When we open a web request in the client browser, such as " http://www.yourdomain.com ", then The following events will occur one after another:
1. The client requests "www.yourdomain.com" from DNS and obtains the corresponding IP address 202.99.11.120. Then, the client uses a certain port (such as 1066) to initiate a web connection request to port 80 of the IP address to request a web page.
2. When the request packet passes through the transparent proxy server, it is redirected to the proxy server's binding port 8080. Therefore, the transparent proxy server uses a certain port (such as 1088) to initiate a web connection request to port 80 of 202.99.11.120 to request a web page.
3. After receiving the response web page, the proxy server transmits the data to the client.
4. The client browser displays the page.
From the perspective of www.yourdomain.com, the connection is established between port 1088 at 1.2.3.4 and port 80 at 202.99.11.120. From the client's perspective, the connection is established between port 1066 of 192.168.1.100 and port 80 of 202.99.11.120.
The above is the difference between the traditional proxy server and the transparent proxy server.
Section 2 Comparison of various proxy servers
There are many proxy server software under linux, I checked it from www.freshmeat.com (a famous linux software site), there are more than sixty. However, only Apache, socks, squid, etc. have been widely used in practice and proved to be high-performance agent software. Let's compare these software separately:
2.1 Apache
Apache is the most widely used HTTP server in the world. The reason why it is most widely used is because of its powerful functions, high efficiency, security and speed. Starting from version 1.1.x, Apache includes a proxy module. The performance advantage of using Apache as a proxy server is not obvious and is not recommended.
2.2 Socks
Socks is a network proxy protocol that allows clients to gain full access to the Internet through the Socks server. Scoks establishes a secure proxy data channel between the server and the client. From the perspective of the client, Scoks is transparent; from the perspective of the server, Socks is the client. The client does not need to have direct access to the Internet (that is, a private IP address can be used) because the Socks server can redirect connection requests from the client to the Internet. In addition, the Socks server can authenticate user connection requests, allowing legitimate users to establish proxy connections. Similarly, Socks can also prevent unauthorized Internet users from accessing the internal network. So often use Socks as a firewall.
Common browsers such as netscape, IE, etc. can directly use Socks, and we can also use the client that comes with socsk5 to enable Internet software that does not directly support socks to use Socks.
For more information, please refer to the official Socks website http://www.socks.nec.com .
2.3 Squid
For web users, Squid is a high-performance proxy cache server. Squid supports FTP, gopher, and HTTP protocols. Unlike common proxy caching software, Squid uses a single, non-modular, I / O-driven process to handle all client requests.
Squid caches data elements in memory and caches DNS query results. In addition, it also supports non-modular DNS queries to passively cache failed requests. Squid supports SSL and access control. Due to the use of ICP (Lightweight Internet Cache Protocol), Squid can implement a cascading array of agents, thereby maximizing bandwidth savings.
Squid is composed of a main service program squid, a DNS query program dnsserver, several rewriting requests and performing authentication procedures, and several management tools. When Squid is started, it can spawn a predetermined number of dnsserver processes, and each dnsserver process can perform a separate DNS query, which greatly reduces the time the server waits for DNS queries.
2.4 Select
1. The client requests "www.yourdomain.com" from DNS and obtains the corresponding IP address 202.99.11.120. Then, the client uses a certain port (such as 1066) to initiate a web connection request to port 80 of the IP address to request a web page.
2. When the request packet passes through the transparent proxy server, it is redirected to the proxy server's binding port 8080. Therefore, the transparent proxy server uses a certain port (such as 1088) to initiate a web connection request to port 80 of 202.99.11.120 to request a web page.
3. After receiving the response web page, the proxy server transmits the data to the client.
4. The client browser displays the page.
From the perspective of www.yourdomain.com, the connection is established between port 1088 at 1.2.3.4 and port 80 at 202.99.11.120. From the client's perspective, the connection is established between port 1066 of 192.168.1.100 and port 80 of 202.99.11.120.
The above is the difference between the traditional proxy server and the transparent proxy server.
Section 2 Comparison of various proxy servers
There are many proxy server software under linux, I checked it from www.freshmeat.com (a famous linux software site), there are more than sixty. However, only Apache, socks, squid, etc. have been widely used in practice and proved to be high-performance agent software. Let's compare these software separately:
2.1 Apache
Apache is the most widely used HTTP server in the world. The reason why it is most widely used is because of its powerful functions, high efficiency, security and speed. Starting from version 1.1.x, Apache includes a proxy module. The performance advantage of using Apache as a proxy server is not obvious and is not recommended.
2.2 Socks
Socks is a network proxy protocol that allows clients to gain full access to the Internet through the Socks server. Scoks establishes a secure proxy data channel between the server and the client. From the perspective of the client, Scoks is transparent; from the perspective of the server, Socks is the client. The client does not need to have direct access to the Internet (that is, a private IP address can be used) because the Socks server can redirect connection requests from the client to the Internet. In addition, the Socks server can authenticate user connection requests, allowing legitimate users to establish proxy connections. Similarly, Socks can also prevent unauthorized Internet users from accessing the internal network. So often use Socks as a firewall.
Common browsers such as netscape, IE, etc. can directly use Socks, and we can also use the client that comes with socsk5 to enable Internet software that does not directly support socks to use Socks.
For more information, please refer to the official Socks website http://www.socks.nec.com .
2.3 Squid
For web users, Squid is a high-performance proxy cache server. Squid supports FTP, gopher, and HTTP protocols. Unlike common proxy caching software, Squid uses a single, non-modular, I / O-driven process to handle all client requests.
Squid caches data elements in memory and caches DNS query results. In addition, it also supports non-modular DNS queries to passively cache failed requests. Squid supports SSL and access control. Due to the use of ICP (Lightweight Internet Cache Protocol), Squid can implement a cascading array of agents, thereby maximizing bandwidth savings.
Squid is composed of a main service program squid, a DNS query program dnsserver, several rewriting requests and performing authentication procedures, and several management tools. When Squid is started, it can spawn a predetermined number of dnsserver processes, and each dnsserver process can perform a separate DNS query, which greatly reduces the time the server waits for DNS queries.
2.4 Select
As can be seen from the above comparison, Apache web server main function is, the proxy function is only one of its modules only, Socks powerful, but inflexible, so we recommend that you focus on the use Squid. In the following chapters, we will learn about Squid's exciting features and related installation and configuration.
Section III install Proxy Server Squid
3.1 acquisition software
you can get the software in the following ways:
1. From the official site of Squid http://www.squid-cache.org download the software;
2. From your linux release Get the software;
Generally, there are two types of Squid software packages: one is the source code, which needs to be recompiled after downloading; the executable file can be used only after decompression after downloading; the other is the rpm package used by RedHat. Below we talk about the installation methods of these two software packages.
3.2 Installing the software
we present the latest stable version of squid-2.3.STABLEX example.
3.2.1 Installation of rpm package
1. Enter / mnt / cdrom / RedHat / RPMS
2. Execute rpm -ivh squid-2.2.STABLE4-8.i386.rpm.
Of course, we can also install the software in the process of starting to install the system.
3.2.2 Installation of source code package
1. Download squid-2.3.STABLE2-src.tar.gz from http://www.squid-cache.org .
2. Copy the file to the / usr / local directory.
3. Unzip the file tar xvzf squid-2.3.STABLE2-src.tar.gz.
4. After unpacking, create a new directory squid-2.3.STABLE2 in / usr / local. For convenience, use the mv command to rename the directory to squid mv squid-2.3.STABLE2 squid;
5. Enter squid cd squid
6. ./configure can be performed ./confgure --prefix = / directory / you / want installation directory specified
default installation directory / usr / local / squid.
7. Execute make all
8. Execute make install
9. After the installation is complete, the executable file of Squid is in the bin subdirectory of the installation directory, and the configuration file is in the etc subdirectory.
Section IV configuration squid Basics - let the proxy server run up
due to the various advantages of RedHat (including ease of use, stability, etc.), the user releases worldwide more, so we are following The instructions are mainly based on Squid-2.2.STABLE4-8 version under RedHat6.1 environment. From my experience, this version of Squid is more stable than other versions. The previous version 1.1.22 is also more stable, but it lacks in function and flexibility.
Squid has a main configuration file squid.conf. In the RedHat environment, all Squid configuration files are located in the / etc / squid subdirectory.
Section III install Proxy Server Squid
3.1 acquisition software
you can get the software in the following ways:
1. From the official site of Squid http://www.squid-cache.org download the software;
2. From your linux release Get the software;
Generally, there are two types of Squid software packages: one is the source code, which needs to be recompiled after downloading; the executable file can be used only after decompression after downloading; the other is the rpm package used by RedHat. Below we talk about the installation methods of these two software packages.
3.2 Installing the software
we present the latest stable version of squid-2.3.STABLEX example.
3.2.1 Installation of rpm package
1. Enter / mnt / cdrom / RedHat / RPMS
2. Execute rpm -ivh squid-2.2.STABLE4-8.i386.rpm.
Of course, we can also install the software in the process of starting to install the system.
