System environment
root # cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
Installing squid
yum -y install squid
Squid's default mode of operation is a forward proxy. The default configuration file /etc/squid/squid.conf is explained below.
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
# Default ACLs
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8            # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10         # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16        # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12         # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16        # RFC 1918 local private network (LAN)
acl localnet src fc00::/7              # RFC 4193 local private network range
acl localnet src fe80::/10             # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
# Deny access to any port outside Safe_ports and SSL_ports
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
# Allow local access to cachemgr
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Custom ACLs and access rules go here
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
# Catch-all policy: deny all
http_access deny all
# Squid normally listens to port 3128
# Default listening port
http_port 3128
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
Common ACL configurations
In general, once the server is installed, the most common ACLs cover client IP allow/deny lists, the URLs or domains being accessed, and service hours.
When the requirements are simple, editing squid.conf directly is enough to enforce controls such as the following:
1. Deny every client except IP address x.x.x.x
acl client_whitelists src x.x.x.x
http_access allow client_whitelists
http_access deny all
2. Block clients from sites whose URL contains the keyword <keyword>
acl forbidden_keywords url_regex -i <keyword>
http_access deny forbidden_keywords
3. Block clients from a specific domain: test.com
acl forbidden_urls url_regex test.com
http_access deny forbidden_urls
4. Block downloads of files with certain extensions, e.g. .avi and .rar
acl forbidden_file_types urlpath_regex -i \.rar$ \.avi$
http_access deny forbidden_file_types
If the environment is more complex, you can also split the allow/deny lists into several configuration files and include them from the main squid.conf, which makes later maintenance easier:
[root@localhost conf.d]# mkdir /etc/squid/conf.d
Create the configuration files client_IP.conf, content-filter.conf and time.conf:
[root@localhost conf.d]# cat client_IP.conf
acl client_whitelist src 192.168.108.1
acl client_blacklist src 192.168.108.100
http_access deny client_blacklist
http_access allow client_whitelist
[root@localhost conf.d]# cat content-filter.conf
acl forbidden_domain dstdomain .jd.com
acl forbidden_keywords url_regex -i taobao
acl forbidden_urls url_regex -i qq.com
acl forbidden_file_types urlpath_regex -i \.rar$ \.avi$
http_access deny forbidden_domain
http_access deny forbidden_keywords
http_access deny forbidden_urls
http_access deny forbidden_file_types
[root@localhost conf.d]# cat time.conf
acl Working_time time MTWHF 08:00-20:59
http_access deny !Working_time
Edit the main configuration file squid.conf:
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
#http_access allow localnet
http_access allow localhost
include /etc/squid/conf.d/content-filter.conf
include /etc/squid/conf.d/time.conf
include /etc/squid/conf.d/client_IP.conf
# And finally deny all other access to this proxy
http_access deny all
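To see what the numbered rules and the conf.d files above actually decide before loading them, here is an added Python model of squid's ACL evaluation (example code written for this page, not part of squid or the original post). It implements src, dstdomain, url_regex and urlpath_regex plus squid's first-match http_access logic over a constructed copy of the page's rules, and goes slightly beyond the page by handling '!' negation and the no-match default; it also shows why the url_regex form used for test.com and qq.com over-matches (an unescaped dot matches any character), while dstdomain .jd.com matches only that domain and its subdomains.

```python
import ipaddress
import re
from urllib.parse import urlsplit
# Constructed copy of this page's conf.d rules (content-filter.conf, then client_IP.conf) plus the final deny all.
SQUID_RULES = r"""
acl forbidden_domain dstdomain .jd.com
acl forbidden_urls url_regex -i qq.com
acl forbidden_file_types urlpath_regex -i \.rar$ \.avi$
http_access deny forbidden_domain
http_access deny forbidden_urls
http_access deny forbidden_file_types
acl client_whitelist src 192.168.108.1
acl client_blacklist src 192.168.108.100
http_access deny client_blacklist
http_access allow client_whitelist
http_access deny all
"""

def parse_rules(text):
    acls, rules = {"all": ("src", False, ["0.0.0.0/0"])}, []  # "all" is built into squid
    for parts in (line.split() for line in text.splitlines()):
        if parts and parts[0] == "acl":  # "-i" makes a regex ACL case-insensitive
            icase = parts[3] == "-i"
            acls[parts[1]] = (parts[2], icase, parts[4:] if icase else parts[3:])
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acl, client_ip, url):
    kind, icase, values = acl
    flags = re.IGNORECASE if icase else 0
    host, path = urlsplit(url).hostname or "", urlsplit(url).path or "/"
    if kind == "src":
        return any(ipaddress.ip_address(client_ip) in ipaddress.ip_network(v, False) for v in values)
    if kind == "dstdomain":  # a leading dot matches the domain itself and every subdomain
        return any(host == v.lstrip(".") or (v[0] == "." and host.endswith(v)) for v in values)
    if kind == "url_regex":  # an unescaped '.' matches any character: qq.com also hits qqXcom
        return any(re.search(v, url, flags) for v in values)
    if kind == "urlpath_regex":  # only the path is tested, so a host name cannot satisfy \.rar$
        return any(re.search(v, path, flags) for v in values)
    raise ValueError("unsupported acl type " + kind)

def check_access(client_ip, url, rules_text=SQUID_RULES):
    """First http_access line whose terms all match decides; a leading '!' negates a term."""
    acls, rules = parse_rules(rules_text)
    for action, terms in rules:
        if all(acl_matches(acls[t.lstrip("!")], client_ip, url) != t.startswith("!") for t in terms):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"  # nothing matched: opposite of the last line
```

Because squid falls back to the opposite of the last http_access line when nothing matches, the trailing deny all is what keeps an unlisted client out; remove it and an unmatched request is allowed.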
Authentication
Local basic authentication: to be added later.
Integrating AD domain authentication (the squid server must be joined to the domain)
1. Install samba and krb5
yum install samba*
yum install krb5*
2. Edit krb5.conf
root# cat /etc/krb5.conf
# Only the relevant parts are shown; the realm name must be in upper case
[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
 default_realm = DEMO.COM
 default_ccache_name = KEYRING:persistent:%{uid}
[realms]
 DEMO.COM = {
  kdc = dc1.DEMO.COM:88
  admin_server = dc1.DEMO.COM:749
  default_domain = DEMO.COM
 }
[domain_realm]
 .DEMO.COM = DEMO.COM
 DEMO.COM = DEMO.COM
Once configured, test it with the kinit tool as follows:
root# kinit administrator
Password for administrator@DEMO.COM:
3. Edit smb.conf
root # cat /etc/samba/smb.conf
[global]
 workgroup = DEMO
 security = ads
 server string = netproxy
 realm = DEMO.COM
 password server = dc1.demo.com
 winbind use default domain = yes
 winbind offline logon = true
 encrypt passwords = yes
 idmap gid = 10000 - 20000
 idmap uid = 10000 - 20000
 os level = 20
 dns proxy = no
 max log size = 50
4. Join the domain:
root# net ads join -U administrator   # use an account that has permission to join machines to the domain
5. Use wbinfo -t to verify that the host has joined AD successfully
root# wbinfo -t
The system returns
checking the trust secret via RPC calls succeeded
which shows that the host trust has been established. wbinfo -u lists the accounts registered in AD, and wbinfo -g returns the groups in AD.
6. Test verification with ntlm_auth
root# ntlm_auth --username=administrator
Password:**************
NT_STATUS_OK: NT_STATUS_OK (0x0)
This shows that the domain account administrator has been verified successfully.
7. Configure NSS. NSS (Name Service Switch) controls how account information is resolved. Edit /etc/nsswitch.conf as follows:
passwd: files winbind sss
shadow: files sss
group: files winbind sss
8. Add the following to squid.conf
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 5 hours
acl squid_user proxy_auth REQUIRED
http_access allow all squid_user
9. For users to authenticate, squid must be able to access the winbind pipe; otherwise users cannot pass Squid authentication. Change the permissions on the winbind pipe:
root# chown -R root:squid /var/lib/samba/winbindd_privileged
root# chmod -R 750 /var/lib/samba/winbindd_privileged
10. Restart the squid service and verify authentication with a domain user. When the computer is logged in with a domain account, browsing does not prompt for a username and password; when a non-domain user is logged in and accesses a site through the proxy, an authentication dialog pops up asking for a username and password.
If only members of a specific domain group should be able to authenticate and use the proxy, append --require-membership-of=DEMO.COM\\Groupname to both the auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp line and the auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic line, where "DEMO.COM" is the domain name and "Groupname" is the name of the group allowed to browse.
Reverse proxy
# Comment out the forward-proxy listener
#http_port 3128
# Configure the reverse proxy
# Change the port to 80; accel vhost vport turns this into a reverse proxy
http_port 80 accel vhost vport
# cache_peer <proxied server IP> <port> 0 originserver name=a, where "a" stands for one domain
cache_peer 123.125.119.147 parent 80 0 originserver name=a
cache_peer 61.135.169.125 parent 80 0 originserver name=b
# Set the domain for a to www.qq.com
cache_peer_domain a www.qq.com
cache_peer_domain b www.baidu.com
Common operations commands
[root@localhost squid]# squid -h
Usage: squid [-cdzCFNRVYX] [-n name] [-s | -l facility] [-f config-file] [-[au] port] [-k signal]
    -h | --help       Print help message.
    -v | --version    Print version details.
    -a port           Specify HTTP port number (default: 3128).
    -d level          Write debugging to stderr also.
    -f file           Use given config-file instead of
                      /etc/squid/squid.conf
    -k reconfigure|rotate|shutdown|restart|interrupt|kill|debug|check|parse
                      Parse configuration file, then send signal to
                      running copy (except -k parse) and exit.
    -n name           Specify service name to use for service operations
                      default is: squid.
    -s | -l facility  Enable logging to syslog.
    -u port           Specify ICP port number (default: 3130), disable with 0.
    -z                Create missing swap directories and then exit.
    -C                Do not catch fatal signals.
    -D                OBSOLETE. Scheduled for removal.
    -F                Don't serve any requests until store is rebuilt.
    -N                Master process runs in foreground and is a worker. No kids.
    --foreground      Master process runs in foreground and creates worker kids.
    --kid role-ID     Play a given SMP kid process role, with a given ID. Do not use
                      this option. It is meant for the master process use only.
    -R                Do not set REUSEADDR on port.
    -S                Double-check swap during rebuild.
    -X                Force full debugging.
    -Y                Only return UDP_HIT or UDP_MISS_NOFETCH during fast reload.
The following are the ones used most often after changing the configuration:
[root@localhost squid]# squid -k check      # parse the configuration, then check that the running squid responds
[root@localhost squid]# squid -k reconfig   # apply the configuration to the running process without a restart
[root@localhost squid]# squid -k parse      # parse the configuration file and report any errors
Verification and log viewing
Test the proxy locally on the server with curl -x localhost:3128 <url> -I
[root@localhost squid]# curl -x localhost:3128 www.baidu.com -I
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Content-Length: 277
Content-Type: text/html
Date: Mon, 31 Aug 2020 03:17:22 GMT
ETag: "575e1f72-115"
Last-Modified: Mon, 13 Jun 2016 02:50:26 GMT
Pragma: no-cache
Server: bfe/1.0.8.18
X-Cache: MISS from localhost.localdomain
X-Cache-Lookup: MISS from localhost.localdomain:3128
Via: 1.1 localhost.localdomain (squid/4.4)
Connection: keep-alive
View the log files
[root@localhost squid]# cat /var/log/squid/access.log
[root@localhost squid]# cat /var/log/squid/cache.log
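Reading access.log with cat does not scale once the ACLs and proxy_auth above are in place. Here is an added Python example (not from the original post) that parses squid's native access.log format and summarizes, per client, ACL denials (TCP_DENIED/403), authentication challenges (TCP_DENIED/407 from the proxy_auth REQUIRED rule) and the authenticated users seen, flagging clients that were denied on several distinct hosts. The log lines are constructed to resemble what this page's configuration would record; the hosts and addresses in them are placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit
# Squid's native access.log layout (the default when no logformat is configured):
# timestamp elapsed_ms client result/status bytes method url user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<result>[A-Z_]+)/(?P<status>\d{3})"
    r"\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$"
)

# Constructed sample lines in the shape the configuration on this page would produce.
SAMPLE_LOG = """\
1598843842.101    145 192.168.108.1 TCP_MISS/200 277 GET http://www.baidu.com/ administrator HIER_DIRECT/203.0.113.10 text/html
1598843843.204      0 192.168.108.1 TCP_DENIED/403 3914 GET http://www.jd.com/ administrator HIER_NONE/- text/html
1598843844.310      0 192.168.108.1 TCP_DENIED/403 3914 GET http://www.taobao.com/ administrator HIER_NONE/- text/html
1598843845.002      0 192.168.108.1 TCP_DENIED/403 3921 GET http://dl.example/movie.rar administrator HIER_NONE/- text/html
1598843846.511      0 192.168.108.100 TCP_DENIED/403 3910 GET http://www.example.com/ - HIER_NONE/- text/html
1598843847.700      0 192.168.108.20 TCP_DENIED/407 3968 CONNECT www.example.com:443 - HIER_NONE/- text/html
1598843848.120     88 192.168.108.20 TCP_TUNNEL/200 5120 CONNECT www.example.com:443 alice HIER_DIRECT/198.51.100.7 -
"""

def host_of(url):
    """Host name for both absolute URLs and the host:port form squid logs for CONNECT."""
    return (urlsplit(url if "://" in url else "//" + url).hostname or url).lower()

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def summarize(log_text, probe_threshold=3):
    """Per-client counts of ACL denials (403) and auth challenges (407), flagging policy probing."""
    stats = defaultdict(lambda: {"allowed": 0, "denied_403": 0, "challenged_407": 0,
                                 "blocked_hosts": set(), "users": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:  # skip lines written in another logformat or torn by log rotation
            continue
        s = stats[rec["client"]]
        if rec["user"] != "-":
            s["users"].add(rec["user"])
        if rec["result"] == "TCP_DENIED" and rec["status"] == "403":
            s["denied_403"] += 1
            s["blocked_hosts"].add(host_of(rec["url"]))
        elif rec["status"] == "407":  # proxy_auth REQUIRED asked for credentials; not a policy block
            s["challenged_407"] += 1
        else:
            s["allowed"] += 1
    # a client denied on several distinct hosts is probing the policy rather than mistyping one URL
    return {c: dict(v, probing=len(v["blocked_hosts"]) >= probe_threshold) for c, v in stats.items()}
```

Feed it the real file with summarize(open("/var/log/squid/access.log").read()); a 407 entry followed by the same request with a user name is the normal NTLM handshake, so only repeated 407s without a follow-up need attention.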
