
ACL access Control, Log Analysis and reverse proxy for squid Agent Service (version 4.1)

2025-01-19 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/02 Report

ACL access control list

Squid provides a powerful proxy control mechanism. By defining and combining ACLs (Access Control Lists) it can filter requests on many kinds of conditions, such as source address, destination address, requested URL path, time of access and so on.

ACL access control is implemented in two steps:

① use acl configuration items to define the conditions that need to be controlled;

② use http_access configuration items to "allow" or "deny" the defined lists.

1. Define access control lists

Format: acl <list name> <list type> <list content>

Common types of access control lists

List type       Example list content                              Meaning / purpose
src             192.168.100.1, 192.168.100.0/24                   source IP address or network segment
dst             192.168.234.5, 192.168.234.0/24, www.baidu.com    destination IP address, network segment or host name
port            80, 443, 8080, 20                                 destination port
dstdomain       .qq.com                                           destination domain; a leading dot matches every host in the domain
time            AS 12:00-13:00                                    time period in which the proxy may be used (day letters S M T W H F A stand for Sunday to Saturday, so AS means Saturday and Sunday)
maxconn         30                                                maximum number of concurrent connections per client
url_regex       -i ^rtsp://                                       regular expression matched against the whole request URL; -i ignores case
urlpath_regex   -i sex adult                                      regular expression matched against the URL path only (scheme and host excluded); -i ignores case

2. Set access permissions

After the access control lists have been defined, use http_access configuration items to act on them.

Format: http_access allow|deny <list name> [<list name> ...]   (several names on one line must all match)

Rules are evaluated from top to bottom and the first matching http_access line decides. Two further points need attention:

When no http_access rule is set at all: squid rejects every client request.
When rules exist but none of them matches: squid applies the opposite of the last rule's action (a final deny means unmatched requests are allowed, and vice versa). This is why a configuration normally ends with http_access deny all.

Demonstration experiment

Because we already set up a transparent proxy for squid in an earlier experiment, we continue from that setup here. With the transparent proxy configured, the client with IP 192.168.100.50 can reach the web server with IP 12.0.0.12, so we now use an ACL to make the client unable to access the web server.

vim /etc/squid.conf

acl localhost src 192.168.100.0/24   # define the access control list (the client's network segment)
http_access deny localhost           # deny the list; place this line before any http_access allow rule that would also match the client, because the first matching rule wins
service squid stop
service squid start                  # restart the service

Note on the name: Squid already has a built-in ACL called localhost (the loopback addresses), and a second acl line with the same name and type is merged into it, so a distinctive name such as client_net is clearer in practice.
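To make the ordering rules concrete, here is an added example (not Squid's code and not from the original article) that models how Squid walks acl and http_access lines: top-down, first match wins, several names on one line are ANDed, "!" negates, and an unmatched request gets the opposite of the last rule's action. The configuration fragments and the built-in all/localhost ACLs are constructed for the demonstration; only the src, dst, dstdomain and port types are modelled.

```python
"""Model of Squid acl / http_access evaluation (added example; not Squid's own code)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    src: str        # client IP address
    dst_host: str   # host name the client asked for
    dst_ip: str     # address that host resolves to
    port: int       # destination port


# Squid 3.2+ pre-defines these; modelled here as an assumption of the example.
BUILTIN_ACLS = {
    "all": ("src", ["all"]),
    "localhost": ("src", ["127.0.0.1/32", "::1/128"]),
}


def parse_config(text):
    """Return (acls, rules) from squid.conf-style lines; text after '#' is ignored."""
    acls = {name: (kind, list(vals)) for name, (kind, vals) in BUILTIN_ACLS.items()}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            existing = acls.get(name)
            if existing is not None and existing[0] != kind:
                raise ValueError(f"acl {name}: type {kind} conflicts with {existing[0]}")
            # Squid merges repeated definitions that share name and type
            acls.setdefault(name, (kind, []))[1].extend(values)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def _in_networks(ip, values):
    addr = ipaddress.ip_address(ip)
    return any(v == "all" or addr in ipaddress.ip_network(v, strict=False) for v in values)


def acl_matches(acls, name, req):
    kind, values = acls[name]
    if kind == "src":
        return _in_networks(req.src, values)
    if kind == "dst":
        return _in_networks(req.dst_ip, values)
    if kind == "dstdomain":
        # ".qq.com" matches qq.com and every host below it; "www.qq.com" matches exactly
        return any(req.dst_host == v[1:] or req.dst_host.endswith(v) if v.startswith(".")
                   else req.dst_host == v for v in values)
    if kind == "port":
        ports = set()
        for v in values:
            lo, _, hi = v.partition("-")
            ports.update(range(int(lo), int(hi or lo) + 1))
        return req.port in ports
    raise ValueError(f"acl type {kind} not modelled")


def decide(acls, rules, req):
    for action, names in rules:
        # every name on the line must match; a leading "!" negates that name
        if all(acl_matches(acls, n.lstrip("!"), req) != n.startswith("!") for n in names):
            return action
    if not rules:
        return "deny"                                   # no rules at all: reject
    return "deny" if rules[-1][0] == "allow" else "allow"  # opposite of the last rule


def evaluate(config_text, src, dst_host, dst_ip, port):
    acls, rules = parse_config(config_text)
    return decide(acls, rules, Request(src, dst_host, dst_ip, port))


# Constructed configuration: the deny line sits after "allow localnet", so it is never reached
ALLOW_FIRST = """
acl localnet src 192.168.100.0/24
acl client src 192.168.100.50
acl Safe_ports port 80 443 8080
http_access deny !Safe_ports
http_access allow localnet
http_access deny client
http_access deny all
"""

# Same lists, deny placed before the allow: the client is blocked, the rest of the segment is not
DENY_FIRST = ALLOW_FIRST.replace("http_access allow localnet\nhttp_access deny client",
                                 "http_access deny client\nhttp_access allow localnet")

# A lone deny rule: everything it does not match is allowed (opposite of the last rule)
LONE_DENY = "acl client src 192.168.100.50\nhttp_access deny client\n"

if __name__ == "__main__":
    for label, cfg in (("allow first", ALLOW_FIRST), ("deny first", DENY_FIRST), ("lone deny", LONE_DENY)):
        print(label, "->", evaluate(cfg, "192.168.100.50", "web", "12.0.0.12", 80))
```

The ALLOW_FIRST fragment is the mistake the experiment above can run into if the deny line is appended after the distribution's existing allow rules; DENY_FIRST is the working order.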

Squid log analysis

Log analysis for squid is done with sarg (Squid Analysis Report Generator). First deploy and install the sarg tool.

Install the required software packages

yum -y install gcc gcc-c++ gd gd-devel httpd   # gd is the image-processing library that sarg's graphs depend on

Sarg download address

Install sarg

mkdir /usr/local/sarg                   # installation directory for sarg
tar zxvf sarg-2.3.11.tar.gz -C /opt/    # extract sarg to the specified directory
cd /opt/sarg-2.3.11/                    # enter the sarg directory to compile and install
./configure --prefix=/usr/local/sarg --sysconfdir=/etc/sarg --enable-extraprotection
                                        # --prefix: installation directory; --sysconfdir: configuration file directory;
                                        # --enable-extraprotection: enable additional protection
make && make install                    # compile and install

Modify the sarg configuration file

vim /etc/sarg/sarg.conf

access_log /usr/local/squid/var/logs/access.log   # squid access log to analyse (uncomment)
title "Squid User Access Reports"                 # page title (uncomment)
output_dir /var/www/html/squid-reports            # report output directory (uncomment)
user_ip no                                        # show user names rather than IP addresses (uncomment)
exclude_hosts /usr/local/sarg/noreport            # file listing sites left out of the ranking (uncomment, replace "none" with the path)
topuser_sort_field connect reverse                # top-user ranking sorted by connection count, descending (uncomment, change BYTES to connect)
user_sort_field connect reverse                   # per-user records sorted by connection count, descending (uncomment, change BYTES to connect)
overwrite_report no                               # whether a report with the same name is overwritten (uncomment)
mail_utility mailq.postfix                        # command used to send the report by e-mail (uncomment, change mail)
charset UTF-8                                     # character set (uncomment)
weekdays 0-6                                      # days of the week covered by the top ranking (uncomment)
hours 0-23                                        # hours of the day covered by the top ranking (uncomment)
www_document_root /var/www/html                   # web document root (uncomment)

touch /usr/local/sarg/noreport   # create the exclusion file named above; domain names added to it are left out of the ranking

ln -s /usr/local/sarg/bin/sarg /usr/local/bin/   # soft link so that sarg can be run by name

systemctl start httpd.service   # the reports are read through the web server, so httpd must be running

Run sarg

sarg   # reads access.log and writes the HTML report into /var/www/html/squid-reports

Then open http://<proxy server IP>/squid-reports/ in the client's browser to read the report. The report directory exposes every client's browsing history to anyone who can reach httpd, so in practice restrict it with httpd authentication or an address allow-list rather than leaving it world-readable.
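As an added example that is neither sarg's nor Squid's code, the following script does by hand what the top-user report above does: it parses Squid's native access.log format (timestamp, elapsed ms, client, result/status, bytes, method, URL, ident, hierarchy/peer, MIME type), falls back to the client IP when no user name was logged (the user_ip setting), honours an exclude_hosts-style set, and ranks clients by connections or bytes like topuser_sort_field. It also counts TCP_DENIED entries per client, which is the quickest way to see who is hitting the ACLs. The log lines and addresses are constructed.

```python
"""Summarise a Squid native-format access.log the way sarg's top-user report does (added example)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's default log format
SAMPLE_LOG = """\
1572528000.123    125 192.168.100.50 TCP_MISS/200 4213 GET http://www.yun.com/ - HIER_DIRECT/172.16.10.129 text/html
1572528001.456      0 192.168.100.50 TCP_DENIED/403 3941 GET http://www.baidu.com/ - HIER_NONE/- text/html
1572528002.000     90 192.168.100.51 TCP_HIT/200 10240 GET http://www.yun.com/logo.png - NONE/- image/png
1572528003.500    300 192.168.100.51 TCP_TUNNEL/200 512 CONNECT mail.qq.com:443 - HIER_DIRECT/203.0.113.7 -
1572528004.000      0 192.168.100.52 TCP_DENIED/403 3941 CONNECT 203.0.113.9:8443 - HIER_NONE/- text/html
"""


def site_of(method, url):
    """CONNECT requests log host:port rather than a URL; everything else carries a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or url


def parse_line(line):
    f = line.split()
    if len(f) < 10:
        raise ValueError(f"not a native-format access.log line: {line!r}")
    result, status = f[3].split("/")
    return {
        "time": float(f[0]),
        "elapsed_ms": int(f[1]),
        "client": f[2],
        "result": result,
        "status": int(status),
        "bytes": int(f[4]),
        "method": f[5],
        "url": f[6],
        "user": f[7],
        "site": site_of(f[5], f[6]),
    }


def summarize(log_text, exclude_hosts=()):
    """Per-user totals: connections, bytes, denied requests and a per-site hit count."""
    per_user = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["site"] in exclude_hosts:
            continue                      # like sarg's exclude_hosts: drop the site from the report
        key = rec["client"] if rec["user"] == "-" else rec["user"]  # user name if logged, else IP
        u = per_user.setdefault(key, {"connect": 0, "bytes": 0, "denied": 0, "sites": defaultdict(int)})
        u["connect"] += 1
        u["bytes"] += rec["bytes"]
        if rec["result"] == "TCP_DENIED" or rec["status"] == 403:
            u["denied"] += 1
        u["sites"][rec["site"]] += 1
    return per_user


def top_users(per_user, field="connect", reverse=True):
    """Ranking equivalent to 'topuser_sort_field <field> reverse'."""
    return sorted(per_user.items(), key=lambda kv: kv[1][field], reverse=reverse)


def denied_clients(per_user):
    """Users with at least one request rejected by http_access, sorted by name."""
    return sorted(name for name, stats in per_user.items() if stats["denied"] > 0)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for name, stats in top_users(summary, "connect"):
        print(f"{name:16} connect={stats['connect']} bytes={stats['bytes']} denied={stats['denied']}")
    print("clients hitting deny rules:", denied_clients(summary))
```

Run it against the real file with `summarize(open("/usr/local/squid/var/logs/access.log").read())`; the denied count is the column sarg does not give you directly and is the one to watch after changing ACLs.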

Reverse proxy

A squid reverse proxy speeds up access to a website and distributes requests for different URLs to different web servers in the back end. At the same time Internet users only ever see the address of the reverse proxy, which reduces the exposure of the real servers.

The acceleration principle of the squid reverse proxy is as follows:

The Squid reverse proxy server sits between the local web servers and the Internet. When a client requests the website, DNS resolves the domain name to the IP address of the Squid reverse proxy, so the client connects to the Squid server rather than to the web server.

If the Squid reverse proxy already holds the requested resource in its cache, it returns it to the client directly; otherwise it fetches the resource from the back-end web server, returns the reply to the client, and keeps a copy in the local cache for the next request.

Experimental environment

Server          IP address       Function
proxy server    172.16.10.137    squid proxy service
client          172.16.10.131    issues the requests (Win7)
real server 1   172.16.10.129    provides the http service
real server 2   172.16.10.134    provides the http service

Modify the configuration file of the squid proxy service

vim /etc/squid.conf

acl web1 dstdomain www.yun.com
acl web2 dstdomain www.yun.com
# two domain-name based control lists, named web1 and web2
http_access allow web1 web2
# allow requests whose destination domain matches web1 and web2 (both names on one line must match; here they are the same domain)
http_port 172.16.10.137:80 accel vhost vport
# listen on port 80 of 172.16.10.137; accel enables acceleration (reverse proxy) mode, vhost and vport forward the request's Host header and port to the back end
cache_peer 172.16.10.129 parent 80 0 no-query originserver round-robin weight=1 name=web1
# cache_peer names a back-end server: 80 is the back-end service port, 0 is the ICP port (used only between several Squids, disabled by no-query), originserver marks it as the origin web server, round-robin distributes requests in turn, weight biases the share each peer receives, name= gives the peer an alias
cache_peer 172.16.10.134 parent 80 0 no-query originserver round-robin weight=1 name=web2
# as above for the second web server

The name= aliases only matter together with cache_peer_access, which pins a domain to a particular peer; in this setup both peers serve the same domain, so every request is simply balanced between them. Keep the http_access deny all line that ends the default configuration after the allow line above, so that the accelerator cannot be used as an open forward proxy for other destinations.

Remember to restart the squid service after editing the configuration.

Modify the home pages of the two http services so that the responses can be told apart in the later verification.

Point the Win7 client's name resolution for www.yun.com (for example its hosts file) at the proxy's address 172.16.10.137.

If visiting www.yun.com now returns the two home pages alternately, the experiment has succeeded: the proxy forwards requests to the two web servers in turn (round-robin).
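To show what the round-robin and weight= settings above actually do, here is an added example (not Squid's code and not part of the original article) that models the accelerator: requests for a domain outside the dstdomain lists are refused, live peers are chosen by the lowest served/weight ratio (first peer on ties), and a dead peer is skipped. That selection rule is a simplification of Squid's round-robin parent choice and is an assumption of this example; the per-domain gating models cache_peer_access, which the configuration on this page does not use. Peer addresses are those of the experimental environment.

```python
"""Model of the squid accelerator: dstdomain gating plus weighted round-robin peer selection (added example)."""


class Peer:
    """One cache_peer line: address, port, round-robin weight, alias, and a health flag."""

    def __init__(self, addr, port=80, weight=1, name=None):
        self.addr, self.port, self.weight = addr, port, weight
        self.name = name or addr
        self.served = 0      # requests sent to this peer so far
        self.alive = True    # False once the origin server is marked dead


class Accelerator:
    def __init__(self, peers, allowed_domains):
        self.peers = list(peers)
        self.allowed = tuple(allowed_domains)   # dstdomain values, e.g. ("www.yun.com",)

    def _domain_allowed(self, host):
        for d in self.allowed:
            if d.startswith("."):
                if host == d[1:] or host.endswith(d):
                    return True
            elif host == d:
                return True
        return False

    def route(self, host):
        """Return the peer chosen for a request to host, or None when the request is refused."""
        if not self._domain_allowed(host):
            return None                                   # http_access deny: not an accelerated domain
        candidates = [p for p in self.peers if p.alive]
        if not candidates:
            return None                                   # every origin server is down
        best = min(candidates, key=lambda p: p.served / p.weight)   # weighted round-robin
        best.served += 1
        return best


def simulate(n, weights=(1, 1), dead=(), host="www.yun.com"):
    """Send n requests for host through a two-peer accelerator; return (counts per peer, order of aliases)."""
    peers = [Peer("172.16.10.129", weight=weights[0], name="web1"),
             Peer("172.16.10.134", weight=weights[1], name="web2")]
    for p in peers:
        if p.addr in dead:
            p.alive = False
    acc = Accelerator(peers, ("www.yun.com",))
    counts = {p.addr: 0 for p in peers}
    order = []
    for _ in range(n):
        chosen = acc.route(host)
        if chosen is None:
            break
        counts[chosen.addr] += 1
        order.append(chosen.name)
    return counts, order


if __name__ == "__main__":
    print("weight 1:1 ", simulate(6))
    print("weight 2:1 ", simulate(9, weights=(2, 1)))
    print("web2 down  ", simulate(4, dead=("172.16.10.134",)))
    print("other host ", simulate(3, host="www.evil.com"))
```

With equal weights the two home pages alternate exactly as the verification step describes; raising web1's weight to 2 sends it two requests out of three, and a dead peer receives nothing.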