3.2.2 Installation of source code package
1. Download squid-2.3.STABLE2-src.tar.gz from http://www.squid-cache.org .
2. Copy the file to the / usr / local directory.
3. Unzip the file tar xvzf squid-2.3.STABLE2-src.tar.gz.
4. After unpacking, create a new directory squid-2.3.STABLE2 in / usr / local. For convenience, use the mv command to rename the directory to squid mv squid-2.3.STABLE2 squid;
5. Enter squid cd squid
6. ./configure can be performed ./confgure --prefix = / directory / you / want installation directory specified
default installation directory / usr / local / squid.
7. Execute make all
8. Execute make install
9. After the installation is complete, the executable file of Squid is in the bin subdirectory of the installation directory, and the configuration file is in the etc subdirectory.
Section IV configuration squid Basics - let the proxy server run up
due to the various advantages of RedHat (including ease of use, stability, etc.), the user releases worldwide more, so we are following The instructions are mainly based on Squid-2.2.STABLE4-8 version under RedHat6.1 environment. From my experience, this version of Squid is more stable than other versions. The previous version 1.1.22 is also more stable, but it lacks in function and flexibility.
Squid has a main configuration file squid.conf. In the RedHat environment, all Squid configuration files are located in the / etc / squid subdirectory.
4.1 common configuration options
because the default configuration file in question, we must first amend the contents of the configuration file in order to allow squid up and running.
Let's take a look at the structure of the squid.conf file and some commonly used options: The
squid.conf configuration file can be divided into thirteen parts. These thirteen parts are:
1.NETWORK OPTIONS (related network options)
2. OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM (relevant options for the neighbor selection algorithm)
3. OPTIONS WHICH AFFECT THE CACHE SIZE (relevant options for defining the size of the cache)
4. LOGFILE PATHNAMES AND CACHE DIRECTORIES (define the path and cache of the log file the catalog)
5. OPTIONS FOR EXTERNAL SUPPORT PROGRAMS (external support program option)
6. OPTIONS FOR TUNING THE CACHE (adjust cache option)
7. TIMEOUTS (timeout)
8. ACCESS CONTROLS (access control)
9. ADMINISTRATIVE PARAMETERS (management parameters)
10. OPTIONS FOR THE CACHE REGISTRATION SERVICE (
HTTP registration service option) 11. HTTPD-ACCELERATOR OPTIONS (HTTPD acceleration option)
12. MISCELLANEOUS (Miscellaneous)
13. DELAY POOL PARAMETERS (delay pool parameters)
Although the configuration file of Squid is very large, but if You are only providing proxy services for a small and medium-sized network, and you are only going to use one server, then you only need to modify a few options in the configuration file. These common options are:
1. http_port
Description: Define the port that Squid listens to for HTTP client connection requests. The default is 3128, or 80 if HTTPD acceleration mode is used. You can specify multiple ports, but all specified ports must be on one command line.
2.cache_mem (bytes)
Description: This option is used to specify the ideal value of the memory that Squid can use. This part of memory is used to store the following objects:
In-Transit objects (Incoming objects)
Hot Objects (hot objects, that is, objects frequently accessed by users)
Negative-Cached objects (negatively stored objects)
should be noted that this does not indicate that the memory used by Squid must not exceed this value. In fact, this option only defines one aspect of memory used by Squid. Use memory. So the memory actually used by Squid may exceed this value. The default value is 8MB.
3. cache_dir Directory-Name Mbytes Level-1 Level2
because the default configuration file in question, we must first amend the contents of the configuration file in order to allow squid up and running.
Let's take a look at the structure of the squid.conf file and some commonly used options: The
squid.conf configuration file can be divided into thirteen parts. These thirteen parts are:
1.NETWORK OPTIONS (related network options)
2. OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM (relevant options for the neighbor selection algorithm)
3. OPTIONS WHICH AFFECT THE CACHE SIZE (relevant options for defining the size of the cache)
4. LOGFILE PATHNAMES AND CACHE DIRECTORIES (define the path and cache of the log file the catalog)
5. OPTIONS FOR EXTERNAL SUPPORT PROGRAMS (external support program option)
6. OPTIONS FOR TUNING THE CACHE (adjust cache option)
7. TIMEOUTS (timeout)
8. ACCESS CONTROLS (access control)
9. ADMINISTRATIVE PARAMETERS (management parameters)
10. OPTIONS FOR THE CACHE REGISTRATION SERVICE (
HTTP registration service option) 11. HTTPD-ACCELERATOR OPTIONS (HTTPD acceleration option)
12. MISCELLANEOUS (Miscellaneous)
13. DELAY POOL PARAMETERS (delay pool parameters)
Although the configuration file of Squid is very large, but if You are only providing proxy services for a small and medium-sized network, and you are only going to use one server, then you only need to modify a few options in the configuration file. These common options are:
1. http_port
Description: Define the port that Squid listens to for HTTP client connection requests. The default is 3128, or 80 if HTTPD acceleration mode is used. You can specify multiple ports, but all specified ports must be on one command line.
2.cache_mem (bytes)
Description: This option is used to specify the ideal value of the memory that Squid can use. This part of memory is used to store the following objects:
In-Transit objects (Incoming objects)
Hot Objects (hot objects, that is, objects frequently accessed by users)
Negative-Cached objects (negatively stored objects)
should be noted that this does not indicate that the memory used by Squid must not exceed this value. In fact, this option only defines one aspect of memory used by Squid. Use memory. So the memory actually used by Squid may exceed this value. The default value is 8MB.
3. cache_dir Directory-Name Mbytes Level-1 Level2
Description: Specify the size of the swap space used by Squid to store objects and its directory structure. Multiple cache_dir commands can be used to define multiple such swap spaces,
and these swap spaces can be distributed across different disk partitions. \ "directory \" indicates the top directory of the swap space. If you want to use the entire disk as swap
space, then you can load the directory as a mount point up the entire disk. The default value is / var / spool / squid. "Mbytes" defines the total amount of available space.
It should be noted that the Squid process must have read and write rights to the directory. The number of "Level-1" is established in the first stage of the top-level directory subdirectory, the default
value is 16. Similarly, "Level-2" is the number of second-level subdirectories that can be created, and the default value is 256. Why are there so many subdirectories defined? This is because if the sub-
directory is too small, the number of files stored in a subdirectory will significantly increase, which will lead to greatly increase the file system to find a certain time, so that the whole system of
body performance drastically reduced. Therefore, in order to reduce the number of files in each directory, we must increase the number of directories used. If only one subdirectory of the top
number of subdirectories under the directory level too, so we use two subdirectory structure.
So, how to determine the number of subdirectories required by your system? We can use the following formula to estimate.
Known quantity:
DS = total available swap space (in KB) / number of swap spaces
OS = average size of each object = 20k
NO = average number of objects stored in each secondary sub-directory = 256
unknown:
L1 = a number of subdirectories
number of subdirectories L2 = two
formula:
Ll X L2 = the DS / the OS / NO
Note that this is a volatile equation, can have multiple solutions.
4.acl
description: define the access control list.
The definition syntax is:
acl aclname acltype string1 ...
acl aclname acltype \ "file \" ...
When using a file, the format of the file is one entry per line.
acltype can be one of src dst srcdomain dstdomain url_pattern urlpath_pattern time port proto method browser user.
The instructions are as follows:
src indicates the source address. You can use the following methods to specify:
acl aclname src ip-address / netmask ... (customer ip address)
acl aclname src addr1-addr2 / netmask ... (address range)
dst indicates the target address. The syntax is:
acl aclname dst ip-address / netmask ... (that is, the IP address of the server requested by the customer)
srcdomain indicates the domain to which the customer belongs. The syntax is:
acl aclname srcdomain foo.com ... Squid will query DNS in reverse based on the customer ip.
dstdomain indicates the domain to which the request server belongs. The syntax is:
acl aclname dstdomain foo.com ... determined by the URL requested by the customer.
Note that if the user uses the server ip instead of the full domain name, Squid will perform a reverse DNS resolution to determine its full domain name, and record "none" if it fails.
time indicates the access time. The syntax is as follows:
acl aclname time [day-abbrevs] [h1: m1-h2: m2] [hh: mm-hh: mm]
day-abbrevs:
S-Sunday
M-Monday
T-Tuesday
W-Wednesday
H-Thursday
F- Friday
A-Saturday
h1: m1 must be less than h2: m2, expressed as [hh: mm-hh: mm].
port Specifies the access port. You can specify multiple ports, such as:
acl aclname port 80 70 21 ...
acl aclname port 0-1024 ... (specify a port range)
proto specifies the usage protocol. You can specify multiple protocols:
acl aclname proto HTTP FTP ...
method Specify the request method. For example:
acl aclname method GET POST ...
and these swap spaces can be distributed across different disk partitions. \ "directory \" indicates the top directory of the swap space. If you want to use the entire disk as swap
space, then you can load the directory as a mount point up the entire disk. The default value is / var / spool / squid. "Mbytes" defines the total amount of available space.
