Centos 7 squid server configuration ACL access control and log analysis

2025-01-20 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

To deploy the Squid service and configure a traditional proxy, see the reference blog: Centos 7 install Squid proxy service and build a traditional proxy

To configure a Squid transparent proxy, see the reference blog: Centos7 install Squid proxy service and configure a transparent proxy

I. ACL access control

Squid provides a powerful proxy control mechanism. By defining and applying ACLs appropriately, it can filter on many conditions, such as source address, destination address, requested URL path, access time and so on. In the configuration file squid.conf, ACL access control is implemented in two steps: first, acl configuration items define the conditions to be controlled; second, http_access configuration items "allow" or "deny" access for the defined lists.

1. Define the access control list

Each line of acl configuration can define an access control list in the following format:

acl <list name> <list type> <list content>

Here, the list name is chosen by the administrator to identify the control condition; the list type must be one of Squid's predefined values, each corresponding to a category of control condition; the list content is the specific object to be controlled, which differs by type and may contain several values (separated by spaces, in an "or" relation).

From this format it follows that the key to defining an access control list is choosing the list type and setting the specific condition object. Squid has many predefined list types, including source address (src), destination address (dst), destination domain (dstdomain), access time (time), access port (port), URL regular expressions (url_regex, urlpath_regex), connection count (maxconn) and so on; the examples below use several of them.

Example of an ACL definition:

[root@centos02 ~]# vim /etc/squid.conf
......
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localhost src 127.0.0.1/255.255.255.255
acl mylan src 192.168.1.0/24 192.168.4.0/24
acl to_localhost dst 127.0.0.0/8
acl mc20 maxconn 20
acl blackurl url_regex -i ^rtsp:// ^emule://
acl mediafile urlpath_regex -i \.mp3$ \.mp4$ \.rmvb$
acl worktime time MTWHF 9:00-18:00
......

When many objects of the same class need to be restricted, you can store them in a separate file and give the file path (in double quotes) as the content of the acl line, as follows:

[root@centos02 ~]# mkdir /etc/squid
[root@centos02 ~]# cd /etc/squid
[root@centos02 squid]# vim ipblock.list
61.135.167.365.1239.127.2560.28.14.0
[root@centos02 squid]# vim dmblock.list
.qq.com
.msn.com
.live.com
.verycd.com
[root@centos02 squid]# vim /etc/squid.conf
acl ipblock dst "/etc/squid/ipblock.list"
acl dmblock dstdomain "/etc/squid/dmblock.list"

After an ACL is defined, it still has to be applied through the http_access configuration item. Note that an http_access line must be placed after the acl line it references. Each http_access line defines one access rule in the following format:

http_access allow|deny <list name>

Apply the acl you just defined to the rule, as follows:

[root@centos02 squid]# vim /etc/squid.conf
......
http_access deny !Safe_ports
http_access deny mediafile
http_access deny ipblock
http_access deny dmblock
http_access deny mc20
http_access allow worktime
reply_body_max_size 10 MB
......
http_access deny all

When configuring access permissions, you need to be aware of the following:

Each http_access rule can list several access control list names separated by spaces; the rule matches only when the conditions of all the listed lists are met (an "and" relation).

To invert a condition, put a "!" in front of the access control list name.

When checking access, Squid evaluates the rules in order and stops at the first matching rule without looking further (similar to iptables rule matching), so the order of the rules is very important.

When no rules are set, the squid service rejects all client requests. This is why ACL rules for the three private network segments exist by default in the configuration file. If you want to reject one of those default network segments, comment out its default rule and then add your own restriction, so that the rules do not conflict and become ineffective.

When rules exist but none matches, Squid takes the opposite action of the last rule: if the last rule is allow, the client's request is rejected; otherwise it is allowed. The default last rule is "http_access deny all".
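The ordering and "last rule" points above are easy to get wrong in a long squid.conf. The following shell script is an added example, not part of the original post: it reads a squid.conf fragment (a constructed sample is embedded) and reports every http_access rule that references an acl not defined above it, plus a final rule that is not "deny all". Safe_ports is assumed to be defined earlier in the file.

```shell
#!/bin/bash
# Constructed squid.conf fragment with the mistakes the page warns about:
# "mediafile" is used before it is defined, "ipblock" is never defined,
# and the last rule is an allow, so unmatched requests are denied implicitly.
SQUID_CONF_SAMPLE='acl localnet src 192.168.1.0/24 192.168.4.0/24
acl mc20 maxconn 20
http_access deny !Safe_ports
http_access deny mediafile
acl mediafile urlpath_regex -i \.mp3$ \.mp4$ \.rmvb$
http_access deny ipblock   # list defined nowhere
http_access deny mc20
http_access allow localnet'

# check_squid_acl_order FILE: one finding per line; returns 0 when clean, 1 when a
# rule references an acl not defined above it or the last rule is not "deny all".
check_squid_acl_order() {
    conf_file=$1; status=0; lineno=0; last_rule=""
    defined=" all Safe_ports "   # "all" is built in; Safe_ports assumed defined earlier
    set -f                       # no globbing while word-splitting regex contents
    while IFS= read -r line; do
        lineno=$((lineno + 1))
        line=${line%%#*}         # drop trailing comments
        set -- $line
        case "$1" in
            acl) defined="$defined$2 " ;;
            http_access)
                last_rule="$2 $3"
                shift 2          # keyword and allow/deny; the rest are acl names
                for name in "$@"; do
                    name=${name#!}   # a leading "!" negates the list
                    case "$defined" in
                        *" $name "*) ;;
                        *) echo "line $lineno: acl '$name' is not defined above this rule"
                           status=1 ;;
                    esac
                done ;;
        esac
    done < "$conf_file"
    set +f
    if [ "$last_rule" != "deny all" ]; then
        echo "last rule is '$last_rule': unmatched requests get the opposite action; end with 'http_access deny all'"
        status=1
    fi
    return $status
}

# Stand-alone demo on the constructed fragment.
SAMPLE_FILE=$(mktemp); printf '%s\n' "$SQUID_CONF_SAMPLE" > "$SAMPLE_FILE"
check_squid_acl_order "$SAMPLE_FILE" || echo "problems found in $SAMPLE_FILE"
```

Run it against /etc/squid.conf before `squid -k reconfigure`; it only checks ordering and the closing rule, it does not validate acl syntax (use `squid -k parse` for that).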

In general, the most frequently matched rules are placed first to reduce the load on Squid. For the overall access control policy, it is recommended to adopt either "deny first, then allow" or "allow first, then deny".

II. Squid log analysis

To make the logs easier to read, we can use SARG, a Squid log analysis tool that produces HTML reports listing in detail the sites each user visited, time spent, rankings, number of connections, number of visits and so on.

1. Import gd package

[root@centos02 ~]# rz
[root@centos02 ~]# ls
anaconda-ks.cfg  gd-devel-2.0.35-11.el6.x86_64.rpm  initial-setup-ks.cfg

2. Install and configure sarg

[root@centos02 ~]# mount /dev/cdrom /mnt/
mount: /dev/sr0 is write-protected, mounting read-only
[root@centos02 ~]# tar zxvf /mnt/sarg-2.3.7.tar.gz -C /usr/src/
[root@centos02 ~]# umount /mnt/
[root@centos02 ~]# mount /dev/cdrom /mnt/
mount: /dev/sr0 is write-protected, mounting read-only
[root@centos02 ~]# rm -rf /etc/yum.repos.d/CentOS-*
[root@centos02 ~]# yum -y install gd gd-devel httpd
[root@centos02 ~]# rpm -ivh gd-devel-2.0.35-11.el6.x86_64.rpm
[root@centos02 ~]# rpm -ivh gd-devel-2.0.35-11.el6.x86_64.rpm --nodeps
[root@centos02 ~]# rpm -qa | grep gd
[root@centos02 ~]# rpm -qa | grep gd-devel
[root@centos02 ~]# rpm -qa | grep httpd
[root@centos02 ~]# mkdir /usr/local/sarg
[root@centos02 ~]# cd /usr/src/sarg-2.3.7/
[root@centos02 sarg-2.3.7]# ./configure --prefix=/usr/local/sarg --sysconfdir=/etc/sarg --enable-extraprotection
[root@centos02 sarg-2.3.7]# make && make install
[root@centos02 sarg-2.3.7]# ls -ld /etc/sarg/
drwxr-xr-x 2 root root 83 November 18 10:35 /etc/sarg/
[root@centos02 sarg-2.3.7]# ls -ld /usr/local/sarg/
drwxr-xr-x 4 root root 30 November 18 10:35 /usr/local/sarg/
[root@centos02 ~]# cp /etc/sarg/sarg.conf /etc/sarg/sarg.conf.bak
[root@centos02 ~]# vim /etc/sarg/sarg.conf
8   access_log /usr/local/squid/var/logs/access.log
27  title "Squid User Access Reports"
122 output_dir /var/www/html/squid-reports
182 user_ip no
189 topuser_sort_field BYTES reverse
196 user_sort_field BYTES reverse
211 exclude_hosts /usr/local/sarg/noreport
265 overwrite_report no
298 mail_utility mailx
444 charset utf-8
529 weekdays 0-6
537 hours 0-23
646 www_document_root /var/www/html
[root@centos02 ~]# mkdir -p /usr/local/sarg/noreport
[root@centos02 ~]# ln -s /usr/local/sarg/bin/sarg /usr/local/bin/
[root@centos02 ~]# sarg
SARG: Records in file: 27, reading: 100.00%
SARG: Successful report generated on /var/www/html/squid-reports/2019Nov18-2019Nov18
[root@centos02 ~]# systemctl start httpd
[root@centos02 ~]# systemctl enable httpd

3. Windows client browser access test

http://192.168.100.20/squid-reports/

http://192.168.100.20/sarg/

4. Write a script

[root@centos02 ~]# vim log.sh
#!/bin/bash
# Yesterday's date in the dd/mm/yyyy form that sarg -d expects (%m is the month; %M would be minutes)
TD=$(date -d '1 day ago' +%d/%m/%Y)
# -l: access log to read, -o: report output directory, -z: processing messages,
# -d: date range to report, here a single day
/usr/local/sarg/bin/sarg -l /usr/local/squid/var/logs/access.log -o /var/www/html/sarg -z -d $TD-$TD &> /dev/null
exit 0
[root@centos02 ~]# chmod +x log.sh
[root@centos02 ~]# ./log.sh &
[1] 7798
[root@centos02 ~]# vim /etc/rc.d/rc.local
/root/log.sh
[root@centos02 ~]# chmod +x /etc/rc.d/rc.local
