ACL access Control and Log Analysis of squid proxy Server

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

ACL access control for the squid service:

Squid provides a powerful proxy control mechanism. By defining ACLs and restricting them sensibly, it can filter requests on many kinds of conditions, such as source address, destination address, requested URL path, access time and so on.

1. Each line of ACL configuration can define an access control list in the following format:

acl <list name> <list type> <list content>

The list name is chosen by the administrator and simply gives the ACL a name; the list type must be one of squid's predefined values, each corresponding to a different category of control condition; the list content is the specific object to be controlled, and its form depends on the list type. A list may carry several values separated by spaces, which are combined as an "or" relation.

The access control list types used in this article are: src (source address), dst (destination address), dstdomain (destination domain), port (destination port), url_regex (regular expression matched against the whole URL), urlpath_regex (regular expression matched against the URL path), time (access time) and maxconn (maximum number of concurrent connections from one client).

Example of an ACL definition:

[root@localhost /]# vim /etc/squid.conf
...
acl localnet src 10.0.0.0/8                    # RFC1918 possible internal network (present in squid's default configuration)
acl localnet src 172.16.0.0/12                 # RFC1918 possible internal network (default)
acl localnet src 192.168.0.0/16                # RFC1918 possible internal network (default)
acl localhost src 127.0.0.1/255.255.255.255    # source address is 127.0.0.1
acl mylan src 192.168.1.0/24 192.168.4.0/24    # client network segments
acl to_localhost dst 127.0.0.0/8               # destination address is in the 127.0.0.0/8 segment
acl mc20 maxconn 20                            # maximum of 20 concurrent connections
acl blackurl url_regex -i ^rtsp:// ^emule://   # URLs beginning with rtsp:// or emule://
acl mediafile urlpath_regex -i \.mp3$ \.mp4$ \.rmvb$   # URL paths ending with .mp3, .mp4 or .rmvb
acl worktime time MTWHF 9:00-18:00             # 9:00 to 18:00, Monday to Friday

When there are many objects of the same class that need to be restricted, you can store them in a separate file and give the file's location as the content of the acl configuration line, as follows:

[root@localhost /]# mkdir /etc/squid
[root@localhost /]# cd /etc/squid
[root@localhost squid]# vim ipblock.list    # create a target IP address list
61.135.167.36
125.39.127.25
60.28.14.0
[root@localhost squid]# vim dmblock.list    # create a target domain list
.qq.com
.msn.com
.live.com
.verycd.com
[root@localhost squid]# vim /etc/squid.conf
acl ipblock dst "/etc/squid/ipblock.list"          # read the list content from the specified file
acl dmblock dstdomain "/etc/squid/dmblock.list"

Defining an ACL alone does nothing; access is actually controlled through the http_access configuration item. Note that an http_access line must be placed after the acl line it refers to. Each http_access line defines one access rule in the following format:

http_access allow|deny <list name>

Apply the acl you just defined to the rule, as follows:

[root@localhost squid]# vim /etc/squid.conf
...
http_access deny !Safe_ports    # squid's default rule
http_access deny mediafile      # forbid clients from downloading files such as mp3
http_access deny ipblock        # forbid clients from accessing the IP addresses in the blacklist
http_access deny dmblock        # forbid clients from accessing the domains in the blacklist
http_access deny mc20           # block clients whose concurrent connections exceed 20
http_access allow worktime      # allow clients to browse during working hours
reply_body_max_size 10 MB       # maximum file size allowed for download (10 MB)
http_access deny all            # deny every other client; this rule is present in squid's default configuration

When configuring access permissions, you need to be aware of the following:

Each http_access rule can name several access control lists separated by spaces; the rule only applies when the conditions of all of those lists are met at the same time (an "and" relation).

When you need the inverse of a condition, prefix the access control list name with the "!" symbol.

When performing access control, squid checks the rules in order and stops at the first matching rule without looking further (similar to rule matching in iptables). The order of the rules is therefore very important.

When no rules are set at all, the squid service rejects the client's request. This is why ACL rules for the three private network segments exist by default in the configuration file. If you want to reject one of those three default segments, comment out its default rule and add your own restriction, so that the two do not conflict and render your access rule ineffective.

When rules exist but none of them matches: squid takes the opposite action of the last rule, that is, if the last rule is allow, the client's request is rejected, otherwise the request is allowed. The default last rule is "http_access deny all".

In general, the most commonly used control rules are put first to reduce the load on squid. In the overall policy of access control, it is recommended to adopt the method of "deny first and then allow" or "allow first and then deny".

To configure more precise control, please refer to the blog post: https://blog.51cto.com/jafy00/682590
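To make the matching rules above concrete, here is an added example (not code from the original article or from the squid project) that reads a constructed squid.conf excerpt modelled on the ACLs shown earlier and evaluates requests with the same semantics: values on one acl line are OR-ed, several ACLs on one http_access line are AND-ed, "!" negates, the first matching rule wins, no rules at all means deny, and no match means the opposite of the last rule. The request fields (src, dst, url, port, conns, when) and the acl all src 0.0.0.0/0 line are assumptions of the example; squid itself resolves these from the live connection.

```python
import ipaddress
import re
from datetime import datetime
from urllib.parse import urlsplit

# squid 'time' ACL day letters mapped to datetime.weekday() (Monday == 0)
DAY_CODES = {"M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5, "S": 6}

# Constructed squid.conf excerpt modelled on the ACLs and rules in the article.
# 'acl all src 0.0.0.0/0' is spelled out so the evaluator needs no built-in ACLs.
SAMPLE_CONF = r"""
acl localnet src 192.168.1.0/24 192.168.4.0/24
acl Safe_ports port 80 443 1025-65535
acl ipblock dst 61.135.167.36 125.39.127.25
acl dmblock dstdomain .qq.com .msn.com
acl mediafile urlpath_regex -i \.mp3$ \.mp4$ \.rmvb$
acl mc20 maxconn 20
acl worktime time MTWHF 9:00-18:00
acl all src 0.0.0.0/0
http_access deny !Safe_ports
http_access deny mediafile
http_access deny ipblock
http_access deny dmblock
http_access deny mc20
http_access allow localnet worktime
http_access deny all
""".strip().splitlines()


def parse_acls(conf_lines):
    """Collect 'acl <name> <type> [-i] <values...>' lines; repeated names OR their values."""
    acls = {}
    for line in conf_lines:
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 4 and parts[0] == "acl":
            name, atype, values = parts[1], parts[2], parts[3:]
            flags = [v for v in values if v.startswith("-")]        # e.g. -i (case-insensitive)
            values = [v for v in values if not v.startswith("-")]
            entry = acls.setdefault(name, {"type": atype, "values": [], "flags": flags})
            entry["values"].extend(values)
    return acls


def _port_ok(port, spec):
    lo, _, hi = spec.partition("-")        # "80" or "1025-65535"
    return int(lo) <= port <= int(hi or lo)


def _minutes(hhmm):
    hours, mins = hhmm.split(":")
    return int(hours) * 60 + int(mins)


def acl_matches(acl, req):
    """True when the request satisfies the ACL (the values of one ACL are OR-ed)."""
    atype, values = acl["type"], acl["values"]
    flags = re.IGNORECASE if "-i" in acl["flags"] else 0
    if atype in ("src", "dst"):
        addr = ipaddress.ip_address(req[atype])
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if atype == "dstdomain":
        host = urlsplit(req["url"]).hostname or ""
        # ".qq.com" matches qq.com and every subdomain; a bare name matches exactly
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v)) for v in values)
    if atype == "url_regex":
        return any(re.search(v, req["url"], flags) for v in values)
    if atype == "urlpath_regex":
        return any(re.search(v, urlsplit(req["url"]).path, flags) for v in values)
    if atype == "port":
        return any(_port_ok(req["port"], v) for v in values)
    if atype == "maxconn":
        return req["conns"] > int(values[0])
    if atype == "time":
        days = {DAY_CODES[c] for v in values if v.isalpha() for c in v}
        ranges = [v for v in values if ":" in v]
        now = req["when"].hour * 60 + req["when"].minute
        day_ok = not days or req["when"].weekday() in days
        range_ok = not ranges or any(
            _minutes(r.split("-")[0]) <= now <= _minutes(r.split("-")[1]) for r in ranges)
        return day_ok and range_ok
    raise ValueError("unsupported acl type: " + atype)


def evaluate(conf_lines, req):
    """Return 'allow' or 'deny' following squid's http_access matching order."""
    acls = parse_acls(conf_lines)
    rules = [p for p in (l.split("#", 1)[0].split() for l in conf_lines)
             if p and p[0] == "http_access"]
    if not rules:
        return "deny"          # no http_access rules at all: squid rejects the request
    for rule in rules:
        action, names = rule[1], rule[2:]
        # every ACL on the line must hold (AND); a leading '!' negates that one ACL
        if all(acl_matches(acls[n.lstrip("!")], req) != n.startswith("!") for n in names):
            return action      # first match wins; later rules are not consulted
    # nothing matched: squid applies the opposite of the last rule's action
    return "deny" if rules[-1][1] == "allow" else "allow"


def request(src, url, dst, port=80, conns=1, when=None):
    """Build a constructed client request; the default time is Friday 2019-06-07 10:30."""
    return {"src": src, "url": url, "dst": dst, "port": port, "conns": conns,
            "when": when or datetime(2019, 6, 7, 10, 30)}


if __name__ == "__main__":
    for req in (request("192.168.1.10", "http://www.example.com/", "93.184.216.34"),
                request("192.168.1.10", "http://www.example.com/song.mp3", "93.184.216.34"),
                request("192.168.1.10", "http://www.qq.com/", "203.0.113.9"),
                request("10.0.0.5", "http://www.example.com/", "93.184.216.34")):
        print(req["src"], req["url"], "->", evaluate(SAMPLE_CONF, req))
```

The no-match fallback is worth checking explicitly: a configuration whose last rule is a deny will silently allow every request that matches nothing, which is exactly why the article recommends closing the list with "http_access deny all".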

2. Squid log analysis:

To make the squid log easier to read, we can use SARG, a squid log analysis tool that produces HTML reports listing, for each user, the sites visited, the time spent, the ranking, the number of connections, the number of visits, and so on.

The deployment process for SARG is as follows:

1. Install the GD library from the system's yum repository:

[root@localhost yum.repos.d]# yum -y install gd gd-devel

2. Install SARG:

[root@localhost src]# tar zxf sarg-2.3.7.tar.gz
[root@localhost src]# cd sarg-2.3.7/
[root@localhost sarg-2.3.7]# ./configure --prefix=/usr/local/sarg --sysconfdir=/etc/sarg --enable-extraprotection && make && make install

The meaning of the configure options is as follows:

--prefix=/usr/local/sarg: installation directory;
--sysconfdir=/etc/sarg: configuration file directory (if not specified, the default is /usr/local/etc);
--enable-extraprotection: add additional security protection.

3. Configuration:

[root@localhost sarg-2.3.7]# cd /etc/sarg/
[root@localhost sarg]# vim sarg.conf
...
# if only the basic functions are needed, configure the following three items:
access_log /usr/local/squid/var/logs/access.log    # squid's access log file
output_dir /var/www/html/sarg                       # output directory of the sarg report, under the web root
www_document_root /var/www/html                     # root directory of the web pages
# the other configuration items below are optional; change them according to your needs:
title "Squid User Access Reports"          # page title
user_ip no                                  # show user names rather than IP addresses
exclude_hosts /usr/local/sarg/noreport      # file listing the sites that are not included in the ranking
topuser_sort_field connect BYTES reverse    # sort the top ranking by number of connections and bytes; reverse is descending, normal is ascending
user_sort_field connect reverse             # sort each user's access records by number of connections, descending
overwrite_report no                         # whether to overwrite a report that already exists for that date
mail_utility mailq.postfix                  # command used to send email reports
charset utf-8                               # character set
weekdays 0-6                                # week period for top sorting, 0 is Sunday
hours 7-12,14,16,18-20                      # time period for top sorting

4. Run:

[root@localhost sarg]# touch /usr/local/sarg/noreport    # the exclude_hosts file above must exist; domains added to it are left out of the sort
[root@localhost sarg]# ln -s /usr/local/sarg/bin/sarg /usr/local/bin    # set up a symbolic link
[root@localhost sarg]# sarg    # run sarg to generate a report
SARG: Records in file: 546, reading: 100.00%
SARG: Successful report generated on /var/www/html/sarg/2019Jun07-2019Jun07
[root@localhost sarg]# systemctl start httpd    # start the httpd service; install it first if it is not present
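To show what SARG is computing from access.log, here is an added example (not code from the article or from the SARG project) that parses a few constructed lines in squid's native log format and builds the per-user figures the report is built from: number of connections, bytes transferred, elapsed time, denied requests and bytes per site. The EXCLUDE_HOSTS set plays the role of the exclude_hosts file, user_ip mirrors the user_ip option, and top_users mirrors topuser_sort_field with its reverse/normal ordering; the log lines and the user and site names are constructed for the example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed records in squid's native access.log format:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """
1559897400.512    245 192.168.1.10 TCP_MISS/200 5123 GET http://www.example.com/index.html alice HIER_DIRECT/93.184.216.34 text/html
1559897401.003     12 192.168.1.10 TCP_HIT/200 20480 GET http://www.example.com/logo.png alice NONE/- image/png
1559897402.777    980 192.168.1.22 TCP_MISS/200 1048576 GET http://cdn.example.net/video.mp4 bob HIER_DIRECT/198.51.100.7 video/mp4
1559897403.100      3 192.168.1.22 TCP_DENIED/403 3245 GET http://www.qq.com/ bob HIER_NONE/- text/html
1559897404.900     50 192.168.1.33 TCP_MISS/200 812 GET http://intranet.example.internal/status - HIER_DIRECT/10.0.0.5 text/plain
this line is not a squid record
""".strip().splitlines()

# Plays the role of the exclude_hosts file (/usr/local/sarg/noreport in the article).
EXCLUDE_HOSTS = {"intranet.example.internal"}


def parse_line(line):
    """Split one native-format record into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 10:
        return None
    try:
        code, status = parts[3].split("/", 1)
        return {
            "time": float(parts[0]), "elapsed_ms": int(parts[1]), "client": parts[2],
            "code": code, "status": int(status), "bytes": int(parts[4]),
            "method": parts[5], "url": parts[6], "user": parts[7],
            "site": urlsplit(parts[6]).hostname or parts[6],
        }
    except ValueError:
        return None


def summarize(lines, exclude_hosts=(), user_ip=False):
    """Per-user totals as in SARG's top report: connections, bytes, time, denied, sites."""
    users = {}
    for rec in filter(None, map(parse_line, lines)):
        if rec["site"] in exclude_hosts:
            continue                     # excluded sites never reach the report
        # user_ip yes reports by client address; otherwise by the proxy user name,
        # falling back to the address when squid logged no user ("-")
        key = rec["client"] if user_ip or rec["user"] == "-" else rec["user"]
        stats = users.setdefault(key, {"connections": 0, "bytes": 0, "elapsed_ms": 0,
                                       "denied": 0, "sites": defaultdict(int)})
        stats["connections"] += 1
        stats["bytes"] += rec["bytes"]
        stats["elapsed_ms"] += rec["elapsed_ms"]
        stats["sites"][rec["site"]] += rec["bytes"]
        if rec["code"].startswith("TCP_DENIED"):
            stats["denied"] += 1
    return users


def top_users(users, fields=("connections", "bytes"), reverse=True):
    """Rank users like topuser_sort_field: by the given fields, descending when reverse."""
    return sorted(users.items(), key=lambda kv: tuple(kv[1][f] for f in fields), reverse=reverse)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, EXCLUDE_HOSTS)
    for name, stats in top_users(report):
        print(f"{name:<8} conn={stats['connections']} bytes={stats['bytes']} "
              f"denied={stats['denied']} sites={dict(stats['sites'])}")
```

Because denied requests are counted separately, the same summary also shows which users keep hitting the ACL blacklists, which is usually the first thing worth reviewing in the generated report.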