It should be noted that the Squid process must have read and write rights to the directory. The number of "Level-1" is established in the first stage of the top-level directory subdirectory, the default
value is 16. Similarly, "Level-2" is the number of second-level subdirectories that can be created, and the default value is 256. Why are there so many subdirectories defined? This is because if the sub-
directory is too small, the number of files stored in a subdirectory will significantly increase, which will lead to greatly increase the file system to find a certain time, so that the whole system of
body performance drastically reduced. Therefore, in order to reduce the number of files in each directory, we must increase the number of directories used. If only one subdirectory of the top
number of subdirectories under the directory level too, so we use two subdirectory structure.
So, how to determine the number of subdirectories required by your system? We can use the following formula to estimate.
Known quantity:
DS = total available swap space (in KB) / number of swap spaces
OS = average size of each object = 20k
NO = average number of objects stored in each secondary sub-directory = 256
unknown:
L1 = a number of subdirectories
number of subdirectories L2 = two
formula:
Ll X L2 = the DS / the OS / NO
Note that this is a volatile equation, can have multiple solutions.
4.acl
description: define the access control list.
The definition syntax is:
acl aclname acltype string1 ...
acl aclname acltype \ "file \" ...
When using a file, the format of the file is one entry per line.
acltype can be one of src dst srcdomain dstdomain url_pattern urlpath_pattern time port proto method browser user.
The instructions are as follows:
src indicates the source address. You can use the following methods to specify:
acl aclname src ip-address / netmask ... (customer ip address)
acl aclname src addr1-addr2 / netmask ... (address range)
dst indicates the target address. The syntax is:
acl aclname dst ip-address / netmask ... (that is, the IP address of the server requested by the customer)
srcdomain indicates the domain to which the customer belongs. The syntax is:
acl aclname srcdomain foo.com ... Squid will query DNS in reverse based on the customer ip.
dstdomain indicates the domain to which the request server belongs. The syntax is:
acl aclname dstdomain foo.com ... determined by the URL requested by the customer.
Note that if the user uses the server ip instead of the full domain name, Squid will perform a reverse DNS resolution to determine its full domain name, and record "none" if it fails.
time indicates the access time. The syntax is as follows:
acl aclname time [day-abbrevs] [h1: m1-h2: m2] [hh: mm-hh: mm]
day-abbrevs:
S-Sunday
M-Monday
T-Tuesday
W-Wednesday
H-Thursday
F- Friday
A-Saturday
h1: m1 must be less than h2: m2, expressed as [hh: mm-hh: mm].
port Specifies the access port. You can specify multiple ports, such as:
acl aclname port 80 70 21 ...
acl aclname port 0-1024 ... (specify a port range)
proto specifies the usage protocol. You can specify multiple protocols:
acl aclname proto HTTP FTP ...
method Specify the request method. For example:
acl aclname method GET POST ...
5. http_access
Description: According to the access control list to allow or prohibit a certain type of user access.
If there is no matching item for an access, the default is to apply the "NO" of the last item. For example, if the last item is allowed, the default is to prohibit. Therefore, usually the last entry should be set to \ "deny all \" or \ "allow all \" to avoid security risks.
4.2 Application Example
hypothetical scenario: A company with squid as a proxy server, the proxy server is configured to PII450 / 256M / 8.4G, the company used ip 1.2.3.0/24 segment, and would like to use as a proxy port 8080.
The corresponding Squid configuration options are:
1. http_port
http_port 8080
2. cache_mem
idea: Since the server only provides proxy services, this value can be set as large as possible.
cache_mem 194M 3.
cache_dir Directory-Name Mbytes Level-1 Level2
Idea: The hard disk is 8.4G, you should plan well when installing the system, and divide the available space for different file systems. In this example, we can divide it like this:
/ cache1 3.5G
/ cache2 3.5G
/ var 400M
the swap 127M
/ remaining portion
and, during installation, we try not to install unnecessary packet. This saves space while improving the security and stability of the system. Let's calculate the number of first-level and second-level subdirectories required.
Known quantity:
DS = total available swap space (in KB) / number of swap spaces = 7G / 2 = 3500000KB
OS = average size of each object = 20k
NO = average number of objects stored in each secondary subdirectory = 256
unknowns:
Ll = a number of subdirectories
L2 = the number of two subdirectories
formula:
Ll X L2 = the DS / the OS / NO = 3.5 million / 20 is / 256 = 684
we take
Ll = 16
L2 = 43 is
therefore, Our cache_dir statement is:
cache_dir / cache1 3500M 16 43
cache_dir / cache2 3500M 16 43
4.acl
idea: define acl through src.
Acl allow_ip src 1.2.3.4/255.255.255.0
5.http_access
http_access allow allow_ip
4.3 start and stop squid .
After configuring and saving Squid.conf, you can start Squid with the following command.
Squid
Or, use the RedHat startup script to start Squid.
/etc/rc.d/init.d/squid start
Similarly, you can also use the following script to stop running Squid or restart Squid.
/etc/rc.d/init .d / squid STOP
/etc/rc.d/init.d/squid restart
Section V configuration according to the needs of your squid-- advanced chapter
5.1 other configuration options
before making a number of advanced applications squid, it is necessary to other Useful configuration options for a comprehensive understanding. Let's talk about these options in the following categories. The options for some special applications will be discussed when we talk about this kind of application.
5.1.1 Network options
1. tcp_incoming_address
tcp_outgoing_address
udp_incoming_address
udp_outgoing_address
Description:
tcp_incoming_address specifies to listen to the bound IP address from the client or other Squid proxy server;
tcp_outgoing_address specifies the IP address to initiate a connection to the remote server or other Squid proxy server
udp_incoming_address specifies the IP address for receiving packets from other Squid proxy servers for ICP sockets. udp_outgoing_address specifies the IP address for sending packets to other Squid proxy servers for ICP sockets; by
default, no IP address is bound. The binding address can be specified with ip or with the complete domain name.
5.1.2 Swap space setting options
Description: According to the access control list to allow or prohibit a certain type of user access.
If there is no matching item for an access, the default is to apply the "NO" of the last item. For example, if the last item is allowed, the default is to prohibit. Therefore, usually the last entry should be set to \ "deny all \" or \ "allow all \" to avoid security risks.
4.2 Application Example
hypothetical scenario: A company with squid as a proxy server, the proxy server is configured to PII450 / 256M / 8.4G, the company used ip 1.2.3.0/24 segment, and would like to use as a proxy port 8080.
The corresponding Squid configuration options are:
1. http_port
http_port 8080
2. cache_mem
idea: Since the server only provides proxy services, this value can be set as large as possible.
cache_mem 194M 3.
cache_dir Directory-Name Mbytes Level-1 Level2
Idea: The hard disk is 8.4G, you should plan well when installing the system, and divide the available space for different file systems. In this example, we can divide it like this:
/ cache1 3.5G
/ cache2 3.5G
/ var 400M
the swap 127M
/ remaining portion
and, during installation, we try not to install unnecessary packet. This saves space while improving the security and stability of the system. Let's calculate the number of first-level and second-level subdirectories required.
Known quantity:
DS = total available swap space (in KB) / number of swap spaces = 7G / 2 = 3500000KB
OS = average size of each object = 20k
NO = average number of objects stored in each secondary subdirectory = 256
unknowns:
Ll = a number of subdirectories
L2 = the number of two subdirectories
formula:
Ll X L2 = the DS / the OS / NO = 3.5 million / 20 is / 256 = 684
we take
Ll = 16
L2 = 43 is
therefore, Our cache_dir statement is:
cache_dir / cache1 3500M 16 43
cache_dir / cache2 3500M 16 43
4.acl
idea: define acl through src.
Acl allow_ip src 1.2.3.4/255.255.255.0
5.http_access
http_access allow allow_ip
4.3 start and stop squid .
After configuring and saving Squid.conf, you can start Squid with the following command.
Squid
Or, use the RedHat startup script to start Squid.
/etc/rc.d/init.d/squid start
Similarly, you can also use the following script to stop running Squid or restart Squid.
/etc/rc.d/init .d / squid STOP
/etc/rc.d/init.d/squid restart
Section V configuration according to the needs of your squid-- advanced chapter
5.1 other configuration options
before making a number of advanced applications squid, it is necessary to other Useful configuration options for a comprehensive understanding. Let's talk about these options in the following categories. The options for some special applications will be discussed when we talk about this kind of application.
5.1.1 Network options
1. tcp_incoming_address
tcp_outgoing_address
udp_incoming_address
udp_outgoing_address
Description:
tcp_incoming_address specifies to listen to the bound IP address from the client or other Squid proxy server;
tcp_outgoing_address specifies the IP address to initiate a connection to the remote server or other Squid proxy server
udp_incoming_address specifies the IP address for receiving packets from other Squid proxy servers for ICP sockets. udp_outgoing_address specifies the IP address for sending packets to other Squid proxy servers for ICP sockets; by
default, no IP address is bound. The binding address can be specified with ip or with the complete domain name.
