
How to resolve the configuration of squid

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article walks through the squid configuration file: the structure of squid.conf, the handful of options that matter for a small or medium-sized network, a worked example, the remaining options by category, user authentication helpers, and transparent proxying.

4.1 Common configuration options

As shipped, the default configuration file will not let squid serve any clients (its default access rules deny everyone), so a few options must be edited before squid is useful.

Let's take a look at the structure of the squid.conf file and some common options:

The squid.conf configuration file can be divided into thirteen sections:

1.NETWORK OPTIONS (related network options)

2.OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM (related options for neighbor selection algorithms)

3.OPTIONS WHICH AFFECT THE CACHE SIZE (options for defining cache size)

4.LOGFILE PATHNAMES AND CACHE DIRECTORIES (defines the path of the log file and the directory of the cache)

5.OPTIONS FOR EXTERNAL SUPPORT PROGRAMS (external support program option)

6.OPTIONS FOR TUNING THE CACHE (adjust options for cache)

7.TIMEOUTS (timeout)

8.ACCESS CONTROLS (access Control)

9.ADMINISTRATIVE PARAMETERS (management parameters)

10.OPTIONS FOR THE CACHE REGISTRATION SERVICE (cache Registration Service option)

11.HTTPD-ACCELERATOR OPTIONS (HTTPD acceleration option)

12.MISCELLANEOUS (Miscellaneous)

13.DELAY POOL PARAMETERS (delay pool parameter)

Although squid's configuration file is large, if you are only providing proxy service for a small or medium-sized network from a single server, only a few options need to be changed. These common options are:

1.http_port

Description: defines the port on which squid listens for HTTP client connections. The default is 3128, or 80 when HTTPD acceleration mode is used. Several ports can be listed, but they must all appear on the same http_port line.

2.cache_mem (bytes)

Description: this option gives the amount of memory squid should ideally use for the following kinds of object:

In-Transit objects (objects currently being fetched)

Hot Objects (objects requested frequently by clients)

Negative-Cached objects (cached error replies)

Note that this is not a cap on squid's total memory use. It covers only one part of squid's memory; squid uses memory for other purposes as well, so the process's actual footprint will exceed this value. The default is 8 MB.

3.cache_dir Directory-Name Mbytes Level-1 Level-2

Description: specifies the on-disk cache (called "swap space" in squid's terminology; it is not the operating system's swap partition) in which squid stores objects, its size and its directory structure. Several such areas can be defined with several cache_dir lines, and they can live on different disk partitions. "Directory-Name" is the top-level directory of the cache; to devote a whole disk to it, use this directory as the mount point. The default is /var/spool/squid. "Mbytes" is the total amount of space squid may use there. The squid process (that is, the user it runs as after dropping privileges, see cache_effective_user) must have read and write access to this directory.

"Level-1" is the number of first-level subdirectories created under the top-level directory (default 16), and "Level-2" is the number of second-level subdirectories created under each of those (default 256). Why so many subdirectories? With too few, each directory holds a very large number of files, and the time the file system needs to locate a file grows sharply, dragging down the performance of the whole system. Spreading the objects over more directories keeps each one small. A single level of subdirectories would need an unwieldy number of entries in the top-level directory, hence the two-level structure.

So, how do you determine the number of subdirectories your system needs? We can use the following formula to estimate.

Known quantity:

DS = total available swap space (in KB) / number of swap spaces (cache_dir entries)

OS = average size of each object = 20k

NO = average number of objects stored in each secondary subdirectory = 256

Unknown quantity:

L1 = number of first-level subdirectories

L2 = number of secondary subdirectories

Calculation formula:

L1 x L2 = DS / OS / NO

Note that this is one equation in two unknowns, so it has many solutions; choose L1 and L2 so that their product is at least the computed value.

4.acl

Description: defines an access control list.

The definition syntax is:

acl aclname acltype string1 ...

acl aclname acltype "file" ...

When using a file, the format of the file is to contain one entry per line.

acltype can be one of: src dst srcdomain dstdomain url_pattern urlpath_pattern time port proto method browser user.

They are explained as follows:

src is the source (client) address. It can be given in the following forms:

acl aclname src ip-address/netmask ... (client IP address or network)

acl aclname src addr1-addr2/netmask ... (address range)

dst is the destination address, that is, the IP address of the server the client requests. The syntax is:

acl aclname dst ip-address/netmask ...

srcdomain is the domain the client belongs to; squid determines it by a reverse DNS lookup on the client IP. The syntax is:

acl aclname srcdomain foo.com ...

dstdomain is the domain of the requested server, taken from the URL the client requested. The syntax is:

acl aclname dstdomain foo.com ...

Note that if the client gives the server's IP address instead of a domain name, squid does a reverse DNS lookup to find the domain name, and records it as "none" if the lookup fails.

time is the access time. The syntax is:

acl aclname time [day-abbrevs] [h1:m1-h2:m2]

Day-abbrevs:

S-Sunday

M-Monday

T-Tuesday

W-Wednesday

H-Thursday

F-Friday

A-Saturday

h1:m1 must be earlier than h2:m2; both are written as hh:mm.

port is the destination port. Several ports can be given, for example:

acl aclname port 80 70 21 ...

acl aclname port 0-1024 ... (a port range)

proto is the protocol in use. Several protocols can be given:

acl aclname proto HTTP FTP ...

method is the request method. For example:

acl aclname method GET POST ...

5.http_access

Description: allows or denies requests according to the access control lists.

The http_access lines are checked in order, and the first line whose ACLs all match decides the request. If no line matches, the default is the opposite of the last line: if the last line is an allow, unmatched requests are denied; if the last line is a deny, unmatched requests are allowed. To avoid this surprise (an open proxy because a deny happened to be last), always finish the list with an explicit "deny all" or, deliberately, "allow all".
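The following is an added example, not code from the article or from squid itself: a small Python model of how squid evaluates acl and http_access lines (ACLs on one line are ANDed, the first matching line wins, and an unmatched request gets the opposite of the last line's action). It covers only the src, port and method ACL types. The names Request, parse_config, decide and evaluate, and the three configurations and client addresses, are constructed for this example; the first configuration is the one used in the worked example below, the second shows how appending a deny turns it into an open proxy, and the third adds the explicit terminator.

```python
"""Model of how squid evaluates acl / http_access lines (added example)."""
import ipaddress
import shlex
from dataclasses import dataclass


@dataclass
class Request:
    src: str      # client IP address
    port: int     # destination port of the request
    method: str   # HTTP method


def parse_config(text):
    """Return (acls, rules) from squid.conf-style acl / http_access lines."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = shlex.split(line)
        if words[0] == "acl":
            # repeating an acl name adds values to it; values under one name are ORed
            acls.setdefault(words[1], []).append((words[2], words[3:]))
        elif words[0] == "http_access" and words[1] in ("allow", "deny"):
            rules.append((words[1], words[2:]))
        else:
            raise ValueError(f"unsupported or malformed line: {line}")
    return acls, rules


def _values_match(acltype, values, req):
    if acltype == "src":
        addr = ipaddress.ip_address(req.src)
        # strict=False masks host bits, so 1.2.3.4/255.255.255.0 means 1.2.3.0/24, as in squid
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if acltype == "port":
        for v in values:
            lo, _, hi = v.partition("-")       # "80" or "1025-65535"
            if int(lo) <= req.port <= int(hi or lo):
                return True
        return False
    if acltype == "method":
        return req.method.upper() in {v.upper() for v in values}
    raise ValueError(f"acl type {acltype!r} is not modelled in this example")


def acl_matches(acls, name, req):
    """Evaluate one [!]aclname reference; an undefined name is a fatal config error in squid."""
    negate = name.startswith("!")
    name = name.lstrip("!")
    if name not in acls:
        raise KeyError(f"ACL {name!r} is used but never defined")
    hit = any(_values_match(t, v, req) for t, v in acls[name])
    return hit != negate


def decide(acls, rules, req):
    """Return (action, reason) for a request, following squid's documented rules."""
    if not rules:
        raise ValueError("this model needs at least one http_access line")
    for action, names in rules:
        # every ACL on the line must match (AND); the first matching line wins
        if all(acl_matches(acls, n, req) for n in names):
            return action, f"matched 'http_access {action} {' '.join(names)}'"
    last = rules[-1][0]
    default = "deny" if last == "allow" else "allow"
    return default, f"no line matched; default is the opposite of the last line ({last})"


def evaluate(config_text, req):
    acls, rules = parse_config(config_text)
    return decide(acls, rules, req)[0]


# The worked example's configuration: outsiders are denied only because the last line is an allow.
ARTICLE_CONFIG = """
acl allow_ip src 1.2.3.4/255.255.255.0
http_access allow allow_ip
"""

# Same intent with a deny appended last: a request matching neither line is now allowed.
RISKY_CONFIG = """
acl allow_ip src 1.2.3.0/24
acl bad_ports port 0-1023
http_access allow allow_ip
http_access deny bad_ports
"""

# Explicit terminator, so the outcome no longer depends on which line happens to be last.
HARDENED_CONFIG = """
acl all src 0.0.0.0/0.0.0.0
acl allow_ip src 1.2.3.0/24
acl safe_ports port 80 443 1025-65535
http_access deny !safe_ports
http_access allow allow_ip
http_access deny all
"""

if __name__ == "__main__":
    inside, outsider = Request("1.2.3.50", 80, "GET"), Request("10.9.8.7", 8080, "GET")
    for label, cfg in (("article", ARTICLE_CONFIG), ("risky", RISKY_CONFIG), ("hardened", HARDENED_CONFIG)):
        acls, rules = parse_config(cfg)
        for req in (inside, outsider):
            print(label, req.src, *decide(acls, rules, req))
```

Run it and compare the outsider's result under the risky and hardened configurations: the only difference between them is the explicit final "deny all", which is exactly the point made above.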

4.2 Application examples

Hypothetical scenario: a company uses squid as its proxy server. The machine is a Pentium II 450 with 256 MB of RAM and an 8.4 GB disk, the company's address range is 1.2.3.0/24, and 8080 is to be the proxy port.

The corresponding squid configuration options are:

1.http_port

http_port 8080

2.cache_mem

Idea: since the server does nothing but proxy, this value can be set fairly high. Remember from the description of cache_mem that squid's total memory use exceeds this value, so leave headroom for the rest of the process and the operating system.

cache_mem 194 MB

3.cache_dir Directory-Name Mbytes Level-1 Level-2

Idea: with an 8.4 GB disk, plan the partitioning when installing the system so that the space is split sensibly between file systems. In this example:

/cache1 3.5G

/cache2 3.5G

/var 400M

swap 127M

/ the rest

Also, install as few unnecessary packages as possible: this saves space and reduces the attack surface, which improves both the security and the stability of the system. Now let's calculate the number of first- and second-level subdirectories needed.

Known quantity:

DS = total available swap space (in KB) / number of swap spaces = 7 GB / 2 = 3500000 KB

OS = average size of each object = 20k

NO = average number of objects stored in each secondary subdirectory = 256

Unknown quantity:

L1 = number of first-level subdirectories

L2 = number of secondary subdirectories

Calculation formula:

L1 x L2 = DS / OS / NO = 3500000 / 20 / 256 ≈ 684

Let's take:

L1 = 16

L2 = 43

So our cache_dir statements are:

cache_dir /cache1 3500 16 43

cache_dir /cache2 3500 16 43

4.acl

Idea: define the ACL by client source address (src). The company's addresses form the 1.2.3.0/24 network, so give the network address with its mask:

acl allow_ip src 1.2.3.0/255.255.255.0

5.http_access

http_access allow allow_ip

4.3 Starting and stopping squid

After editing and saving squid.conf, start squid with the following command. (Before the very first start, run squid once with the -z option so that it creates the directory structure under each cache_dir.)

squid

Alternatively, use RedHat's startup script to start squid:

/etc/rc.d/init.d/squid start

Similarly, you can stop or restart squid with the same script:

/etc/rc.d/init.d/squid stop

/etc/rc.d/init.d/squid restart

5. Configuring squid to your requirements: advanced topics

5.1 other configuration options

Before moving on to some advanced uses of squid, it is worth getting an overview of the other useful configuration options. They are grouped by category below; options for special applications are covered afterwards.

5.1.1 Network options

1.tcp_incoming_address

tcp_outgoing_address

udp_incoming_address

udp_outgoing_address

Description:

tcp_incoming_address specifies the IP address to bind to for listening to connections from clients or from other squid proxies.

tcp_outgoing_address specifies the IP address from which to initiate connections to origin servers or to other squid proxies.

udp_incoming_address specifies the IP address on which the ICP socket receives packets from other squid proxies.

udp_outgoing_address specifies the IP address from which the ICP socket sends packets to other squid proxies.

By default no address is bound, so squid listens on all interfaces. The address can be given as an IP address or a fully qualified domain name. On a multi-homed proxy, binding tcp_incoming_address to the internal interface is a simple way to keep the proxy port from being reachable from outside.

5.1.2 swap space setting options

1.cache_swap_low (percent, 0-100)

cache_swap_high (percent, 0-100)

Description: squid stores objects in its disk cache, and sooner or later the cache fills up, so objects must be evicted periodically according to some criterion. Squid uses a least-recently-used (LRU) policy for this. When the used space reaches cache_swap_high percent, squid begins removing objects whose LRU age is above a threshold, and keeps removing until usage has dropped to cache_swap_low percent. Both values are percentages of the cache_dir size. With a very large cache, keep the two values close together, since one percentage point may be hundreds of megabytes and removing that much at once affects squid's performance. The defaults are:

cache_swap_low 90

cache_swap_high 95

2.maximum_object_size

Description: objects larger than this value are not cached. To favour response speed, lower the value; to save as much bandwidth as possible, raise it. The unit is KB and the default is:

maximum_object_size 4096 KB

5.1.3 options for logging

1.cache_access_log

Description: specifies the full path (directory and file name) of the client request log. A request may be an HTTP request from an ordinary user or an ICP request from a neighbour cache. The default is:

cache_access_log /var/log/squid/access.log

If you do not need the log it can be disabled with: cache_access_log none. Bear in mind that this removes the record of who requested what through the proxy, which is the first thing you will want during an incident investigation.

2.cache_store_log

Description: specifies the full path (directory and file name) of the object store log, which records which objects are written to the disk cache and which are removed from it. The default is:

cache_store_log /var/log/squid/store.log

If you do not need the log it can be disabled with: cache_store_log none

3.cache_log

Description: specify the full path of the squid general information log (including the name of the file and the directory in which it is located).

The default path is: cache_log /var/log/squid/cache.log

4.cache_swap_log

Description: this option gives the full path (directory and file name) of the "swap log" kept for each cache_dir. The file holds the metadata of the objects stored in that cache directory. Normally squid keeps it in the top-level directory of each cache_dir, but another path can be given here. With several cache_dir lines, the files are then named like:

cache_swap_log.00

cache_swap_log.01

cache_swap_log.02

where the numeric suffix corresponds, in order, to the cache_dir lines.

Do not delete these files, or squid will not work properly.

5.pid_filename

Description: specifies the full path (directory and file name) of the file holding the squid process ID. The default is:

pid_filename /var/run/squid.pid

If you do not need the file it can be disabled with: pid_filename none

6.debug_options

Description: controls how much information is written to cache.log. It is controlled in two dimensions: the section selects which parts of squid are logged, and the level sets how detailed the records of each section are. The recommended (and default) setting is: debug_options ALL,1

That is, every section is logged at detail level 1 (the lowest).

7.log_fqdn on | off

Description: controls how client addresses are written to access.log. When the option is on, squid logs the client's fully qualified domain name; when off, its IP address. Turning it on costs a reverse DNS lookup for every client IP, which adds load. The default is log_fqdn off

5.1.4 options for external support programs

1.ftp_user

Note: sets the e-mail address given as the password when logging in to anonymous FTP servers (see the relevant chapter of this book). Some anonymous FTP servers are strict about this, and a few even check that the address is valid. The default is ftp_user Squid@

2.ftp_list_width

Description: sets the width of FTP directory listings; if it is too small, long file names are cut off. The default is ftp_list_width 32

3.cache_dns_program

Description: specify the full path of the DNS query program (including the name of the file and the directory in which it is located). The default path is:

cache_dns_program /usr/lib/squid/dnsserver

4.dns_children

Description: sets the number of DNS lookup processes. For heavily loaded servers at least 10 is recommended; the maximum is 32 and the default is 5. Do not lower this value casually: the main squid process has to wait for lookup results, so too few resolvers can degrade performance badly. There is no reason to reduce it, since the resolver processes consume few system resources.

5.dns_nameservers

Description: specifies a list of DNS servers and forces squid to use them instead of the servers defined in /etc/resolv.conf. Several can be given, like this: dns_nameservers 10.0.0.1 192.172.0.4

Default setting is: dns_nameservers none

6.unlinkd_program

Description: specify the full path of the file deletion process.

The default setting is:

unlinkd_program /usr/lib/squid/unlinkd

7.pinger_program

Description: specifies the full path of the pinger process, which squid uses to measure the network distance to origin servers and neighbours. The option only matters if that feature is enabled. The default is:

pinger_program /usr/lib/squid/pinger

8.authenticate_program

Description: specifies the full path of the external program used for user authentication. Squid's user authentication is discussed in later sections. By default no authentication is performed.

5.1.5 user access Control options

1.request_size (KB)

Description: sets the maximum size of a client request, in KB. If users submit large POST requests, set a larger value. The default is:

request_size 100 KB

2.reference_age

Note: squid evicts objects by LRU (least recently used), computing the LRU age threshold dynamically from the amount of disk space in use. reference_age sets the maximum LRU age an object may reach: an object not accessed within reference_age is deleted. The default is one month. Times can be written as shown below.

1 week

3.5 days

4 months

2.2 hours

3.quick_abort_min (KB)

quick_abort_max (KB)

quick_abort_pct (percent)

Description: controls whether squid keeps fetching an object after the client has aborted the request. When a client aborts, squid checks the quick_abort values: if the remaining part is smaller than quick_abort_min, squid finishes the transfer; if the remaining part is larger than quick_abort_max, squid stops; if at least quick_abort_pct percent of the object has already been received, squid finishes the transfer. The defaults are:

quick_abort_min 16 KB

quick_abort_max 16 KB

quick_abort_pct 95

5.1.6 various timeout setting options

1.negative_ttl time-units

Description: sets the lifetime of negatively cached objects, that is, cached error replies such as connection failures and 404 Not Found. The default is: negative_ttl 5 minutes

2.positive_dns_ttl time-units

Description: sets the lifetime of DNS query results that are cached successfully. The default is 6 hours.

positive_dns_ttl 6 hours

3.negative_dns_ttl time-units

Description: sets the lifetime of DNS query results that fail to be cached. The default is 5 minutes.

negative_dns_ttl 5 minutes

4.connect_timeout time-units

Description: sets how long squid waits for a connection to a server to complete. The default is 2 minutes.

connect_timeout 120 seconds

5.read_timeout time-units

Note: if squid reads no data from the requested server within this time, it aborts the client request. The default is 15 minutes.

read_timeout 15 minutes

6.request_timeout

Description: sets how long squid waits for the client to send its HTTP request after the connection is established. The default is 30 seconds.

request_timeout 30 seconds

7.client_lifetime time-units

Description: sets the maximum time a client connection to squid may stay open.

Each client connection ties up system resources, so adjust this value carefully when serving a large network: too many simultaneous connections can exhaust resources and bring the server down. The default of 1 day is far too long; reduce it to suit your situation.

client_lifetime 1 day

8.half_closed_clients on/off

Note: a client's TCP connection to squid may end up half-closed after an abnormal exit on the user's side: the sending side has closed while the receiving side is still up. By default squid keeps such half-closed connections until a read or write error is returned on the socket. With the option set to off, squid closes the connection as soon as the client signals "no more data to read". The default is:

half_closed_clients on

9.pconn_timeout

Description: sets how long an idle persistent connection to another server or proxy is kept before squid closes it. The default is 120 seconds.

pconn_timeout 120 seconds

10.ident_timeout

Description: sets how long squid waits for a reply to an ident (RFC 1413) lookup of the client's user name. The default is 10 seconds.

ident_timeout 10 seconds

11.shutdown_lifetime time-units

Note: on receiving SIGTERM or SIGHUP, squid enters a pending-shutdown mode and waits for active sockets to close. After the time set by shutdown_lifetime, any still-active clients receive a timeout message. The default is 30 seconds.

shutdown_lifetime 30 seconds

5.1.7 manage parameter options

1.cache_mgr

Description: set the administrator email address. The default is:

cache_mgr root

2.cache_effective_user

cache_effective_group

Description: if squid is started as root, it switches to the user and group named in these two statements; the defaults are the squid user and group. The user must exist in /etc/passwd and the group in /etc/group. This is what lets squid bind a privileged port and still run unprivileged, so never set them to root. If squid is started as a non-root account, it keeps running as that account, and http_port cannot then be set below 1024.

cache_effective_user squid

cache_effective_group squid

3.visible_hostname

Description: defines the hostname in the error message returned to the user.

Such as: visible_hostname www-cache.foo.org

4.unique_hostname

Note: if you have an array of proxy servers and you specify the same "visible_hostname" for each proxy server, you must specify a different "unique_hostname" for them to avoid "forwarding loops".

5.1.8 other miscellaneous

1.dns_testnames

Description: sets the hostnames used for the DNS self-test at startup; as soon as the first name resolves, the test ends. Unless you have a reason to change it, leave the default:

# dns_testnames netscape.com internic.net nlanr.net microsoft.com

2.logfile_rotate

Note: squid rotates its log files when told to (squid -k rotate, usually from a cron job). On rotation the current access.log is renamed access.log.0, the previous access.log.0 becomes access.log.1, and so on. logfile_rotate sets how many rotated copies are kept; when that number is reached the oldest is deleted. The default is 10. Set logfile_rotate 0 if you rotate the logs with an external tool; squid then only closes and reopens the files.

3.err_html_text

Description: defines a string that the error message templates returned to the user can reference as %L. The templates live in /etc/squid/errors and are HTML files you can edit yourself.

4.deny_info

Description: custom access-denied pages can be associated with particular ACLs. When a request is denied by an http_access rule, squid shows the user the custom page associated with the matching ACL. The syntax is:

deny_info err_page_name acl

For example:

deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys

5.memory_pools on | off

Note: when on, squid keeps allocated but currently unused memory pools for reuse. The default is on.

memory_pools on

6.log_icp_queries on | off

Description: sets whether to log ICP requests. If your system is heavily loaded, you can use off to cancel this feature. The default is:

log_icp_queries on

7.always_direct

Note: this option names ACLs whose requests squid forwards directly to the origin server rather than through a parent or sibling cache. The syntax is:

always_direct allow | deny [!]aclname ...

For example, to fetch FTP requests directly:

acl FTP proto FTP

always_direct allow FTP

8.never_direct

Description: the opposite of always_direct; matching requests are never fetched directly but always sent through a parent. The syntax is:

never_direct allow | deny [!]aclname ...

For example, to force everything except local servers through a parent proxy:

acl local-servers dstdomain foo.net

acl all src 0.0.0.0/0.0.0.0

never_direct deny local-servers

never_direct allow all

9.icon_directory

Description: the directory holding the icon files used in error messages sent to the user. The default is: icon_directory /usr/lib/squid/icons

10.error_directory

Description: indicates the directory of the error description file used to send error messages to the user. The default path is:

error_directory /etc/squid/errors

5.2 user authentication settings

By default squid has no authentication of its own, but user authentication can be done through external authentication helpers. The commonly available ones are:

1. LDAP authentication; see the following resources for more information.

http://www.geocities.com/ResearchTriangle/Thinktank/5292/projects/ldap/

http://home.iae.nl/users/devet/squid/proxy_auth/contrib/ldap_auth.tar.gz

2. SMB authentication, against NT domains via samba. For more information see:

http://www.hacom.nl/~richard/software/smb_auth.html

3. Authentication against a MySQL database.

http://home.iae.nl/users/devet/squid/proxy_auth/contrib/mysql_auth.c

4. Authentication against a SOCKS5 password file.

http://nucleo.freeservers.com/

5. Authentication against RADIUS.

http://home.iae.nl/users/devet/squid/proxy_auth/contrib/auth.pl

In practice the ncsa helper and smb_auth (NT authentication via samba) are the usual choices. The implementation of these two methods follows.

5.2.1 Implementation of ncsa user authentication

ncsa_auth is one of the authentication helpers shipped in the squid source package. The following takes squid-2.3.STABLE2 as an example of installing and configuring it.

1. Download the source package squid-2.3.STABLE2-src.tar.gz from www.squid-cache.org and put it in /tmp.

2. Unpack and build it:

tar xvzf squid-2.3.STABLE2-src.tar.gz

% make

% make install

3. Then go to the /tmp/squid-2.3.STABLE2/auth_modules/NCSA directory and build the helper:

% make

% make install

When compilation succeeds, the ncsa_auth executable is produced.

4. Copy ncsa_auth to /usr/bin:

cp ncsa_auth /usr/bin

5. Set the following option in squid.conf (the helper path from step 4 and the password file created in step 8):

authenticate_program /usr/bin/ncsa_auth /usr/local/squid/etc/passwd

6. Define the user class:

acl auth_user proxy_auth REQUIRED

The REQUIRED keyword means that any user who authenticates successfully matches this ACL.

7. Set up http_access:

http_access allow auth_user

Note that when several ACLs appear on one http_access line, the order matters; put the ACL that requires authentication first, as follows:

Wrong configuration: http_access allow auth_user all manager

Correct configuration: http_access allow auth_user manager all

8. Use htpasswd, the tool shipped with Apache, to create the password file under /usr/local/squid/etc and add users. Each line of the file holds one user's name and hashed password.

Create the password file passwd and add the user bye:

htpasswd -c /usr/local/squid/etc/passwd bye

Make the file readable by the account squid runs as (cache_effective_user) and by nobody else, since the hashes can be cracked offline. Then restart squid, and password authentication is in effect.
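To make the helper interface concrete, here is an added example, not the ncsa_auth source and not code from the article: a minimal Python model of an authenticate_program helper. Squid keeps the helper running, writes one "username password" line per check to its stdin, and expects a line beginning with OK or ERR in reply. The password file below is constructed and uses the {SHA} entries that `htpasswd -s` writes; the 2.3-era ncsa_auth read crypt()-style hashes, so whether a given helper build accepts {SHA} is an assumption to verify against its documentation. The function names (sha_entry, load_passwd, verify, answer, serve) and the users "bye" and "alice" are this example's own.

```python
"""Model of a squid basic-auth helper reading an htpasswd-style file (added example)."""
import base64
import hashlib
import hmac
import sys


def sha_entry(user, password):
    """Build a 'user:{SHA}<base64 sha1>' line, the format written by htpasswd -s."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"


def load_passwd(text):
    """Parse the password file: one 'user:hash' per line, blank lines and '#' comments ignored."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, _, stored = line.partition(":")
        entries[user] = stored
    return entries


def verify(entries, user, password):
    """True only for a known user whose {SHA} hash matches.

    An unknown user is checked against a dummy hash of the same shape and the
    comparison is constant-time, so the ERR reply does not reveal which of the
    two (user or password) was wrong.
    """
    stored = entries.get(user, "{SHA}" + "A" * 28)
    if not stored.startswith("{SHA}"):
        return False  # crypt() and $apr1$ entries are not modelled in this example
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest(digest, stored[len("{SHA}"):]) and user in entries


def answer(entries, request_line):
    """Handle one helper request line and return the reply squid expects."""
    parts = request_line.rstrip("\n").split(" ", 1)   # password may itself contain spaces
    if len(parts) != 2 or not parts[0]:
        return "ERR malformed request"
    user, password = parts
    return "OK" if verify(entries, user, password) else "ERR"


def serve(entries, stdin=sys.stdin, stdout=sys.stdout):
    """Loop as a real helper does; squid feeds it one request per line for its whole lifetime."""
    for line in stdin:
        stdout.write(answer(entries, line) + "\n")
        stdout.flush()  # squid blocks waiting for the reply; an unflushed buffer hangs the request


# Constructed password file for this example; "bye" is the user added in step 8 above.
PASSWD_FILE = "\n".join([
    "# created with: htpasswd -s /usr/local/squid/etc/passwd bye",
    sha_entry("bye", "s3cret"),
    sha_entry("alice", "correct horse"),
])

if __name__ == "__main__":
    serve(load_passwd(PASSWD_FILE))
```

Note that the credentials cross the pipe to the helper in clear text, and the browser sends them to squid base64-encoded on every request; the password file, not the transport, is what the helper protects.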

5.2.2 implementation of smb user authentication

There are few articles in China on ncsa authentication, and I have not seen any on NT-based authentication with smb_auth and samba, so let's look at how squid does NT-based user authentication.

The current highest version of smb_auth is smb_auth-0.05, which can be downloaded from the address below. smb_auth is also included in the squid source package, but only as version 0.02.

http://www.hacom.nl/~richard/software/smb_auth-0.05.tar.gz

The home page of smb_auth is http://www.hacom.nl/~richard/software/smb_auth.html.

1. System requirements:

squid 2.0 or later.

samba 2.0.4 or later. The samba service need not be running, since smb_auth only uses samba's client programs.

2. Download smb_auth-0.05.tar.gz and copy it to /tmp.

3. tar xvzf smb_auth-0.05.tar.gz

4. Edit the SAMBAPREFIX and INSTALLBIN parameters in the Makefile as needed. SAMBAPREFIX is your samba installation prefix, INSTALLBIN the directory smb_auth is installed into. Here we use:

SAMBAPREFIX=/usr, INSTALLBIN=/usr/bin.

5. make

6. make install. On success the executable smb_auth is placed in the directory given by INSTALLBIN.

7. Prepare the primary domain controller that will be used for authentication:

First, create a file named "proxy" in the NETLOGON share, containing only the string "allow". The NETLOGON share normally maps to winnt\system32\Repl\Import\Scripts. Then grant read permission on that file to every user and group that should be allowed to use squid; users who cannot read it are refused.

8. Set the following option in squid.conf (the helper path from step 4):

authenticate_program /usr/bin/smb_auth -W your_domain_name

9. Define the user class:

acl auth_user proxy_auth REQUIRED

The REQUIRED keyword means that any user who authenticates successfully matches this ACL.

10. Set up http_access:

http_access allow auth_user

Note that when several ACLs appear on one http_access line, the order matters; put the ACL that requires authentication first, as follows:

Wrong configuration: http_access allow auth_user all manager

Correct configuration: http_access allow auth_user manager all

If everything is correct, restart squid and password authentication is in effect.

Description: smb_auth command-line forms:

1. smb_auth -W your_domain_name

your_domain_name is the NT domain; smb_auth broadcasts to find the primary domain controller.

2. smb_auth -W your_domain_name -B address

With several network interfaces, -B selects the IP address of the interface to broadcast from.

3. smb_auth -W your_domain_name -U address

-U gives the IP address of the primary domain controller directly.

4. smb_auth -W your_domain_name -S share

-S names a share other than NETLOGON in which to look for the file.

5.2.3 other settings for authentication in squid.conf

1.authenticate_children

Description: sets the number of authentication child processes. The default is 5. If you are in a busy network environment, you can increase this value appropriately.

2.authenticate_ttl

Description: set the validity period of one authentication. The default is 3600 seconds.

3.proxy_auth_realm

Description: sets the realm string shown to the user in the browser's login prompt.

5.3 Settings of transparent proxy

We have already covered the concept of transparent proxy in the first section, so let's take a look at how to implement transparent proxy in squid.

Transparent proxying requires a Linux kernel newer than 2.0.29, although 2.0.30 does not support it. Fortunately, 2.2.x kernels are now in common use, so this is rarely a concern. We will use ipchains together with squid to build the transparent proxy. Before we start, note that only HTTP can be proxied transparently this way; that is not a serious limitation, because the point of the proxy is to use squid's cache to speed up Web access. Blocking unauthorized internal IP addresses and otherwise tightening network security is left to ipchains.

Implementation environment: RedHat 6.x + squid 2.2.x + ipchains

5.3.1 Related configuration of Linux

Make sure your kernel is configured with the following features:

[*] Network firewalls

[ ] Socket Filtering

[*] Unix domain sockets

[*] TCP/IP networking

[ ] IP: multicasting

[ ] IP: advanced router

[ ] IP: kernel level autoconfiguration

[*] IP: firewalling

[ ] IP: firewall packet netlink device

[*] IP: always defragment (required for masquerading)

[*] IP: transparent proxy support

If they are missing, recompile the kernel. On RedHat 6.x and later the stock kernel already has these features enabled.

5.3.2 Related configuration options for squid

Set the relevant options in squid.conf, as follows:

http_port 3128

httpd_accel_host virtual

httpd_accel_port 80

httpd_accel_with_proxy on

httpd_accel_uses_host_header on

Description:

1. http_port 3128

In this example we assume squid listens for HTTP on port 3128, which is squid's default. All client Web requests (that is, packets with destination port 80) are then redirected to port 3128.

2. httpd_accel_host virtual

httpd_accel_port 80

These two options were originally meant for squid's accelerator mode. Here virtual selects virtual-hosting mode, and port 80 is the port whose requests are accelerated. In plain accelerator mode squid disables caching and ICP; to keep those features you must also set the httpd_accel_with_proxy option.

3. httpd_accel_with_proxy on

This option must be on in transparent proxy mode. With it set, squid acts both as an accelerator for Web requests and as a caching proxy server.

4. httpd_accel_uses_host_header on

In transparent proxy mode this option must be on for the cache to work correctly. With it set, squid keys stored objects by the host name from the Host header instead of by the destination IP address. This matters especially when you build an array of proxy servers.

5.3.3 related configuration of ipchains

The role of ipchains here is port redirection. The following rules redirect TCP packets with destination port 80 to port 3128.

# accept all packets on the loopback interface

/sbin/ipchains -A input -j ACCEPT -i lo

# redirect TCP packets whose destination port is 80 to port 3128

/sbin/ipchains -A input -p tcp -d 0.0.0.0/0 80 -j REDIRECT 3128

Before that, packet forwarding must be enabled with the following command.

echo 1 > /proc/sys/net/ipv4/ip_forward
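The transparent-proxy setup only works when the port squid listens on, the port the ipchains REDIRECT rule sends traffic to, and the httpd_accel_* options all agree; a single mistyped port number silently turns every Web request into a connection refused. The following checker is an added example written for this article (not a squid or ipchains tool): it parses a squid.conf fragment and a list of ipchains rules and reports any disagreement. The two input strings are constructed from the settings shown above, with one port deliberately mistyped so there is something to catch.

```python
import re

# Constructed squid.conf fragment: the transparent-proxy options from above,
# with http_port mistyped as 3218 instead of 3128.
SQUID_CONF = """\
# transparent proxy settings
http_port 3218
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
"""

# Constructed ipchains rules as they would appear in a startup script.
IPCHAINS_RULES = """\
/sbin/ipchains -A input -j ACCEPT -i lo
/sbin/ipchains -A input -p tcp -d 0.0.0.0/0 80 -j REDIRECT 3128
"""

REQUIRED_ON = ("httpd_accel_with_proxy", "httpd_accel_uses_host_header")


def parse_squid_conf(text: str) -> dict:
    """Return directive -> value for a squid.conf fragment. Directive names are
    lower-cased so 'Http_port' and 'http_port' are treated alike; '#' comments
    and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, value = line.partition(" ")
        conf[name.lower()] = value.strip()
    return conf


def redirect_ports(text: str) -> list:
    """Extract (destination port, redirect-to port) pairs from ipchains
    'REDIRECT' rules of the form used above."""
    pat = re.compile(r"-p\s+tcp\s+-d\s+\S+\s+(\d+)\s+-j\s+REDIRECT\s+(\d+)")
    return [(int(m.group(1)), int(m.group(2))) for m in pat.finditer(text)]


def check_transparent_proxy(conf_text: str, rules_text: str) -> list:
    """Return a list of problems; an empty list means the squid options and
    the ipchains redirect are consistent with each other."""
    conf = parse_squid_conf(conf_text)
    problems = []
    if conf.get("httpd_accel_host") != "virtual":
        problems.append("httpd_accel_host must be 'virtual' for transparent proxying")
    if conf.get("httpd_accel_port") != "80":
        problems.append("httpd_accel_port should be 80, the port clients really asked for")
    for opt in REQUIRED_ON:
        if conf.get(opt, "off").lower() != "on":
            problems.append(f"{opt} must be 'on'")
    try:
        http_port = int(conf.get("http_port", ""))
    except ValueError:
        problems.append("http_port missing or not numeric")
        return problems
    redirects = redirect_ports(rules_text)
    if not redirects:
        problems.append("no ipchains REDIRECT rule for port 80 found")
    for dport, to_port in redirects:
        if dport != 80:
            problems.append(f"REDIRECT rule matches port {dport}, not 80")
        if to_port != http_port:
            problems.append(
                f"ipchains redirects to port {to_port} but squid listens on {http_port}"
            )
    return problems


if __name__ == "__main__":
    for problem in check_transparent_proxy(SQUID_CONF, IPCHAINS_RULES) or ["ok"]:
        print(problem)
```

Run against the constructed inputs the checker reports only the port mismatch; fixing http_port to 3128 makes it return an empty list. The same check catches the opposite slip, a REDIRECT rule that sends traffic back to port 80, which would loop requests instead of delivering them to squid.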

That concludes the walkthrough of squid's configuration.
