[hyperdetailed] reverse proxy Squid cache server + ACL access control + log analysis

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

Catalogue

1 squid configure ACL access control list

2 squid log analysis combined with periodic planning tasks

3 squid reverse proxy

4 Summary of the article

Opening note: the previous article introduced in detail Squid's two cache proxy modes and their principles. This article does not introduce the Squid service itself but starts directly with Squid's ACL access control list. Interested readers can refer to: traditional proxy + transparent proxy of Squid cache server, basic concept of ACL access control list, Nginx + Tomcat reverse proxy.

The source code package provides:

1. Squid source code package: Baidu network disk Squid source code package, password: 12sq

2. Squid log: Baidu network disk Squid log analysis source code package, password: sgwk

1) introduction to ACL access control of Squid

Squid provides a powerful proxy control mechanism. By defining and applying ACLs carefully, we can filter requests on many conditions, such as source address, destination address, requested URL path, access time and so on.

There are two steps to configuring ACL:

1: use acl entries in the main configuration file to define the conditions that need to be controlled

2: use http_access entries to "allow" or "deny" access for the defined lists

The following is the format for defining control lists and setting access permissions:

1 acl [list name] [list type] [list content]

[list name]: a custom name that identifies the control condition

[list type]: must be one of Squid's predefined types, each corresponding to a category of control condition

[list content]: the specific objects to be controlled; multiple values are separated by spaces

2 http_access [allow] or [deny] [list name]

[allow]: the request is allowed through

[deny]: the request is refused

The following table lists the ACL list types:

list type      list content (example)             meaning / purpose
src            192.168.1.168 or 192.168.1.0/24    source IP address or network segment
dst            216.163.137.3 or www.baidu.com     destination IP address, hostname or network segment
port           80, 443, 8080                      destination port
dstdomain      .qq.com                            destination domain, matching all sites in the domain
time           MTWHF 8:30-17:30                   period during which the proxy may be used; the letters stand for days of the week
maxconn        20                                 maximum number of concurrent connections per client
url_regex      -i ^rtsp://                        regular expression matched against the whole URL of the target resource; -i ignores case
urlpath_regex  -i \.mp3$                          regular expression matched against the URL path of the target resource; -i ignores case

In a real production environment, when defining ACL access control, analyse the users' access requirements against the current network environment and define precisely the conditions under which the proxy service may be used. The following demonstration covers different client addresses, target websites whose access must be restricted, and specific time periods. Define them as follows:

[root@localhost squid-3.4.6]# vim /etc/squid.conf

acl localhost src 127.0.0.1/255.255.255.255     # source address: 127.0.0.1

acl MYLAN src 192.168.1.0/24                    # client network segment

acl to_localhost dst 127.0.0.0/8                # destination address: the 127.0.0.0/8 segment

acl MC20 maxconn 20                             # maximum of 20 concurrent connections

acl BlackURL url_regex -i ^rtsp:// ^emule://    # URLs that begin with rtsp://, emule://, etc.

acl MEDIAFILE urlpath_regex -i \.mp3$ \.mp4$    # URL paths ending with .mp3 or .mp4

acl WORKTIME time MTWHF 08:30-17:30             # Monday to Friday, 08:30 to 17:30

The following figure is an illustration of defining an access control list:

If you need to restrict many objects of the same kind, you can store them in a separate file and simply give that file's path as the content of the acl entry.

[root@localhost squid-3.4.6]# mkdir /etc/squid

[root@localhost squid-3.4.6]# cd /etc/squid/

[root@localhost squid]# vim ipblock.list    (create a list of destination IP addresses)

The target IP established is as follows:

61.135.167.36

125.49.127.25

60.28.14.0/24

[root@localhost squid]# vim dmblock.list    (create a list of destination domains)

The target domain is established as follows:

.qq.com

.msn.com

.live.com

[root@localhost squid]# vim /etc/squid.conf    (configure the ACL access control list again)

The definitions are as follows:

acl IPBLOCK dst "/etc/squid/ipblock.list"    (reference the list contained in the specified file)

acl DMBLOCK dstdomain "/etc/squid/dmblock.list"

As shown below:

Start setting access permissions:

[root@localhost squid]# vim /etc/squid.conf

The settings are as follows:

http_access deny MYLAN MEDIAFILE    (downloading of MP3, MP4 and other potentially dangerous files is prohibited)

http_access deny MYLAN IPBLOCK      (prevent clients from accessing the IP addresses in the blacklist)

http_access deny MYLAN DMBLOCK      (prevent clients from accessing the site domains in the blacklist)

http_access deny MYLAN MC20         (clients with more than 20 concurrent connections are blocked)

http_access allow MYLAN WORKTIME    (allow clients to surf the Internet during working hours)

http_access deny all                (by default, all other clients are prohibited from using the proxy)

As shown below:

Access control rule description: Squid tests the rules in the order they are written. As soon as a matching rule is found, the remaining rules are not evaluated. The order of the rules is therefore very important.
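As an added illustration (not code from the article), the following Python script simulates how Squid walks the http_access list above. The ACL definitions and the rule order are transcribed from this article's squid.conf; the client addresses, URLs, timestamps and the resolved destination address 203.0.113.10 are constructed test data; the urlpath_regex and time handling are simplified versions of Squid's, and the fall-through behaviour (opposite of the last rule when nothing matches) follows Squid's documented default.

```python
import ipaddress
import re
from datetime import datetime
from urllib.parse import urlsplit

# ACL definitions transcribed from the article's squid.conf (name -> (type, contents))
ACLS = {
    "MYLAN":     ("src", ["192.168.1.0/24"]),
    "IPBLOCK":   ("dst", ["61.135.167.36", "125.49.127.25", "60.28.14.0/24"]),
    "DMBLOCK":   ("dstdomain", [".qq.com", ".msn.com", ".live.com"]),
    "MC20":      ("maxconn", [20]),
    "BlackURL":  ("url_regex", [r"^rtsp://", r"^emule://"]),
    "MEDIAFILE": ("urlpath_regex", [r"\.mp3$", r"\.mp4$"]),
    "WORKTIME":  ("time", ["MTWHF", "08:30-17:30"]),
    "all":       ("src", ["0.0.0.0/0"]),
}

# http_access rules in the article's order; ACL names on one line are ANDed
RULES = [
    ("deny",  ["MYLAN", "MEDIAFILE"]),
    ("deny",  ["MYLAN", "IPBLOCK"]),
    ("deny",  ["MYLAN", "DMBLOCK"]),
    ("deny",  ["MYLAN", "MC20"]),
    ("allow", ["MYLAN", "WORKTIME"]),
    ("deny",  ["all"]),
]

# Squid's day codes indexed by Python's weekday(): Monday=0 ... Sunday=6
DAY_CODES = "MTWHFAS"


def in_networks(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def domain_matches(host, pattern):
    # A leading dot matches the domain itself and every subdomain (dstdomain semantics)
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def in_time_window(when, days, window):
    start, end = window.split("-")
    return DAY_CODES[when.weekday()] in days and start <= when.strftime("%H:%M") <= end


def acl_matches(name, req):
    kind, values = ACLS[name]
    parts = urlsplit(req["url"])
    if kind == "src":
        return in_networks(req["src"], values)
    if kind == "dst":
        return in_networks(req["dst"], values)
    if kind == "dstdomain":
        return any(domain_matches(parts.hostname or "", v) for v in values)
    if kind == "maxconn":
        # matches once the client already holds more than N connections
        return req["conns"] > values[0]
    if kind == "url_regex":       # the article uses -i, so match case-insensitively
        return any(re.search(v, req["url"], re.IGNORECASE) for v in values)
    if kind == "urlpath_regex":   # simplified: path only, query string ignored
        return any(re.search(v, parts.path, re.IGNORECASE) for v in values)
    if kind == "time":
        return in_time_window(req["when"], values[0], values[1])
    raise ValueError(f"unsupported ACL type {kind}")


def evaluate(req):
    """Walk the http_access list; return (action, index of the first matching rule)."""
    for i, (action, names) in enumerate(RULES):
        if all(acl_matches(n, req) for n in names):
            return action, i
    # Nothing matched: Squid then applies the opposite of the last rule's action
    return ("allow" if RULES[-1][0] == "deny" else "deny"), None


def make_request(src, url, when, conns=1, dst="203.0.113.10"):
    # when is "YYYY-MM-DD HH:MM"; dst stands for the resolved server address
    # (203.0.113.10 is a constructed placeholder, not an address from the article)
    return {"src": src, "url": url, "when": datetime.strptime(when, "%Y-%m-%d %H:%M"),
            "conns": conns, "dst": dst}


if __name__ == "__main__":
    monday_10 = "2018-09-24 10:00"   # a Monday inside WORKTIME
    for req in (
        make_request("192.168.1.10", "http://www.example.com/", monday_10),
        make_request("192.168.1.10", "http://www.example.com/song.mp3", monday_10),
        make_request("192.168.1.10", "http://www.qq.com/", monday_10),
        make_request("192.168.1.10", "http://www.example.com/", monday_10, conns=25),
        make_request("192.168.1.10", "http://www.example.com/", monday_10, dst="60.28.14.7"),
        make_request("192.168.1.10", "http://www.example.com/", "2018-09-24 20:00"),
        make_request("10.0.0.5", "http://www.example.com/", monday_10),
    ):
        print(req["src"], req["url"], req["when"].strftime("%a %H:%M"), "->", evaluate(req))
```

Running the script shows why order matters: the same LAN client is allowed at 10:00 on a Monday, but the mp3 download, the qq.com site, the blacklisted destination address and the 25-connection client are all stopped by an earlier deny rule before the allow rule is ever reached, and a request from outside MYLAN falls through to deny all.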

Squid log analysis:

Sarg is a Squid log analysis tool. It produces HTML reports that list in detail, for each user, the sites visited, time spent, ranking, number of connections and number of visits.

The Sarg deployment process is as follows:

Install the GD library

[root@localhost ~]# mkdir /usr/local/sarg

Install Sarg:

[root@localhost ~]# tar xvf sarg-2.3.7.tar.gz -C /opt/    (unpack the source package; see: Baidu network disk Squid log analysis source code package)

[root@localhost ~]# cd /opt/sarg-2.3.7

[root@localhost sarg-2.3.7]# ./configure --prefix=/usr/local/sarg --sysconfdir=/etc/sarg --enable-extraprotection

[root@localhost sarg-2.3.7]# make && make install

As shown below:

[root@localhost sarg-2.3.7]# vim /etc/sarg/sarg.conf    (modify the configuration file)

The contents are as follows:

access_log /usr/local/squid/var/logs/access.log    (uncomment; path of the Squid access log)

title "Squid User Access Reports"    (uncomment; page title)

output_dir /var/www/html/squid-reports    (uncomment; directory where Sarg writes its reports)

user_ip no    (uncomment; display user names rather than IP addresses)

exclude_hosts /usr/local/sarg/noreport    (add this path; it names the file listing sites that are left out of the ranking)

topuser_sort_field connect reverse    (change to connect; the top-user table is sorted by number of connections, then bytes, in descending order)

user_sort_field connect reverse    (each user's access records are sorted by number of connections, then bytes, in descending order)

overwrite_report no    (whether to overwrite a report that already exists)

mail_utility mailx.postfix    (mail program used to send reports)

charset UTF-8    (character set used)

weekdays 0-6    (days of the week covered by the top ranking)

hours 0-23    (uncomment; hours of the day covered by the top ranking)

www_document_root /var/www/html    (root directory of the web server)

The configuration above references a file of sites excluded from the ranking, so that file must exist:

[root@localhost sarg-2.3.7]# touch /usr/local/sarg/noreport

Because the Sarg reports are viewed through a web browser, an Apache web server needs to be installed:

[root@localhost sarg-2.3.7]# yum install httpd -y

Start the Apache service:

[root@localhost sarg-2.3.7]# systemctl start httpd.service

[root@localhost ~]# mkdir /var/www/html/squid-reports

[root@localhost sarg-2.3.7]# sarg    (run sarg to generate the report)

Visit: http://192.168.106.154/squid-reports/    (the report reflects the websites that have been visited through the proxy)

The effect is as follows:

Sarg can also be run as a scheduled task that executes at regular intervals.

The daily report script is as follows:

[root@localhost ~]# vim /usr/local/sarg/daily.sh

The contents are as follows:

#!/bin/bash

# Get the current date and yesterday's date in Sarg's dd/mm/yyyy format

TODAY=$(date +%d/%m/%Y)

YESTERDAY=$(date -d "1 day ago" +%d/%m/%Y)

# -l: Squid access log, -o: report output directory, -z: debug output, -d: date range

/usr/local/sarg/bin/sarg -l /usr/local/squid/var/logs/access.log -o /var/www/html/sarg -z -d $YESTERDAY-$TODAY &> /dev/null

As shown below:

[root@localhost ~]# chmod +x /usr/local/sarg/daily.sh

[root@localhost ~]# crontab -e    (add a scheduled task that runs at 00:00 every day)

Add the following line (minute, hour, day of month, month, day of week, command):

00 00 * * * /usr/local/sarg/daily.sh

[root@localhost ~]# chkconfig crond on

This completes the log analysis. In a production environment, taking various factors into account, the daily report is generated at 00:00.
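Sarg reads Squid's native access.log and totals connections and bytes per user. As an added example (not code from the article or from Sarg), the following Python script does the same aggregation on a few constructed log lines in Squid's native format, skips malformed lines, applies an exclusion list in the spirit of sarg.conf's exclude_hosts, and sorts users by connection count in descending order as topuser_sort_field connect reverse does. The client addresses, URLs, byte counts and the origin addresses 203.0.113.x in the sample are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format (not taken from the article):
# timestamp elapsed client action/status bytes method URL user hierarchy/peer content-type
SAMPLE_LOG = """\
1537684800.123    245 192.168.1.10 TCP_MISS/200 5421 GET http://www.example.com/index.html - HIER_DIRECT/203.0.113.10 text/html
1537684801.456     12 192.168.1.10 TCP_HIT/200 5421 GET http://www.example.com/index.html - HIER_NONE/- text/html
1537684802.789    310 192.168.1.11 TCP_MISS/200 81234 GET http://www.example.org/pic.png - HIER_DIRECT/203.0.113.11 image/png
1537684803.000      0 192.168.1.11 TCP_DENIED/403 3941 GET http://www.qq.com/ - HIER_NONE/- text/html
1537684804.250    150 192.168.1.12 TCP_MISS/200 2048 GET http://www.example.com/a.js - HIER_DIRECT/203.0.113.10 application/javascript
1537684805.500     90 192.168.1.10 TCP_MISS/200 7000 GET http://www.example.org/ - HIER_DIRECT/203.0.113.11 text/html
this line is malformed and must be skipped
"""


def parse_line(line):
    """Split one native-format line into a dict; return None for lines that do not fit."""
    fields = line.split()
    if len(fields) < 10 or "/" not in fields[3]:
        return None
    action, status = fields[3].split("/", 1)
    try:
        return {
            "ts": float(fields[0]),
            "elapsed_ms": int(fields[1]),
            "client": fields[2],
            "action": action,
            "status": int(status),
            "bytes": int(fields[4]),
            "method": fields[5],
            "url": fields[6],
            "site": urlsplit(fields[6]).hostname or fields[6],
        }
    except ValueError:
        return None


def summarize(log_text, exclude_hosts=()):
    """Per-client totals, like Sarg's user table; exclude_hosts mirrors sarg.conf's exclude_hosts."""
    per_user = defaultdict(lambda: {"connect": 0, "bytes": 0, "denied": 0, "sites": defaultdict(int)})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["site"] in exclude_hosts:
            continue
        user = per_user[rec["client"]]
        user["connect"] += 1
        user["bytes"] += rec["bytes"]
        user["sites"][rec["site"]] += 1
        if rec["action"] == "TCP_DENIED":
            user["denied"] += 1
    return per_user


def top_users(summary, field="connect"):
    """Sort clients on a field in descending order (topuser_sort_field connect reverse)."""
    return sorted(summary.items(), key=lambda item: item[1][field], reverse=True)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for client, totals in top_users(report):
        sites = ", ".join(f"{s} ({n})" for s, n in totals["sites"].items())
        print(f"{client:15} connect={totals['connect']} bytes={totals['bytes']} "
              f"denied={totals['denied']} sites: {sites}")
```

The denied counter is worth keeping in a real report: TCP_DENIED entries are exactly the requests stopped by the http_access rules from the first part of this article, so a sudden rise in them for one client is the quickest sign that the ACLs are doing work.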

Squid reverse proxy:

Reverse proxy acceleration is used in the architecture of many large portals, with software such as Nginx and Squid.

The following figure shows the squid reverse proxy topology:

Description of reverse proxy principle:

(1) The Squid reverse proxy server sits between the local web server and the Internet. When a client accesses the website, DNS resolves the requested domain name to the IP address of the Squid reverse proxy server, so the client actually connects to the Squid proxy.

(2) If the requested resource is cached on the Squid reverse proxy server, it is returned directly to the client; otherwise Squid fetches the resource from the web server in the background, returns it to the client and caches it locally.

Start implementing the Squid reverse proxy.

[root@localhost ~]# vim /etc/squid.conf    (modify the configuration file)

The modifications are as follows:

http_port 192.168.106.154:80 accel vhost vport    (change the listening address and port: the port is no longer 3128 but HTTP port 80, and accel switches Squid into reverse-proxy mode)

cache_peer 192.168.106.156 parent 80 0 no-query originserver round-robin max_conn=30 weight=1 name=web1    (real backend server 1: parent peer on HTTP port 80 with no ICP port, origin server, round-robin, maximum connections, weight and alias)

cache_peer 192.168.106.157 parent 80 0 no-query originserver round-robin max_conn=30 weight=2 name=web2    (real backend server 2, the same way)

cache_peer_domain web1 web2 www.yun.com    (the site is accessed by domain name, so DNS is needed; for now the hosts file can simply be edited)

Check the configuration file:

[root@localhost ~]# squid -k parse    (check the configuration file; an error is found)

The error message is as follows:

2018/09/23 14:39:06| ERROR: Ignoring unknown cache_peer option 'max_conn=30'

// That is, the configuration file does not recognise "max_conn=30" (Squid spells this option max-conn, with a hyphen, so the underscore form is ignored). Here we simply delete it.

The following is a screenshot of the error:

The correct configuration file is shown below:

Next we need to modify the hosts file, because we access the site by domain name. As shown below:

Verify:

To see another result, stop one of the web servers:

[root@localhost ~]# systemctl stop httpd.service

Visit again:

The conclusion of reverse proxy:

If you do not stop one of the servers, every request returns the same result, because the response to your first request is already cached on the Squid server. For a more convincing verification, shut down the other web server as well and check whether the result changes.
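To make the two cache_peer lines and the conclusion above concrete, here is an added simulation (not code from the article or from Squid) of an accelerator in front of web1 and web2. The peer names, addresses and weights are the article's; the weighted round-robin is a simplified version of Squid's (a peer with weight=2 simply takes two turns per round), and the cache never expires, which is a simplification of Squid's freshness rules. The response bodies are constructed.

```python
import itertools


class Origin:
    """Stand-in for a backend web server (web1/web2 in the article); addresses are the article's."""

    def __init__(self, name, address, weight):
        self.name, self.address, self.weight = name, address, weight
        self.up = True

    def fetch(self, path):
        if not self.up:
            raise ConnectionError(f"{self.name} ({self.address}) is down")
        return f"{path} served by {self.name}"


class ReverseProxy:
    """Accelerator that caches responses and spreads cache misses over its parent peers."""

    def __init__(self, peers):
        self.peers = peers
        self.cache = {}   # never expires here: a simplification of Squid's freshness rules
        # weighted round-robin: a peer with weight=2 takes two turns per round
        self._turns = itertools.cycle([p for p in peers for _ in range(p.weight)])

    def _pick_peer(self):
        for _ in range(sum(p.weight for p in self.peers)):
            peer = next(self._turns)
            if peer.up:
                return peer
        raise ConnectionError("no origin server is reachable")

    def get(self, path):
        """Return (result code, body), labelled the way access.log would label the request."""
        if path in self.cache:
            return "TCP_HIT", self.cache[path]
        body = self._pick_peer().fetch(path)
        self.cache[path] = body
        return "TCP_MISS", body


def build_proxy():
    # cache_peer lines from the article: web1 weight=1, web2 weight=2
    return ReverseProxy([Origin("web1", "192.168.106.156", 1),
                         Origin("web2", "192.168.106.157", 2)])


def who_serves(proxy, paths):
    """Names of the origins that answered a list of distinct, not-yet-cached paths."""
    return [proxy.get(p)[1].split(" served by ")[1] for p in paths]


def failover_scenario():
    """Reproduce the article's test: cache a page, stop web1, request it again plus a new page."""
    proxy = build_proxy()
    first = proxy.get("/")          # miss, fetched from web1
    proxy.peers[0].up = False       # systemctl stop httpd.service on web1
    return first, proxy.get("/"), proxy.get("/new")


if __name__ == "__main__":
    print(who_serves(build_proxy(), ["/a", "/b", "/c", "/d", "/e", "/f"]))
    for code, body in failover_scenario():
        print(code, body)
```

The second result of failover_scenario is the point of the article's conclusion: after web1 is stopped, "/" is still a TCP_HIT with web1's body, because the cache answers without touching any origin; only the uncached "/new" reveals that web2 is now the sole server. With six distinct paths, who_serves shows the weight=2 peer answering twice as often as the weight=1 peer.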

Summary of the article

(1) Access control in the Squid service is set mainly through the acl and http_access configuration items: acl defines the control conditions, and http_access decides whether to allow or deny.

(2) The Squid log analysis tool Sarg produces reports in HTML format, so viewing them requires a web server such as Apache. The reports list each user's access information in detail.

(3) The Squid reverse proxy speeds up access to a website and can distribute different URL requests to different backend web servers, so that Internet users only ever see the address of the proxy server.

Recommended articles related to this article:

(1): traditional proxy + transparent proxy of Squid cache server,

(2): the basic concept of ACL access control list,

(3): Nginx + Tomcat reverse proxy