5.1.2 Swap space setting options
1. cache_swap_low (percent, 0-100)
cache_swap_high (percent, 0-100)
Description: Squid uses a lot of swap space to store objects. Then, after a certain period of time, the swap space will be used up, so you must also periodically remove objects below a certain level according to certain indicators. Squid uses the so-called "least recently used algorithm" (LRU) to do this job. When the used swap space reaches cache_swap_high, Squid calculates the value of each object according to the LRU calculation and clears the objects below a certain horizontal line. This clearing process continues until the used space reaches cache_swap_low. These two values ββare expressed as percentages. If the swap space you use is large, it is recommended that you reduce the gap between these two values, because then a percentage point may be a few hundred megabytes, which will inevitably affect Squid's performance. The default is:
cache_swap_low 90
cache_swap_high 95
2.maximum_object_size
Note: Objects larger than this value will not be stored. If you want to increase the access speed, please lower this value; if you want to maximize the bandwidth savings and reduce costs, please increase this value. The unit is K, and the default value is:
maximum_object_size 4096 KB
5.1.3 Log options
1. cache_access_log
Description: Specify the full path of the client request to record the log (including the name of the file and the directory where it is located). The request can be an HTTP request from a general user or an ICP request from a neighbor. The default value is:
cache_access_log /var/log/squid/access.log
If you do not need the log, you can use the following statement to cancel: cache_access_log none
2.cache_store_log
Description: Specify the full path of the object storage record log (including the name of the file and The directory where). The record indicates which objects were written to the swap space and which objects were cleared from the swap space. The default path is:
cache_log /var/log/squid/cache.log
If you do not need the log, you can use the following statement to cancel: cache_store_log none
3.cache_log
Description: Specify the full path of Squid general information log (including the name of the file and The directory where).
The default path is: cache_log /var/log/squid/cache.log
4. cache_swap_log
Description: This option indicates the full path of the "swap.log" log of each swap space (including the name of the file and the directory where it is located). The log file contains metadata of objects stored in the swap space. Normally, the system automatically saves the file in the first top-level directory defined by "cache_dir", but you can also specify other paths. If you define multiple "cache_dir", the corresponding log file may be like this:
cache_swap_log.00
The number extension after cache_swap_log.01
cache_swap_log.02
corresponds to the specified multiple "cache_dir".
It should be noted that it is best not to delete such log files, otherwise Squid will not work properly.
5.pid_filename
Description: Specify the full path of the log recording the Squid process number (including the name of the file and the directory where it is located). The default path is
pid_filename /var/run/squid.pid.
If you don't need the file, you can use the following statement to cancel:
pid_filename none 6.debug_options
Description: Control the amount of information recorded when logging. It can be controlled from two aspects: section control records from several aspects; level controls the detail level of records in each aspect. The recommended way (which is also the default) is: debug_options ALL, 1
means that every aspect is recorded, but the level of detail is 1 (lowest).
cache_swap_high (percent, 0-100)
Description: Squid uses a lot of swap space to store objects. Then, after a certain period of time, the swap space will be used up, so you must also periodically remove objects below a certain level according to certain indicators. Squid uses the so-called "least recently used algorithm" (LRU) to do this job. When the used swap space reaches cache_swap_high, Squid calculates the value of each object according to the LRU calculation and clears the objects below a certain horizontal line. This clearing process continues until the used space reaches cache_swap_low. These two values ββare expressed as percentages. If the swap space you use is large, it is recommended that you reduce the gap between these two values, because then a percentage point may be a few hundred megabytes, which will inevitably affect Squid's performance. The default is:
cache_swap_low 90
cache_swap_high 95
2.maximum_object_size
Note: Objects larger than this value will not be stored. If you want to increase the access speed, please lower this value; if you want to maximize the bandwidth savings and reduce costs, please increase this value. The unit is K, and the default value is:
maximum_object_size 4096 KB
5.1.3 Log options
1. cache_access_log
Description: Specify the full path of the client request to record the log (including the name of the file and the directory where it is located). The request can be an HTTP request from a general user or an ICP request from a neighbor. The default value is:
cache_access_log /var/log/squid/access.log
If you do not need the log, you can use the following statement to cancel: cache_access_log none
2.cache_store_log
Description: Specify the full path of the object storage record log (including the name of the file and The directory where). The record indicates which objects were written to the swap space and which objects were cleared from the swap space. The default path is:
cache_log /var/log/squid/cache.log
If you do not need the log, you can use the following statement to cancel: cache_store_log none
3.cache_log
Description: Specify the full path of Squid general information log (including the name of the file and The directory where).
The default path is: cache_log /var/log/squid/cache.log
4. cache_swap_log
Description: This option indicates the full path of the "swap.log" log of each swap space (including the name of the file and the directory where it is located). The log file contains metadata of objects stored in the swap space. Normally, the system automatically saves the file in the first top-level directory defined by "cache_dir", but you can also specify other paths. If you define multiple "cache_dir", the corresponding log file may be like this:
cache_swap_log.00
The number extension after cache_swap_log.01
cache_swap_log.02
corresponds to the specified multiple "cache_dir".
It should be noted that it is best not to delete such log files, otherwise Squid will not work properly.
5.pid_filename
Description: Specify the full path of the log recording the Squid process number (including the name of the file and the directory where it is located). The default path is
pid_filename /var/run/squid.pid.
If you don't need the file, you can use the following statement to cancel:
pid_filename none 6.debug_options
Description: Control the amount of information recorded when logging. It can be controlled from two aspects: section control records from several aspects; level controls the detail level of records in each aspect. The recommended way (which is also the default) is: debug_options ALL, 1
means that every aspect is recorded, but the level of detail is 1 (lowest).
7.log_fqdn on | off
Description: Control the recording method of user address in access.log. When this option is turned on, Squid records the customer's full domain name. When this option is canceled, Squid records the customer's IP address. Note that if this option is turned on, it will increase the burden on the system, because Squid also has to perform DNS queries for customer ip. The default value is: log_fqdn off
5.1.4 Options for external support programs
1.ftp_user
Note: Set the email address provided when logging into the anonymous ftp server. When logging into the anonymous ftp server, you are required to use your email address as the login password (for more information, please refer to the relevant chapters of this book). It should be noted that some anonymous ftp servers are very demanding on this point, and some will even check the validity of your email. The default value is:
ftp_user Squid @ 2.ftp_list_width
Description: Set the width of the ftp list. If it is set too small, you cannot browse to long file names. The default value is: ftp_list_width 32
3.cache_dns_program
Description: Specify the full path of the DNS query program (including the name of the file and the directory where it is located). The default path is:
cache_dns_program / usr / lib / squid / dnsserver
4.dns_children
Description: Set the number of DNS query program processes. For large login server systems, the value is recommended to be at least 10. The maximum value can be 32, and the default setting is 5. Note that if you lower this value arbitrarily, the system performance may be drastically reduced because the main process of Squid has to wait for the results of the domain name query. There is no need to reduce this value, because the DNS query process does not consume too much system resources.
5.dns_nameservers
Description: Specify a list of DNS servers, forcing Squid to use the DNS servers in this list instead of using the DNS servers defined in the /etc/resolv.conf file. You can specify multiple DNS servers like this: dns_nameservers 10.0.0.1 192.172.0.4 The
default setting is: dns_nameservers none
6.unlinkd_program
Description: Specify the full path of the file deletion process.
The default setting is:
unlinkd_program / usr / lib / squid / unlinkd
7.pinger_program
Description: Specify the full path of the ping process. This process is used by Squid to measure the routing distance to other neighbors. This option is only useful when you enable this feature. The default is:
pinger_program / usr / lib / squid / pinger
8.authenticate_program
Description: Specify the full path of the external program used for user authentication. Squid's user authentication function will be described in later chapters. The default setting is no authentication.
5.1.5 User access control options
1. request_size (KB)
Description: Set the maximum allowable value of user request traffic (in KB). If the user requests with the POST method, a larger value should be set. The default setting is:
request_size 100 KB
2.reference_age
Description: Squid clears the object based on the object's LRU (Least Recently Used Algorithm), and Squid dynamically calculates the object's LRU age based on the total amount of disk space used. We use reference_age to define the maximum LRU age of the object. If an object is not accessed within the specified reference_age, Squid will delete the object. The default value is one month. You can use the time representation method shown below.
1 week
3.5 days
4 months
2.2 hours
Description: Control the recording method of user address in access.log. When this option is turned on, Squid records the customer's full domain name. When this option is canceled, Squid records the customer's IP address. Note that if this option is turned on, it will increase the burden on the system, because Squid also has to perform DNS queries for customer ip. The default value is: log_fqdn off
5.1.4 Options for external support programs
1.ftp_user
Note: Set the email address provided when logging into the anonymous ftp server. When logging into the anonymous ftp server, you are required to use your email address as the login password (for more information, please refer to the relevant chapters of this book). It should be noted that some anonymous ftp servers are very demanding on this point, and some will even check the validity of your email. The default value is:
ftp_user Squid @ 2.ftp_list_width
Description: Set the width of the ftp list. If it is set too small, you cannot browse to long file names. The default value is: ftp_list_width 32
3.cache_dns_program
Description: Specify the full path of the DNS query program (including the name of the file and the directory where it is located). The default path is:
cache_dns_program / usr / lib / squid / dnsserver
4.dns_children
Description: Set the number of DNS query program processes. For large login server systems, the value is recommended to be at least 10. The maximum value can be 32, and the default setting is 5. Note that if you lower this value arbitrarily, the system performance may be drastically reduced because the main process of Squid has to wait for the results of the domain name query. There is no need to reduce this value, because the DNS query process does not consume too much system resources.
