
Detailed configuration and introduction of the Squid proxy server

2025-04-13 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/02 Report--

Security code: heaven rewards hard work and rushes to the other side of the ideal

Brief introduction:

Squid is the most commonly used open source proxy service software on Linux systems.

(official website: http://www.squid-cache.org)

It provides caching proxies for HTTP and FTP, and can also handle DNS lookups, SSL and other applications.

As an application-layer proxy service, Squid mainly provides two functions at the application layer: cache acceleration and filtering control.

How the proxy works

When a client requests a web page through a proxy, the designated proxy server first checks its own cache. If the page the client needs is already in the cache, the proxy returns the cached page content to the client directly; if the page is not in the cache, the proxy server sends the request to the Internet itself. When the page comes back, the proxy saves the page data in its cache and then sends it to the client.

The objects an HTTP proxy accelerates are mainly static web elements such as text and images. When the same client visits the same web application in different sessions, or when different clients visit the same web application, the results can be served directly from the proxy server's cache. This greatly reduces the number of repeated requests for the same web pages that have to be sent to the Internet, and improves the client's response time.

Because the client's web requests are actually made by the proxy server on its behalf, the proxy hides the user's real IP address, which provides a certain degree of security protection.

Basic types of proxy:

1. Traditional proxy:

The proxy server's IP address and port must be set manually in each client application (browser, QQ chat tool, download tool, and so on).

Only then can that application reach the network through the proxy.

Traditional proxies are suitable for Internet environments.

2. Transparent proxy:

A transparent proxy works like a traditional proxy; the main difference is that the client does not need to specify the proxy server's address and port. Instead, the client's web requests to port 80 are redirected to port 3128 of the proxy server by the default route and a firewall policy. The redirection is transparent to the client.

Transparent proxies are used in LAN environments.

Installing and configuring the Squid service, with the commands used

Version of Squid used here: 3.4.6

Squid 3.4.11 features: helper protocol extensions, SSL server certificate validator, Store-ID, transaction annotations, multicast DNS

1. Setting up a traditional proxy service

1. Compile and install Squid

The options passed to the configure step of the compilation are as follows:

--prefix=/usr/local/squid // installation directory

--sysconfdir=/etc // put the configuration file in a separate directory

--enable-arp-acl // lets rules match clients directly by MAC address, so a client cannot get around them by spoofing its IP

--enable-linux-netfilter // use kernel (netfilter) filtering

--enable-linux-tproxy // support transparent mode

--enable-async-io=value // asynchronous I/O, to improve storage performance

--enable-err-language="Simplify_Chinese" // language of the error pages shown to clients

--enable-underscore // allow underscores in URLs

--enable-poll // use poll() mode to improve performance

--enable-gnuregex // use GNU regular expressions

After installation, create the symbolic links to the binaries, and the user and group that Squid runs as.
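The whole build step, written out as an added example (not the article's own commands): the configure options listed above, followed by the link, user and group creation. The source location /usr/src/squid-3.4.6, the thread count given to --enable-async-io, and the link targets under /usr/local are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: build Squid from source with the
# configure options listed above, then create the link, user and group that the
# post-install step refers to. Assumes the squid-3.4.6 source has been unpacked
# into /usr/src/squid-3.4.6 (assumed path).
set -eu

SQUID_SRC=${SQUID_SRC:-/usr/src/squid-3.4.6}   # assumed unpack location
SQUID_PREFIX=/usr/local/squid
SQUID_USER=squid

# The configure options from the article, one per line so each can be reviewed.
# --enable-async-io takes a thread count; 100 is an assumed value.
configure_args() {
    cat <<EOF
--prefix=$SQUID_PREFIX
--sysconfdir=/etc
--enable-arp-acl
--enable-linux-netfilter
--enable-linux-tproxy
--enable-async-io=100
--enable-err-language=Simplify_Chinese
--enable-underscore
--enable-poll
--enable-gnuregex
EOF
}

count_configure_args() { configure_args | wc -l | tr -d ' '; }

build_squid() {
    cd "$SQUID_SRC"
    # shellcheck disable=SC2046   (word splitting of the option list is intended)
    ./configure $(configure_args)
    make
    make install
}

post_install() {
    # Put the squid binaries on PATH without editing PATH for every user.
    ln -sf "$SQUID_PREFIX/sbin/squid" /usr/local/sbin/squid
    ln -sf "$SQUID_PREFIX/bin/squidclient" /usr/local/bin/squidclient
    # Unprivileged account squid drops to: no login shell, no home directory.
    id "$SQUID_USER" >/dev/null 2>&1 || useradd -M -s /sbin/nologin "$SQUID_USER"
    # Cache and log directories must be writable by that account.
    chown -R "$SQUID_USER:$SQUID_USER" "$SQUID_PREFIX/var"
}

# Run as: sh build_squid.sh run   (defines the functions only when called without "run")
if [ "${1:-}" = "run" ]; then
    build_squid
    post_install
fi
```

Running squid as a dedicated unprivileged account matters because the cache_effective_user setting in squid.conf must name an existing user; the daemon keeps root only long enough to bind its port.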

2. Squid configuration file

The Squid configuration file is located at /etc/squid.conf. For more detailed configuration items, refer to the /etc/squid.conf.documented file.

3. Squid operation control

(1) Check whether the configuration file syntax is correct

(2) Start and stop Squid

The cache directory is initialized automatically the first time the Squid service is started. Where no Squid service script is available, the squid program can also be invoked directly to start the service, in which case the cache directory must be initialized first.

(3) Use a Squid service script

To make starting, stopping, reloading and other operations on the Squid service more convenient, and to manage it with the chkconfig and service tools, write a service script.

Give the written script execute permission, then add the squid program as a system service.

Add a firewall rule on the Squid server that allows clients to reach web sites through the Squid proxy.
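A service script of the kind described in steps (1) to (3), together with the firewall rule, as an added example that is not the article's own script. It assumes the build above (binary under /usr/local/squid, config at /etc/squid.conf) and that the pid file lives under /usr/local/squid/var/run; the chkconfig header levels are assumptions too.

```shell
#!/bin/sh
# /etc/init.d/squid -- added example service script, not the article's own.
# chkconfig: 2345 90 25
# description: Squid caching proxy
# Assumed locations: binary and var directory under /usr/local/squid, config in /etc.
SQUID=/usr/local/squid/sbin/squid
CONF=/etc/squid.conf
PIDFILE=${PIDFILE:-/usr/local/squid/var/run/squid.pid}   # assumed pid_filename
CACHE_DIR=/usr/local/squid/var/cache

squid_pid() {
    # Print the pid from the pid file if that process is alive; fail otherwise.
    [ -r "$PIDFILE" ] || return 1
    pid=$(cat "$PIDFILE")
    kill -0 "$pid" 2>/dev/null || return 1
    echo "$pid"
}

squid_start() {
    if squid_pid >/dev/null; then echo "squid is already running"; return 0; fi
    # Refuse to start on a broken config instead of failing later with no output.
    "$SQUID" -k parse -f "$CONF" || { echo "config error in $CONF"; return 1; }
    # First start: the cache directory has to be created before it can be used.
    [ -d "$CACHE_DIR/00" ] || "$SQUID" -z -f "$CONF"
    "$SQUID" -f "$CONF"
    echo "squid started"
}

squid_stop() {
    if squid_pid >/dev/null; then
        "$SQUID" -k shutdown -f "$CONF"
        # Wait until the process has finished draining client connections.
        while squid_pid >/dev/null; do sleep 1; done
        echo "squid stopped"
    else
        echo "squid is not running"
    fi
}

squid_reload() {
    # Parse first so a typo in squid.conf does not take the running proxy down.
    "$SQUID" -k parse -f "$CONF" && "$SQUID" -k reconfigure -f "$CONF"
}

squid_status() {
    if pid=$(squid_pid); then echo "squid (pid $pid) is running"; return 0; fi
    echo "squid is stopped"; return 3
}

# The firewall rule from the article: let clients reach the proxy port.
allow_proxy_port() { iptables -I INPUT -p tcp --dport 3128 -j ACCEPT; }

case "${1:-}" in
    start)    squid_start ;;
    stop)     squid_stop ;;
    restart)  squid_stop; squid_start ;;
    reload)   squid_reload ;;
    status)   squid_status ;;
    firewall) allow_proxy_port ;;
    "")       ;;   # run without arguments: only define the functions
    *)        echo "Usage: $0 {start|stop|restart|reload|status|firewall}"; exit 2 ;;
esac
```

Install it with chmod +x /etc/init.d/squid and chkconfig --add squid, after which service squid start|stop|reload|status works. The -k parse check before both start and reload is the part worth keeping even if the rest is rewritten for systemd.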

Proxy configuration on the client

Note: if the client is Linux and a program such as the elinks web browser or the wget download tool is to use the proxy server, the proxy's address, port and other details must be given through environment variables.

Verifying the traditional proxy service

(1) View the new records in the Squid access log

tail /usr/local/squid/var/logs/access.log

The Squid server's access log shows a record of the client 172.16.16.110 accessing the web server 172.16.16.172.

(2) View the new records in the web server's access log

tail /var/log/httpd/access_log

On the web server that was visited, the access log shows the request coming from the proxy server 172.16.16.22. This shows that when a proxy server is used, the web server does not learn the client's real IP address, because the proxy server makes the request on the client's behalf.

The IP address 172.16.16.22 is the address of the proxy server.
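Reading the two logs by eye works for one request; for a real check it helps to summarise Squid's native access.log format. The following is an added example, not part of the article: a few awk helpers run over constructed sample records that use the article's addresses (the records themselves are made up). The functions read log text from stdin, so they work equally on tail output from the real file.

```shell
#!/bin/sh
# Added example (not from the article): summarise Squid's native access.log so a
# proxy deployment can be verified from the log rather than by eye.
# Native format, one request per line:
#   <epoch.ms> <elapsed ms> <client ip> <result/status> <bytes> <method> <url> <ident> <hierarchy/peer> <type>
# The records below are constructed sample data, not real log output.
SAMPLE_LOG='1718000000.101    312 172.16.16.110 TCP_MISS/200 5120 GET http://172.16.16.172/ - HIER_DIRECT/172.16.16.172 text/html
1718000000.412      3 172.16.16.110 TCP_HIT/200 5120 GET http://172.16.16.172/ - HIER_NONE/- text/html
1718000001.220     88 172.16.16.111 TCP_MISS/403 1024 GET http://172.16.16.172/admin/ - HIER_DIRECT/172.16.16.172 text/html
1718000002.007      2 172.16.16.111 TCP_MEM_HIT/200 640 GET http://172.16.16.172/logo.png - HIER_NONE/- image/png'

# Print "client origin_host count" for each client/origin pair in the log text on
# stdin. The origin host is taken from the URL so it can be matched against the web
# server's own access_log, which records only the proxy's address.
client_origin_pairs() {
    awk '{
        url = $7
        sub("^[a-z]+://", "", url); sub("[/:].*$", "", url)   # scheme://host[:port]/path -> host
        pair[$3 " " url]++
    }
    END { for (k in pair) print k, pair[k] }' | sort
}

# Count records whose result code (TCP_HIT, TCP_MEM_HIT, TCP_MISS, ...) matches a
# pattern; e.g. count_result "_HIT/" shows whether caching actually takes effect.
count_result() {
    awk -v p="$1" '$4 ~ p { n++ } END { print n + 0 }'
}

# Print requests the proxy answered with a non-2xx status: a quick way to spot
# clients being refused by http_access rules (403) or unreachable origins (5xx).
non_success() {
    awk '{ split($4, rs, "/"); if (rs[2] !~ /^2/) print $3, rs[2], $7 }'
}

summarize() {
    echo "== requests per client and origin =="
    printf '%s\n' "$SAMPLE_LOG" | client_origin_pairs
    echo "== cache hits: $(printf '%s\n' "$SAMPLE_LOG" | count_result '_HIT/') of $(printf '%s\n' "$SAMPLE_LOG" | count_result '.') requests"
    echo "== non-2xx responses =="
    printf '%s\n' "$SAMPLE_LOG" | non_success
}

# Real use: tail -n 200 /usr/local/squid/var/logs/access.log | client_origin_pairs
if [ "${1:-}" = "run" ]; then summarize; fi
```

The client/origin table is what the web server's log cannot give you once a proxy is in front of it, so it is also the place to look when an origin owner asks which internal host made a particular request.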

2. Setting up a transparent proxy service

On the Linux gateway, build the Squid proxy service so that it serves the LAN clients' access to the Internet.

On the LAN clients, only the IP address and default gateway need to be configured correctly.

1. Configure Squid to support transparent proxying

Squid's default configuration does not support transparent proxying, so the configuration file must be changed. For Squid 2.6 and above, it is enough to add the transparent option to the http_port configuration line.

2. Set the iptables redirection policy

Note: in the transparent proxy setup the Squid server runs on the Linux gateway host, so a firewall policy is needed to hand the packets of clients accessing the external network to the Squid server. This is done with a REDIRECT rule on the firewall, which maps the port the clients use to reach the Internet to port 3128 of the Squid server.

Note: REDIRECT is also a packet control type; it can only be used in the PREROUTING or OUTPUT chain of the nat table, or in a chain called from them.

Note: routing and forwarding must also be enabled at this point, otherwise no data will get through.
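The gateway-side commands for steps 1 and 2, as an added example that is not the article's own. The LAN interface name eth1 and the network 192.168.4.0/24 are assumptions based on the 192.168.4.x client address the article uses; the script prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not from the article): gateway-side setup for the transparent
# proxy. Assumes the LAN is behind eth1 as 192.168.4.0/24 (both assumed) and that
# squid.conf already contains "http_port 3128 transparent".
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.4.0/24}
SQUID_PORT=3128

# Emit the commands rather than running them, so they can be reviewed or piped to sh.
redirect_rules() {
    cat <<EOF
# 1. Let the gateway forward packets at all; without this the LAN is cut off.
sysctl -w net.ipv4.ip_forward=1
# 2. REDIRECT is only valid in nat PREROUTING/OUTPUT: rewrite LAN web traffic to squid's port.
iptables -t nat -I PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
# 3. Accept the redirected connections on the proxy port itself.
iptables -I INPUT -i $LAN_IF -p tcp --dport $SQUID_PORT -j ACCEPT
EOF
}

# Persist the forwarding switch so it survives a reboot.
persist_forwarding() {
    grep -q '^net.ipv4.ip_forward *= *1' /etc/sysctl.conf 2>/dev/null ||
        echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
}

# Number of command lines (comments excluded) the generator produces.
rule_count() { redirect_rules | grep -vc '^#'; }

# Review:  sh transparent.sh            Apply:  sh transparent.sh apply
if [ "${1:-}" = "apply" ]; then
    redirect_rules | sh -e
    persist_forwarding
else
    redirect_rules
fi
```

Restricting the rule with -i and -s keeps the REDIRECT from catching traffic the gateway itself originates. Only port 80 is intercepted; everything else still depends on the gateway's own forwarding and NAT rules, which the article does not cover.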

3. Verify the transparent proxy

Note: first clear any manual proxy settings on the client.

Verification results:

The Squid proxy server's log shows the client 192.168.4.110 accessing the target web site 172.16.16.172.

The web server that was visited records the access as coming from the proxy server's IP address 172.16.16.1, so the client's real IP is hidden.

3. ACL access control

Requests can be filtered by source address, destination address, the URL path accessed, the time of access, and other conditions.

ACL access control is set up in two steps: first, acl configuration items define the conditions to be controlled; second, http_access configuration items allow or deny access for the lists so defined.

1. Define access control lists

acl <list name> <list type> <list content>

Common access control list types:

src: source IP address, network segment, or IP address range

dst: destination IP address, network segment, or host name

port: destination port

dstdomain: destination domain, matching all sites within that domain

time: the time period during which the proxy service may be used

maxconn: the number of concurrent connections per client

url_regex: the URL of the target resource; -i means case is ignored

urlpath_regex: the entire URL path of the target resource

2. Set access permissions

http_access allow|deny <list name>. To invert the match for a list name, prefix it with the ! symbol.

Verify the access control results
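The configuration file from section 1 (step 2) and the ACL rules from this section, combined in one worked example that is added here and is not the article's own config. It writes a minimal /etc/squid.conf covering each listed ACL type plus http_access rules with the ! inversion, then checks the result with squid -k parse. The article's addresses are used; the hostname, time window, blocked domain, regular expressions and connection limit are assumed values chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the article): write a minimal /etc/squid.conf for the
# traditional proxy of section 1 and the ACL rules of section 3, then check it with
# "squid -k parse". Addresses come from the article; everything else is assumed.
write_squid_conf() {
    conf=${1:-/etc/squid.conf}
    cat > "$conf" <<'EOF'
# --- basic proxy settings (section 1); add "transparent" to http_port for section 2 ---
http_port 3128
cache_effective_user squid
visible_hostname proxy.example.local
cache_mem 64 MB
cache_dir ufs /usr/local/squid/var/cache 100 16 256
access_log /usr/local/squid/var/logs/access.log squid
maximum_object_size 4096 KB

# --- ACL definitions (section 3): acl <name> <type> <content> ---
acl localnet  src 172.16.16.0/24 192.168.4.0/24
acl webserver dst 172.16.16.172
acl Safe_ports port 80 443 21
acl blocked   dstdomain .example-ads.test
# days: S M T W H F A; here Monday to Friday, office hours
acl worktime  time MTWHF 08:30-18:00
acl maxconn20 maxconn 20
acl media     url_regex -i \.(mp4|avi|mkv)$
acl admin_url urlpath_regex -i ^/admin/

# --- rules (section 3): the first matching http_access line wins, so order matters ---
# "!" inverts a list: deny anything whose destination port is NOT in Safe_ports
http_access deny  !Safe_ports
http_access deny  blocked
# several lists on one line must all match: a localnet client over 20 connections
http_access deny  localnet maxconn20
http_access deny  media
# admin paths are allowed only on our own web server
http_access deny  admin_url !webserver
http_access allow localnet worktime
# the final deny catches everything the rules above did not explicitly allow
http_access deny  all
EOF
    echo "$conf"
}

check_squid_conf() {
    # Only meaningful on a host with squid installed; reports "skipped" otherwise.
    if command -v squid >/dev/null 2>&1; then
        squid -k parse -f "$1"
    else
        echo "squid not installed, skipped parse of $1" >&2
    fi
}

# Number of http_access lines in a config file, a cheap sanity check.
count_rules() { grep -c '^http_access' "$1"; }

# Usage: sh squid_conf.sh write [/path/to/squid.conf]
if [ "${1:-}" = "write" ]; then
    f=$(write_squid_conf "${2:-/etc/squid.conf}")
    check_squid_conf "$f"
fi
```

The order of the http_access lines is the part to verify: because the first match wins, an allow placed above the maxconn or admin_url deny would silently switch those denies off. After writing the file, run service squid reload (the script above parses before reconfiguring) and repeat the access-log check from section 1 from a client inside and outside the worktime window.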
