid by default rather than in the directories listed above; pass --prefix=/usr --sysconfdir=/etc/squid to ./configure if you want the same layout as the rpm package.
3/ Configuring Squid:
After installing Squid we have to configure it for our own requirements. The main parameters live in /etc/squid/squid.conf:
** http_port: the port Squid listens on for clients; default 3128.
** icp_port: the port used for ICP queries between caches; default 3130.
** cache_dir: declares the cache directory and its size. The directive takes a storage type first (ufs on Linux), so a typical line is:
cache_dir ufs /var/spool/squid/cache 100 16 256
The value 100 means 100 MB of cache; on a large disk you can raise it according to the disk size. The 16 and 256 are the number of first- and second-level subdirectories. With this line Squid keeps its cache in /var/spool/squid/cache with a cache size of 100 MB.
** Access Control Lists and Access Control Operators: these two mechanisms block or restrict access based on the destination domain or on the IP address of a host or network. By default Squid refuses to serve anyone, so this has to be configured. It is done with two directives: acl, which names a pattern, and http_access, which allows or denies a named acl. http_access rules are evaluated top to bottom and the first matching rule decides; if no rule matches, the opposite of the last rule applies, which is why every list should end in an explicit http_access deny all.
Example: we allow only the network 172.16.1.0/24 to use the proxy server, with the src keyword in the acl:
acl MyNetwork src 172.16.1.0/255.255.255.0
http_access allow MyNetwork
http_access deny all
+ We can also stop clients from reaching sites that are not allowed, with the dstdomain keyword in the acl, for example:
acl BadDomain dstdomain .yahoo.com
http_access deny BadDomain
http_access deny all
Note the leading dot: dstdomain yahoo.com matches only the host yahoo.com itself, whereas .yahoo.com also matches www.yahoo.com, mail.yahoo.com and every other subdomain.
+ If the list of banned sites gets long, it can be kept in a text file, one entry per line, and referenced from the acl:
acl BadDomain dstdomain "/etc/squid/danhsachcam"
http_access deny BadDomain
+ With this configuration /etc/squid/danhsachcam is a plain text file listing the banned sites, one per line.
+ There can be many acls; each one needs its own http_access rule, and the order matters:
acl MyNetwork src 172.16.1.0/255.255.255.0
acl BadDomain dstdomain .yahoo.com
http_access deny BadDomain
http_access allow MyNetwork
http_access deny all
+ This configuration blocks clients from reaching Yahoo! and lets only the network 172.16.1.0/24 use the proxy. The deny BadDomain rule must come before allow MyNetwork; the other way round, clients on MyNetwork would already be allowed by the earlier rule and the ban would never be reached. http_access deny all: blocks everything not covered by the rules above it.
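The two points above, first-match ordering and the leading dot in dstdomain, are the ones that most often go wrong in a Squid ruleset. The script below is an added example (not Squid code and not from the original guide): a small evaluator written in POSIX sh that imitates how Squid walks http_access rules for the src and dstdomain acl types, so the guide's rule set can be tried against a client address and a destination host offline. The rule sets, addresses and hostnames inside it are the guide's own example plus a deliberately mis-ordered copy.

```shell
#!/bin/sh
# Added example, not Squid source and not from the tutorial: a tiny evaluator
# that imitates how Squid walks http_access rules (top to bottom, first match
# decides, and if nothing matches the opposite of the last rule applies).
# Only the two acl types used above are modelled: src and dstdomain.

# The tutorial's rule set, with the leading dot so subdomains are covered.
GOOD_ORDER='
acl MyNetwork src 172.16.1.0/255.255.255.0
acl BadDomain dstdomain .yahoo.com
http_access deny BadDomain
http_access allow MyNetwork
http_access deny all
'

# The same rules with allow before deny: the allow rule now matches first,
# so MyNetwork reaches Yahoo after all. Kept here to show why order matters.
WRONG_ORDER='
acl MyNetwork src 172.16.1.0/255.255.255.0
acl BadDomain dstdomain .yahoo.com
http_access allow MyNetwork
http_access deny BadDomain
http_access deny all
'
RULES=$GOOD_ORDER

# ip_to_int 172.16.1.5 -> 2886729989
ip_to_int() {
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# mask_to_int accepts a dotted mask (255.255.255.0) or a prefix length (24)
mask_to_int() {
  case "$1" in
    *.*) ip_to_int "$1" ;;
    *)   echo $(( (4294967295 << (32 - $1)) & 4294967295 )) ;;
  esac
}

# in_subnet IP NET/MASK -> true when IP lies inside NET/MASK
in_subnet() {
  net=${2%/*}
  mask=$(mask_to_int "${2#*/}")
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# domain_matches HOST PATTERN -> true when "dstdomain PATTERN" matches HOST.
# ".example.com" matches example.com and every subdomain; a pattern without
# the leading dot matches that exact host only (so "yahoo.com" alone would
# leave www.yahoo.com unblocked).
domain_matches() {
  case "$2" in
    .*) [ "$1" = "${2#.}" ] || [ "${1%"$2"}" != "$1" ] ;;
    *)  [ "$1" = "$2" ] ;;
  esac
}

# acl_matches NAME CLIENT_IP HOST -> true when the named acl matches the request.
# "all" always matches; several "acl NAME ..." lines with the same name are merged.
acl_matches() {
  [ "$1" = all ] && return 0
  name=$1; client=$2; host=$3; found=1
  while read -r _kw aname atype avalues; do
    [ "$aname" = "$name" ] || continue
    found=0
    for v in $avalues; do
      case "$atype" in
        src)       in_subnet "$client" "$v" && return 0 ;;
        dstdomain) domain_matches "$host" "$v" && return 0 ;;
      esac
    done
  done <<EOF
$(printf '%s\n' "$RULES" | grep '^acl ')
EOF
  [ "$found" -eq 0 ] || echo "undefined acl: $name (Squid would refuse to start)" >&2
  return 1
}

# http_access_decide CLIENT_IP HOST -> prints allow or deny
http_access_decide() {
  client=$1; host=$2; last=deny
  while read -r _kw verdict acls; do
    [ -n "$verdict" ] || continue
    last=$verdict; ok=0
    for a in $acls; do
      case "$a" in
        !*) acl_matches "${a#!}" "$client" "$host" && ok=1 ;;  # negated acl
        *)  acl_matches "$a" "$client" "$host" || ok=1 ;;
      esac
      [ "$ok" -eq 0 ] || break
    done
    if [ "$ok" -eq 0 ]; then echo "$verdict"; return 0; fi
  done <<EOF
$(printf '%s\n' "$RULES" | grep '^http_access ')
EOF
  # Nothing matched: Squid applies the opposite of the last rule's verdict.
  if [ "$last" = allow ]; then echo deny; else echo allow; fi
}

# decide_with RULESET CLIENT_IP HOST -> allow|deny for that request under RULESET
decide_with() {
  RULES=$1
  http_access_decide "$2" "$3"
}

decide_with "$GOOD_ORDER"  172.16.1.5 www.yahoo.com    # deny
decide_with "$GOOD_ORDER"  172.16.1.5 www.google.com   # allow
decide_with "$GOOD_ORDER"  10.0.0.9   www.google.com   # deny: not in MyNetwork
decide_with "$WRONG_ORDER" 172.16.1.5 www.yahoo.com    # allow: ordering bug
```

The evaluator is only a model of the two semantics discussed above; on a real server the authoritative check is `squid -k parse` for syntax and a request through the proxy (watching access.log) for behaviour.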
If the proxy cannot reach the Internet directly, has no public IP address, or sits behind a firewall, it must forward its queries to another proxy that does have Internet access, with the cache_peer directive:
cache_peer linuxsrv.mcsevn.com parent 8080 8082
+ With this line the proxy forwards requests to the parent proxy linuxsrv.mcsevn.com (the parent keyword) on its http_port 8080 and icp_port 8082.
If there are several proxy servers on the same network, they can query each other as siblings:
cache_peer proxy2.mcsevn.com sibling 8080 8082
cache_peer proxy3.mcsevn.com sibling 8080 8082
sibling is used for proxies that are peers of each other: a sibling is only asked for objects it already holds, whereas a parent is also used to fetch objects from the origin on our behalf.
4/ Starting Squid:
After installing and configuring Squid, the cache directories must be created before Squid is run for the first time:
squid -z
If creating the cache fails, check the permissions on the cache directory declared in cache_dir; typically the directory is not writable by the user Squid runs as. Fix it with:
chown squid:squid /var/spool/squid
chmod 770 /var/spool/squid
Once the cache directory exists, start and stop Squid with the init script:
/etc/init.d/squid start
/etc/init.d/squid stop
Once Squid is running, to follow and manage client access, or to see what the cache is doing, regularly check these files (under /var/log/squid by default):
****** cache_log (cache.log): warnings and status messages about the cache and the Squid process
****** store_log (store.log): records which objects were added to the cache and which were released or expired
****** access_log (access.log): one line per client request, with the source address, destination URL, timestamp, result code and size; this is the file to examine for policy violations and for abuse of the proxy
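Since access.log is where policy violations and proxy abuse show up, here is an added example (not part of the original guide) of the first checks a practitioner runs over it: awk one-liners over a handful of constructed lines in Squid's native log format. The addresses, sites, timestamps and sizes in the sample are made up for the example; the field layout is Squid's native access.log format.

```shell
#!/bin/sh
# Added example, not from the original tutorial: awk checks over access.log in
# Squid's native format, the first things to look at when hunting for policy
# violations or proxy abuse. The log lines are constructed for this example;
# the addresses, sites and timestamps are illustrative only.
#
# Native access.log fields:
#  1 timestamp  2 elapsed_ms  3 client_ip  4 action/status  5 bytes
#  6 method     7 url         8 ident      9 hierarchy/peer  10 content_type

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
1235461248.123    210 192.168.1.33 TCP_MISS/200 4521 GET http://www.vnexpress.net/ - DIRECT/203.0.113.10 text/html
1235461249.456      5 192.168.1.34 TCP_DENIED/403 1512 GET http://www.yahoo.com/ - NONE/- text/html
1235461250.001     12 192.168.1.34 TCP_DENIED/403 1512 CONNECT mail.yahoo.com:443 - NONE/- text/html
1235461251.789   1500 192.168.1.200 TCP_MISS/200 1048576 GET http://files.example.com/tool.exe - DIRECT/203.0.113.5 application/octet-stream
1235461252.100      8 10.0.0.9 TCP_DENIED/403 1512 CONNECT 203.0.113.9:22 - NONE/- text/html
1235461253.200    330 192.168.1.33 TCP_HIT/200 9021 GET http://www.vnexpress.net/Home/ - NONE/- text/html
1235461254.400     40 192.168.1.33 TCP_MISS/200 8000 CONNECT 198.51.100.7:8080 - DIRECT/198.51.100.7 -
EOF

# denied_by_client LOG -> "count client", most-denied client first.
# A client with many TCP_DENIED lines is either misconfigured or probing the policy.
denied_by_client() {
  awk '$4 ~ /^TCP_DENIED/ { n[$3]++ } END { for (c in n) print n[c], c }' "$1" | sort -rn
}

# connect_non443 LOG -> "client target action/status" for CONNECT tunnels to
# ports other than 443. A 2xx status here means the proxy will tunnel to
# arbitrary TCP services, i.e. "http_access deny CONNECT !SSL_ports" is missing.
connect_non443() {
  awk '$6 == "CONNECT" { split($7, h, ":"); if (h[2] != "443") print $3, $7, $4 }' "$1"
}

# large_downloads LOG MIN_BYTES -> "client bytes url" for responses above MIN_BYTES
large_downloads() {
  awk -v min="$2" '$5 + 0 > min + 0 { print $3, $5, $7 }' "$1"
}

# top_sites LOG -> "count host", busiest destination first (scheme, port and path stripped)
top_sites() {
  awk '{ u = $7; sub("^[a-z]+://", "", u); sub("[:/].*$", "", u); n[u]++ }
       END { for (h in n) print n[h], h }' "$1" | sort -rn
}

denied_by_client "$SAMPLE_LOG"
connect_non443 "$SAMPLE_LOG"
large_downloads "$SAMPLE_LOG" 500000
top_sites "$SAMPLE_LOG"
```

Point the functions at /var/log/squid/access.log (or wherever access_log sends it) instead of the sample file. The last sample line, a CONNECT to port 8080 that the proxy happily tunnelled, is exactly what a missing Safe_ports/SSL_ports rule looks like in the log.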
Some Squid ACL examples (each fragment is meant to be followed by http_access deny all):
Allow web access but block the sites listed in a file:
acl allowip src "/etc/squid/allowip.txt"
acl denywebsite dstdom_regex "/etc/squid/denywebsite.txt"
http_access deny denywebsite
http_access allow allowip
# vi /etc/squid/allowip.txt  >> the client network, e.g. 192.168.1.0/24
# vi /etc/squid/denywebsite.txt  >> one pattern per line, e.g. dantri.com.vn and yahoo.com
# /etc/init.d/squid restart
(dstdom_regex patterns are unanchored regular expressions, so yahoo.com also matches notyahoo.com and the dot matches any character; write (^|\.)yahoo\.com$ when precision matters, or use dstdomain with a leading dot.)
Restrict web access by time of day:
acl home_network src 192.168.1.0/24
acl allow_hours time MTWHF 9:00-17:00
http_access allow home_network allow_hours
Restrict web access by time of day and block specific IPs from browsing at all:
acl home_network src 192.168.1.0/24
acl allow_hours time MTWHF 9:00-17:00
acl RestrictedHost src 192.168.1.200
http_access deny RestrictedHost
http_access allow home_network allow_hours
Restrict web access by time of day but exempt the managers' IPs:
acl home_network src 192.168.1.0/24
acl allow_hours time MTWHF 9:00-17:00
acl AllowHost src "/etc/squid/AllowHost.txt"
http_access allow AllowHost
http_access allow home_network allow_hours
# vi /etc/squid/AllowHost.txt
192.168.1.100
192.168.1.200
Restrict access to a predefined list of websites:
acl home_network src 192.168.1.0/24
acl allow_hours time MTWHF 9:00-17:00
acl GoodSites dstdomain "/etc/squid/GoodSites"
acl BadSites dstdomain "/etc/squid/BadSites"
http_access deny BadSites
http_access allow home_network allow_hours GoodSites
# vi /etc/squid/GoodSites
.vnlamp.com
.vnexpress.net
.dantri.com.vn
# vi /etc/squid/BadSites
.lauxanh.us
.dambut.com
Automatically redirect to a predefined page when a blocked website is requested:
acl home_network src 192.168.1.0/24
acl denywebsite dstdom_regex "/etc/squid/denywebsite.txt"
http_access deny denywebsite
deny_info http://vnlamptest.vn/deny.html denywebsite   >> DNS and httpd must of course be set up for that host
# deny_info http://www.google.com.vn denywebsite        >> redirect to Google instead
# deny_info TCP_RESET denywebsite                        >> reset the TCP connection (blank page)
http_access allow home_network
# vi /var/www/html/deny.html
"This site has been restricted by the administrator"
Restrict file downloads by type:
acl home_network src 192.168.1.0/24
acl blockfiles urlpath_regex "/etc/squid/block.files.acl"
http_access deny blockfiles
http_access allow home_network
or:
acl home_network src 192.168.1.0/24
acl denyfiletypes url_regex -i \.mp3$ \.mpg$ \.mpeg$ \.mp2$ \.avi$ \.wmv$ \.wma$ \.exe$
http_access deny denyfiletypes
http_access allow home_network
(Matching on the URL only catches what the file name says; a download served as http://host/get?id=1 passes. Combine it with rep_mime_type or reply_body_max_size for better coverage.)
Using NCSA authentication (password check):
First create a password file:
# touch /etc/squid/squid_passwd
# chmod o+r /etc/squid/squid_passwd
Use htpasswd to add a user and password to the newly created squid_passwd file:
# htpasswd /etc/squid/squid_passwd u1
New password:
Re-type new password:
Adding password for user u1
# Edit squid.conf:
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
Two cautions. The file holds password hashes, so rather than making it world-readable with o+r, restrict it to root and the account Squid runs as (chown root:squid and chmod 640 is enough for the helper). And Basic authentication sends the username and password base64-encoded, not encrypted, with every request, so it only protects against casual use on a trusted LAN. On 64-bit systems the helper may live in /usr/lib64/squid/, and from Squid 3.2 it is called basic_ncsa_auth.
Allow an IP range to reach only fixed websites:
acl allow_domains dstdomain "/etc/squid/local/accesslocal.txt"
acl iplocal src "/etc/squid/local/iplocal.txt"
http_access deny iplocal !allow_domains
http_access allow iplocal
# vi /etc/squid/local/accesslocal.txt
.vnexpress.net
.tuoitre.com.vn
# vi /etc/squid/local/iplocal.txt
192.168.1.0/24
Block Yahoo Messenger:
acl aclyahoo dstdomain pager.yahoo.com
acl aclyahoo dstdomain shttp.msg.yahoo.com
acl aclyahoo dstdomain update.pager.yahoo.com
acl aclyahoo dstdomain scsa.yahoo.com
acl aclyahoo dstdomain msg.yahoo.com
http_access deny aclyahoo
Block downloads of 10 MB or more:
acl home_network src 192.168.2.0/24
acl denywebsite dstdom_regex "/etc/squid/denywebsite.txt"
http_access deny denywebsite
deny_info http://www.google.com.vn denywebsite
reply_body_max_size 10000000 allow home_network
http_access allow home_network
http_access deny all
icp_access allow all
(icp_access allow all accepts ICP queries from any host; restrict it to your cache_peer hosts, or deny it altogether when there are none.)
Configuring Squid for bandwidth control
Step 1: add the following to the Squid configuration file:
# vi /etc/squid/squid.conf
# Add Control Bandwith
acl ip src "/etc/squid/ip.txt"      # the IPs in ip.txt are rate limited
acl all src 0.0.0.0/0.0.0.0
# Add Control Bandwith
delay_pools 1
delay_class 1 2
delay_access 1 allow ip
delay_access 1 deny all
delay_parameters 1 -1/-1 15000/15000
With delay_parameters 1 -1/-1 15000/15000 each listed client is limited to 15000 bytes per second, about 15 KB/s (roughly 120 kbit/s, not 15 kbit/s). delay_parameters values are bytes per second: the first pair, -1/-1, means no aggregate limit for the pool, and the second pair is the per-host limit of a class 2 pool (the values are restore rate and bucket size).
Step 2: create ip.txt as follows:
# vi /etc/squid/ip.txt
192.168.1.33
192.168.1.34
The IPs in ip.txt are then capped at 15000 bytes per second (about 15 KB/s) each.
# Block online streaming of Audio/Video
acl BlockExt url_regex -i \.mp3$ \.asx$ \.wma$ \.wmv$ \.avi$ \.mpeg$ \.mpg$ \.qt$ \.ram$ \.rm$ \.iso$ \.wav$ \.exe$
acl webRadioReq1 req_mime_type -i ^video/x-ms-asf$
acl webRadioReq2 req_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl webRadioReq3 req_mime_type -i ^application/x-mms-framed$
acl webRadioRep1 rep_mime_type -i ^video/x-ms-asf$
acl webRadioRep2 rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl webRadioRep3 rep_mime_type -i ^application/x-mms-framed$
acl WMP browser Windows-Media-Player/*
# UtentiGold (the src acl of exempted client IPs, see the notes below) must be defined before it is used here
http_access deny BlockExt !UtentiGold
http_access deny WMP all
http_access deny webRadioReq1 all
http_access deny webRadioReq2 all
http_access deny webRadioReq3 all
http_reply_access deny webRadioRep1 all
http_reply_access deny webRadioRep2 all
http_reply_access deny webRadioRep3 all
(1. Added the extensions .wma and .wmv at the following line, so it's impossible to download these file types
acl BloccoExt url_regex -i \.mp3$ \.asx$ \.wma$ \.wmv$ \.avi$ \.mpeg$ \.mpg$ \.qt$ \.ram$ \.rm$ \.iso$ \.wav$ \.exe$
2. Created acl for the other two (2) mime types (maybe not necessary)
acl webRadioReq1 req_mime_type -i ^video/x-ms-asf$
acl webRadioReq2 req_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl webRadioReq3 req_mime_type -i ^application/x-mms-framed$
acl webRadioRep1 rep_mime_type -i ^video/x-ms-asf$
acl webRadioRep2 rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl webRadioRep3 rep_mime_type -i ^application/x-mms-framed$
3. Added this too...
acl WMP browser Windows-Media-Player/*
4. Created following rules
http_access deny BloccoExt !UtentiGold
http_access deny WMP !UtentiGold
http_access deny webRadioReq1 !UtentiGold
http_access deny webRadioReq2 !UtentiGold
http_access deny webRadioReq3 !UtentiGold
http_reply_access deny webRadioRep1 !UtentiGold
http_reply_access deny webRadioRep2 !UtentiGold
http_reply_access deny webRadioRep3 !UtentiGold
Notes: UtentiGold is an ip list of privileged users (CEO, etc.)
In this mode, if I'm not a privileged user, I'm not able to open web radio (example http://bbwms.libero.it/lifegate) with IE6 and WMP9, clicking on a link or typing the url)
All-in-one proxy (Squid + SquidGuard + IPTables + Sarg + Webmin)
________________________________________
Network Topology: [diagram not reproduced in this transcript]
I. Install Squid
Code:
[root@ProxyServer ~]# yum -y install squid
Complete!
[root@ProxyServer ~]# vi /etc/squid/squid.conf
http_port 3128                                   # line 73: change
cache_mem 512 MB                                 # RAM/3
cache_dir ufs /hdd160G/squid/cache 10000 16 256
access_log /hdd160G/squid/log/access.log squid
cache_log /hdd160G/squid/log/cache.log
cache_store_log /hdd160G/squid/log/store.log
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl MyNetwork1 src 192.168.0.0/255.255.255.0
acl MyNetwork2 src 192.168.1.0/255.255.255.0
acl MyNetwork3 src 192.168.2.0/255.255.255.0
http_access allow manager MyNetwork1
http_access allow manager MyNetwork2
http_access allow manager MyNetwork3
http_access allow MyNetwork1
http_access allow MyNetwork2
http_access allow MyNetwork3
http_access deny all
[root@ProxyServer ~]# service squid start
init_cache_dir /var/spool/squid... Starting squid: [ OK ]
[root@ProxyServer ~]# chkconfig squid on
Note that the init script only initialises /var/spool/squid: /hdd160G/squid/cache and /hdd160G/squid/log must exist and be owned by the squid user, and squid -z must be run once to create the swap directories there, otherwise Squid refuses to start.
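The http_access list above leaves two gaps that Squid's stock squid.conf closes. Safe_ports, SSL_ports and CONNECT are defined but never referenced, so any client in MyNetwork1..3 can ask the proxy to CONNECT to any TCP port (SSH, SMTP, a neighbour's RDP), and allow manager MyNetworkN exposes the cache manager interface (statistics, client addresses, the running configuration) to every LAN host. The fragment below is an added, corrected ordering, not from the original post; it uses only the acl names defined above. Verify it with squid -k parse and load it with squid -k reconfigure.

```conf
# Weak (as configured above): port acls unused, cache manager open to the whole LAN
#http_access allow manager MyNetwork1
#http_access allow manager MyNetwork2
#http_access allow manager MyNetwork3
#http_access allow MyNetwork1
#http_access allow MyNetwork2
#http_access allow MyNetwork3
#http_access deny all

# Corrected: Squid's stock ordering, with the LAN allowed only after the port checks
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow MyNetwork1
http_access allow MyNetwork2
http_access allow MyNetwork3
http_access deny all
```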
II. Install SquidGuard
Code:
[root@ProxyServer ~]# yum -y install squidguard
Complete!
[root@ProxyServer ~]# vi /usr/local/squidGuard/squidGuard.conf
dbhome /usr/local/squidGuard/db
logdir /usr/local/squidGuard/log
time workhours {
    weekly mtwhf 08:00-16:30
    date *-*-01 08:00-16:30
}
destination bl_hacking {
    domainlist blacklists/hacking/domains
    urllist blacklists/hacking/urls
}
rew dmz {
    s@://admin/@://admin.foo.bar.de/@i
    s@://foo.bar.de/@://www.foo.bar.de/@i
}
src admin {
    ip 1.2.3.4 1.2.3.5
    user root foo bar
    within workhours
}
src foo-clients {
    ip 172.16.2.32-172.16.2.100 172.16.2.100-172.16.2.200
}
src bar-clients {
    ip 192.168.2.0/26
}
dest good {
}
dest local {
}
acl {
    admin {
        pass any
    }
    foo-clients within workhours {
        pass good !in-addr any
    } else {
        pass all
    }
    bar-clients {
        pass !bl_hacking all
    }
    default {
        pass !bl_hacking all
        rewrite dmz
        redirect http://www.google.com
    }
}
This is the stock example shipped with squidGuard (the foo.bar.de hosts and 1.2.3.x addresses are placeholders): replace the src blocks with your own networks, and remember that Squid does not call squidGuard until squid.conf points at it with url_rewrite_program (redirect_program on older Squid 2.x), giving the path of the squidGuard binary and -c with this configuration file.
III. Config IPTables
This step is quite important in practice. The Linux LPI exam does not ask about it. You also need to add rules for mail (Outlook) to get in and out. I once got stuck on this, see http://nhatnghe.vn/forum/showthread.php?t=8977
Code:
[root@ProxyServer ~]# vi /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Tue Feb 24 16:40:48 2009
*filter
:INPUT ACCEPT [11305:6933866]
:FORWARD ACCEPT [463:57229]
:OUTPUT ACCEPT [10851:7011776]
-A FORWARD -s 192.168.0.3 -d 192.168.2.1 -i eth1 -o eth2 -p tcp -m state --state NEW -j ACCEPT
-A FORWARD -s 192.168.0.3 -d 192.168.2.1 -i eth1 -o eth2 -p udp -m state --state NEW -j ACCEPT
COMMIT
# Completed on Tue Feb 24 16:40:48 2009
# Generated by iptables-save v1.3.5 on Tue Feb 24 16:40:48 2009
*mangle
:PREROUTING ACCEPT [11768:6991095]
:INPUT ACCEPT [11305:6933866]
:FORWARD ACCEPT [463:57229]
:OUTPUT ACCEPT [10851:7011776]
:POSTROUTING ACCEPT [11324:7069325]
COMMIT
# Completed on Tue Feb 24 16:40:48 2009
# Generated by iptables-save v1.3.5 on Tue Feb 24 16:40:48 2009
*nat
:PREROUTING ACCEPT [335:40971]
:POSTROUTING ACCEPT [5:268]
:OUTPUT ACCEPT [149:8897]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth2 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth1 -p tcp -j DNAT --to-destination 192.168.2.1
-A PREROUTING -i eth1 -p udp -j DNAT --to-destination 192.168.2.1
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Tue Feb 24 16:40:48 2009
# Generated by iptables-save v1.3.5 on Tue Feb 24 16:40:48 2009
*raw
:PREROUTING ACCEPT [11768:6991095]
:OUTPUT ACCEPT [10851:7011776]
COMMIT
# Completed on Tue Feb 24 16:40:48 2009
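Three things in the saved ruleset above deserve attention before it goes near a real network. The filter table's INPUT and FORWARD policies are ACCEPT with no further rules, so the host and everything routed through it are wide open; the two DNAT rules on eth1 forward every TCP and UDP port to 192.168.2.1, publishing that whole host instead of the mail ports the text mentions; and REDIRECT to 3128 only works when the receiving http_port is marked for interception (http_port 3128 transparent on Squid 2.6/3.0, intercept on 3.1 and later), which the squid.conf above does not do. The following is an added, tightened version and is not part of the original post. It assumes, from the MASQUERADE and DNAT rules, that eth1 faces the upstream network and eth0/eth2 are the internal segments, and it assumes the service published on 192.168.2.1 is mail on TCP 25 and 110; check both against your topology before loading it with iptables-restore.

```conf
# /etc/sysconfig/iptables, tightened. Assumed: eth1 = upstream, eth0/eth2 = inside,
# 192.168.2.1 = mail server (TCP 25/110). Adjust before use.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# proxy port (explicit and intercepted) only from the inside interfaces
-A INPUT -i eth0 -p tcp --dport 3128 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 3128 -j ACCEPT
# SSH and Webmin only from the admin segment (assumed to be eth0)
-A INPUT -i eth0 -p tcp -m multiport --dports 22,10000 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# inside -> upstream, new connections
-A FORWARD -i eth0 -o eth1 -m state --state NEW -j ACCEPT
-A FORWARD -i eth2 -o eth1 -m state --state NEW -j ACCEPT
# published mail host: only the DNATed ports, not every port
-A FORWARD -i eth1 -o eth2 -d 192.168.2.1 -p tcp -m multiport --dports 25,110 -m state --state NEW -j ACCEPT
-A FORWARD -s 192.168.0.3 -d 192.168.2.1 -i eth1 -o eth2 -p tcp -m state --state NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# intercept web traffic from the inside only; needs "http_port 3128 transparent" in squid.conf
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to-ports 3128
# publish only the mail ports instead of all of TCP and UDP
-A PREROUTING -i eth1 -p tcp -m multiport --dports 25,110 -j DNAT --to-destination 192.168.2.1
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
```

The REDIRECT on eth1 from the original is dropped on purpose: intercepting port 80 on the upstream side turns the box into an intercepting proxy for anyone who can route traffic through it.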
IV. Install Sarg
Code:
[root@ProxyServer ~]# yum -y install sarg
Complete!
[root@ProxyServer ~]# vi /etc/sarg/sarg.conf
access_log /hdd160G/squid/log/access.log
Sarg (Squid Analysis Report Generator) is a tool that lets you see "where" your users are going on the Internet. It reports on Squid users' activity: times, bytes, sites, etc.
V. Install Webmin
Code:
[root@ProxyServer ~]# wget http://jaist.dl.sourceforge.net/sour...01.noarch.rpm
[root@ProxyServer ~]# rpm -Uvh webmin-1.360-1.noarch.rpm
Webmin install complete. You can now login to https://ns.serverlinux.info:10000/ as root with your root password.
[root@ProxyServer ~]# vi /etc/webmin/miniserv.conf
allow=127.0.0.1 192.168.0.0/24    # bottom: add the IPs you permit to access
[root@ProxyServer ~]# wget http://www.niemueller.de/webmin/modules/squidguard/squidguard-0.91.2.wbm.gz
The installation is quite simple: log into Webmin as admin (or whatever you called the administrative user), go to the Webmin tab and choose "Webmin Configuration". Click "Webmin Modules", give the file in the first box (any installation method should work) and hit Install. The module is then installed.
Webmin runs as root and accepts the root password, so the allow= line is the only thing limiting who can reach it: keep it to the admin network and never expose port 10000 on the upstream interface.
VI. Other config
Log rotation
In the lab you can skip this step, but in production skipping it means the proxy eventually falls over: unrotated Squid logs grow without bound until the disk fills. In this article we moved the cache and logs to the 160 GB HDD rather than the default folder.
Code:
[root@ProxyServer ~]# vi /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# use date as a suffix of the rotated file
dateext
# uncomment this if you want your log files compressed
#compress
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
    rotate 1
}
/var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    rotate 1
}
# system-specific logs may be also be configured here.
Code:
[root@ProxyServer ~]# vi /etc/logrotate.d/squid
/hdd160G/squid/log/access.log {
    weekly
    rotate 5
    copytruncate
    compress
    notifempty
    missingok
}
/hdd160G/squid/log/cache.log {
    weekly
    rotate 5
    copytruncate
    compress
    notifempty
    missingok
}
/hdd160G/squid/log/store.log {
    weekly
    rotate 5
    copytruncate
    compress
    notifempty
    missingok
    # This script asks squid to rotate its logs on its own.
    # Restarting squid is a long process and it is not worth
    # doing it just to rotate logs
    postrotate
        /usr/sbin/squid -k rotate
    endscript
}
copytruncate and squid -k rotate both rotate the same file, so use one or the other: with copytruncate alone Squid keeps writing to the truncated file and the postrotate stanza can be dropped; with squid -k rotate alone, drop copytruncate and let logfile_rotate in squid.conf decide how many generations to keep.
How to configure Internet Explorer to use a proxy server
IE > Tools > Internet Options > Connections > LAN Settings:
1. On the Tools menu in Internet Explorer, click Internet Options, click the Connections tab, and then click LAN Settings.
2. Under Proxy server, select the "Use a proxy server for your LAN" check box.
3. In the Address box, type the IP address of the proxy server: 192.168.0.1.
4. In the Port box, type 3128, the port Squid uses for client connections (the dialog's default value is 8080).
5. You can select "Bypass proxy server for local addresses" if you do not want the proxy to be used when you connect to a computer on the local network (this may speed things up).
6. Click OK to close the LAN Settings dialog box.
7. Click OK again to close the Internet Options dialog box.
Finally restart the services on the proxy:
service squid restart
service httpd restart
service network restart
service iptables restart