5.dns_nameservers
Description: Specify a list of DNS servers, forcing Squid to use the DNS servers in this list instead of using the DNS servers defined in the /etc/resolv.conf file. You can specify multiple DNS servers like this: dns_nameservers 10.0.0.1 192.172.0.4 The
default setting is: dns_nameservers none
6.unlinkd_program
Description: Specify the full path of the file deletion process.
The default setting is:
unlinkd_program / usr / lib / squid / unlinkd
7.pinger_program
Description: Specify the full path of the ping process. This process is used by Squid to measure the routing distance to other neighbors. This option is only useful when you enable this feature. The default is:
pinger_program / usr / lib / squid / pinger
8.authenticate_program
Description: Specify the full path of the external program used for user authentication. Squid's user authentication function will be described in later chapters. The default setting is no authentication.
5.1.5 User access control options
1. request_size (KB)
Description: Set the maximum allowable value of user request traffic (in KB). If the user requests with the POST method, a larger value should be set. The default setting is:
request_size 100 KB
2.reference_age
Description: Squid clears the object based on the object's LRU (Least Recently Used Algorithm), and Squid dynamically calculates the object's LRU age based on the total amount of disk space used. We use reference_age to define the maximum LRU age of the object. If an object is not accessed within the specified reference_age, Squid will delete the object. The default value is one month. You can use the time representation method shown below.
1 week
3.5 days
4 months
2.2 hours
3.quick_abort_min (KB)
quick_abort_max (KB)
quick_abort_pct (percent)
Description: Controls whether Squid continues to transmit requests interrupted by users. When the user interrupts the request, Squid will check
the value of quick_abort. If the remaining part is less than the value specified by "quick_abort_min", Squid will continue to complete the transmission of the remaining part; if the remaining part is greater than the value specified by "quick_abort_max", Squid will terminate the transmission of the remaining part; if the percentage specified by "quick_abort_pct" has been completed, Squid The transfer of the rest will continue. The default settings are:
quick_abort_min 16 KB
quick_abort_max 16 KB
quick_abort_pct 95
5.1.6 Various timeout setting options
1.negative_ttl time-units
Description: Set the survival time of passive storage objects. The so-called passive storage objects are error messages such as "connection failed" and \ "404 Not Found \". The default setting is: negative_ttl 5 minutes
2. positive_dns_ttl time-units
Description: Set the time to survive the successful DNS query results cache. The default is 6 hours.
positive_dns_ttl 6 hours
3.negative_dns_ttl time-units
Description: Set the survival time of DNS query results that fail to cache. The default is 5 minutes.
negative_dns_ttl 5 minutes
4.connect_timeout time-units
Description: Set Squid to wait for the connection to complete the timeout value. The default value is 2 minutes.
connect_timeout 120 seconds
5. read_timeout time-units
Description: If Squid has not read any data from the requested server within the specified time, Squid will terminate the client request. The default value is 15 minutes.
read_timeout 15 minutes
6.request_timeout
Description: Set how long Squid will wait for the client to issue an HTTP request after establishing a connection with the client. The default value is 30 seconds.
request_timeout 30 seconds
7. client_lifetime time-units
Description: Set how long the client can keep the connection after establishing a connection with Squid.
Note that because each connection established by a customer consumes certain system resources, if you are providing proxy services for a large network, you must modify this value correctly. Because if the number of connections at the same time is too large, it may consume a lot of system resources, resulting in server downtime. The default value is 1 day, this value is too large, it is recommended to reduce this value according to your own situation.
client_lifetime 1 day
8.half_closed_clients on / off
Note: Sometimes due to the user's abnormal operation, the TCP connection with Squid may be half closed.
At this time, the sending end of the TCP connection has been closed, while the receiving end works normally. By default, Squid will keep this TCP connection in a semi-closed state until it returns a socket read and write error before closing it. If the value is set to off, Squid immediately closes the connection as soon as the message "no more data to read" is returned from the client. half_closed_clients on
9.pconn_timeout
Description: Set Squid to establish a connection with other servers and proxies, how long the connection is idle after being closed. The default value is 120 seconds.
pconn_timeout 120 seconds
10.ident_timeout
Description: Set the time Squid waits for user authentication request. The default value is 10 seconds.
ident_timeout 10 seconds
11. Shutdown_lifetime time-units
Description: After receiving the SIGTERM or SIGHUP signal, squid will enter a shutdown pending mode, waiting for all active sockets to close. After the time defined by shutdown_lifetime, all active users will receive a timeout message. The default value is 30 seconds.
shutdown_lifetime 30 seconds
5.1.7 Management parameter options
1.cache_mgr
Description: Set the administrator email address. The default is:
cache_mgr root
quick_abort_max (KB)
quick_abort_pct (percent)
Description: Controls whether Squid continues to transmit requests interrupted by users. When the user interrupts the request, Squid will check
the value of quick_abort. If the remaining part is less than the value specified by "quick_abort_min", Squid will continue to complete the transmission of the remaining part; if the remaining part is greater than the value specified by "quick_abort_max", Squid will terminate the transmission of the remaining part; if the percentage specified by "quick_abort_pct" has been completed, Squid The transfer of the rest will continue. The default settings are:
quick_abort_min 16 KB
quick_abort_max 16 KB
quick_abort_pct 95
5.1.6 Various timeout setting options
1.negative_ttl time-units
Description: Set the survival time of passive storage objects. The so-called passive storage objects are error messages such as "connection failed" and \ "404 Not Found \". The default setting is: negative_ttl 5 minutes
2. positive_dns_ttl time-units
Description: Set the time to survive the successful DNS query results cache. The default is 6 hours.
positive_dns_ttl 6 hours
3.negative_dns_ttl time-units
Description: Set the survival time of DNS query results that fail to cache. The default is 5 minutes.
negative_dns_ttl 5 minutes
4.connect_timeout time-units
Description: Set Squid to wait for the connection to complete the timeout value. The default value is 2 minutes.
connect_timeout 120 seconds
5. read_timeout time-units
Description: If Squid has not read any data from the requested server within the specified time, Squid will terminate the client request. The default value is 15 minutes.
read_timeout 15 minutes
6.request_timeout
Description: Set how long Squid will wait for the client to issue an HTTP request after establishing a connection with the client. The default value is 30 seconds.
request_timeout 30 seconds
7. client_lifetime time-units
Description: Set how long the client can keep the connection after establishing a connection with Squid.
Note that because each connection established by a customer consumes certain system resources, if you are providing proxy services for a large network, you must modify this value correctly. Because if the number of connections at the same time is too large, it may consume a lot of system resources, resulting in server downtime. The default value is 1 day, this value is too large, it is recommended to reduce this value according to your own situation.
client_lifetime 1 day
8.half_closed_clients on / off
Note: Sometimes due to the user's abnormal operation, the TCP connection with Squid may be half closed.
At this time, the sending end of the TCP connection has been closed, while the receiving end works normally. By default, Squid will keep this TCP connection in a semi-closed state until it returns a socket read and write error before closing it. If the value is set to off, Squid immediately closes the connection as soon as the message "no more data to read" is returned from the client. half_closed_clients on
9.pconn_timeout
Description: Set Squid to establish a connection with other servers and proxies, how long the connection is idle after being closed. The default value is 120 seconds.
pconn_timeout 120 seconds
10.ident_timeout
Description: Set the time Squid waits for user authentication request. The default value is 10 seconds.
ident_timeout 10 seconds
11. Shutdown_lifetime time-units
Description: After receiving the SIGTERM or SIGHUP signal, squid will enter a shutdown pending mode, waiting for all active sockets to close. After the time defined by shutdown_lifetime, all active users will receive a timeout message. The default value is 30 seconds.
shutdown_lifetime 30 seconds
5.1.7 Management parameter options
1.cache_mgr
Description: Set the administrator email address. The default is:
cache_mgr root
2. cache_effective_user
cache_effective_group
Note: If you start Squid with root, Squid will become the user and user group specified by these two statements. The default becomes the Squid user and Squid user group. Note that the users and user groups specified here must really exist in / etc / passwd. If you start Squid with a non-root account, Squid will keep the user and user group running. At this time, you cannot specify http_port less than 1024.
cache_effective_user squid
cache_effective_group squid
3.visible_hostname
Description: Define the host name in the error message returned to the user.
Such as: visible_hostname www-cache.foo.org
4.unique_hostname
Description: If you have a proxy server array, and you specify the same "visible_hostname" for each proxy server, you must also specify a different "unique_hostname" for them Avoid "forwarding loops" (transmission loops).
5.1.8 Miscellaneous
1.
Description of dns_testnames : Set to perform DNS query test. If the first site resolves successfully, the DNS query test will end immediately. If you are not willing to conduct DNS query tests, do not remove the default settings.
