Common Squid Server Configuration

System environment

root # cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core) 

Install Squid

yum -y install squid

Squid works as a forward proxy by default. The default configuration file /etc/squid/squid.conf is explained below.

# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
# Default ACLs
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny access to any port outside Safe_ports and SSL_ports
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
# Allow local access to cachemgr
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Custom ACLs and access rules go here

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
# Catch-all policy: deny all
http_access deny all

# Squid normally listens to port 3128
# Default listening port
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

Common ACL configuration

Generally, once the server is installed, the most common ACLs cover client IP whitelists and blacklists, the URLs or domains being accessed, and time-of-day restrictions on service.

When the requirements are simple, the following controls can be implemented by editing squid.conf directly:

1. Reject every client except the IP address x.x.x.x

acl client_whitelists src x.x.x.x
http_access allow client_whitelists
http_access deny all

2. Block clients from accessing sites whose URL contains the keyword <keyword>

acl forbidden_keywords url_regex -i <keyword>
http_access deny forbidden_keywords

3. Block clients from accessing a domain, for example test.com

acl forbidden_urls url_regex test.com
http_access deny forbidden_urls

4. Block downloads of files with certain extensions, for example .avi and .rar

acl forbidden_file_types urlpath_regex -i .rar$ .avi$
http_access deny forbidden_file_types

If the environment is more complex, the blacklists and whitelists are easier to maintain later if you split them into several configuration files and link those to the main squid.conf:

[root@localhost conf.d]# mkdir /etc/squid/conf.d
Create the configuration files client_IP.conf, content-filter.conf and time.conf

[root@localhost conf.d]# cat client_IP.conf

acl client_whitelist src 192.168.108.1
acl client_blacklist src 192.168.108.100

http_access deny client_blacklist
http_access allow client_whitelist

[root@localhost conf.d]# cat content-filter.conf
acl forbidden_domain dstdomain .jd.com
acl forbidden_keywords url_regex -i taobao
acl forbidden_urls url_regex -i qq.com
acl forbidden_file_types urlpath_regex -i .rar$ .avi$

http_access deny forbidden_domain
http_access deny forbidden_keywords
http_access deny forbidden_urls
http_access deny forbidden_file_types

[root@localhost conf.d]# cat time.conf
acl Working_time time MTWHF 08:00-20:59

http_access deny !Working_time


Edit the main configuration file squid.conf
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
#http_access allow localnet
http_access allow localhost

include /etc/squid/conf.d/content-filter.conf
include /etc/squid/conf.d/time.conf
include /etc/squid/conf.d/client_IP.conf
# And finally deny all other access to this proxy
http_access deny all

Authentication

Local basic authentication: to be completed later.

Integrating AD domain authentication (the Squid server must be joined to the domain)

1. Install samba and krb5
yum install samba*
yum install krb5*

2. Edit krb5.conf
root# cat /etc/krb5.conf
# Only the relevant parts are shown; the realm name must be in upper case
[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
 default_realm = DEMO.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 DEMO.COM = {
  kdc = dc1.DEMO.COM:88
  admin_server = dc1.DEMO.COM:749
  default_domain = DEMO.COM
 }

[domain_realm]
 .DEMO.COM = DEMO.COM
 DEMO.COM = DEMO.COM

Once this is configured, test it with the kinit tool as follows:
root# kinit administrator
Password for administrator@DEMO.COM:

3. Edit smb.conf
root # cat /etc/samba/smb.conf
[global]
 workgroup = DEMO
 security = ads
 server string = netproxy
 realm = DEMO.COM
 password server = dc1.demo.com
 winbind use default domain = yes
 winbind offline logon = true
 encrypt passwords = yes
 idmap gid = 10000 - 20000
 idmap uid = 10000 - 20000
 os level = 20
 dns proxy = no
 max log size = 50

4. Join the domain:
root# net ads join -U administrator   # use an account that has permission to join machines to the domain

5. Use wbinfo -t to verify that the host has joined AD
root# wbinfo -t
checking the trust secret via RPC calls succeeded
This output means the machine trust has been established. wbinfo -u lists the accounts registered in AD, and wbinfo -g returns the groups in AD.

6. Test ntlm_auth
root# ntlm_auth --username=administrator
Password:**************
NT_STATUS_OK: NT_STATUS_OK (0x0)
This means the domain account administrator was authenticated successfully.
7. Configure NSS. NSS (Name Service Switch) controls how accounts are resolved. Edit /etc/nsswitch.conf as follows:
passwd:     files winbind sss 
shadow:     files sss
group:      files winbind sss

8. Add the following to squid.conf
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp 
auth_param ntlm children 5
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5 
auth_param basic realm Squid proxy-caching web server 
auth_param basic credentialsttl 5 hours 
acl squid_user proxy_auth REQUIRED 
http_access allow all squid_user 

9. For users to be authenticated, Squid must be able to access the winbind pipe; otherwise authentication through Squid fails. Change the permissions on the winbind pipe:
root# chown -R root:squid /var/lib/samba/winbindd_privileged
root# chmod -R 750 /var/lib/samba/winbindd_privileged

10. Restart the Squid service and verify authentication with a domain user.
If the computer is logged in with a domain account, browsing through the proxy will not prompt for a username and password. When a non-domain user is logged in and accesses websites through the proxy, an authentication window pops up asking for a username and password.

To allow only members of a specific domain group to use the proxy after authentication, append --require-membership-of=DEMO.COM\Groupname to both
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp and auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic, where "DEMO.COM" is the domain name and "Groupname" is the name of the group permitted to browse.

Reverse proxy

# Comment out the forward-proxy listener
#http_port 3128
# Configure the reverse proxy
# Change the port to 80 with accel vhost vport to run as a reverse proxy
http_port 80  accel vhost vport
# cache_peer <origin IP> <port> 0 originserver name=a   ("a" stands for one domain)
cache_peer 123.125.119.147 parent 80 0 originserver name=a
cache_peer 61.135.169.125 parent 80 0 originserver name=b
# Set a's domain to www.qq.com
cache_peer_domain a www.qq.com
cache_peer_domain b www.baidu.com

Common operations commands

[root@localhost squid]# squid -h
Usage: squid [-cdzCFNRVYX] [-n name] [-s | -l facility] [-f config-file] [-[au] port] [-k signal]
    -h | --help       Print help message.
    -v | --version    Print version details.

       -a port   Specify HTTP port number (default: 3128).
       -d level  Write debugging to stderr also.
       -f file   Use given config-file instead of
                 /etc/squid/squid.conf
       -k reconfigure|rotate|shutdown|restart|interrupt|kill|debug|check|parse
                 Parse configuration file, then send signal to 
                 running copy (except -k parse) and exit.
       -n name   Specify service name to use for service operations
                 default is: squid.
       -s | -l facility
                 Enable logging to syslog.
       -u port   Specify ICP port number (default: 3130), disable with 0.
       -z        Create missing swap directories and then exit.
       -C        Do not catch fatal signals.
       -D        OBSOLETE. Scheduled for removal.
       -F        Don't serve any requests until store is rebuilt.
       -N        Master process runs in foreground and is a worker. No kids.
       --foreground
                 Master process runs in foreground and creates worker kids.
       --kid role-ID
                 Play a given SMP kid process role, with a given ID. Do not use
                 this option. It is meant for the master process use only.
       -R        Do not set REUSEADDR on port.
       -S        Double-check swap during rebuild.
       -X        Force full debugging.
       -Y        Only return UDP_HIT or UDP_MISS_NOFETCH during fast reload.

The following are the ones used most often after changing the configuration:

[root@localhost squid]# squid -k check  # check the configuration file
[root@localhost squid]# squid -k reconfig  # apply the configuration without restarting the service
[root@localhost squid]# squid -k parse  # parse the configuration file and report errors

Verification and viewing logs

Verify the proxy locally on the server with curl -x localhost:3128 <url> -I

[root@localhost squid]# curl -x localhost:3128 www.baidu.com -I
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Content-Length: 277
Content-Type: text/html
Date: Mon, 31 Aug 2020 03:17:22 GMT
ETag: "575e1f72-115"
Last-Modified: Mon, 13 Jun 2016 02:50:26 GMT
Pragma: no-cache
Server: bfe/1.0.8.18
X-Cache: MISS from localhost.localdomain
X-Cache-Lookup: MISS from localhost.localdomain:3128
Via: 1.1 localhost.localdomain (squid/4.4)
Connection: keep-alive

View the log files

[root@localhost squid]# cat /var/log/squid/access.log
[root@localhost squid]# cat /var/log/squid/cache.log
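Reading access.log with cat quickly stops scaling; what an operator usually wants to know after changing ACLs or enabling authentication is which clients are being denied, for which URLs, and whether a denial is a policy block (TCP_DENIED/403) or merely the proxy-auth challenge (TCP_DENIED/407) that precedes a successful NTLM or basic login. The script below is an added example, not code from the original post or from the Squid project: it parses Squid's native access.log format (timestamp, elapsed ms, client, action/status, size, method, URL, user, hierarchy/peer, content type) and summarises denials per client and per reason. The log lines are constructed sample data whose timestamps are chosen to match the Date header in the curl check above.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample of Squid's native access.log format (not real log data):
# timestamp elapsed client action/status size method URL user hierarchy/peer content-type
SAMPLE_LOG = """\
1598843842.123     45 192.168.108.1 TCP_MISS/200 277 HEAD http://www.baidu.com/ - HIER_DIRECT/220.181.38.148 text/html
1598843850.456      0 192.168.108.100 TCP_DENIED/403 3915 GET http://www.baidu.com/ - HIER_NONE/- text/html
1598843860.789      0 192.168.108.1 TCP_DENIED/403 3901 GET http://item.jd.com/1.html - HIER_NONE/- text/html
1598843870.000      0 192.168.108.1 TCP_DENIED/407 3988 GET http://www.example.com/ - HIER_NONE/- text/html
1598843880.111    120 192.168.108.1 TCP_MISS/200 5120 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1598843890.222   2400 192.168.108.1 TCP_TUNNEL/200 65536 CONNECT www.baidu.com:443 - HIER_DIRECT/220.181.38.148 -
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$")


def parse_line(line):
    """Parse one native-format access.log line into a dict, or return None
    when the line does not match (truncated writes, other log formats)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc)
    rec["elapsed"] = int(rec["elapsed"])
    rec["size"] = int(rec["size"])
    return rec


def summarize(text):
    """Count responses per status code and denials per client and reason, so
    that a whitelisted host being blocked, or every client being challenged
    for credentials, stands out without reading the raw log."""
    status = Counter()
    denied_by_client = Counter()
    denied = defaultdict(list)
    skipped = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                skipped += 1               # keep a count of unparseable lines
            continue
        status[rec["status"]] += 1
        if rec["action"] == "TCP_DENIED":
            denied_by_client[rec["client"]] += 1
            # 407 is the proxy-auth challenge produced by auth_param, not an ACL block
            reason = "auth_challenge" if rec["status"] == "407" else "acl_denied"
            denied[reason].append(rec["url"])
    return {"status": dict(status), "denied_by_client": dict(denied_by_client),
            "denied": dict(denied), "skipped": skipped}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

To run it against a live proxy, replace SAMPLE_LOG with the contents of /var/log/squid/access.log; the regular expression only fits the default native format, so a custom logformat directive needs a matching pattern.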

The above covers only common, routine configuration. To study Squid in depth, the translated book "Squid中文权威指南" (the Chinese translation of the Squid definitive guide) is recommended; it can be found online.

Original article: https://www.cnblogs.com/xjcn/p/13588566.html