#dns_testnames netscape.com internic.net nlanr.net microsoft.com
2.logfile_rotate
Note: Generally, Squid will periodically rename and package log files. For example, if the log file in use is access.log, Squid will rename it and package it as access.log.1.gz; after a certain period of time, Squid will
rename access.log.1.gz to access.log. 2.gz and rename the current log file and package it as access.log.1.gz, in this cycle. The number specified by logfile_rotate is the number of files packaged and backed up. When this number is reached, Squid will delete the oldest backup file. The default value is 10. If you want to perform these operations manually, you can use logfile_rotate 0 to cancel the automatic operation.
3. err_html_text
Description: Use this statement to define a string variable, which can be referenced in the error information file returned to the user with% L. Error message files are usually in the / etc / squid / errors directory. These are some script files written in HTML. You can modify it yourself.
4.deny_info
Description: You can customize a custom denied access information file, and can be associated with different user lists. When the user is denied by the relevant rules of http_access, Squid can show the user the corresponding access denied information file you customized. The syntax is:
Usage: deny_info err_page_name acl For
example:
deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
5.memory_pools on | off
Note: If you set this item to on, Squid will keep all the allocated (but unused) memory pools for future use. The default is on.
Memory_pools on
6.log_icp_queries on | off
Description: Set whether to log ICP requests. If your system is heavily loaded, you can use off to cancel the function. The default is:
log_icp_queries on
7.always_direct
Description: This option allows you to specify certain user classes, Squid will directly forward the requests of these user classes to the requested server. The syntax is:
always_direct allow | deny [!] Aclname ...
Such as: directly forwarding FTP requests can be set like this:
acl FTP proto FTP
always_direct allow FTP
8.never_direct
Description: opposite to always_direct. The syntax is:
Usage: never_direct allow | deny [!] Aclname ... For
example, to force users other than the local domain to use a proxy server, you can set it like this:
acl local-servers dstdomain foo.net
acl all src 0.0.0.0/ 0.0.0.0
never_direct deny local-servers
never_direct allow all
9.icon_directory
Description: Specifies the directory of icon files used when transmitting error messages to users. The default path is: icon_directory / usr / lib / squid / icons
10.error_directory
Description: Specify the directory of the error description file used to transmit error information to the user. The default path is:
error_directory / etc / Squid / errors
cache_effective_group
Note: If you start Squid with root, Squid will become the user and user group specified by these two statements. The default becomes the Squid user and Squid user group. Note that the users and user groups specified here must really exist in / etc / passwd. If you start Squid with a non-root account, Squid will keep the user and user group running. At this time, you cannot specify http_port less than 1024.
cache_effective_user squid
cache_effective_group squid
3.visible_hostname
Description: Define the host name in the error message returned to the user.
Such as: visible_hostname www-cache.foo.org
4.unique_hostname
Description: If you have a proxy server array, and you specify the same "visible_hostname" for each proxy server, you must also specify a different "unique_hostname" for them Avoid "forwarding loops" (transmission loops).
5.1.8 Miscellaneous
1.
Description of dns_testnames : Set to perform DNS query test. If the first site resolves successfully, the DNS query test will end immediately. If you are not willing to conduct DNS query tests, do not remove the default settings.
#dns_testnames netscape.com internic.net nlanr.net microsoft.com
2.logfile_rotate
Note: Generally, Squid will periodically rename and package log files. For example, if the log file in use is access.log, Squid will rename it and package it as access.log.1.gz; after a certain period of time, Squid will
rename access.log.1.gz to access.log. 2.gz and rename the current log file and package it as access.log.1.gz, in this cycle. The number specified by logfile_rotate is the number of files packaged and backed up. When this number is reached, Squid will delete the oldest backup file. The default value is 10. If you want to perform these operations manually, you can use logfile_rotate 0 to cancel the automatic operation.
3. err_html_text
Description: Use this statement to define a string variable, which can be referenced in the error information file returned to the user with% L. Error message files are usually in the / etc / squid / errors directory. These are some script files written in HTML. You can modify it yourself.
4.deny_info
Description: You can customize a custom denied access information file, and can be associated with different user lists. When the user is denied by the relevant rules of http_access, Squid can show the user the corresponding access denied information file you customized. The syntax is:
Usage: deny_info err_page_name acl For
example:
deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
5.memory_pools on | off
Note: If you set this item to on, Squid will keep all the allocated (but unused) memory pools for future use. The default is on.
Memory_pools on
6.log_icp_queries on | off
Description: Set whether to log ICP requests. If your system is heavily loaded, you can use off to cancel the function. The default is:
log_icp_queries on
7.always_direct
Description: This option allows you to specify certain user classes, Squid will directly forward the requests of these user classes to the requested server. The syntax is:
always_direct allow | deny [!] Aclname ...
Such as: directly forwarding FTP requests can be set like this:
acl FTP proto FTP
always_direct allow FTP
8.never_direct
Description: opposite to always_direct. The syntax is:
Usage: never_direct allow | deny [!] Aclname ... For
example, to force users other than the local domain to use a proxy server, you can set it like this:
acl local-servers dstdomain foo.net
acl all src 0.0.0.0/ 0.0.0.0
never_direct deny local-servers
never_direct allow all
9.icon_directory
Description: Specifies the directory of icon files used when transmitting error messages to users. The default path is: icon_directory / usr / lib / squid / icons
10.error_directory
Description: Specify the directory of the error description file used to transmit error information to the user. The default path is:
error_directory / etc / Squid / errors
5.2 user authentication settings
default, squid itself, without any certification program, but we can implement user authentication through external authentication procedures. Generally speaking, there are the following authentication procedures:
1. LDAP authentication: You can access the following resources to obtain more useful information.
http://www.geocities.com/ResearchTriangle/Thinktank/5292/projects/ldap/
http://home.iae.nl/users/devet/squid/proxy_auth/contrib/ldap_auth.tar.gz
2.SMB certification: User authentication based on NT and samba can be achieved. For more information, please visit the following resources.
http://www.hacom.nl/~richard/software/smb_auth.html
3. User authentication based on mysql.
http://home.iae.nl/users/devet/squid/proxy_auth/contrib/mysql_auth.c
4. User authentication based on sock5 password.
http://nucleo.freeservers.com/
5. User authentication based on Radius.
http://home.iae.nl/users/devet/squid/proxy_auth/contrib/auth.pl
But what we commonly use is authentication with ncsa and user authentication based on NT and samba with smb_auth. Below we will talk about the specific implementation of these two authentication methods.
5.2.1 Implementation of ncsa user authentication
ncsa is one of the authentication procedures that comes with the Squid source code package. Below we take the Squid-2.3.STABLE2 version as an example to describe the installation and configuration of ncsa.
1. Download the squid source code package squid-2.3.STABLE2-src.tar.gz from www.squid-cache.org and place it in the / tmp directory.
2. Unzip with tar:
tar xvzf squid-2.3.STABLE2-src.tar.gz
% make
% make install
3. Then, enter the /tmp/squid-2.3.STABLE2/auth_modules/NCSA directory.
After% make
% make install is
compiled successfully, the ncsa_auth executable file will be generated.
4. Copy the generated execution file ncsa_auth to the / usr / bin directory
cp ncsa_auth / usr / bin / bin
5. Modify the relevant options in squid.conf as follows:
authenticate_program / usr / local / squid / bin / ncsa_auth / usr / bin / passwd
6. Define related user class
acl auth_user proxy_auth REQUIRED
Note that the REQUIRED keyword indicates to receive all legitimate user access.
7. Set http_access
http_access allow auth_user
Note that if you specify multiple user classes that are allowed to be accessed in the line change, you should put the user class to be authenticated first. As shown below:
wrong configuration: http_access allow auth_user all manager
correct configuration: http_access allow auth_user manager all
8. use the tool software htpasswd carried by apache to generate a password file under / usr / local / squid / etc and add the corresponding user information . Generally speaking, each line of the password file contains the user information of a user, that is, the user name and password.
Use htpasswd to generate password file passwd and add user bye.
htpasswd -c / usr / local / squid / etc / passwd bye
and then restart Squid, password authentication has taken effect.
default, squid itself, without any certification program, but we can implement user authentication through external authentication procedures. Generally speaking, there are the following authentication procedures:
1. LDAP authentication: You can access the following resources to obtain more useful information.
http://www.geocities.com/ResearchTriangle/Thinktank/5292/projects/ldap/
http://home.iae.nl/users/devet/squid/proxy_auth/contrib/ldap_auth.tar.gz
2.SMB certification: User authentication based on NT and samba can be achieved. For more information, please visit the following resources.
http://www.hacom.nl/~richard/software/smb_auth.html
3. User authentication based on mysql.
http://home.iae.nl/users/devet/squid/proxy_auth/contrib/mysql_auth.c
4. User authentication based on sock5 password.
http://nucleo.freeservers.com/
5. User authentication based on Radius.
http://home.iae.nl/users/devet/squid/proxy_auth/contrib/auth.pl
But what we commonly use is authentication with ncsa and user authentication based on NT and samba with smb_auth. Below we will talk about the specific implementation of these two authentication methods.
5.2.1 Implementation of ncsa user authentication
ncsa is one of the authentication procedures that comes with the Squid source code package. Below we take the Squid-2.3.STABLE2 version as an example to describe the installation and configuration of ncsa.
1. Download the squid source code package squid-2.3.STABLE2-src.tar.gz from www.squid-cache.org and place it in the / tmp directory.
2. Unzip with tar:
tar xvzf squid-2.3.STABLE2-src.tar.gz
% make
% make install
3. Then, enter the /tmp/squid-2.3.STABLE2/auth_modules/NCSA directory.
After% make
% make install is
compiled successfully, the ncsa_auth executable file will be generated.
4. Copy the generated execution file ncsa_auth to the / usr / bin directory
cp ncsa_auth / usr / bin / bin
5. Modify the relevant options in squid.conf as follows:
authenticate_program / usr / local / squid / bin / ncsa_auth / usr / bin / passwd
6. Define related user class
acl auth_user proxy_auth REQUIRED
Note that the REQUIRED keyword indicates to receive all legitimate user access.
7. Set http_access
http_access allow auth_user
Note that if you specify multiple user classes that are allowed to be accessed in the line change, you should put the user class to be authenticated first. As shown below:
wrong configuration: http_access allow auth_user all manager
correct configuration: http_access allow auth_user manager all
8. use the tool software htpasswd carried by apache to generate a password file under / usr / local / squid / etc and add the corresponding user information . Generally speaking, each line of the password file contains the user information of a user, that is, the user name and password.
Use htpasswd to generate password file passwd and add user bye.
htpasswd -c / usr / local / squid / etc / passwd bye
and then restart Squid, password authentication has taken effect.
5.2.2 smb implement user authentication
domestic introduction and use ncsa implement user authentication few articles, using smb_auth samba and NT-Based User Authentication I have not seen before, let's take a look at the squid achieved in NT-based user authentication.
The current highest version of smb_auth is smb_auth-0.05, you can download it at the following address. Of course, Squid's source code package also contains smb_auth, but it is version 0.02.
http://www.hacom.nl/~richard/software/smb_auth-0.05.tar.gz
The homepage address of smb_auth is http://www.hacom.nl/~richard/software/smb_auth.html .
1. System requirements:
Squid2.0 or above.
Install samba2.0.4 or above. You don't need to run the samba service, because smb_auth only uses the samba client software.
2. Download smb_auth-0.05.tar.gz and copy to / tmp.
3.tar xvzf smb_auth-0.05.tar.gz
4. Modify the SAMBAPREFIX and INSTALLBIN parameters in the Makefile according to your requirements. SAMBAPREFIX specifies your samba installation path, and INSTALLBIN specifies the installation path of smb_auth. We specify:
SAMBAPREFIX = / usr, INSTALLBIN = / usr / bin.
5.make
6.make install, after successful, the executable file smb_auth will be generated in the path specified by INSTALLBIN.
7. Follow the steps below to set the master you want to use for authentication Domain controller:
first create a "proxy" file in the NETLOG shared directory, the file contains only a "allow" string, generally speaking, the NETLOG directory is located in \\ winnt \\ system32 \\ Repl \\ import \ \ scripts directory; then, set all users and user groups that you want to access Squid to have read rights to the file.
8. Modify the relevant options in squid.conf as follows:
authenticate_program / usr / local / squid / bin / smb_auth your_domain_name
9. Define the relevant user class
acl auth_user proxy_auth REQUIRED
Note that the REQUIRED keyword indicates to receive all legitimate user access.
10. Set http_access
http_access allow auth_user
Note that if you specify multiple user classes that are allowed to be accessed in the line change, you should put the user class to be authenticated first. As shown below:
wrong configuration: http_access allow auth_user all manager
correct configuration: http_access allow auth_user manager all
If everything is correct, then restart Squid, password authentication has taken effect.
Description: How to call smb_auth: 1. smb_auth
-W your_domain_name
Use your_domain_name to specify your domain name. smb_auth will broadcast to find the primary domain controller.
2.smb_auth -W your_domain_name -B
If you have multiple network interfaces, you can use -B to specify the IP address of the network interface used for broadcasting.
3.smb_auth -W your_domain_name -U
You can also use -U to directly specify the IP address of the primary domain controller.
4.smb_auth -W your_domain_name -S share
You can use -S to specify a shared directory different from NETLOG.
5.2.3 Other authentication settings in
squid.conf 1.
authentication_children Description: Set the number of authentication subprocesses The default is 5. If you are in a busy network environment, you can increase this value appropriately.
2.authenticate_ttl
Description: Set the validity period of one authentication, the default is 3600 seconds.
3.proxy_auth_realm
Description: Set the domain name displayed to the user during user login authentication.
5.3 transparent proxy settings
on the concept of transparent proxy that we have in the first quarter will be over, let's look at how to achieve transparent proxy squid in.
The implementation of transparent proxy needs to be above Linux 2.0.29, but Linux 2.0.30 does not support this feature. Fortunately, we are currently using version 2.2.X or above, so do nβt worry about this problem. Below we use ipchains + squid to achieve transparent proxy. What needs to be explained before starting is that at present we can only implement HTTP support.
written by undercode
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
domestic introduction and use ncsa implement user authentication few articles, using smb_auth samba and NT-Based User Authentication I have not seen before, let's take a look at the squid achieved in NT-based user authentication.
The current highest version of smb_auth is smb_auth-0.05, you can download it at the following address. Of course, Squid's source code package also contains smb_auth, but it is version 0.02.
http://www.hacom.nl/~richard/software/smb_auth-0.05.tar.gz
The homepage address of smb_auth is http://www.hacom.nl/~richard/software/smb_auth.html .
1. System requirements:
Squid2.0 or above.
Install samba2.0.4 or above. You don't need to run the samba service, because smb_auth only uses the samba client software.
2. Download smb_auth-0.05.tar.gz and copy to / tmp.
3.tar xvzf smb_auth-0.05.tar.gz
4. Modify the SAMBAPREFIX and INSTALLBIN parameters in the Makefile according to your requirements. SAMBAPREFIX specifies your samba installation path, and INSTALLBIN specifies the installation path of smb_auth. We specify:
SAMBAPREFIX = / usr, INSTALLBIN = / usr / bin.
5.make
6.make install, after successful, the executable file smb_auth will be generated in the path specified by INSTALLBIN.
7. Follow the steps below to set the master you want to use for authentication Domain controller:
first create a "proxy" file in the NETLOG shared directory, the file contains only a "allow" string, generally speaking, the NETLOG directory is located in \\ winnt \\ system32 \\ Repl \\ import \ \ scripts directory; then, set all users and user groups that you want to access Squid to have read rights to the file.
8. Modify the relevant options in squid.conf as follows:
authenticate_program / usr / local / squid / bin / smb_auth your_domain_name
9. Define the relevant user class
acl auth_user proxy_auth REQUIRED
Note that the REQUIRED keyword indicates to receive all legitimate user access.
10. Set http_access
http_access allow auth_user
Note that if you specify multiple user classes that are allowed to be accessed in the line change, you should put the user class to be authenticated first. As shown below:
wrong configuration: http_access allow auth_user all manager
correct configuration: http_access allow auth_user manager all
If everything is correct, then restart Squid, password authentication has taken effect.
Description: How to call smb_auth: 1. smb_auth
-W your_domain_name
Use your_domain_name to specify your domain name. smb_auth will broadcast to find the primary domain controller.
2.smb_auth -W your_domain_name -B
If you have multiple network interfaces, you can use -B to specify the IP address of the network interface used for broadcasting.
3.smb_auth -W your_domain_name -U
You can also use -U to directly specify the IP address of the primary domain controller.
4.smb_auth -W your_domain_name -S share
You can use -S to specify a shared directory different from NETLOG.
5.2.3 Other authentication settings in
squid.conf 1.
authentication_children Description: Set the number of authentication subprocesses The default is 5. If you are in a busy network environment, you can increase this value appropriately.
2.authenticate_ttl
Description: Set the validity period of one authentication, the default is 3600 seconds.
3.proxy_auth_realm
Description: Set the domain name displayed to the user during user login authentication.
5.3 transparent proxy settings
on the concept of transparent proxy that we have in the first quarter will be over, let's look at how to achieve transparent proxy squid in.
The implementation of transparent proxy needs to be above Linux 2.0.29, but Linux 2.0.30 does not support this feature. Fortunately, we are currently using version 2.2.X or above, so do nβt worry about this problem. Below we use ipchains + squid to achieve transparent proxy. What needs to be explained before starting is that at present we can only implement HTTP support.
written by undercode
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
β β β ο½ππ»βΊπ«Δπ¬πβ β β
π¦GET PERSONAL NUMBER FOR SOCIAL MEDIA OR SMS ...
Twitter.com/undercodeNews
1. Twilio.com
2. Textnow.com
3. Countrycode.org
4. Wp.pinger.com
5. Textmagic.com
6. Esendex.co.uk - (It's easy to get a trial period using a virtual number by fast registration, the package includes 25 free messages, the restriction of use in 7 days.No credit card is required.You can be counted for a personal number!)
7. Burstsms.com.au - (Similar service as the previous one, fast registration, the probe includes 14 days You do not need a credit card, so you can count as a personal number!)
8. Directsms.com.au - (You register, you get a free 30-day trial version Business sms. Personal Wirth.number!)
9. Vumber.com - (Register, receive a 14-day trial version.) Personal
PUBLIC NUMBER FOR RECEIVING SMSβ
1. Receive-sms-online.info
2. Receivefreesms.net
3. Sms-receive.net
4 . Receive-a-sms.com
5. Hs3x.com
6. Receive-sms-now.com - (There are Russian numbers)
7. Smsreceivefree.com
8. Receivesmsonline.com
9. Getsms.org - (Π ΡΡ.Π½ΠΎΠΌΠ΅ΡΠ°)
10. Tempsms.ru - (Rus.number)
11. Numberforsms.com - (There are Russian numbers)
12. Sonetel.com
13. Smska.us - (Rus.number)
14. Sellaite.com
15. Sms.ink - (Rus.numera)
16. Proovl.com
17. Onlinesim.ru
18. Zadarma.com - (There are Russian numbers)
19. Smsc.ru - (You need to register, there are Russian and Ukrainian numbers)
20. Freevirtualnumber.skycallbd.com
21. Getfreesmsnumber.com
22. Receive-smsonline.net - Yearly design
23. Receivefreesms.com
24. Receivesmsverification.com
25 Sms-online.co
26. Ireceivesmsonline.com
27. Receive-sms-online.com - (There are a number of scores)
28. Receive-sms-free.com
29. Esendex.com.au - (Registration required)
30. Receivesmsonline .in
31. Mytrashmobile.com
32. Receivesmsonline.me
33. Anon-sms.com
34. Mfreesms.com
35. Spryng.nl - (You need to register)
36. Smsreceiveonline.com
37. Smsget.net - (Megaphone and Beeline)
written by undercode
β β β ο½ππ»βΊπ«Δπ¬πβ β β
π¦GET PERSONAL NUMBER FOR SOCIAL MEDIA OR SMS ...
Twitter.com/undercodeNews
1. Twilio.com
2. Textnow.com
3. Countrycode.org
4. Wp.pinger.com
5. Textmagic.com
6. Esendex.co.uk - (It's easy to get a trial period using a virtual number by fast registration, the package includes 25 free messages, the restriction of use in 7 days.No credit card is required.You can be counted for a personal number!)
7. Burstsms.com.au - (Similar service as the previous one, fast registration, the probe includes 14 days You do not need a credit card, so you can count as a personal number!)
8. Directsms.com.au - (You register, you get a free 30-day trial version Business sms. Personal Wirth.number!)
9. Vumber.com - (Register, receive a 14-day trial version.) Personal
PUBLIC NUMBER FOR RECEIVING SMSβ
1. Receive-sms-online.info
2. Receivefreesms.net
3. Sms-receive.net
4 . Receive-a-sms.com
5. Hs3x.com
6. Receive-sms-now.com - (There are Russian numbers)
7. Smsreceivefree.com
8. Receivesmsonline.com
9. Getsms.org - (Π ΡΡ.Π½ΠΎΠΌΠ΅ΡΠ°)
10. Tempsms.ru - (Rus.number)
11. Numberforsms.com - (There are Russian numbers)
12. Sonetel.com
13. Smska.us - (Rus.number)
14. Sellaite.com
15. Sms.ink - (Rus.numera)
16. Proovl.com
17. Onlinesim.ru
18. Zadarma.com - (There are Russian numbers)
19. Smsc.ru - (You need to register, there are Russian and Ukrainian numbers)
20. Freevirtualnumber.skycallbd.com
21. Getfreesmsnumber.com
22. Receive-smsonline.net - Yearly design
23. Receivefreesms.com
24. Receivesmsverification.com
25 Sms-online.co
26. Ireceivesmsonline.com
27. Receive-sms-online.com - (There are a number of scores)
28. Receive-sms-free.com
29. Esendex.com.au - (Registration required)
30. Receivesmsonline .in
31. Mytrashmobile.com
32. Receivesmsonline.me
33. Anon-sms.com
34. Mfreesms.com
35. Spryng.nl - (You need to register)
36. Smsreceiveonline.com
37. Smsget.net - (Megaphone and Beeline)
written by undercode
β β β ο½ππ»βΊπ«Δπ¬πβ β β
Twitter
UNDERCODE NEWS (@UndercodeNews) | Twitter
The latest Tweets from UNDERCODE NEWS (@UndercodeNews). We provides you daily hacking News & Security Warning & Technologies news & Bugs reports & Analysis... @UndercodeNews @UndercodeUpdate @iUndercode @DailyCve. Aus/Leb
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ Network configuration-Prevent users from browsing using external proxies full by undercode
t.me/undercodeTesting
1. Some background knowledge:
(1) HTTP / 1.0 protocol defines web server and When the client uses a proxy, in the
HTTP request and response header, use Via: to identify the proxy server used to prevent the
server loop;
(2) snort is an open source IDS (intrusion detection system) that can be used Host or network IDS. With many IDS
rules, it can perform pattern recognition and matching on the captured (ip, tcp, udp, icmp) packets, and can generate corresponding records.
(3) libnet is open source software that can be used as a network protocol / packet generator.
(4) The TCP / IP network is a packet-switched network.
(5) Snort also has the function of generating IP packets using the libnet library. You can interrupt the TCP connection by issuing a TCP_RESET packet.
2. Prerequisites:
(1) Snort runs on the route (linux) or through the port mirror function of the switch, runs on the same
network segment of the route
3. Implementation:
(1) compile snort with flexresp (flex response) feature
(2) Define snort rules:
alert tcp $ HOME_NET any <> $ EXTER_NET 80 (msg: "block proxy"; uricontent: "Via:"; resp: rst_all;)
4 . Effect:
Internal network users can browse external websites normally. If the internal user βs browser is configured with an external proxy, the
HTTP REQUEST and RESPONSE headers will include Via: ... characters, and snort rules will capture this connection, and then
Send RST packets to client and server sockets. In this way, the TCP connection is terminated.
written by undercode
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ Network configuration-Prevent users from browsing using external proxies full by undercode
t.me/undercodeTesting
1. Some background knowledge:
(1) HTTP / 1.0 protocol defines web server and When the client uses a proxy, in the
HTTP request and response header, use Via: to identify the proxy server used to prevent the
server loop;
(2) snort is an open source IDS (intrusion detection system) that can be used Host or network IDS. With many IDS
rules, it can perform pattern recognition and matching on the captured (ip, tcp, udp, icmp) packets, and can generate corresponding records.
(3) libnet is open source software that can be used as a network protocol / packet generator.
(4) The TCP / IP network is a packet-switched network.
(5) Snort also has the function of generating IP packets using the libnet library. You can interrupt the TCP connection by issuing a TCP_RESET packet.
2. Prerequisites:
(1) Snort runs on the route (linux) or through the port mirror function of the switch, runs on the same
network segment of the route
3. Implementation:
(1) compile snort with flexresp (flex response) feature
(2) Define snort rules:
alert tcp $ HOME_NET any <> $ EXTER_NET 80 (msg: "block proxy"; uricontent: "Via:"; resp: rst_all;)
4 . Effect:
Internal network users can browse external websites normally. If the internal user βs browser is configured with an external proxy, the
HTTP REQUEST and RESPONSE headers will include Via: ... characters, and snort rules will capture this connection, and then
Send RST packets to client and server sockets. In this way, the TCP connection is terminated.
written by undercode
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ xwindow-Turn off Mozilla's auto-install plugin dialog old versions & new one :
new version of the Mozilla browser in the linux environment, when the page appears within the browser When Mozilla does not support plugins by default, Mozilla will continuously pop up a confirmation dialog box for installing plugins.
γγFor the plug-ins we want to install by default, this function is really good, you can remind the installation, but for some plug-ins that you don't want to install at all, it is a bit annoying to always prompt like this.
The solution is very simple, just enter the mozilla plugin directory, the default is
/ usr / local / mozilla / plugins
to move the libnullplugin.so inside to any other directory, such as / opt / backup directory. Come here:
cd / usr / local / mozilla / plugins
mkdir / opt / backup
mv libnullplugin.so / opt / backup
Restart Mozilla after this operation is completed, when it is completed, it will prompt whether to close the prompt dialog box, select Yes can.
written by undercode
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ xwindow-Turn off Mozilla's auto-install plugin dialog old versions & new one :
new version of the Mozilla browser in the linux environment, when the page appears within the browser When Mozilla does not support plugins by default, Mozilla will continuously pop up a confirmation dialog box for installing plugins.
γγFor the plug-ins we want to install by default, this function is really good, you can remind the installation, but for some plug-ins that you don't want to install at all, it is a bit annoying to always prompt like this.
The solution is very simple, just enter the mozilla plugin directory, the default is
/ usr / local / mozilla / plugins
to move the libnullplugin.so inside to any other directory, such as / opt / backup directory. Come here:
cd / usr / local / mozilla / plugins
mkdir / opt / backup
mv libnullplugin.so / opt / backup
Restart Mozilla after this operation is completed, when it is completed, it will prompt whether to close the prompt dialog box, select Yes can.
written by undercode
β β β ο½ππ»βΊπ«Δπ¬πβ β β β